
I'm trying to take data from an HTML form and transfer it to my DB using POST and PHP. Whenever I do, the data changes to something unfamiliar to me.

I'm very new to programming, please help me.

My HTML code:

<form action="insert.php" method="post">
    <table>
        <tbody>
            <tr>
                <td width="20%">private name</td>
                <td><input type="text" id="privetname" name="fname" size="16"></td>
            </tr>

            <tr>
                <td width="20%">&nbsp;last name</td>
                <td><input type="text" id="lastname" name="lname" size="16"></td>
            </tr>

            <tr>
                <td width="20%">&nbsp;phone</td>
                <td><input type="text" id="phone" name="phone" size="16"></td>
            </tr>

            <tr>
                <td width="20%">&nbsp;email</td>
                <td><input type="email" id="email" name="email" size="16"></td>
            </tr>

            <tr>
                <td width="20%">&nbsp;birthday</td>
                <td><input type="date" id="birthday" name="birthday"></td>
            </tr>

            <tr>
                <td width="20%">&nbsp;anniversary</td>
                <td><input type="date" id="anniversary" name="anniversary"></td>
            </tr>

            <tr>
                <td><button type="submit"><font size="+1">Create Customer</font></button></td>
            </tr>
        </tbody>
    </table>
</form>

My PHP code:

$sql = "INSERT INTO customer (fname, lname, phone, email, birthday, anniversary)
        VALUES ('$_POST[fname]','$_POST[lname]','$_POST[phone]','$_POST[email]','$_POST[birthday]','$_POST[anniversary]')"; /* ,'$_POST[birthday]','$_POST[anniversary]' */
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)***. Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Feb 28 '20 at 13:05
  • Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Feb 28 '20 at 13:05
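The comments above recommend a PDO prepared statement instead of interpolating `$_POST` values into the SQL string. The following `insert.php` is an added example written for this thread, not the asker's code: it performs the same INSERT into the `customer` table with the six form fields, but sends the values separately from the SQL text. The DSN, database user and password are placeholders; the table and column names are the ones from the question.

```php
<?php
// insert.php: the question's INSERT rewritten as a PDO prepared statement.
// Added example, not the original code. DSN, user and password are placeholders.
declare(strict_types=1);

$dsn  = 'mysql:host=localhost;dbname=YOUR_DATABASE;charset=utf8mb4'; // placeholder
$user = 'YOUR_DB_USER';     // placeholder
$pass = 'YOUR_DB_PASSWORD'; // placeholder

$pdo = new PDO($dsn, $user, $pass, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // throw on SQL errors instead of failing silently
    PDO::ATTR_EMULATE_PREPARES => false,                  // let the MySQL server do the prepare
]);

// Accept only the fields the form actually sends; any extra POST keys are ignored.
$fields = ['fname', 'lname', 'phone', 'email', 'birthday', 'anniversary'];
$row = [];
foreach ($fields as $f) {
    // Form values always arrive as strings; trim whitespace and default to ''.
    $row[$f] = trim((string) ($_POST[$f] ?? ''));
}

// Server-side checks: the <input type="email"> and <input type="date"> attributes
// only constrain the browser's form; the request itself can contain anything.
if (filter_var($row['email'], FILTER_VALIDATE_EMAIL) === false) {
    http_response_code(400);
    exit('invalid email');
}
foreach (['birthday', 'anniversary'] as $d) {
    // <input type="date"> submits YYYY-MM-DD; an empty field means "not given".
    if ($row[$d] === '') {
        $row[$d] = null; // store SQL NULL rather than the empty string
        continue;
    }
    // Round-trip check rejects both malformed input and impossible dates like 2020-02-30.
    $dt = DateTime::createFromFormat('!Y-m-d', $row[$d]);
    if ($dt === false || $dt->format('Y-m-d') !== $row[$d]) {
        http_response_code(400);
        exit("invalid date in $d");
    }
}

// Named placeholders: the values never become part of the SQL text, so quotes
// or SQL keywords inside a form field cannot change the statement's structure.
$sql = 'INSERT INTO customer (fname, lname, phone, email, birthday, anniversary)
        VALUES (:fname, :lname, :phone, :email, :birthday, :anniversary)';
$stmt = $pdo->prepare($sql);
$stmt->execute($row); // the keys of $row match the placeholder names

echo 'Customer created';
```

The `charset=utf8mb4` part of the DSN is what makes PHP and MySQL agree on the text encoding of the values; if non-ASCII names appear mangled in the table after insertion, that setting (together with the column's own character set) is the first thing to check.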

0 Answers