
I am submitting data from a form to a backend PHP file. The file is called settings.php and will not for some reason submit the data to the database. The database connection is working, and I've been trying to solve this for more than a day.

It did work before, but I decided to make some changes to the files and I must have messed something up. Maybe I'm too blind to see it myself.

Here's the HTML part:

            $infoSql = "SELECT * FROM info WHERE uname = '$username'";
            $infoResult = mysqli_query($conn, $infoSql);
            $infoRow = mysqli_fetch_assoc($infoResult);
            $infoResultCheck = mysqli_num_rows($infoResult);

            if($infoResultCheck == 0) {
                    echo '        <form action="includes/settings.php" method="post" enctype= multipart/form-data>
                    <div class="user_settings_beggining">
                            <div class="form_set_user_top">
                                <p>Beskriv dig själv</p>
                            </div>

                            Var bor du?
                            <input type="text" name="school" required>
                            <br>

                            Är du frisk?
                            <input type="text" name="class" required>
                            <br>

                            Din inställning till viruset
                            <input type="text" name="motto" required>
                            <br>

                            Profilbild:
                            <input type="file" name="picture">
                            <br>

                            Rensa:
                            <input type="reset" value="Rensa" style="align-self: 
                            flex-start; 
                            width: 100px; 
                            background: none; 
                            border: 1px solid black; 
                            outline: none;
                            cursor: pointer;
                            padding: 5px;">
                            <br>

                            <input type="submit" value="Klar" style="align-self: 
                            flex-start; 
                            width: 100px; 
                            background: none; 
                            border: 1px solid black; 
                            outline: none;
                            cursor: pointer;
                            padding: 5px;">
                            </div></form>
                            ';


            }

Here's the PHP code:

        require "database.php";
        session_start();
        $username = $_SESSION["uname"];

        $file = $_FILES["picture"];
        $user_school = mysqli_real_escape_string($conn, $_POST["school"]);
        $user_class = mysqli_real_escape_string($conn, $_POST["class"]);
        $user_motto = mysqli_real_escape_string($conn, $_POST["motto"]);

        $fileName = $_FILES["picture"]["name"];
        $fileTmpName = $_FILES["picture"]["tmp_name"];
        $fileSize = $_FILES["picture"]["size"];
        $fileError = $_FILES["picture"]["error"];
        $fileType = $_FILES["picture"]["type"];

        $fileExt = explode(".", $fileName);
        $fileActualExt = strtolower(end($fileExt));
        $allowed = array("jpg", "jpeg", "png", "gif");
        $fileNameNew = uniqid('', true).".".$fileActualExt;
        $fileDestination = "../profile-img/".$fileNameNew;


        if(isset($file)) {
            if(in_array($fileActualExt, $allowed)) {
                if($fileError === 0) {
                    if($fileSize < 5000000) {

                        move_uploaded_file($fileTmpName, $fileDestination);

                    }
                }
            }
        } else {
            $fileNameNew = 'null';

        }



         $sql = "INSERT INTO info (uname, user_image, user_school, user_class, user_motto) 
         VALUES ('$username', $fileNameNew', '$user_school', '$user_class, '$user_motto');";

         mysqli_query($conn, $sql);
         header("Location: ../user.php?success");
  • You are wide open for SQL injection. Since you're using mysqli, take advantage of [prepared statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and [bind_param](http://php.net/manual/en/mysqli-stmt.bind-param.php). **This will take care of any pesky quoting issues that may occur.** – aynber Mar 12 '20 at 14:39
  • Start by doing some basic debugging, so you can give us a more detailed breakdown of the problem. If you don't know how to do basic debugging, now would be a good time to go and learn - otherwise you will never be able to solve simple issues in your programs. http://www.phpknowhow.com/basics/basic-debugging/ has a simple guide to PHP debugging. Also, ensure PHP is set to log errors, and mysqli is set to throw exceptions when the SQL crashes. See https://stackify.com/php-error-logs-guide/ (php error logging/reporting) and https://stackoverflow.com/a/14578644/5947043 (mysqli exception handling) – ADyson Mar 12 '20 at 14:40
  • When a query does not work as you expect, you should check for [mysqli errors](http://php.net/manual/en/mysqli.error.php) to find out why. A query can look correct, but may be throwing a database error. – aynber Mar 12 '20 at 14:40
  • P.S. if you think you messed up due to some changes you made, then the sensible thing would be to look back at what you changed. Hopefully you either keep backups of your code, or check your code into a source control system regularly (or both!), either of which would allow you to compare your current code to previous versions. With both this and the debugging stuff I wrote about, this is an example of where taking advantage of all the fantastic tools available to programmers can really help you to investigate and solve problems rapidly yourself. – ADyson Mar 12 '20 at 14:42
  • Thanks, I know I haven't secured my website for SQL injections yet, I'll make sure to go through every single character of code and try to debug. EDIT: Unfortunately I haven't got any backups of my previous code :( – Benjamin Nevalainen Mar 12 '20 at 14:42
  • You are wide open for SQL injection as @aynber says. Besides that, this part of your query has wrong quotation marks (you are missing some of them), VALUES ('$username', $fileNameNew', '$user_school', '$user_class, '$user_motto');";. You should change it to **VALUES ('$username', '$fileNameNew', '$user_school', '$user_class', '$user_motto');";** – nacho Mar 12 '20 at 16:00
  • THANK YOU, I literally didn't realize the quotation marks were missing. I should get glasses for sure. – Benjamin Nevalainen Mar 12 '20 at 20:17
  • @BenjaminNevalainen if you had used prepared statements and parameterised queries (as per universally accepted best practice), this issue would not have arisen - because you don't have to use quote marks at all. You simply type in a parameter placeholder and the database takes care of the rest. So there are other benefits to it as well as protection from injection attacks - it can also help you prevent tedious and trivial syntax errors! – ADyson Mar 13 '20 at 09:51
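
The prepared-statement approach recommended in the comments, applied to the question's `includes/settings.php`, as an added example that is not part of the original thread. It assumes `database.php` defines `$conn` as a `mysqli` connection object and that the `user_image` column accepts NULL.

```php
<?php
// Added example: includes/settings.php with a parameterised INSERT.
// Assumption: database.php defines $conn (mysqli), as in the question.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // SQL errors throw

require "database.php";
session_start();
if (!isset($_SESSION["uname"])) {
    http_response_code(403);
    exit;
}
$username = $_SESSION["uname"];

// Store NULL (assumes a nullable column) unless an upload passes every check.
// Extension allowlist as in the question; it does not verify file contents.
$fileNameNew = null;
$allowed = array("jpg", "jpeg", "png", "gif");
if (isset($_FILES["picture"]) && $_FILES["picture"]["error"] === UPLOAD_ERR_OK) {
    $ext = strtolower(pathinfo($_FILES["picture"]["name"], PATHINFO_EXTENSION));
    if (in_array($ext, $allowed, true) && $_FILES["picture"]["size"] < 5000000) {
        $candidate = uniqid('', true) . "." . $ext;
        if (move_uploaded_file($_FILES["picture"]["tmp_name"], "../profile-img/" . $candidate)) {
            $fileNameNew = $candidate;
        }
    }
}

// No mysqli_real_escape_string() here: bound values travel separately from
// the SQL text, so escaping them first would store the backslashes.
$school = $_POST["school"] ?? "";
$class  = $_POST["class"] ?? "";
$motto  = $_POST["motto"] ?? "";

// Placeholders replace the quoted variables, so there are no quotes to mismatch.
$stmt = $conn->prepare(
    "INSERT INTO info (uname, user_image, user_school, user_class, user_motto)
     VALUES (?, ?, ?, ?, ?)"
);
$stmt->bind_param("sssss", $username, $fileNameNew, $school, $class, $motto);
$stmt->execute();

header("Location: ../user.php?success");
exit;
```

With exception mode enabled, a malformed statement like the one in the question stops the script with a `mysqli_sql_exception` instead of redirecting to `?success` as if the insert had worked.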
