Problem
There are a few problems with your code...
- You don't connect to a database
- You're trying to use a `mysqli|pdo` method on a string (i.e. not a `mysqli|pdo`)
- Using variables directly inside of queries is bad practice and leaves you open to SQL injection
- Additionally, in this case, your variable appears to be a string so needs to be in quotes even if you were to use it directly in the query
- Having two separate `if` statements would mean that, even if this code worked otherwise, sometimes you would run a query with no SQL statement
- You need to enable error reporting
- Currently you're getting a BLANK page because there is an uncaught error. If you enable error reporting then you will get a message saying what caused the issue
- Setting `$catName` as you have could result in `Notice` messages appearing in your log file
Solution
The key things to remember are:
- Use Prepared Statements for variables
- Enable error reporting
  - Display & log in dev environments
  - Hide & log on production
Code
```php
// Enable error reporting in PHP; making errors output to page
// (development setting: on production hide errors from the page and log them)
error_reporting(E_ALL);
ini_set('display_errors', TRUE);
ini_set('display_startup_errors', TRUE);

// Database credentials:
// You need to change these to your DB / DB User
$db_host = '127.0.0.1';
$db_user = 'db_username';
$db_pass = 'db_password';
$db_name = 'db_name';

// Database connection
// - Setting error reporting mode in options
$pdo = new \PDO(
    "mysql:host={$db_host};dbname={$db_name}",
    $db_user,
    $db_pass,
    [
        \PDO::ATTR_ERRMODE => \PDO::ERRMODE_EXCEPTION,
        \PDO::ATTR_EMULATE_PREPARES => FALSE
    ]
);

// Initialise the variable from the form
// ?? null => if the variable doesn't exist then the value will be null
$catName = $_POST["category_name"] ?? null;

// Check to see if the variable exists (and isn't false)
// Warning:
// If false equivalent values can be entered then you should
// use a different condition (e.g. `!empty($catName)` )
if ($catName) {
    // The SQL statement with ? as a placeholder for the
    // variable we want to insert
    $sql = "INSERT INTO categories (c_name) VALUES (?)";
    $query = $pdo->prepare($sql); // Prepare the query
    $query->execute([$catName]);  // Run the query; passing in the variable to bind

    // Ternary logic to check if "rows were inserted" and echo an appropriate
    // "success" or "failure" message
    echo $query->rowCount() ?
        "Success" :
        "Error, something went wrong!";
}
```
Code, no comments
```php
error_reporting(E_ALL);
ini_set('display_errors', TRUE);
ini_set('display_startup_errors', TRUE);

$db_host = '127.0.0.1';
$db_user = 'db_username';
$db_pass = 'db_password';
$db_name = 'db_name';

$pdo = new \PDO(
    "mysql:host={$db_host};dbname={$db_name}",
    $db_user,
    $db_pass,
    [
        \PDO::ATTR_ERRMODE => \PDO::ERRMODE_EXCEPTION,
        \PDO::ATTR_EMULATE_PREPARES => FALSE
    ]
);

$catName = $_POST["category_name"] ?? null;

if ($catName) {
    $sql = "INSERT INTO categories (c_name) VALUES (?)";
    $query = $pdo->prepare($sql);
    $query->execute([$catName]);

    echo $query->rowCount() ?
        "Success" :
        "Error, something went wrong!";
}
```
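An added example, not part of the original answer: the interpolated query from the problem list beside the prepared statement from the solution, with errors logged rather than displayed. It assumes an in-memory SQLite database (so it runs without the MySQL credentials above; needs the pdo_sqlite extension), and the table layout, function names and sample category name are constructed for illustration.

```php
<?php
// Added example: constructed data, in-memory SQLite instead of the answer's MySQL
// (assumption: the pdo_sqlite extension is loaded).
declare(strict_types=1);

function makeDb(): PDO
{
    $pdo = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
    $pdo->exec('CREATE TABLE categories (c_id INTEGER PRIMARY KEY, c_name TEXT NOT NULL)');
    return $pdo;
}

// "Before": the value is pasted into the SQL text, so the database parses it as SQL.
function insertInterpolated(PDO $pdo, string $catName): bool
{
    try {
        return $pdo->exec("INSERT INTO categories (c_name) VALUES ('$catName')") === 1;
    } catch (PDOException $e) {
        error_log('Category insert failed: ' . $e->getMessage()); // log, don't display
        return false;
    }
}

// "After": the SQL text is fixed; the value travels separately as a bound parameter.
function insertPrepared(PDO $pdo, string $catName): bool
{
    try {
        $query = $pdo->prepare('INSERT INTO categories (c_name) VALUES (?)');
        $query->execute([$catName]);
        return $query->rowCount() === 1;
    } catch (PDOException $e) {
        error_log('Category insert failed: ' . $e->getMessage());
        return false;
    }
}

$pdo = makeDb();
$catName = "Men's Shoes"; // constructed, ordinary input that contains a quote

// The quote ends the string literal early, so the interpolated statement is invalid SQL.
var_dump(insertInterpolated($pdo, $catName));
// The bound parameter is never parsed as SQL, so the same input is stored as typed.
var_dump(insertPrepared($pdo, $catName));
var_dump($pdo->query('SELECT c_name FROM categories')->fetchAll(PDO::FETCH_COLUMN));
```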