I have been developing a website form on localhost (xampp). But it only showing single input from a user (in phpMyAdmin). And it is accepting all the inputs from the user without showing any error. Already have tried all the valid solutions provided online. Any help would be really appreciated. I have been stuck on this issue for 2+ months.

Here is the php+mysqli code I have been using:

```php
<?php

$con = mysqli_connect('localhost','root');

if($con){
    echo "Connection Successful";
} else {
    echo "No Connection";
}

mysqli_select_db($con, 'animatesite');

$user = $_POST['user'];
$email = $_POST['email'];
$mobile = $_POST['mobile'];
$comments = $_POST['comments'];

$query = "insert into userinfodata (user, email, mobile, comment)
values ('$user', '$email', '$mobile', '$comments')";

mysqli_query($con, $query);

echo "$query";

header('location:index.php');

?>
```

  • **Warning:** Your code is vulnerable to SQL Injection attacks. You should use parameterised queries and prepared statements to help prevent attackers from compromising your database by using malicious input values. http://bobby-tables.com gives an explanation of the risks, as well as some examples of how to write your queries safely using PHP / mysqli. **Never** insert unsanitised data directly into your SQL. The way your code is written now, someone could easily steal, incorrectly change, or even delete your data. – ADyson Mar 01 '21 at 09:18
  • https://phpdelusions.net/mysqli also contains good examples of writing safe SQL using mysqli. Parameterising your queries will also greatly reduce the risk of accidental syntax errors as a result of un-escaped input values. – ADyson Mar 01 '21 at 09:18
  • Additionally, if you are not seeing errors when trying to insert data, but the data is not appearing in the database, then maybe you have errors which don't show up. Make sure PHP error reporting is on and that mysqli is set to throw errors when SQL problems occur. See these guides to set it up: https://stackify.com/php-error-logs-guide/ (php error logging/reporting) https://stackoverflow.com/a/14578644/5947043 (mysqli error handling) – ADyson Mar 01 '21 at 09:19
  • `Already have tried all the valid solutions provided online`...no, you haven't. See my comments above. – ADyson Mar 01 '21 at 09:19
  • Also, **never** get your web app to log in to the database as root. Root can do whatever it likes, so on top of the SQL injection vulnerabilities this just leaves your database an open book for hackers. Instead create a separate user account specifically for this application which has only the permissions it actually _needs_ in order to work properly. Don't even use the root account as a shortcut during development or testing, because you need to test your account permissions as well - otherwise when you go live you might have unexpected errors relating to the user account setup. – ADyson Mar 01 '21 at 09:20
  • Thank you for these guidelines. But this is only for study purposes. I am new to development. :) – Alisha kumari Mar 01 '21 at 09:25
  • Well then please study the correct way to write your code, then you won't get into bad habits and have to re-learn it all later. Now is the perfect time to take note of what I'm saying and go and write your code correctly. It's not really any more difficult than the way you've been doing it, you just have to learn slightly different commands instead. Also, depending on what your underlying error is, you might even solve it by implementing these recommendations - as I said above, it can cure more than just security problems. – ADyson Mar 01 '21 at 09:27
  • Also can you clarify something from your description? When you say `it only showing single input from a user `...do you mean a) "it inserts a row each time but only one of the values is entered into the database and the other fields are blank", or do you mean b) "there's only one row in the database and it will never insert any more, no matter what inputs I give"? It wasn't really clear. If you mean (a) then please tell us what field is successful, and whether the others are null, or just blank strings, or what. – ADyson Mar 01 '21 at 09:33
  • Provide your complete code, the form that you have created and how you are submitting it. And what actually gets stored in the database? With the current information provided it is not useful – nshah143 Mar 01 '21 at 09:46

0 Answers
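
The three changes recommended in the comments above, applied to the question's handler, as an added example that is not part of the original thread: a prepared statement with bound parameters, mysqli set to throw on SQL errors, and a dedicated account instead of root. The account name `animatesite_app`, its `INSERT`-only grant and the `APP_DB_PASS` environment variable are assumptions made for illustration.

```php
<?php
// Added example, not the asker's code. Assumed (hypothetical) names:
// the account 'animatesite_app' and the APP_DB_PASS environment variable.
// Least-privilege account, created once by an administrator:
//   CREATE USER 'animatesite_app'@'localhost' IDENTIFIED BY '<password>';
//   GRANT INSERT ON animatesite.userinfodata TO 'animatesite_app'@'localhost';

// Make mysqli throw mysqli_sql_exception instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit;
}

// Read the four form fields; a missing or non-string field becomes ''.
$fields = [];
foreach (['user', 'email', 'mobile', 'comments'] as $name) {
    $value = $_POST[$name] ?? '';
    $fields[$name] = is_string($value) ? trim($value) : '';
}

try {
    $con = new mysqli('localhost', 'animatesite_app', getenv('APP_DB_PASS') ?: '', 'animatesite');
    $con->set_charset('utf8mb4');

    // Placeholders keep user input out of the SQL text; values travel separately.
    $stmt = $con->prepare(
        'INSERT INTO userinfodata (user, email, mobile, comment) VALUES (?, ?, ?, ?)'
    );
    $stmt->bind_param('ssss', $fields['user'], $fields['email'], $fields['mobile'], $fields['comments']);
    $stmt->execute();
} catch (mysqli_sql_exception $e) {
    // Log the detail server-side; show the visitor only a generic message.
    error_log('userinfodata insert failed: ' . $e->getMessage());
    http_response_code(500);
    exit('Could not save the form.');
}

// Nothing has been echoed before this point, so the header can still be sent.
header('Location: index.php');
exit;
```

With error reporting enabled this way, a failed connection, a wrong column name or a missing privilege raises an exception that lands in the PHP error log rather than passing unnoticed.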