1

I am trying to work on a contact form with PHP, HTML and MYSQL. Everything works except for the radiobuttons. When i select the button 'male' it doesnt show that in the database. I tried to specify the radiobuttons with an ID, unfortunately that did not worked out for me. Could you guys help me with this? Thanks!

HTML

<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Contact formulier</title>
</head>

<body>
<fieldset>
<legend>Contact Form</legend>
<form name="frmContact" method="post" action="contact.php">
<p>
<label for="Name">Name </label>
<input type="text" name="txtName" id="txtName">
</p>
<p>
    <input type="radio" name="gender" value="Male">Male</br>
    <input type="radio" name="gender" value="Female">Female
</p>
<p>
<label for="phone">Phone</label>
<input type="text" name="txtPhone" id="txtPhone">
</p>
<p>
<label for="message">Message</label>
<textarea name="txtMessage" id="txtMessage"></textarea>
</p>
<p>&nbsp;</p>
<p>
<input type="submit" name="Submit" id="Submit" value="Submit">
</p>
</form>
</fieldset>
</body>
</html> ```

PHP

// database connection code
// $con = mysqli_connect('localhost', 'database_user', 'database_password','database');

$con = mysqli_connect('localhost', 'root', '','db_connect');

// get the post records
$txtName = $_POST['txtName'];
$gender = $_POST['gender'];
$txtPhone = $_POST['txtPhone'];
$txtMessage = $_POST['txtMessage'];

// database insert SQL code
$sql = "INSERT INTO `tbl_contact` (`Id`, `fldName`, 'gender', `fldPhone`, `fldMessage`) VALUES ('0', '$txtName', '$gender', '$txtPhone', '$txtMessage')";

// insert in database 
$rs = mysqli_query($con, $sql);

if($rs)
{
    echo "Contact Records Inserted";
}else{
  echo "Contact records failed";
}

?> ```
Cplay
  • 29
  • 1
  • 1
    **Warning:** Your code is vulnerable to SQL Injection attacks. You should use parameterised queries and prepared statements to help prevent attackers from compromising your database by using malicious input values. http://bobby-tables.com gives an explanation of the risks, as well as some examples of how to write your queries safely using PHP / mysqli. **Never** insert unsanitised data directly into your SQL. The way your code is written now, someone could easily steal, incorrectly change, or even delete your data. – ADyson Jul 28 '21 at 20:14
  • 1
    https://phpdelusions.net/mysqli also contains good examples of writing safe SQL using mysqli. See also the [mysqli documentation](https://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php) and this: [How can I prevent SQL injection in PHP?](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) . Parameterising your queries will also greatly reduce the risk of accidental syntax errors as a result of un-escaped or incorrectly quoted input values. – ADyson Jul 28 '21 at 20:14
  • 1
    Also, never configure your web app to login to the database as root. Root can do whatever it likes, so on top of the SQL injection vulnerabilities this just leaves your database an open book for hackers. Instead create a separate user account specifically for this application which has only the permissions it actually _needs_ in order to work properly. Don't even use the root account as a shortcut during development or testing, because you need to test your account permissions as well - otherwise when you go live you might have unexpected errors relating to the user account setup. – ADyson Jul 28 '21 at 20:14
  • 1
    Anyway there is nothing in your code which suggests that it would not save the "gender" value specifically. You might have other problems - due to the lack of parameters, and the fact you're inserting the same ID value (0) every time, but I can't see anything specifically which would prevent the gender value from being submitted and saved. Are you getting any errors? Have you actually enabled error reporting (both for PHP and mysqli) - see [How to get the actual mysqli error](https://stackoverflow.com/questions/22662488/mysqli-fetch-assoc-expects-parameter-call-to-a-member-function-bind-param) – ADyson Jul 28 '21 at 20:18

1 Answers1

0

Your should change the quotation mark from ' to `

// database insert SQL code
$sql = "INSERT INTO `tbl_contact` (`Id`, `fldName`, `gender`, `fldPhone`, `fldMessage`) VALUES ('0', '$txtName', '$gender', '$txtPhone', '$txtMessage')";

Or you can completely leave them:

// database insert SQL code
$sql = "INSERT INTO tbl_contact (Id, fldName, gender, fldPhone, fldMessage) VALUES ('0', '$txtName', '$gender', '$txtPhone', '$txtMessage')";
Zoltan
  • 21
  • 3