-3

I'm a beginner in PHP and MySQL and I want to add values that come from an input in HTML, to a MySQL database.

I found some things on the Internet, but they don't work, so I tried to learn a little more PHP, but I still don't understand why the condition in the code below is not valid:

<!DOCTYPE html>
<html>
<head>
    <link rel="stylesheet" type="text/css" href="style.css">
    <meta charset="utf-8">
    <title>SHAR-APP</title>
</head>
<body>
    <div class='div1'>
        <div class='div2'>
            <label for="name">Name of the user:</label>

            <input class ='in'type="text" id="name" name="name" size="20">
        </div>

        <div class='div2'>
            <label class = 'label' for="name">Code:</label>

            <input class='in' id ='code' type="text" name="code" size="20">
            
        </div>
        <div class="div2" id='b'>
            <input type="submit" value="send" class='button'>
            
        </div>

        
    </div>
    <?php
        echo "test1";
        if (isset($_POST['name'])) {
            echo "test2";
            $mtsqli = mysqli_connect('localhost','the_name_of_my_project','my_password');
            mysqli_select_db('project_database', $msqli);
            $requete = 'INSERT INTO the_name_of_the_database's_table VALUES(NULL,"' . $_POST['name'] . '","' . $_POST['code'] . '")';
            $query = "SELECT * FROM the_name_of_the_database's_table";
            echo $_POST['name'];
            echo "test3";
        }
    ?>
    
</body>
</html>

I've been on this for 3 days and I'm really blocked. Maybe I have other mistakes in the PHP code. If I can do that with another language, I prefer to stay on PHP because I don't want to learn too many languages. If I can do a bridge between HTML and MySQL with Python or JavaScript, I'm OK to know that.

THIS PART IS GOOD, but another problem has come up ... when I want to connect to my database, this error message is displayed:

C:\Users\titou>set PATH=$PATH$;C:\Program Files\MySQL\MySQL Server 8.0\bin

C:\Users\titou>mysql -h localhost -u root -p
Enter password: **********
ERROR 1045 (28000): Accès refusé pour l'utilisateur: 'root'@'@localhost' (mot de passe: OUI)

It's in French, but you can see that there are two @ instead of one ('root'@'localhost')

titoo
  • You never ever execute the sql statements... And you are using string interpolation to construct the sql statements leaving your page vulnerable to sql injection attacks once you do execute the sql statements. – Shadow Aug 16 '21 at 14:15
  • @Shadow Sorry, I'm a beginner ... I don't want to make a protected page, just something like an exercise ... but if you have the time you can explain that to me! I really want to understand! – titoo Aug 16 '21 at 14:20
  • I know that I can't leave that code in my HTML page because other people can see it, but I'm not a professional and I have thought of putting this code into another file in a protected folder on the server. But like I said, I'm a beginner, so don't say I'm bad ... because I already know that. Sorry for the bad English, because I'm French – titoo Aug 16 '21 at 14:27
  • You may be a bit over your head here, @titoo. You aren't even submitting the queries identified by `$requete` and `$query`, and there can be a number of other reasons nothing would work, even if you did submit those queries -- there may be no `POST`'ed data, there may be no MySQL server listening on localhost, the password may be wrong, or the database or table name or layout are. You are not giving us much to go by here. – Armen Michaeli Aug 16 '21 at 14:28
  • Sorry, but I don't understand ... what won't work here? – titoo Aug 16 '21 at 16:00
  • **Warning:** You are wide open to [SQL Injections](https://php.net/manual/en/security.database.sql-injection.php) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/5741187) – Dharman Aug 16 '21 at 17:20

2 Answers

0

First you need to add a Form Method

<form action="" method="POST">
    <div class='div2'>
        <label for="name">Name of the user:</label>

        <input class='in' type="text" id="name" name="name" size="20">
    </div>

    <div class='div2'>
        <label class='label' for="code">Code:</label>

        <input class='in' id='code' type="text" name="code" size="20">
    </div>
    <div class="div2" id='b'>
        <input type="submit" value="send" class='button'>
    </div>
</form>

The `<form>` is some kind of class that tells the browser to expect inputs and then, on the button click, to treat them. The Action="" is for initializing where to treat the given inputs. In your case, since your PHP code is in the same class as the form, you can leave it blank; either way, you should initialize the path you want to send the data to. The Method="POST" is just a method for treating your data on the web. It is also more secure than the GET method, which works too but is more sensitive, since all the data from the inputs is also going to be exposed in the URL.

Furthermore, I hope you have already installed XAMPP and already created a database in MySQL.

Leo Ramadani
  • OK, thank you, but I have tried the form and it changes the style of my inputs and makes all of them the same size ... how can I fix that? – titoo Aug 16 '21 at 14:30
  • and I have wamp for the server and yes my mysql database and my database's table have been created before – titoo Aug 16 '21 at 14:32
  • Also you have to give your button a name since the whole action is going to happen when the button is pressed. So let's say it's called "btn_Send". Now your php code should be like: **if (isset($_POST['btn_Send']))**. – Leo Ramadani Aug 16 '21 at 14:32
  • You can style that in your style.css class with `form #inputID { width:70% ; font-size:15px; }` – Leo Ramadani Aug 16 '21 at 14:34
  • I just want to remove all the css style for the form because they have the priority on my css for the input – titoo Aug 16 '21 at 14:40
  • You can add the same style for every input or button or label or anything in form too, just use the prefix **form** in front of your element and that's it. Btw, is your php code working now? – Leo Ramadani Aug 16 '21 at 14:45
  • Yes, but my MySQL doesn't. I have tried to connect to my database with PHP and with the terminal, but there is a password error ... `Accès refusé pour l'utilisateur: 'root'@'@localhost'` It's in French, but you can see that there are two @ instead of one ... – titoo Aug 16 '21 at 15:17
  • this must be that 'root'@'localhost' – titoo Aug 16 '21 at 15:18
  • [link](https://www.w3schools.com/php/php_mysql_connect.asp) Try this link to get your connection string correctly. – Leo Ramadani Aug 17 '21 at 07:06
-3

Add the form attribute to your form and in it add a method and an action. Method is needed to tell the form to post, and action is needed to tell the form what to do when you submit.

<!DOCTYPE html>
<html>
<head>
    <link rel="stylesheet" type="text/css" href="style.css">
    <meta charset="utf-8">
    <title>SHAR-APP</title>
</head>
<body>
    <form method="post" action="">
    <div class='div1'>
        <div class='div2'>
            <label for="name">Name of the user:</label>

            <input class='in' type="text" id="name" name="name" size="20">
        </div>

        <div class='div2'>
            <label class='label' for="code">Code:</label>

            <input class='in' id='code' type="text" name="code" size="20">
        </div>
        <div class="div2" id='b'>
            <input type="submit" value="send" class='button'>
        </div>
    </div>
    </form>
    <?php
        if (isset($_POST['name'])) {
            // $dbhost, $dbuser, $dbpass and $dbname must hold your own connection settings
            $db = mysqli_connect($dbhost, $dbuser, $dbpass, $dbname);
            // The table name below is a placeholder: put your real table name here
            $requete = 'INSERT INTO the_name_of_the_database's_table VALUES(NULL,"' . $_POST['name'] . '","' . $_POST['code'] . '")';
            mysqli_query($db, $requete);
            $query = "SELECT * FROM the_name_of_the_database's_table";
            $Data = mysqli_query($db, $query);
            var_dump($Data);
        }
    ?>
    
</body>
</html>

Now an important thing to note, never use this in a live website as it would open up your website to SQL injection. You should use prepared statements instead, but for learning purposes, this is fine.

Mr Dany
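
The prepared-statement version of this insert, which the answer and the comments recommend, written here as an added example that is not part of the original post or the answerer's code. The table `users` with columns `name` and `code`, the function `save_user`, and the connection values are hypothetical placeholders; a running MySQL server with that table is assumed.

```php
<?php
// Added example, not code from the question or the answers.
// Assumed table (hypothetical name and columns):
//   CREATE TABLE users (id INT AUTO_INCREMENT PRIMARY KEY,
//                       name VARCHAR(100), code VARCHAR(100));
// Host, user, password and database below are placeholders.

// Make mysqli throw exceptions instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function save_user(mysqli $db, string $name, string $code): int
{
    // The values for the ? markers are sent separately from the SQL
    // text, so they are always treated as data and never parsed as SQL.
    $stmt = $db->prepare('INSERT INTO users (name, code) VALUES (?, ?)');
    $stmt->bind_param('ss', $name, $code);   // 's' = string, one per ?
    $stmt->execute();
    $id = (int) $db->insert_id;
    $stmt->close();
    return $id;
}

$name = $_POST['name'] ?? null;
$code = $_POST['code'] ?? null;

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    // Reject missing fields, arrays (name[]=...) and oversized values.
    if (!is_string($name) || !is_string($code)
        || $name === '' || strlen($name) > 100 || strlen($code) > 100) {
        http_response_code(400);
        exit('Invalid input');
    }
    try {
        $db = new mysqli('localhost', 'app_user', 'app_password', 'project_database');
        $db->set_charset('utf8mb4');
        $id = save_user($db, $name, $code);
        // Escape before echoing user input back into the HTML page.
        echo 'Saved row ', $id, ' for ',
             htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    } catch (mysqli_sql_exception $e) {
        error_log($e->getMessage());          // details go to the server log
        http_response_code(500);
        echo 'Database error';
    }
}
```

A name containing quote characters, which would break the concatenated query string shown above, is stored unchanged by this version because it never becomes part of the SQL text.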