
I am working with PHP and MySQL as well. I have the following create.php page and need to save data to a MySQL table.

<?php
include "config.php";

if(isset($_POST['submit'])) {
    $first_name = $_POST['firstname'];
    $last_name = $_POST['lastname'];
    $email = $_POST['email'];
    $password = $_POST['password'];
    $gender = $_POST['gender'];
}

$sql = "INSERT INTO 'users' ('firstname','lastname','email','password','gender') VALUES ('$first_name','$last_name','$email','$password','$gender')"; // this is line 12

$result = $conn->query($sql);

if($result == TRUE) {
    echo "New record has created successfully";
} 
else {
    echo "error:" . $sql . "<br>". $conn->error;
}

$conn->close();


?>

but I got the following error message:

Undefined variable: first_name in C:\wamp64\www\simple\create.php on line 12 <br> error:INSERT INTO 'users' ('firstname','lastname','email','password','gender') VALUES ('','','','','') You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''users' ('firstname','lastname','email','password','gender') VALUES ('','','',''' at line 1

How do I fix this?

RiggsFolly
Okurawa
  • Read up on when to use single quotes and backticks in MySQL – brombeer Mar 13 '22 at 11:25
  • Your script is open to [SQL Injection Attack](http://stackoverflow.com/questions/60174). Even [if you are escaping inputs, it's not safe!](http://stackoverflow.com/questions/5741187) You should always use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) in either the `MYSQLI_` or `PDO` APIs instead of concatenating user provided values into the query. Never trust ANY user input! – RiggsFolly Mar 13 '22 at 11:28
  • **Warning!** Never store passwords in plain text! You should only store password hashes generated using [password_hash()](https://www.php.net/manual/en/function.password-hash.php) and to verify a password against a hash, use [password_verify()](https://www.php.net/manual/en/function.password-verify.php). – M. Eriksson Mar 13 '22 at 11:28
  • You shouldn't have single quotes round the field/table names - use backticks if required to. – Nigel Ren Mar 13 '22 at 11:29
  • [When to use single quotes, double quotes, and backticks in MySQL](https://stackoverflow.com/questions/11321491/when-to-use-single-quotes-double-quotes-and-backticks-in-mysql) – M. Eriksson Mar 13 '22 at 11:32
  • SO where/how do you redirect to this page? Or is the HTML in the same page – RiggsFolly Mar 13 '22 at 11:38

1 Answer

You need to put the whole code logic inside the if(isset($_POST['submit'])) condition.

What's happening right now is: if there is no $_POST['submit'], your if won't run, thus no variables are declared, but your SQL and the rest of the code will still run, and that's why it says the variable is not defined.

if(isset($_POST['submit'])) { ... }

Coming to the next issue, which is the use of backticks: you really shouldn't have single quotes around the field names. You can use backticks (`) for table and column names, and single quotes (') for strings. There is already an answer for it: When to use single quotes, double quotes, and backticks in MySQL

Tushar Gupta
  • That won't fix the mysql error though – brombeer Mar 13 '22 at 11:28
  • yes while I was editing, SO gave me a maintenance error and the site was not accessible. I have updated it, yet the site sometimes won't load. I hope the changes are reflected to everyone – Tushar Gupta Mar 13 '22 at 11:36
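Putting the answer and the comments together, here is a corrected create.php as an added example (not the asker's or the answerer's code): all database work sits inside the submit check, identifiers use backticks, values are bound through a mysqli prepared statement, and the password is stored as a hash. It assumes, as in the question, that config.php defines $conn as a mysqli connection and that the `users` table has those five columns.

```php
<?php
// Added example, not the original page's code. Assumes config.php creates $conn (mysqli).
include "config.php";

if (!isset($_POST['submit'])) {
    // Page opened without a form submission: do not touch the database at all.
    echo "No form data submitted";
    exit;
}

// Read the fields; "?? ''" avoids "Undefined index" notices for missing fields.
$first_name = $_POST['firstname'] ?? '';
$last_name  = $_POST['lastname']  ?? '';
$email      = $_POST['email']     ?? '';
$password   = $_POST['password']  ?? '';
$gender     = $_POST['gender']    ?? '';

if ($first_name === '' || $email === '' || $password === '') {
    echo "firstname, email and password are required";
    exit;
}

// Never store the plain password; password_verify() checks it at login time.
$password_hash = password_hash($password, PASSWORD_DEFAULT);

// Backticks around identifiers, placeholders for values: user input is never
// concatenated into the SQL text, so it cannot alter the query's structure.
$sql = "INSERT INTO `users` (`firstname`, `lastname`, `email`, `password`, `gender`)
        VALUES (?, ?, ?, ?, ?)";

$stmt = $conn->prepare($sql);
if ($stmt === false) {
    // Log the driver error server-side; do not echo it to the browser.
    error_log("prepare failed: " . $conn->error);
    echo "Could not save the record";
    exit;
}

// Five string parameters, bound in column order.
$stmt->bind_param("sssss", $first_name, $last_name, $email, $password_hash, $gender);

if ($stmt->execute()) {
    echo "New record has been created successfully";
} else {
    error_log("execute failed: " . $stmt->error);
    echo "Could not save the record";
}

$stmt->close();
$conn->close();
```

Echoing $sql and $conn->error to the page, as the original script does, also leaks the query text and table layout to whoever triggers the error, which is why the example logs instead.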