-3

I am trying to create a form which takes input from the user and stores it in a database called patientappointment_db. I created the following form in HTML:

<form id="form1" name="form1" method="post" action="doctor.php">
<label for="EmployeeID">EmployeeID</label><input type="text" name="EmployeeID" id="EmployeeID" />
<br class="clear" /> 
<label for="Name">Name</label><input type="text" name="Name" id="Name" />
<br class="clear" /> 
<label for="Specialty">Specialty</label><input type="text" name="Specialty" id="Specialty" />
<br class="clear" /> 
<label for="Department">Department</label><input type="text" name="Department" id="Department" />
<br class="clear" /> 
<label for="HospitalID">HospitalID</label><input type="text" name="HospitalID" id="HospitalID" />
<br class="clear" /> 
<label for="LicenseNo">LicenseNo</label><input type="text" name="LicenseNo" id="LicenseNo" />
<br class="clear" /> 
<input type="submit" name="submit" id="submit" value="Submit" />
<br class="clear" /> 
</form>

My connect file:

<?php
$servername = "localhost";
$database = "patientappointment_db";
$username = "root";
$password = "";
// Create connection
$conn = mysqli_connect($servername, $username, $password, $database);
// Check connection
if (!$conn) {
    die("Connection failed: " . mysqli_connect_error());
}
echo "Connected successfully";
// Do not close the connection here: doctor.php includes this file and still
// needs $conn. Close it from the script that finishes using it.
?>

Finally, my PHP query:

<?php include 'connect.php';?>


<?php //Post Params 
$EmployeeID = $_POST['EmployeeID'];  
$Name = $_POST['Name'];  
$Specialty = $_POST['Specialty'];  
$Department = $_POST['Department'];  
$HospitalID = $_POST['HospitalID'];  
$LicenseNo = $_POST['LicenseNo'];  

?>

<?php //Query 

 //INSERT 
 $query = " INSERT INTO doctor ( EmployeeID, Name, Specialty, Department, HospitalID, LicenseNo )  VALUES ( '$EmployeeID', '$Name', '$Specialty', '$Department', '$HospitalID', '$LicenseNo' ) "; 
 $result = mysql_query($query); 

 if( $result )
 {
    echo 'Success';
 }
 else
 {
    echo 'Query Failed';
 }

?>

When I hit the submit button, my output is the below HTML code, not the success message, and no value is being entered in the database.

<?php include 'connect.php';?>


<?php //Post Params 
$EmployeeID = $_POST['EmployeeID'];  
$Name = $_POST['Name'];  
$Specialty = $_POST['Specialty'];  
$Department = $_POST['Department'];  
$HospitalID = $_POST['HospitalID'];  
$LicenseNo = $_POST['LicenseNo'];  

?>

<?php //Query 

 //INSERT 
 $query = " INSERT INTO doctor ( EmployeeID, Name, Specialty, Department, HospitalID, LicenseNo )  VALUES ( '$EmployeeID', '$Name', '$Specialty', '$Department', '$HospitalID', '$LicenseNo' ) "; 
 $result = mysql_query($query); 

 if( $result )
 {
    echo 'Success';
 }
 else
 {
    echo 'Query Failed';
 }

?>

I am not sure where my problem is and what to do to solve this error.

raptorzee
  • 151
  • 1
  • 11
  • 3
    _Side note:_ There is no such thing as a "phpmyadmin database". PHPMyAdmin is just a web based management tool for managing MySQL databases. Your application connects directly to MySQL and has nothing to do with PHPMyAdmin. – M. Eriksson Mar 14 '22 at 08:57
  • 2
    If you're just getting started, I would recommend that you rather use [PDO](https://phpdelusions.net/pdo) instead of MySQLi, since it has a cleaner API and has more really useful features. When reading that page, also read the part about protecting against SQL injections (important) – M. Eriksson Mar 14 '22 at 09:01
  • OK, I'll try that. Thanks – raptorzee Mar 14 '22 at 09:02
  • **Warning:** You are wide open to [SQL Injections](https://php.net/manual/en/security.database.sql-injection.php) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/32391315) – Dharman Mar 14 '22 at 11:04

1 Answer

-2

You mix mysql and mysqli functions in your code.

In connect.php you use mysqli functions, and in your insert script doctor.php you call:

$result = mysql_query($query); 

Replace it with:

$result = mysqli_query($query); 

You should really use mysqli because mysql is deprecated.

You also need to escape the data you insert into the database; without that, you are exposed to SQL injection.

Alaindeseine
  • 3,260
  • 1
  • 11
  • 21
  • I'm sorry, I am new to SQL and PHP. If you don't mind, can you show me how it's done in the code? Thanks – raptorzee Mar 14 '22 at 08:59
  • I changed the connect file to this and I am still getting the same result. – raptorzee Mar 14 '22 at 09:03
  • Are you sure your Apache (or nginx) server executes PHP code? If you get PHP code in your browser after validating the HTML form, I guess not. – Alaindeseine Mar 14 '22 at 09:07
  • I think it is. I am not sure – raptorzee Mar 14 '22 at 09:13
  • Just checked. It's connecting. Now I am getting this error: Connected successfully Fatal error: Uncaught Error: Call to undefined function mysql_query() in C:\xampp\htdocs\patientappointment\php\doctor.php:18 Stack trace: #0 {main} thrown in C:\xampp\htdocs\patientappointment\php\doctor.php on line 18 – raptorzee Mar 14 '22 at 09:20
  • 1
    That's what I say in my response: you should replace mysql_query by mysqli_query – Alaindeseine Mar 14 '22 at 09:28
  • change $result = mysql_query($query); to $result = mysqli_query($query); – Isha Mar 14 '22 at 09:54
  • This answer won't work since `mysqli_query()` needs the connection as the first argument. You can't just replace `mysql_` with `mysqli_`. Those are different APIs with different interfaces. – M. Eriksson Mar 14 '22 at 11:01
  • And it's good that you mention SQL injections, but you shouldn't escape the data, you should rather use prepared statements with placeholders, which currently is the best way to protect yourself against SQL injection attacks. – M. Eriksson Mar 14 '22 at 11:08
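The two points raised in the comments above (that `mysqli_query()` takes the connection as its first argument, and that the fix for SQL injection is a prepared statement with placeholders rather than escaping) can be shown together in one version of doctor.php. This is an added example, not code from the question or the answer. It assumes the database name, credentials, table name and column names from the question's connect.php and form; the connection is opened inline so the script does not depend on connect.php closing or not closing `$conn`.

```php
<?php
// doctor.php (added example): mysqli prepared-statement version of the insert.
// Assumes the patientappointment_db database, the doctor table and the
// credentials from the question's connect.php (localhost / root / no password).
declare(strict_types=1);

// Make mysqli throw exceptions instead of silently returning false, so a failed
// prepare/execute cannot be mistaken for a successful insert.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$conn = new mysqli("localhost", "root", "", "patientappointment_db");
$conn->set_charset("utf8mb4");

// Only the fields the form actually sends; anything else in $_POST is ignored.
$fields = ['EmployeeID', 'Name', 'Specialty', 'Department', 'HospitalID', 'LicenseNo'];
$values = [];
foreach ($fields as $field) {
    // Edge case: a missing or empty field rejects the request instead of
    // inserting a row of blanks (the original code would insert '' silently).
    if (!isset($_POST[$field]) || trim((string) $_POST[$field]) === '') {
        http_response_code(400);
        exit('Missing field: ' . htmlspecialchars($field, ENT_QUOTES, 'UTF-8'));
    }
    $values[$field] = trim((string) $_POST[$field]);
}

// Placeholders (?) keep user input out of the SQL text entirely: a name such as
// O'Brien is sent to MySQL as a parameter value and is never parsed as SQL,
// which is what the comments recommend instead of escaping.
$sql = "INSERT INTO doctor (EmployeeID, Name, Specialty, Department, HospitalID, LicenseNo)
        VALUES (?, ?, ?, ?, ?, ?)";

try {
    $stmt = $conn->prepare($sql);
    // 'ssssss': six string parameters, bound by reference to the trimmed values.
    $stmt->bind_param(
        'ssssss',
        $values['EmployeeID'],
        $values['Name'],
        $values['Specialty'],
        $values['Department'],
        $values['HospitalID'],
        $values['LicenseNo']
    );
    $stmt->execute();
    echo 'Success: ' . $stmt->affected_rows . ' row inserted';
    $stmt->close();
} catch (mysqli_sql_exception $e) {
    // Log the real database error server-side; the browser gets only a generic
    // message so table and column names are not leaked to the client.
    error_log('doctor insert failed: ' . $e->getMessage());
    http_response_code(500);
    echo 'Query Failed';
} finally {
    // Close here, in the script that finished using the connection.
    $conn->close();
}
```

The same structure applies if you follow the PDO suggestion from the question's comments: `$pdo->prepare($sql)` followed by `$stmt->execute(array_values($values))`, with the query text unchanged. Either way the user-supplied strings travel separately from the SQL, which is the property that escaping alone does not guarantee.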