0

I am unable to add values from input boxes to a database I created manually. My index form is below.

    <!DOCTYPE html>
    <header>
    </header>
    <body>
    <form action="includes/signup.inc.php" method="POST">
        <input type="text" name="inputName" placeholder="First Name">
        <br>
        <input type="text" name="inputLastname" placeholder="Last Name">
        <br>
        <input type="text" name="inputGender" placeholder="Gender">
        <br>
        <button type="submit" name="submit"> Sign up </button>
    </form>
    </body>

I have a signup.inc.php file inside an "includes" folder where the heavy lifting is supposed to occur. See below.

    <?php
        require_once 'dbh.inc.php';

        /* Variables from input form for SQL */
        $inputName = $_POST['inputName'];
        $inputLastname = $_POST['inputLastname'];
        $inputGender = $_POST['inputGender'];

        /* Using said variables from form to insert into SQL database */
        $sql = "INSERT INTO tbl_users (first_name, last_name, gender) 
                VALUES ('$inputName,' '$inputLastname', '$inputGender');";
        mysqli_query($conn, $sql);

        /* If this page runs successfully, URL bar should have success */
        header("location: ../index.php?signup=success");
    ?>

From what I understand, I created the variables and slotted them into my SQL statement, pulling values from the form, as seen below. $conn is a variable from dbh.inc.php that is the connection between my PHP project and the database.

The error below is what I get:

Fatal error: Uncaught mysqli_sql_exception: Column count doesn't match value count at row 1 in G:\xampp\htdocs\phptutorial\includes\signup.inc.php:10 Stack trace: #0 G:\xampp\htdocs\phptutorial\includes\signup.inc.php(10): mysqli_query(Object(mysqli), 'INSERT INTO tbl...') #1 {main} thrown in G:\xampp\htdocs\phptutorial\includes\signup.inc.php on line 10

I tried removing or altering where DBH was being pulled from, and the error changes, so I know I'm pulling information from the right file. My database only has users_id, which is Auto Increment, so I doubt that could be an issue.

Arleigh Hix
Anthony
  • There is a problem in your $sql variable, the closing single quote for $inputName is after the comma. – Sergio Rinaudo Mar 31 '22 at 12:52
  • 1
    **Warning:** Your code is vulnerable to SQL Injection attacks. You should use parameterised queries and prepared statements to help prevent attackers from compromising your database by using malicious input values. http://bobby-tables.com gives an explanation of the risks, as well as some examples of how to write your queries safely using PHP / mysqli. **Never** insert unsanitised data directly into your SQL. The way your code is written now, someone could easily steal, incorrectly change, or even delete your data. – ADyson Mar 31 '22 at 12:53
  • https://phpdelusions.net/mysqli also contains good examples of writing safe SQL using mysqli. See also the [mysqli documentation](https://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php) and this: [How can I prevent SQL injection in PHP?](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) . Parameterising your queries will also greatly reduce the risk of accidental syntax errors as a result of un-escaped or incorrectly quoted input values. If you learnt your current technique from a tutorial or book, please don't use it again. – ADyson Mar 31 '22 at 12:53
  • 2
    very very bad idea putting your user input directly into your query. – Phaelax z Mar 31 '22 at 12:53
  • 1
    Right now even a simple `'` in one of the input fields (`Mr O'Brien`, anyone?) will crash your SQL query! And that's before we even start talking about the SQL injection security problem. Also if you'd written the query properly using parameters it would have been impossible to make the specific typo (`,' ` instead of `', `) that you've committed in this case, because you wouldn't have the SQL string littered with unnecessary quote marks. Instead your SQL would simply read `INSERT INTO tbl_users (first_name, last_name, gender) VALUES (?,?,?)` and the variables would be passed in the param list – ADyson Mar 31 '22 at 12:54
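
The prepared-statement approach the comments above recommend, as an added example (not code from the question or its answer): a version of `includes/signup.inc.php` that assumes `dbh.inc.php` provides `$conn` as a mysqli connection, as in the question. The 100-byte length limit and the `signup=invalid` / `signup=error` redirect values are assumptions made for illustration.

```php
<?php
// Added example: includes/signup.inc.php rewritten with a mysqli prepared statement.
// Assumes dbh.inc.php defines $conn as a mysqli connection, as in the question.
require_once 'dbh.inc.php';

// Make mysqli throw exceptions on errors (already the default since PHP 8.1).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Only handle real form posts.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    header('Location: ../index.php');
    exit;
}

// Read each field as a trimmed string; a missing or non-string field becomes ''.
$fields = [];
foreach (['inputName', 'inputLastname', 'inputGender'] as $key) {
    $value = $_POST[$key] ?? '';
    $fields[$key] = is_string($value) ? trim($value) : '';
}

// Reject empty or over-long values. The 100-byte limit is an assumed column
// size; match it to the real tbl_users definition.
foreach ($fields as $value) {
    if ($value === '' || strlen($value) > 100) {
        header('Location: ../index.php?signup=invalid'); // hypothetical status value
        exit;
    }
}

try {
    // The SQL text is a constant: the ? placeholders carry no quotes, so input
    // such as O'Brien is sent as data and is never parsed as SQL.
    $stmt = $conn->prepare(
        'INSERT INTO tbl_users (first_name, last_name, gender) VALUES (?, ?, ?)'
    );
    $stmt->bind_param('sss', $fields['inputName'], $fields['inputLastname'], $fields['inputGender']);
    $stmt->execute();
    $stmt->close();
} catch (mysqli_sql_exception $e) {
    // Log the detail server-side; do not show SQL errors or file paths to the visitor.
    error_log('signup insert failed: ' . $e->getMessage());
    header('Location: ../index.php?signup=error'); // hypothetical status value
    exit;
}

header('Location: ../index.php?signup=success');
exit;
```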

1 Answer

-1

You have an error with your SQL query. Always use "." when you are adding custom PHP values. Try using

    $sql = "INSERT INTO tbl_users (first_name, last_name, gender) 
            VALUES('" . $inputName. "','" . $inputLastname. "','" . $inputGender. "');";

instead of

    $sql = "INSERT INTO tbl_users (first_name, last_name, gender) 
            VALUES ('$inputName,' '$inputLastname', '$inputGender');";

Hishan_98