I wrote an HTML file which requests some information from the user and sends it to another PHP file. The PHP file establishes the connection to the database and inserts the values into the database.
My database name = testdb
table name = table1
I did some testing on both files by calling an alert message; the alert message was able to display in the HTML file. It seems like the request from the HTML file can't be sent to the PHP file, so the code for inserting data into the database can't execute.

My HTML form is shown below

<form id="firstPrize" method="POST" action="firstPrize.php">

<label> Number 1</label>
<input type="text" name="num1"><br>
<label> Number 2</label>
<input type="text" name="num2"><br>
<label> Number 3</label>
<input type="text" name="num3"><br>
<label> Number 4</label>
<input type="text" name="num4"><br><br><Br>
<input type="button" value="enter" name="btnSubmit" onclick="show()">

</form> 

firstPrize.php sample code

 <?php

   $host = "localhost";
   $user =  "root";
   $password = "";
   mysql_connect($host,$user,$password);
   mysql_select_db("testdb") or die(mysql_error());
   Session_Start();
   echo("yeah");
   if(isset($_POST["btnSubmit"]))
   {
      $num1 = $_POST["num1"];
      $num2 = $_POST["num2"];
      $num3 = $_POST["num3"];
      $num4 = $_POST["num4"];

      mysql_query("insert into table1(num1,num2,num3,num4) values ('num1','num2','num3','num4')");
?>
15
  • 1
    You're missing a closing curly bracket. I'm not sure if that's related, but it could be throwing a syntax error. Commented Aug 4, 2016 at 14:56
  • 1
    You're just ASSUMING that the query is succeeding. BAD assumption. Never assume success; always assume failure and treat success as a pleasant surprise: mysql_query(...) or die(mysql_error()). And you're vulnerable to SQL injection attacks as well. Commented Aug 4, 2016 at 14:56
  • 1
    You forgot to close your IF statement. Commented Aug 4, 2016 at 14:58
  • 1
    Plus, ('num1','num2','num3','num4') you're literally entering those string values rather than the variables for the POST arrays. Commented Aug 4, 2016 at 15:00
  • 2
    @Fred-ii- at least that way it's not an SQL injection vulnerability! :-) Commented Aug 4, 2016 at 15:05

5 Answers

1

First, your query is open to SQL injection. Use a MySQLi prepared statement:

    $servername = "localhost";
    $username = "root";
    $password = "";
    $dbname = "testdb";

    // Create connection
    $conn = new mysqli($servername, $username, $password, $dbname);

    if(isset($_POST["btnSubmit"]))
    {
        $num1 = $_POST["num1"];
        $num2 = $_POST["num2"];
        $num3 = $_POST["num3"];
        $num4 = $_POST["num4"];

        // prepare and bind (the statement handle must be the same variable in both calls)
        $stmt = $conn->prepare("INSERT INTO table1 (num1, num2, num3, num4) VALUES (?, ?, ?, ?)");
        $stmt->bind_param("ssss", $num1, $num2, $num3, $num4);

        // execute the statement; without this call nothing is inserted
        $stmt->execute();
    }

This function binds the parameters to the SQL query and tells the database what the parameters are. The "ssss" argument lists the types of the parameters. The s character tells MySQL that the parameter is a string.

The argument may be one of four types:

i - integer
d - double
s - string

Second, your if statement is missing a closing bracket }.

Third, your variable $num1 is never used. You use num1, num2, but you are missing the '$'.


4 Comments

Noble, yet you didn't outline what was wrong with their code to start with.
You also have only 3x ? with 4 binds.
You mention PDO but you show code using mysqli. Okay, now you've edited to correct it.
I tested your code; it's also not working. It's a bit similar to @Nana Partykar's solution.
1

First, your if statement is missing a closing }.

Second, your SQL query is not inserting the variables you've set above. You've got variables like $num1, but then you are inserting the value just 'num' in your SQL insert. You have to change 'num1', 'num2'... to '$num1', '$num2'...

Third, please do some research on PHP Data Objects (PDO) or MYSQLi (reference links at bottom of post). mysql_ is deprecated and completely vulnerable to malicious injection.

Edit: In addition, please see fred -ii-'s comments below for some sound advice on better INSERT queries. It's safe practice to verify that the values are of the type you're expecting prior to running them against your database.

fred -ii- says:

What if one of those values happens to contain an injection such as '123?

[Use]... (int)$_POST["num1"] and check to see firsthand if the input entered is an integer. There are a few functions that will do that.


Use error reporting and error checking against your query during testing and assuming that you are able to use the MySQL_ API.

References:

Otherwise, you will need to resort to either using the MySQLi_ or PDO API.

References:

7 Comments

What if one of those values happens to contain an injection such as '123?
@Fred-ii- Quite honestly, it didn't seem like injection was a concern. And if it were, I've included links to both PDO and MYSQLi.
It's best to inform them of that (potential error/injection), since they may not know about it ;-)
@Fred-ii- Would you suggest splitting the string like so: "... VALUES ('".$num1."', '".$num2."' ...? I haven't done PHP in quite a few years.
More like (int)$_POST["num1"] and checking to see firsthand if the input entered is an integer. There are a few functions that will do that.
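Putting the advice of the first two answers together (prepared statement with bound parameters, plus checking up front that each value is really an integer, as fred -ii- suggests with the (int) cast), here is an added, complete firstPrize.php. It is example code written for this page, not code from the question or any answer. It assumes the page's database testdb, table table1 with integer columns num1..num4, and the local test credentials from the question; it tests $_SERVER['REQUEST_METHOD'] instead of isset($_POST["btnSubmit"]) because a submit button's name is only posted when that button itself triggered the submission.

```php
<?php
// Added example (not from the question or any answer): a hardened firstPrize.php
// that validates the four inputs as integers before binding them to a prepared
// statement. Assumes the page's database "testdb" and table "table1" with
// integer columns num1..num4; the credentials are the page's local test values.
declare(strict_types=1);

// Reject the whole request unless every field is a plain integer.
// Returns the four values as ints, or null (with $error set) on any bad input.
function validate_numbers(array $post, ?string &$error = null): ?array
{
    $values = [];
    foreach (['num1', 'num2', 'num3', 'num4'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            $error = "missing field $field";
            return null;
        }
        // FILTER_VALIDATE_INT rejects inputs such as "'123", "12abc", "" and "1.5".
        $n = filter_var(trim($post[$field]), FILTER_VALIDATE_INT);
        if ($n === false) {
            $error = "field $field is not an integer";
            return null;
        }
        $values[] = $n;
    }
    return $values;
}

// Insert one row with a prepared statement; returns the number of rows inserted.
function insert_numbers(mysqli $db, array $nums): int
{
    $stmt = $db->prepare(
        'INSERT INTO table1 (num1, num2, num3, num4) VALUES (?, ?, ?, ?)'
    );
    // "iiii": every placeholder is bound as an integer. The values travel
    // separately from the SQL text, so user input can never change the query.
    $stmt->bind_param('iiii', $nums[0], $nums[1], $nums[2], $nums[3]);
    $stmt->execute();
    $rows = $stmt->affected_rows;
    $stmt->close();
    return $rows;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    session_start();
    // Make mysqli throw mysqli_sql_exception instead of silently returning false.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

    $nums = validate_numbers($_POST, $error);
    if ($nums === null) {
        http_response_code(400);
        exit('Rejected: ' . htmlspecialchars($error, ENT_QUOTES, 'UTF-8'));
    }

    try {
        $db = new mysqli('localhost', 'root', '', 'testdb');
        $rows = insert_numbers($db, $nums);
        echo "Inserted $rows row(s)";
    } catch (mysqli_sql_exception $e) {
        // Log the real cause server-side; never echo driver errors to the browser.
        error_log('firstPrize.php: ' . $e->getMessage());
        http_response_code(500);
        exit('Database error');
    }
}
```

Two design points: the integer check happens before any database work, so a value like '123 is rejected with a 400 and never reaches the driver at all, and the exception mode replaces the `or die(mysql_error())` pattern from the comments with a message that goes to the server log instead of to the user.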
1

Change your query to:

mysql_query("insert into table1(`num1`,`num2`,`num3`,`num4`) values ('".$num1."','".$num2."','".$num3."','".$num4."')");

followed by the closing bracket ( } ) for your if statement.

8 Comments

What if one of those values happens to contain an injection such as '123?
You are right @Fred-ii-, but that wasn't the question.
Sure I'll agree. However, if the OP doesn't know about that, then they might not be a happy camper, if and when it ever happens to them ;-)
Indeed, but one thing at the time! ;) I don't want to scare the OP!
Rather scare them now instead for them to be scared "to death" later ;-) "Where's my database???!!" lol
0
<?php
   session_start();
   // always start your session before any other code

   $host = "localhost";
   $user =  "root";
   $password = "";
   mysql_connect($host,$user,$password);
   mysql_select_db("testdb") or die(mysql_error());


   if(isset($_POST["btnSubmit"]))
   {
      $num1 = mysql_real_escape_string($_POST["num1"]);
      $num2 = mysql_real_escape_string($_POST["num2"]);
      $num3 = mysql_real_escape_string($_POST["num3"]);
      $num4 = mysql_real_escape_string($_POST["num4"]);

      // mysql isn't the safest way to put your code out; however, if you do, escape it. You may be better off using prepared statements, but that's up to you, I am just fixing this code

      mysql_query("insert into table1(num1,num2,num3,num4) 
                   values ('$num1','$num2','$num3','$num4')");

    }
?>

I made a few tweaks to your code and this should do it. Note my additional comments in the code, including the proper escaping of your variables, because of the injection danger. It's not my place to judge you on your code, but you would be better off using prepared statements.

This is a very good topic on this here on Stack; I suggest you read it: How can I prevent SQL injection in PHP?

2 Comments

As I said in my comments and in my text, he is better off simply using prepared statements, but the Q is not asking for that; he asks why his code ain't working.
0

As you clearly mentioned in your question,

" I had do some testing on both file by calling an alert message, the alert messages was able to display in the html file, it's seen like the request from the html file cant send to the php file ,so the code for inserting data to database can't execute ~@Heart Break KID "

For That,

1) Change

<input type="button" value="enter" name="btnSubmit" onclick="show()">

To

<input type="submit" value="enter" name="btnSubmit" onclick="show()">

Here, type='submit' is required to submit the form data.

2) The closing curly bracket is missing. Close the if condition.

if(isset($_POST["btnSubmit"]))
{
    // Your query.
}

Now, data will go to next page. But, read this question How can I prevent SQL-injection in PHP?

The mysql extension is deprecated and will be removed in the future: use mysqli or PDO instead

UPDATED CODE (using mysqli)

Html form

<form id="firstPrize" method="POST" action="firstPrize.php">
  <label> Number 1</label>
  <input type="text" name="num1"><br>
  <label> Number 2</label>
  <input type="text" name="num2"><br>
  <label> Number 3</label>
  <input type="text" name="num3"><br>
  <label> Number 4</label>
  <input type="text" name="num4"><br><br><Br>
  <input type="submit" value="enter" name="btnSubmit" onclick="show()">
</form> 

firstPrize.php

<?php
$host = "localhost";
$user =  "root";
$password = "";
$connect = mysqli_connect($host, $user, $password, "testdb");
session_start();

if(isset($_POST["btnSubmit"]))
{
  $num1 = $_POST["num1"];
  $num2 = $_POST["num2"];
  $num3 = $_POST["num3"];
  $num4 = $_POST["num4"];

  $stmt = mysqli_prepare($connect, "INSERT INTO table1(num1,num2,num3,num4) VALUES (?, ?, ?, ?)");
  mysqli_stmt_bind_param($stmt, 'ssss', $num1, $num2, $num3, $num4);

  $query123 = mysqli_stmt_execute($stmt);
}
?>

3 Comments

Hi, I tested your solution, but the alert message in my PHP code is still not able to display.
Is the data saving or not, @HeartBreakKID? Because previously it was not saving.
Yes, the data is still not saving. I'll try to move to a Windows environment and test it out, because the current testing environment is Ubuntu; not sure if it is an installation problem of LAMP.
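The question and the last comments describe two separate symptoms: the request "can't reach" the PHP file, and after the button fix the row still does not appear. The added script below (written for this page, not part of the question or any answer) separates those causes: it reports whether the form was actually POSTed, which expected fields are missing, whether the btnSubmit name arrived at all, whether the mysqli extension is loaded, and whether table1 exists in testdb. The field names, button name, credentials and table name are the ones from the page; everything else is an assumption of this example.

```php
<?php
// Added diagnostic (not from the question or any answer) for the symptoms in the
// question: "the request can't reach the PHP file" and "data still not saving".
// Assumes the page's field names num1..num4 and the button name btnSubmit.
declare(strict_types=1);

// Pure check on the request itself; returns a list of human-readable findings.
function diagnose_post(string $method, array $post): array
{
    $findings = [];
    if ($method !== 'POST') {
        // An <input type="button"> never submits the form, so if the PHP file is
        // reached at all it is with GET and an empty $_POST.
        $findings[] = "request method is $method, not POST: the form was never submitted";
        return $findings;
    }
    foreach (['num1', 'num2', 'num3', 'num4'] as $field) {
        if (!array_key_exists($field, $post)) {
            $findings[] = "field $field is absent from the POST body";
        }
    }
    if (!array_key_exists('btnSubmit', $post)) {
        // Browsers send a submit button's name only when that button triggered the
        // submission; form.submit() from JavaScript omits it, so a guard of
        // isset($_POST["btnSubmit"]) silently skips the insert.
        $findings[] = 'btnSubmit is absent: the form was submitted without the button, so isset($_POST["btnSubmit"]) is false';
    }
    return $findings ?: ['request looks complete'];
}

// Environment checks for the database half of the problem.
function diagnose_database(string $host, string $user, string $pass, string $dbname, string $table): array
{
    if (!extension_loaded('mysqli')) {
        return ['mysqli extension is not loaded: enable it in php.ini and restart the web server'];
    }
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    try {
        $db = new mysqli($host, $user, $pass, $dbname);
        // SHOW TABLES LIKE ? is preparable, so the table name is bound, not concatenated.
        $stmt = $db->prepare('SHOW TABLES LIKE ?');
        $stmt->bind_param('s', $table);
        $stmt->execute();
        $stmt->store_result();
        $found = $stmt->num_rows;
        $stmt->close();
        return [$found === 1 ? "table $table exists in $dbname" : "table $table does not exist in $dbname"];
    } catch (mysqli_sql_exception $e) {
        // Connection refused, wrong credentials, unknown database, etc.
        return ['database error: ' . $e->getMessage()];
    }
}

header('Content-Type: text/plain');
foreach (diagnose_post($_SERVER['REQUEST_METHOD'] ?? 'CLI', $_POST) as $line) {
    echo $line, "\n";
}
foreach (diagnose_database('localhost', 'root', '', 'testdb', 'table1') as $line) {
    echo $line, "\n";
}
```

Point the form's action at this file temporarily, submit it once, and read the plain-text report: the first block tells you whether the button/form change from this answer took effect, the second whether the LAMP installation the last comment suspects can actually see testdb.table1. Remove the script afterwards, since it prints connection errors that should not be exposed to visitors.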
