2

I am trying to insert into column "UserId" in my sql database, using php, text that the user inputs in the HTML form. Below is a basic example to help me figure out what I am doing wrong.

HTML

<html>
<form action="index1.php" method ="post" name="trial">

    <input type="text" name="testName" id="testId">
    <br>
    <input type="submit" value="Submit">

</form>
</html>

PHP

$servername = "localhost";
$username = "root";
$password = "xx";
$dbname = "wp";

$conn = new mysqli($servername, $username, $password, $dbname);

if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
} 

$UserId = $_POST['testName'];

$sql = "INSERT INTO UserProfile (UserId) VALUES ('$testName')";

if ($conn->query($sql) === TRUE) {
    echo "New record created successfully";
} else {
    echo "Error: " . $sql . "<br>" . $conn->error;
}

$conn->close();

Some notes:

  1. I can connect to database and insert in the correct columns checkbox and radio values from the form

  2. I cannot find a way to insert in the database the user text input from the form (UserProfile is the table and UserId the column). Would using a javascript variable, like below one, help?

    var testVar = document.getElementById("testId").value;

  3. I know I am opening myself to hacking using the above code, I would like to improve it later on but I think I need to first figure out the basics (ie: how to get the user text input added to the database)

Than you in advance for any help!

Improve this question
13
  • 1
    you have $UserId not $testName Commented Sep 26, 2017 at 16:19
  • 1
    You are declaring $UserId but you're trying to insert $testName. Which is whats wrong! Commented Sep 26, 2017 at 16:22
  • 1
    should be : $sql = "INSERT INTO UserProfile (UserId) VALUES ('$UserId')"; Commented Sep 26, 2017 at 16:22
  • 4
    "I know I am opening myself to hacking using the above code, I would like to improve it later on but I think I need to first figure out the basics" — Doing it the right way (with prepared statements and bound variables) means throwing out a large portion of the code you are writing. It's a false economy, you are just teaching yourself bad habits. Commented Sep 26, 2017 at 16:24
  • 1
    @JigarShah Thank you!! Now it works! Commented Sep 26, 2017 at 16:27

2 Answers 2

Reset to default
4

you are storing the value in $UserId, not in $testName:

Change your SQL Query to

$sql = "INSERT INTO UserProfile (UserId) VALUES ('$UserId')";

I think this will help. BTW: Think about SQL-Injection! Look here: How can I prevent SQL injection in PHP?

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

0

Look here 

$sql = "INSERT INTO UserProfile (UserId) VALUES ('$testName')";

Change $testName to $UserId in sql statement because it's the name of your new variable in php:

$UserId = $_POST['testName'];
$sql = "INSERT INTO UserProfile (UserId) VALUES ('$UserId')";

But I advice you to:

1- use PDO for any sql handling in php

2- use mysqli_real_escape_string to protect your code from threats.

make it like:

$UserId = mysqli_real_escape_string($con, $_POST['testName']);
Improve this answer

4 Comments

Please do not give answers with security vulnerabilities
what is wrong in security in my code sample? explain to me please i'm confused now!!!!
Google prepared statements using mysqli
Thank you, i am editing it to explain him how to protect the insert

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.