1

I am learning PDO and I tried to play with the CRUD method. I am trying to insert data into the database using PDO but it isn't inserting. Below is my code:

<?php
$username = $_POST['username'];
$password = password_hash($_POST['password'], PASSWORD_BCRYPT);
try {
    $query = $connect->prepare("INSERT INTO users(username, password) VALUES(?,?)");
    $query->execute(array($username, $password));
    echo "data";
} catch (PDOException $event) {
    echo $event->getMessage();
}
?>

I have this index file, named index.php:

<?php 
require_once 'db.php';
session_start();
session_regenerate_id();
?>
<!DOCTYPE html>
<html>
<head>
  <title>Sign-Up/Login Form</title>
</head>
<?php
if ($_SERVER['REQUEST_METHOD'] == '$_POST') {
    if (isset($_POST['login'])) {
        require 'login.php';
    }
    elseif (isset($_POST['register'])) {
        require 'register.php';
    }
}
?>
<body>
    <form action="index.php" method="POST">
        <input type="text" name="username">
        <input type="password" name="password">
        <input type="submit" name="register" value="Submit">
    </form>
</body>
</html>

My db.php looks like:

<?php 
try {
    $connect = new PDO('mysql:dbname=pdologin;host=localhost', 'root', '$$$$');
    $connect->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
} catch (Exception $event) {
    $event->getMessage();
}
?>
25
  • 2
    Is $connect a PDO connection or mysqli? Don't escape with prepared statements; you are supposed to parameterize the query. VALUES(?, ?) Commented Sep 2, 2018 at 3:23
  • What's with the mysqli_real_escape_string calls then? Where's the error_reporting? Commented Sep 2, 2018 at 3:24
  • $connect is pdo connection Commented Sep 2, 2018 at 3:27
  • Okay, so you can't use any mysqli functions. Remove those. Parameterize the query and bind the values you were escaping. The driver will escape them for you. You can bind with bindparam, or by passing them in the execute function. Commented Sep 2, 2018 at 3:29
  • I removed them but it's not working Commented Sep 2, 2018 at 3:30

3 Answers

2

The problem is that your code never reaches your require scripts (login.php or register.php) because your conditional is incorrect.

You have: if ($_SERVER['REQUEST_METHOD'] == '$_POST')

It should be if ($_SERVER['REQUEST_METHOD'] == 'POST')


1

You're going to end up with something like below while learning or doing some small script that will need a connection. In the long run, wrapping this stuff in a function or using a small helper or framework can make this a little easier. Great idea to learn, but it's still tedious boilerplate no matter how many years you write this stuff.

<?php
//db settings that are typically in a config somewhere
$db_servername = "localhost";
$db_username = "username for your database";
$db_password = "password for your database";
$db_name = "your_db_name";        

try {
    // DSN, username and password are three separate constructor arguments
    $connect = new PDO("mysql:host=$db_servername;dbname=$db_name", $db_username, $db_password);
    // set the PDO error mode to exception
    $connect->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    //echo "Connected successfully";
 }catch(PDOException $e){
    //echo "Connection failed: " . $e->getMessage();
 }
 $sth = $connect->prepare("INSERT INTO users(username, password) VALUES(:username,:password)");

 $username = $_POST['username'];
 $password = password_hash($_POST['password'], PASSWORD_BCRYPT );

 $sth->bindValue(':username', $username, PDO::PARAM_STR);
 $sth->bindValue(':password', $password, PDO::PARAM_STR);
 $sth->execute();

As an example, my team now just writes database binding code like:

<?php
//array of ids to insert
$binds['ids'] = array(1,3,4,5,6,7,9,8098); // no leading zero: 08098 is an invalid octal literal in PHP
//Database class is auto included with every script
$success = Database::query('insert into my_table (id) values(:ids)',$binds);


0

connect first

$connect = mysqli_connect("localhost","root","root","my_db");

then remove the parameters when executing

$query->execute();

try this

   <?php 
    $connect = mysqli_connect("localhost","root","root","my_db");
    $username = $_POST['username'];
    $password = password_hash($_POST['password'], PASSWORD_BCRYPT );
    try {
        $query = $connect->prepare("INSERT INTO users(username, password) VALUES('$username', '$password')");
        $query->execute();
    }
    catch (PDOException $e) {
        echo $e->getMessage();
    }
    ?>
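
The difference between interpolating `$username` into the SQL text (as in the snippet just above) and binding it (as the comments and the second answer recommend), shown as an added example that is not part of any answer in this thread. It assumes the `pdo_sqlite` extension so it runs without a MySQL server; the in-memory table, the `$post` array and the helpers `register_user()` and `check_login()` are hypothetical.

```php
<?php
// Added example, not code from the thread. Assumes the pdo_sqlite extension;
// an in-memory SQLite database stands in for the asker's MySQL "pdologin" DB.
$connect = new PDO('sqlite::memory:');
$connect->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$connect->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');

// Constructed sample input standing in for $_POST.
$post = ['username' => "O'Brien", 'password' => 'correct horse battery staple'];

// Hypothetical helper: register a user with bound parameters.
function register_user(PDO $db, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_BCRYPT);
    $stmt = $db->prepare('INSERT INTO users(username, password) VALUES(:username, :password)');
    $stmt->execute([':username' => $username, ':password' => $hash]);
}

// Hypothetical helper: look the user up with a bound parameter and verify the hash.
function check_login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($password, $hash);
}

// 1) Interpolated form (as in the last answer): the apostrophe in the name
//    ends the SQL string literal early, so the statement no longer parses.
try {
    $connect->exec("INSERT INTO users(username, password) VALUES('{$post['username']}', 'x')");
    echo "interpolated: inserted\n";
} catch (PDOException $e) {
    echo "interpolated: failed (", $e->getMessage(), ")\n";
}

// 2) Bound form: the same value travels as data and is stored unchanged.
register_user($connect, $post['username'], $post['password']);
var_dump(check_login($connect, "O'Brien", 'correct horse battery staple')); // correct password
var_dump(check_login($connect, "O'Brien", 'wrong password'));               // wrong password
```

The interpolated statement fails on an ordinary surname because user input becomes part of the SQL text; with placeholders the driver never parses the value as SQL, which is why the bound form is the one to keep.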
