daniel kanyi - 4 months ago
SQL Question

How do I insert form data into my database

I am trying to insert form data into a mysql database. The connection page works

But I don't know what the issue is in the code.

I've gone through the code over and over and I can't find the error but it didn't work.

How do I insert data into the mysql table after I try to register?

I'm working in Windows.

This is my source code:

<?php

$con = mysql_connect("localhost", "root", "", "tut");


?>

<?php

if(isset($_POST['Submit'])){



$FName= $_POST['First_name'];
$LName = $_POST['Last_name'];
$Email = $_POST['Email'];
$PW = $_POST['Password'];

$sql = mysql_query("INSERT INTO users VALUES('', {$FName}','{$LName}','{$Email}','{$PW}')", $con);

if(isset($_POST['First_name'])){$FName = $_POST['First_name'];}

}

?>

<!DOCTYPE html>
<html>
<head>
<title>Register</title>
<link rel="stylesheet" type="text/css" href="style.css">
<link rel="stylesheet" type="text/css" href="menu.css">
</head>
<body>
<div class="container">
<div class="header">
<img src="index.jpg" style="width: 20%;height: 65px; align: center;">
</div>
<div class="menu" id="menu">
<nav>
<ul class="cssmenu">
<li><a href="#">Register</a></li>
<li><a href="#">Log In</a></li>
</ul>
</nav>
</div>
<div class="leftbody">
<img src="index.jpg">
</div>
<div class="rightbody">
<form action="register.php" method="POST" id="registerform">
<div class="Formelement">
<input type="text" name="First_name" class="tfield" required="required" placeholder="First_Name">
</div><br>

<div class="Formelement">
<input type="text" name="Last_name" class="tfield" required="required" placeholder="Last_Name">
</div><br>

<div class="Formelement">
<input type="text" name="Email" class="tfield" required="required" placeholder="Email">
</div><br>

<div class="Formelement">
<input type="password" name="Password" class="tfield" required="required" placeholder="Password">
</div><br>

<input type="submit" name="Submit" value="Register">
</form>
</div>
<div class="footer"></div>
</div>
</body>
</html>

Answer

While jophab's answer might help solve your current situation, there are a few things you should be aware of.

1. mysql_error

With proper use of this method, you may not have even needed to post a question. This method returns the text message of the error thrown and can give you details such as Unknown column 'xx' in 'field list'.

Use with your current setup may be something like:

$sql = mysql_query("INSERT INTO users VALUES('', {$FName}','{$LName}','{$Email}','{$PW}')", $con);
if (!$sql) die(mysql_error($con));

This would have let you know that you had a syntax error, as can be seen here: VALUES('', {$FName}' <- notice there is a missing quote just before the first {?

2. SQL Injection

You need to be aware that the method you are following is deprecated and with good reason. What you're doing is allowing any user with the know-how to very easily hack your DB and get all the info they need. The best next step forward is to immediately stop using these methods and learn about MySQLi.

MySQLi allows for a thing called Prepared Statements, which strongly help to reduce your vulnerability. Using MySQLi, your code may look like:

$mysqli = new mysqli("localhost", "root", 'ge7@P@s$w04D', "tut");
if (mysqli_connect_errno()) die("Connect failed: " . mysqli_connect_error());

// The ? placeholders keep the submitted values out of the SQL text.
if (!($stmt = $mysqli->prepare("INSERT INTO users (name_first, name_last, email, pass) VALUES (?, ?, ?, ?)"))) die("Preparation failed: " . mysqli_error($mysqli));

$FName= $_POST['First_name'];
$LName = $_POST['Last_name'];
$Email = $_POST['Email'];
$PW = $_POST['Password'];

// "ssss" binds all four parameters as strings.
if (!($bind = mysqli_stmt_bind_param($stmt, "ssss", $FName, $LName, $Email, $PW))) die("Bind failed: " . mysqli_stmt_error($stmt));

if (!($exec = mysqli_stmt_execute($stmt))) die("Failed to execute query: " . mysqli_stmt_error($stmt));

That's just shooting from the hip, but you will get the idea better once you study a bit more.


More Reading: Choosing an API


As an alternative, you might also consider PDO.


Final Note of Caution: Password Hashing

Never use text of password / Always hash it in some manner. This is extremely important if you want to maintain any user security. You and your database should never know what a user's password is. If they don't remember, then you come up with a verification process for them to reset it. A local bank to my old hometown did this and I warned them for 2 years why it was bad. Finally, after ignoring all my warnings, I walked in with a laptop, sat down, unannounced, in the manager's office, and began pulling everyone's password and showing them to him. Of course, at first, he scolded me and threatened to call police. Within just a couple minutes I had convinced him of the problem and ended up getting a thank you with substantial compensation for bringing the error to his attention. This is, without a doubt, on the top 5 list of things to Never Do.

Please take a long look at how to use something like password_hash.

Use in a manner such as:

/** 
 *  This code will benchmark the server to determine how high of a cost I can
 *  afford. I want to set the highest cost that I can without slowing down
 *  the server too much. 8-10 is a good baseline, and more is good if the servers
 *  are fast enough. The loop below returns the first cost at which a single hash
 *  takes at least 50 milliseconds, which is a good baseline for systems
 *  handling interactive logins.
 *  */
function getCost() {
   $timeTarget = 0.05; // 50 milliseconds
   $cost = 8;
   do {
       $cost++;
       $start = microtime(true);
       password_hash("test", PASSWORD_BCRYPT, ["cost" => $cost]);
       $end = microtime(true);
   } while (($end - $start) < $timeTarget);
   return $cost;
}

/** getHash($pass)
 *  Get the hash of the password, using the benchmarked cost.
 *  password_hash() generates the salt and stores it, with the cost, in the result.
 *  */
function getHash($pass) {
    return password_hash($pass, PASSWORD_DEFAULT, [ 'cost' => getCost() ]);
}

$hashPass = getHash($_POST['Password']);
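
The two points of the answer above (bound parameters and password hashing) combined into one registration and login round trip, as an added example that is not part of the original answer. It assumes PHP 7+ with the pdo_sqlite extension, uses an in-memory SQLite database in place of MySQL so it runs offline, reuses the answer's column names, and `register()` and `login()` are hypothetical helper names.

```php
<?php
// Added example. Assumes PHP 7+ with pdo_sqlite; in-memory SQLite stands in for MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY AUTOINCREMENT,
    name_first TEXT, name_last TEXT, email TEXT UNIQUE, pass TEXT)');

// Constructed sample input standing in for $_POST.
$post = ['First_name' => 'Conan', 'Last_name' => "O'Brien",
         'Email' => 'conan@example.test', 'Password' => 'correct horse battery staple'];

// register() and login() are hypothetical helper names.
function register(PDO $pdo, array $in): int
{
    // Store only the hash; password_hash() generates the salt itself.
    $hash = password_hash($in['Password'], PASSWORD_DEFAULT);
    $stmt = $pdo->prepare(
        'INSERT INTO users (name_first, name_last, email, pass) VALUES (?, ?, ?, ?)');
    $stmt->execute([$in['First_name'], $in['Last_name'], $in['Email'], $hash]);
    return (int) $pdo->lastInsertId();
}

function login(PDO $pdo, string $email, string $password): bool
{
    $stmt = $pdo->prepare('SELECT pass FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $hash = $stmt->fetchColumn();
    // password_verify() reads algorithm, cost and salt from the stored hash.
    return $hash !== false && password_verify($password, $hash);
}

// 1. Interpolated values, as in the question: the apostrophe ends the literal early.
try {
    $pdo->exec("INSERT INTO users (name_first, name_last, email, pass)
                VALUES ('{$post['First_name']}', '{$post['Last_name']}', 'x', 'y')");
    echo "interpolated query: inserted\n";
} catch (PDOException $e) {
    echo "interpolated query: rejected, " . $e->getMessage() . "\n";
}

// 2. Bound parameters: the same input is stored as plain data.
$id = register($pdo, $post);
$check = $pdo->prepare('SELECT name_last, pass FROM users WHERE id = ?');
$check->execute([$id]);
$row = $check->fetch(PDO::FETCH_ASSOC);
echo "stored last name: {$row['name_last']}\n";
echo 'stored password is a hash: ' . var_export($row['pass'] !== $post['Password'], true) . "\n";
echo 'login with right password: ' . var_export(login($pdo, $post['Email'], $post['Password']), true) . "\n";
echo 'login with wrong password: ' . var_export(login($pdo, $post['Email'], 'guess'), true) . "\n";
```

An ordinary surname containing an apostrophe is enough to break the interpolated query, which is the same class of defect as the missing quote in the question; with bound parameters the value never reaches the SQL parser as syntax.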