0

hi everyone. I have just started to program in php. I tried to develop a php code to retrieve data from a form and insert into a table created in Mysql. Here is my php code. This code gets executed when the user submits the form.

<html>
<body>
<?php
 $con = mysql_connect("localhost","####","####");
 if(!$con){
  die('Could not connect:  '.mysql_error());}

 mysql_select_db("wb", $con);

 $sql="INSERT INTO users (username,password,mail,address,phone) VALUES  ('$_POST[username]','$_POST[pwd]','$_POST[mail]','$_POST[Address]','$_POST[Phone]')";

 if(!mysql_query($sql,$con)){
   die('Error:  '.mysql_error());}
echo "Successfully Registered!";
mysql_close($con);
?>
</body>
</html>

I neither get "Successfully registered" message nor the data gets inserted into the table. My page is blank after i press the submit button. What is wrong with the code??

5
Contributors
5
Replies
6
Views
4 Years
Discussion Span
Last Post by broj1
0

I suspect you should quote the index values of the $_POST's, like this:

('$_POST["username"]','$_POST["pwd"]','$_POST["mail"]','$_POST["Address"]','$_POST["Phone"]

0

Also while developing scripts it is useful to have error reporting switched on so instead of a blank screen you get some useful information. You can do this either in your script (each of them):

ini_set('display_errors',1); 
error_reporting(E_ALL);

or in the php.ini file if you have access to it:

error_reporting = E_ALL

Other options are in the manual:

http://php.net/manual/en/function.error-reporting.php

Once your scripts go to production turn error reporting off and log errors in a log file.

Edited by broj1

0

$sql="INSERT INTO users (username,password,mail,address,phone) VALUES ('$_POST[username]','$_POST[pwd]','$_POST[mail]','$_POST[Address]','$_POST[Phone]')";

i think you have problem with this code...... try to check syntax of your VALUES....

0

A note on security in web apps:

You never stick request variables directly to your database! You always first sanitize them. You expect user to enter their username in the username field but they might enter evil SQL code instead which will go directly to your query and potentialy do a lot of damage to the data in the database. Google for SQL injection attack to learn more.

The proper way wuld be at least escaping values of $_POST (or $_GET or $_COOKIE...) using MySql mysql_real_escape_string() function to render possible entered quotes and the like useless:

$username = mysql_real_escape_string($_POST[username]);
$pwd = mysql_real_escape_string($_POST[pwd]);
$mail = mysql_real_escape_string($_POST[mail]);
$Address = mysql_real_escape_string($_POST[Address]);
$Phone = mysql_real_escape_string($_POST[Phone]);

// query now uses escaped values and is also more readable
$sql="INSERT INTO users (username,password,mail,address,phone) VALUES ('$username','$pwd','$mail','$Address','Phone')";

http://www.w3schools.com/php/func_mysql_real_escape_string.asp

Another way is using prepared statements:

http://blog.ulf-wendel.de/2011/using-mysql-prepared-statements-with-php-mysqli/

Hmm, at the moment PHP.net server does not work so I cant paste links to there. Anyway, have look at it too, it is wealth of information.

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.