Member Avatar for sarah49

hi everyone. I have just started to program in php. I tried to develop a php code to retrieve data from a form and insert into a table created in Mysql. Here is my php code. This code gets executed when the user submits the form.

<html>
<body>
<?php
 $con = mysql_connect("localhost","####","####");
 if(!$con){
  die('Could not connect:  '.mysql_error());}

 mysql_select_db("wb", $con);

 $sql="INSERT INTO users (username,password,mail,address,phone) VALUES  ('$_POST[username]','$_POST[pwd]','$_POST[mail]','$_POST[Address]','$_POST[Phone]')";

 if(!mysql_query($sql,$con)){
   die('Error:  '.mysql_error());}
echo "Successfully Registered!";
mysql_close($con);
?>
</body>
</html>

I neither get "Successfully registered" message nor the data gets inserted into the table. My page is blank after i press the submit button. What is wrong with the code??

  • 5 Contributors
  • 5 Replies
  • 230 Views
  • 7 Hours Discussion Span
  • Latest Post Latest Post by broj1

Recommended Answers

All 5 Replies

Member Avatar for velizar.velkov

I do believe your parametres should be $_POST["username"] instead of $_POST[username]?

Member Avatar for jwer

I suspect you should quote the index values of the $_POST's, like this:

('$_POST["username"]','$_POST["pwd"]','$_POST["mail"]','$_POST["Address"]','$_POST["Phone"]

Member Avatar for broj1

Also while developing scripts it is useful to have error reporting switched on so instead of a blank screen you get some useful information. You can do this either in your script (each of them):

ini_set('display_errors',1); 
error_reporting(E_ALL);

or in the php.ini file if you have access to it:

error_reporting = E_ALL

Other options are in the manual:

http://php.net/manual/en/function.error-reporting.php

Once your scripts go to production turn error reporting off and log errors in a log file.

Edited by broj1
Member Avatar for ome2012

$sql="INSERT INTO users (username,password,mail,address,phone) VALUES ('$_POST[username]','$_POST[pwd]','$_POST[mail]','$_POST[Address]','$_POST[Phone]')";

i think you have problem with this code...... try to check syntax of your VALUES....

Member Avatar for broj1

A note on security in web apps:

You never stick request variables directly to your database! You always first sanitize them. You expect user to enter their username in the username field but they might enter evil SQL code instead which will go directly to your query and potentialy do a lot of damage to the data in the database. Google for SQL injection attack to learn more.

The proper way wuld be at least escaping values of $_POST (or $_GET or $_COOKIE...) using MySql mysql_real_escape_string() function to render possible entered quotes and the like useless:

$username = mysql_real_escape_string($_POST[username]);
$pwd = mysql_real_escape_string($_POST[pwd]);
$mail = mysql_real_escape_string($_POST[mail]);
$Address = mysql_real_escape_string($_POST[Address]);
$Phone = mysql_real_escape_string($_POST[Phone]);

// query now uses escaped values and is also more readable
$sql="INSERT INTO users (username,password,mail,address,phone) VALUES ('$username','$pwd','$mail','$Address','Phone')";

http://www.w3schools.com/php/func_mysql_real_escape_string.asp

Another way is using prepared statements:

http://blog.ulf-wendel.de/2011/using-mysql-prepared-statements-with-php-mysqli/

Hmm, at the moment PHP.net server does not work so I cant paste links to there. Anyway, have look at it too, it is wealth of information.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.