0
<html>
<body>
<?php
$con = mysql_connect("localhost","root","");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }

mysql_select_db("mydb", $con);

$sql="INSERT INTO users(firstname, lastname)
VALUES
('$_POST[firstname]','$_POST[lastname]')";

if (!mysql_query($sql,$con))
  {
  die('Error: ' . mysql_error());
  }
echo "1 record added";

mysql_close($con)
?>
</body>
</html>
0

Check first whether $_POST values exist (they usually do not on the first page load). And also it is very important to escape the values before inserting into the database.

// check if values exist
if(isset($_POST[firstname]) and isset($_POST[lastname])) {

    $con = mysql_connect("localhost","root","");
    if (!$con)
    {
        die('Could not connect: ' . mysql_error());
    }
    mysql_select_db("mydb", $con);

    // escape the values (to minimize a chance of SQL injection)
    $firstname = mysql_real_escape_string($_POST[firstname]);
    $lastname = mysql_real_escape_string($_POST[lastname]);

   // then use escaped values in your query
   $sql="INSERT INTO users(firstname, lastname) VALUES ('$firstname','$lastname')";
    ...
    ...
    mysql_close($con);
}

Also, switch ASAP to a more up-to-date DB extension such as mysqli or PDO.

Edited by broj1
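
The same insert with PDO and a prepared statement, as recommended in the post above. This is an added example, not code from the thread: `insertUser()` is a hypothetical helper, the 100-character limit is an assumed rule, and an in-memory SQLite database stands in for MySQL so the script runs offline.

```php
<?php
// Added example, not from the thread. insertUser() is a hypothetical helper.
function insertUser(PDO $pdo, array $post): bool
{
    $clean = [];
    // Same existence check as in the thread, plus a type and length check.
    foreach (['firstname', 'lastname'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            return false;
        }
        $value = trim($post[$field]);
        if ($value === '' || strlen($value) > 100) {   // assumed limit
            return false;
        }
        $clean[':' . $field] = $value;
    }
    // Placeholders keep the values out of the SQL text entirely,
    // so there is no escaping step to forget.
    $stmt = $pdo->prepare(
        'INSERT INTO users (firstname, lastname) VALUES (:firstname, :lastname)'
    );
    return $stmt->execute($clean);
}

// For MySQL the DSN would look like 'mysql:host=localhost;dbname=mydb;charset=utf8mb4',
// with PDO::ATTR_EMULATE_PREPARES => false for server-side prepares and a
// dedicated low-privilege account rather than root with an empty password.
// Assumption: in-memory SQLite is used here so the demo runs without a server.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,   // failures throw instead of passing silently
]);
$pdo->exec('CREATE TABLE users (firstname TEXT, lastname TEXT)');

// Constructed sample submissions standing in for $_POST.
$samples = [
    ['firstname' => 'Conan', 'lastname' => "O'Brien"],          // legitimate quote
    ['firstname' => "x', 'y'); --", 'lastname' => 'Test'],      // SQL-like text, stored as data
    ['firstname' => 'OnlyFirst'],                               // lastname missing
];
foreach ($samples as $post) {
    echo insertUser($pdo, $post) ? "1 record added\n" : "rejected: missing or invalid fields\n";
}
// Both accepted rows come back exactly as submitted, quotes included.
foreach ($pdo->query('SELECT firstname, lastname FROM users') as $row) {
    echo $row['firstname'], ' | ', $row['lastname'], "\n";
}
```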

0

Thanks, but I am now getting a new error: use of undefined constants on line 2. What might be the problem?

Edited by SirMahlon

0

Sorry, my mistake, forgot the quotes in array indexes. This is correct:

$firstname = mysql_real_escape_string($_POST['firstname']);
$lastname = mysql_real_escape_string($_POST['lastname']);
0

OK, the quotes are missing in this line also. Try:

if(isset($_POST['firstname']) && isset($_POST['lastname'])) {
0

Now I don't get any error, but no data is sent into the table users with database name mydb.
Thanks a lot, by the way.

0

Echo the query and test it in phpmyadmin (or post it here). Put this temporary debug line somewhere (like line 11 in your original post):

die("INSERT INTO users(firstname, lastname) VALUES ('$firstname','$lastname')");

This will display the constructed query and stop the script. Now copy it to phpmyadmin and see what happens. You can post the output here.

0
<?php
// check if values exist
 if(isset($_POST['firstname']) && isset($_POST['lastname'])) {
    $con = mysql_connect("localhost","root","");
    if (!$con)
    {
        die('Could not connect: ' . mysql_error());
    }
    mysql_select_db('mydb', $con);
    // escape the values (to minimize a chance of SQL injection)
    $firstname =  mysql_real_escape_string($_POST['firstname']);
    $lastname = mysql_real_escape_string($_POST['lastname']);
   // then use escaped values in your query
   $sql='INSERT INTO users(firstname,lastname) VALUES ("$firstname","$lastname")';
   if (!mysql_query($sql,$con))
  {
    echo $sql;
    }
    else
    {
      die('Error: ' . mysql_error());
  }
echo "1 record added";
    mysql_close($con);
    }
?>
0
<html>
<body>
<h1>A small example page to insert some data in to the MySQL database using PHP</h1>
<form action="insert.php" method="post">
Firstname: <input type="text" name="fname" /><br><br>
Lastname: <input type="text" name="lname" /><br><br>

<input type="submit" />
<?php

?>
</form>
</body>
</html>
0

The input name attributes should be the same as indexes in the $_POST array so change the form to:

Firstname: <input type="text" name="firstname" /><br><br>
Lastname: <input type="text" name="lastname" /><br><br>

(or if you prefer change the indexes in the $_POST array).

Edited by broj1

0

Not working still, sir. I want to post both codes for you to examine, please.

0
<?php
// check if values exist
 if(isset($_POST['fname']) && isset($_POST['lname'])) {
    $con = mysql_connect("localhost","root","");
    if (!$con)
    {
        die('Could not connect: ' . mysql_error());
    }
    mysql_select_db('mydb', $con);
    // escape the values (to minimize a chance of SQL injection)
    $fname =  mysql_real_escape_string($_POST['fname']);
    $lname = mysql_real_escape_string($_POST['lname']);
   // then use escaped values in your query
   $sql="INSERT INTO users(fname,lname) VALUES ('$_POST[fname]','$_POST[lname]')";
   if (!mysql_query($sql,$con))
  {
    echo $sql;
    }
    else
    {
      die('Error: ' . mysql_error());
  }
echo "1 record added";
    mysql_close($con);
    }
?>
0

This is for the form. My browser echoes my SQL statement, but it does not get into the database.

0
<html>
<body>
<h1>A small example page to insert some data in to the MySQL database using PHP</h1>
<form action="insert.php" method="post">
Firstname: <input type="text" name="fname" /><br><br>
Lastname: <input type="text" name="lname" /><br><br>
 <input type="submit" />
</form>
</body>
</html>


0

What is the output of the echo command on line 17?

And change the query to use escaped values:

$sql="INSERT INTO users(fname,lname) VALUES ('$fname','$lname')";

And to be on the safe side, put a space after the database name:

$sql="INSERT INTO users (fname,lname) VALUES ('$fname','$lname')";

Edited by broj1
