0

I am having trouble inserting data to my table via PHP. The "cc_connect.php" is the file that connects the database. The form is there but when I submit it, no data is added to my table. I've followed several tutorials and matched their methods without success. Is something not set up in my db?

The function $dbcon is associated with my connection.

<form method="post" action="cc_registration.php">
<input type="hidden" name="submitted" value="true" />

    First Name: <input type="text" name="first_name" />
    Last Name: <input type="text" name="last_name" />

<br />
<input type="submit" value="submit" />

<?php

if(isset($_POST['submit'])) {

    include ('cc_connect.php');

    if (!$dbcon) {
        die("Can not Connect: " . mysql_error());
    }

    mysql_select_db("cooperstown",$dbcon);

    $sql = "INSERT INTO cobra_registration (first_name,last_name) VALUES ('$_POST[first_name]', '$_POST[last_name]')";

    mysql_query($sql,$dbcon);

    mysql_close($dbcon);

}

?>

10
  • 1
    so what values are you inserting? Commented Jul 10, 2014 at 21:15
  • $sql = "INSERT INTO cobra_registration (first_name,last_name) VALUES --- You haven't sent any values... Commented Jul 10, 2014 at 21:16
  • 5
    Doesn't answer the question, but this is wide open to SQL Injection attacks. Commented Jul 10, 2014 at 21:17
  • Ok, VALUES? Where are the values you are passing to the statement? It needs to be something like this: VALUES(value I am trying to pass, value I am trying to pass). Also, please go read about SQL injection and try to prevent it in your code. Commented Jul 10, 2014 at 21:17
  • The values are inserted from the form 'first_name', 'last_name'... For some reason, if I change the "if(isset($_POST['submit']));" to "if($_POST);", I can add information. Not sure why that is. Commented Jul 10, 2014 at 21:19

2 Answers 2

3

$_POST['submit'] is never set because you are passing submitted.

Change:

<input type="hidden" name="submitted" value="true" />

to:

<input type="hidden" name="submit" value="true" />

As a side note, your current query can easily be hacked. Use prepared statements instead, like PDO or MySQLi. Here is an example in PDO:

// $db is assumed to be an existing PDO connection to the database.
$fName = isset($_POST['first_name']) ? $_POST['first_name'] : '';
$lName = isset($_POST['last_name']) ? $_POST['last_name'] : '';

if ($fName && $lName) {
   // Placeholders keep the submitted values out of the SQL text.
   $stmt = $db->prepare('
      INSERT INTO cobra_registration (first_name,last_name)
      VALUES (:fname, :lname)
   ');

   $stmt->bindParam(':fname', $fName, PDO::PARAM_STR);
   $stmt->bindParam(':lname', $lName, PDO::PARAM_STR);

   $res = $stmt->execute();

   if ($res) {
      echo 'Success';
   } else {
      echo 'Failure';
   }
}
3 Comments

I missed the submitted, good catch! However, he should be getting errors with that insert statement. +1
Good grief!!! Thanks. Changed the isset to isset($_POST['submitted']) and it is working!!!
@jd5 If it solved your problem, please mark it as answer. Then this question will be off the "Unanswered question" list.
2

The mysql_* functions are deprecated, and should no longer be used. Look into mysqli or PDO.

IMPORTANT NOTE

This is WIDE open to SQL Injection attacks. You should use prepared statements to protect against such attacks.

GGio nailed his answer, it was the submitted, but checking for submit. He also provided a PDO example, so I'll demonstrate the same thing in mysqli:

// $mysqli is assumed to be an existing mysqli connection to the database.
$firstName = isset($_POST['first_name']) ? $_POST['first_name'] : '';
$lastName = isset($_POST['last_name']) ? $_POST['last_name'] : '';

if ($firstName && $lastName) {
    // "ss" binds both parameters as strings.
    $stmt = $mysqli->prepare("INSERT INTO cobra_registration (first_name,last_name)
        VALUES (?, ?)");
    $stmt->bind_param("ss", $firstName, $lastName);
    $stmt->execute();
}

14 Comments

@VMai His version is missing the single quote around the post variable name. He has $_POST[first_name], whereas it should be $_POST['first_name'], GGio has it though, the submitted isn't checked correctly.
Inside of double quotes you don't have to quote a string as key of an array: "$_POST[first_name]" is perfectly valid PHP, even if I don't use this.
So it is! Just got through testing that, thanks for teaching me something new! I'll be deleting the answer shortly.
Edit your answer. I see no need to delete it. The most important part holds true: "This is WIDE open to SQL Injection attacks ...". This should be repeated as often as possible, if such code appears. And learning by answering and getting corrected is great. Especially by testing by yourself and not believing everything anyone else said.
I saw it, removed my first comment that wasn't relevant anymore and gave you +1. You both deserved it.
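
The difference between the question's concatenated query and the prepared statements in the two answers, as an added example that is not part of the original posts. It assumes an in-memory SQLite database via PDO in place of the asker's MySQL server; the function names and the sample submissions are constructed for illustration.

```php
<?php
// Added example. Assumption: in-memory SQLite (pdo_sqlite) stands in for the
// asker's MySQL server; table and column names are the ones on the page.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

function freshTable(PDO $db): void {
    $db->exec('DROP TABLE IF EXISTS cobra_registration');
    $db->exec('CREATE TABLE cobra_registration (first_name TEXT, last_name TEXT)');
}

// The question's pattern: form values pasted straight into the SQL text.
function insertConcatenated(PDO $db, array $post): string {
    $sql = "INSERT INTO cobra_registration (first_name,last_name) "
         . "VALUES ('$post[first_name]', '$post[last_name]')";
    try {
        $db->exec($sql);
        return 'ok';
    } catch (PDOException $e) {
        return 'error';
    }
}

// The answers' pattern: placeholders, values sent separately from the SQL.
function insertPrepared(PDO $db, array $post): string {
    $stmt = $db->prepare(
        'INSERT INTO cobra_registration (first_name,last_name) VALUES (:fname, :lname)'
    );
    $stmt->execute([':fname' => $post['first_name'], ':lname' => $post['last_name']]);
    return 'ok';
}

function rowCount(PDO $db): int {
    return (int) $db->query('SELECT COUNT(*) FROM cobra_registration')->fetchColumn();
}

// Constructed sample submissions (not real data).
$samples = [
    'apostrophe in name' => ['first_name' => 'Conan', 'last_name' => "O'Brien"],
    'value closing the quote' => ['first_name' => 'A', 'last_name' => "B'), ('C', 'D"],
];

foreach ($samples as $label => $post) {
    foreach (['insertConcatenated', 'insertPrepared'] as $fn) {
        freshTable($db);
        $status = $fn($db, $post);
        printf("%-24s %-19s status=%-5s rows=%d\n", $label, $fn, $status, rowCount($db));
    }
}
```

With the concatenated query, an ordinary surname containing an apostrophe makes the statement fail, and the second sample changes how many rows the statement inserts; the prepared version stores each submission as exactly one row of literal text.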