2

I have created a forms page named "employee.php" for taking in user data. Also I have another file named SQLConnectionProcess.php which contains the code for linking forms in employee.php to sql table. The name of the database is "employee information" and the table's name is "employee info". I am using phpmyadmin and XAMPP for local server testing.

employee.php code:

<html>
<body>

<form name="EmployeeDatabase" action="SQLConnectionProcess.php" method="post">

<link rel="stylesheet" href="css.css">

<h1>EMPLOYEE DATABASE</h1>

Employee Card NO: <input type="text" name="cardNO" ><br><br>
Employee NO: <input type="text" name="employeeNO" ><br><br>
Employee Name: <input type="text" name="employeename"><br><br>
Nationality: <input type="text" name="nationality"><br><br>
Profession: <input type="text" name="profession"><br><br>
DOB: <input type="text" name="DOB"><br><br>
DOJ: <input type="text" name="DOJ"><br><br>
DOA(VisitVisa): <input type="text" name="DOA"><br><br>
Company Code: <input type="text" name="companycode"><br><br>
Sponsor Code: <input type="text" name="sponsorcode"><br><br>
Visa Type: <input type="text" name="visatype"><br><br>
Status: <input type="text" name="status"><br><br>

<input type="submit" name="formSubmit" value="Submit">

</form>

</body>
</html>

SQLConnectionProcess.php code:

  <?php
if(isset($_POST['formSubmit'])){
  $cardNO= isset($_POST['cardNO']) ? $_POST['cardNO'] : 0;
  $employeeNO= isset($_POST['employeeNO']) ? $_POST['employeeNO'] : 0;
  $employeename= isset($_POST['employeename']) ? $_POST['employeename'] : "";
  $nationality= isset($_POST['nationality']) ? $_POST['nationality'] : "";
  $profession= isset($_POST['profession']) ? $_POST['profession'] : "";
  $DOB= isset($_POST['DOB']) ? $_POST['DOB'] : "";
  $DOJ= isset($_POST['DOJ']) ? $_POST['DOJ'] : "";
  $DOA= isset($_POST['DOA']) ? $_POST['DOA'] : "";
  $companycode = isset($_POST['companycode']) ? $_POST['companycode'] : 0;
  $sponsorcode= isset($_POST['sponsorcode']) ? $_POST['sponsorcode'] : 0;
  $visatype= isset($_POST['visatype']) ? $_POST['visatype'] : "";
  $status= isset($_POST['status']) ? $_POST['status'] : "";
  $con = mysqli_connect('localhost','root','','employee information');
  $sql = sprintf("INSERT INTO table_employee info(Employee Card NO,Employee NO,Employee Name,Nationality,Profession,DOB,DOJ,DOA(VisitVisa),Company Code,Sponsor Code,Visa Type,Status) VALUES ('','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s')",$cardNO,$employeeNO,$employeename,$nationality,$profession,$DOB,$DOJ,$DOA,$companycode,$sponsorcode,$visatype,$status);
  mysqli_query($con,$sql);
}
?>

But when I submit my forms from employee.php I get the following errors:

Notice: Undefined variable: employeeNO in C:\xampp\htdocs\test1\SQLConnectionProcess.php on line 16

Notice: Undefined variable: sponsorcode in C:\xampp\htdocs\test1\SQLConnectionProcess.php on line 16

I am unable to find the source of the errors. Kindly help me

5
  • Did you enter data for employeeNO & sponsorcode? Commented May 3, 2016 at 7:11
  • Yeah, try to submit your form by entering all the data; if you receive it, add some validation at your client end. Secondly, try to debug the problem and use var_dump($_POST);exit; to see what's coming in the post request. Commented May 3, 2016 at 7:14
  • I tried entering data in all the forms. Same errors persist... Commented May 3, 2016 at 7:15
  • See my edited code again. I am now just getting a white screen. Commented May 3, 2016 at 7:18
  • Yes, because you do not echo anywhere in your code. Please check your query; data will be inserted. Commented May 3, 2016 at 7:22

2 Answers

4

Use isset() to prevent the above error.

<?php
if(isset($_POST['formSubmit'])){
  $cardNO= isset($_POST['cardNO']) ? $_POST['cardNO'] : 0;
  $employeeNO= isset($_POST['employeeNO']) ? $_POST['employeeNO'] : 0;
  $employeename= isset($_POST['employeename']) ? $_POST['employeename'] : "";
  $nationality= isset($_POST['nationality']) ? $_POST['nationality'] : "";
  $profession= isset($_POST['profession']) ? $_POST['profession'] : "";
  $DOB= isset($_POST['DOB']) ? $_POST['DOB'] : "";
  $DOJ= isset($_POST['DOJ']) ? $_POST['DOJ'] : "";
  $DOA= isset($_POST['DOA']) ? $_POST['DOA'] : "";
  $companycode = isset($_POST['companycode']) ? $_POST['companycode'] : 0;
  $sponsorcode= isset($_POST['sponsorcode']) ? $_POST['sponsorcode'] : 0;
  $visatype= isset($_POST['visatype']) ? $_POST['visatype'] : "";
  $status= isset($_POST['status']) ? $_POST['status'] : "";
  $con = mysqli_connect('localhost','root','','employee information');
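  // 12 columns and 12 quoted placeholders; `DOA(VisitVisa)` needs backticks because of the parentheses.
  // The values are still interpolated unescaped into the SQL string (see the prepared-statement answer).
  $sql = sprintf("INSERT INTO employee_info (EmployeeCardNO,EmployeeNO,EmployeeName,Nationality,Profession,DOB,DOJ,`DOA(VisitVisa)`,CompanyCode,SponsorCode,VisaType,Status) VALUES ('%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s')",$cardNO,$employeeNO,$employeename,$nationality,$profession,$DOB,$DOJ,$DOA,$companycode,$sponsorcode,$visatype,$status);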
  mysqli_query($con,$sql);
}
?>

8 Comments

Thank you. I used the above code. No more errors. Just an empty page. Does it mean it's working?
I am still learning to use phpMyAdmin, so I don't know yet if the database is receiving input from the forms.
My table's name is "employee info" and the database name is "employee information". Should I worry about "table_employee info" that we have used in our code? What does table_ do? Is it syntax or a name given to the table in my code?
Give the table the name employee_info and remove spaces from all column names. I have edited the sprintf line; use that after making the changes in phpMyAdmin. @Gotham
We need to use isset() to prevent the above error; it checks whether the data exists in the post, and if it does not exist, the value is set to null or 0. @SanzeebAryal
1

Don't rely on data expected from the client. First ensure every value read from the $_POST array is set. If a value is not important, you can choose a default value. You can simplify it with a short function:

function get(&$var, $default = null)
{
  return isset($var) ? $var : $default;
}

$cardNO = get($_POST['cardNO'], 0);

If a required input is not present, you have to notify the user instead.

Then never ever mix strings coming from an unsafe source (e.g. the client) into SQL statements. Use prepared statements instead.

$query_string = 'INSERT INTO `tablename` (`fieldname1`, `fieldname2`) VALUES (?,?);';
if ($statement = $mysqli_connection->prepare($query_string))
{
  // bind_param() is called once: one type character per placeholder, then the variables in order
  $statement->bind_param('ss', $variable1, $variable2);
  $statement->execute();
  // fetch the result...
}

For further information see also PHP manual.

Emulated prepared statements should be turned off by options on connect, since otherwise under certain circumstances encoding attacks are still possible.

If you need to access a database that contains whitespaces in identifiers, you can surround those in backticks:

SELECT * FROM `table name with whitespaces`;
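
The advice in this answer applied to the question's form, as an added example that is not part of the original answer or the asker's code. It assumes the table is still named `employee info`, that its columns match the list in the question's INSERT, and that every field is required; `FIELD_TO_COLUMN` and `read_fields()` are hypothetical names.

```php
<?php
// Added example. Assumed: table `employee info`, columns as listed in the question.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // DB errors throw, not a blank page
// Form field => column. Names with spaces or parentheses are backticked when the SQL is built.
const FIELD_TO_COLUMN = [
    'cardNO'       => 'Employee Card NO',
    'employeeNO'   => 'Employee NO',
    'employeename' => 'Employee Name',
    'nationality'  => 'Nationality',
    'profession'   => 'Profession',
    'DOB'          => 'DOB',
    'DOJ'          => 'DOJ',
    'DOA'          => 'DOA(VisitVisa)',
    'companycode'  => 'Company Code',
    'sponsorcode'  => 'Sponsor Code',
    'visatype'     => 'Visa Type',
    'status'       => 'Status',
];

// Returns [values, missing]: one trimmed string per field, plus the names left empty.
function read_fields(array $post): array
{
    $values = $missing = [];
    foreach (array_keys(FIELD_TO_COLUMN) as $field) {
        $value = isset($post[$field]) && is_string($post[$field]) ? trim($post[$field]) : '';
        if ($value === '') {
            $missing[] = $field; // treating every field as required is an assumption
        }
        $values[] = $value;
    }
    return [$values, $missing];
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    [$values, $missing] = read_fields($_POST);
    if ($missing) {
        http_response_code(400);
        exit('Missing fields: ' . htmlspecialchars(implode(', ', $missing)));
    }
    $columns = '`' . implode('`, `', FIELD_TO_COLUMN) . '`';
    $marks   = implode(', ', array_fill(0, count($values), '?'));
    $db = new mysqli('localhost', 'root', '', 'employee information');
    $db->set_charset('utf8mb4');
    // The SQL text holds only fixed identifiers and ? markers; input travels as bound parameters.
    $stmt = $db->prepare("INSERT INTO `employee info` ($columns) VALUES ($marks)");
    $stmt->bind_param(str_repeat('s', count($values)), ...$values);
    $stmt->execute();
    echo 'Inserted ' . $stmt->affected_rows . ' row.';
}
```

Because `mysqli_report()` is set to throw, a wrong table or column name surfaces as an exception rather than the silent empty page described in the comments above.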
