I've set up a very simple HTML form to post a First Name and Surname into a MySQL database using mysqli, however the form redirects to my php script just fine, and I get no errors, but my data isn't showing in my table. Any clues? I haven't touched this in a while so I was sort of copying some university projects so please correct any mistakes.

HTML:

```html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" 
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
    <meta http-equiv="content-type" content="text/html; charset=UTF-8" />
    <title>Adam Short</title>
    <link href = "style.css" rel = "stylesheet" type = "text/css" media = "screen" />
</head>
<body>
    <div id = "wrapper">
        <form name="addAthlete" action="submit.php" method="POST">
            <label>First Name:</label>
            <input type="text" name="firstName" required="required"><br>
            <label>Surname:</label>
            <input type="text" name="surname" required="required"><br>
            <input type="submit" value="Submit">
        </form>
    </div>
</body>
</html>
```

PHP:

```php
<?php
$mysql_host = "***";
$mysql_database = "***";
$mysql_user = "***";
$mysql_password = "***";  
con = mysqli_connect($mysql_host, $mysql_user, $mysql_password, $mysql_database);

// Check connection
if (mysqli_connect_errno()) {
  echo "Failed to connect to MySQL: " . mysqli_connect_error();
}

$firstName = mysqli_real_escape_string($con, $_POST["firstName"]);
$surname = mysqli_real_escape_string($con, $_POST["surname"]);

$sql = "INSERT INTO Athlete (FirstName, Surname) VALUES 
    ('$firstName','$surname')";

if (!mysqli_query($con, $sql)) {
  die('Error: ' . mysqli_error($con));
}
echo "1 record added";

mysqli_close($con);
?>
```
Adam Short
  • **Danger**: You are **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that you need to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. – Quentin Sep 03 '14 at 13:32
  • You're mixing mysql and mysqli functions – John Conde Sep 03 '14 at 13:32
  • `DOCTYPE string` is [obsolete](http://www.w3.org/html/wg/drafts/html/master/syntax.html#obsolete-permitted-doctype-string). Also, [`HTML`](http://www.w3.org/html/wg/drafts/html/master/semantics.html#the-html-element) element cannot have `xmlns` attribute. –  Sep 03 '14 at 13:40
  • @JohnConde actually he's not mixing the mysql and mysqli functions; as you can see, it's just a variable name, except for the mysql_error – John Robertson Sep 03 '14 at 13:41
  • Look at `mysql_error()`. That will cause them to not get an error message – John Conde Sep 03 '14 at 13:42
  • by using `@` he's suppressing errors – John Robertson Sep 03 '14 at 13:43
  • @John Robertson There is no `@` before `mysql_error` function, which is deprecated btw. –  Sep 03 '14 at 13:44
  • @Benio before `mysqli_connect` – John Robertson Sep 03 '14 at 13:45
  • @John Robertson `@` before `mysqli_connect` will not work after `or` in this line, so there is a need to type another `@` after `or`, but it is much better just to replace `mysql_error` with the `mysqli_error` function. –  Sep 03 '14 at 13:57

1 Answer

Why your code is not working

In mysqli_connect, you have to specify database as fourth parameter; you're using mysql_error instead of mysqli_error.

SQL injection

Your code is open to SQL injection. You can use mysqli_real_escape_string to solve this problem.

Solution

Replace

```php
$con = @mysqli_connect($mysql_host, $mysql_user, $mysql_password)or die(mysql_error());

$firstName = $_POST["firstName"];
$surname = $_POST["surname"];

mysqli_select_db($con, $mysql_database)or die("cannot select database");
```

With

```php
$con = @mysqli_connect($mysql_host, $mysql_user, $mysql_password,$mysql_database)or die(mysqli_error($con));

$firstName = mysqli_real_escape_string($con,$_POST["firstName"]);
$surname = mysqli_real_escape_string($con,$_POST["surname"]);
```
Community
  • I replaced with your code and it still doesn't show up. I also get an error with mysqli_error as it requires a parameter. What do I pass through mysqli_error? – Adam Short Sep 03 '14 at 13:43
  • Yeah, I forgot to add it, sorry: you have to pass $con –  Sep 03 '14 at 13:45
  • Now the error: mysqli_error expects parameter to be mysqli, instead boolean given. I did change it to mysqli_connect_error() instead and it then complained Host is not allowed to connect to this MySQL server. – Adam Short Sep 03 '14 at 13:46
  • That means you passed the wrong parameters to mysqli_connect. Check them. If they seem to be right, remove the "@" before mysqli_connect and add error_reporting(E_ALL); on the top of the document, then see if some errors show up. –  Sep 03 '14 at 13:48
  • `Call to undefined function mysqli__error() in /home/a8117390/public_html/dbForms/submit.php on line 7` and `Warning: mysqli_connect() [function.mysqli-connect]: (HY000/1130): Host '31.170.160.103' is not allowed to connect to this MySQL server in /home/a8117390/public_html/dbForms/submit.php on line 7` – Adam Short Sep 03 '14 at 13:55
  • It seems like there's a second underscore between "mysqli" and "error": remove it. The second warning tells you that your host can't connect to the database. Lots of free hostings forbid external connections to the database. –  Sep 03 '14 at 13:59
  • Hi, I'm still having issues. I changed my PHP code to that of the example given of W3Schools here: [link](http://www.w3schools.com/php/php_mysql_insert.asp) I'm getting the error mysqli_real_escape_string() expects parameter 1 to be mysqli, boolean given - yet I have followed their example to the letter. I have edited my code above to what I have now. – Adam Short Sep 04 '14 at 15:50
  • Have you checked if login data for the database is correct? –  Sep 04 '14 at 16:10
  • I'm sure they're correct. I'm going to create the database from scratch so I can 100% get the correct details and report back. – Adam Short Sep 04 '14 at 16:13
  • I looked at your code with more attention: it seems like it is missing a "$" before "con" –  Sep 04 '14 at 18:00
  • Hmmm, well, I've managed to get it sorted by recreating the database. Seemed I was missing part of the host address, I thought it was something different! Thanks for your help. – Adam Short Sep 04 '14 at 18:06
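
The insert from this thread written with a prepared statement and exception-based error reporting, as an added example that is not part of the original question, answer or comments. The `DB_*` environment variable names and the 100-byte length cap are assumptions; the `Athlete` table and its columns are the ones from the question.

```php
<?php
// Added example, not from the original thread.
// Make mysqli throw mysqli_sql_exception on any failure, so a wrong host or
// login can no longer pass silently (no "@", no "or die()").
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/** Return a trimmed, length-checked name, or null if it is unusable. */
function clean_name($value, int $maxLen = 100): ?string
{
    if (!is_string($value)) {          // rejects arrays such as firstName[]=x
        return null;
    }
    $value = trim($value);
    $len = strlen($value);             // length in bytes; cap is an assumption
    return ($len >= 1 && $len <= $maxLen) ? $value : null;
}

// The HTML "required" attribute is only a browser hint; check again here.
$firstName = clean_name($_POST['firstName'] ?? null);
$surname   = clean_name($_POST['surname'] ?? null);
if ($firstName === null || $surname === null) {
    http_response_code(400);
    exit('First name and surname are required.');
}

try {
    // Credentials come from the environment (assumed variable names)
    // rather than being hard-coded in a file under public_html.
    $con = new mysqli(getenv('DB_HOST'), getenv('DB_USER'),
                      getenv('DB_PASS'), getenv('DB_NAME'));
    $con->set_charset('utf8mb4');

    // Placeholders keep the submitted values out of the SQL text entirely,
    // so no escaping function is involved.
    $stmt = $con->prepare('INSERT INTO Athlete (FirstName, Surname) VALUES (?, ?)');
    $stmt->bind_param('ss', $firstName, $surname);
    $stmt->execute();
    echo $stmt->affected_rows . ' record added';
    $stmt->close();
    $con->close();
} catch (mysqli_sql_exception $e) {
    // Full detail (host, user, SQL state) goes to the server log only;
    // the visitor sees a generic message.
    error_log('Athlete insert failed: ' . $e->getMessage());
    http_response_code(500);
    exit('Could not save the record.');
}
```

With this error mode, a rejected connection such as the "Host ... is not allowed to connect" case in the comments lands in the `catch` block and the server log instead of continuing with `$con` set to `false`.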