-1

I am trying to add a new user to a table. I've created the form, connected to the database and created the query. When I press the submit button it takes me to the next page but a new row isn't made and the data is lost. Note: Connection details are right, just changed to show you :). Also the table's User_ID column is set to auto increment. Please help. (I have looked at other similar questions but I still can't get it working.)

```php
<html>
<head>
</head>
<body>

<div>
<form action ="/Product.php" method="post">
<label><h1>Add User</h1></label><br>
 <label>Username</label>
 <input type="text" name="Username"><br>
 <label>Password</label>
 <input type="text" name="Password"><br>
 <label>User type</label>
<select multiple>
  <option value="Admin">Admin</option>
  <option value="Registered user">Registered user</option>
  <option value="Guest">Guest</option>
</select>
 <input name="Submit" type="Submit"/><br>
</form>
</div>


<?php

$connection = mysqli_connect('host', 'username', 'password', 'database');

if (mysqli_connect_error()){
 echo "Failed to connect to MySQL: " . mysqli_connect_error();
} else {

if(isset($_POST['Submit'])){

        $Username=$_POST['Username'];
        $Password=$_POST['Password'];
        $User_Type=$_POST['User_Type'];

    $query = "INSERT INTO Login (User_ID, Username, Password, User_Type)         VALUES('','$Username','$Password','$User_Type')";

    $result = mysqli_query($query);
    }
}
?>

</body>
</html>
```
Luke G
  • That's because you're telling the form to go to `/Product.html` instead of your page that handles the database stuff. If you change `action ="/Product.html"` to `action ="#"` You'll probably see the insert. – IsThisJavascript Nov 27 '17 at 12:59
  • Your query is vulnerable to MySQL injection; you should consider using [prepared statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) – IsThisJavascript Nov 27 '17 at 12:59
  • @WillParky93 Product.html *might* contain the PHP *as shown above*. – Jay Blanchard Nov 27 '17 at 13:01
  • And .html pages execute php now? – IsThisJavascript Nov 27 '17 at 13:01
  • After your insertion to reload the page. So kindly remove the action field in your form – Kmg Kumar Nov 27 '17 at 13:01
  • Yes, you can have your web server process HTML pages as if they were PHP. Pros do it all of the time. – Jay Blanchard Nov 27 '17 at 13:01
  • @JayBlanchard Ok cheers for the info – IsThisJavascript Nov 27 '17 at 13:02
  • @WillParky93 in your .htaccess file `AddType application/x-httpd-php .html .htm` – Jay Blanchard Nov 27 '17 at 13:02
  • @JayBlanchard sounds like security thru obscurity. I'll just stick to .php – IsThisJavascript Nov 27 '17 at 13:03
  • **Never store plain text passwords!** Please use ***PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html)*** to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). ***It is not necessary to [escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Feb 05 '18 at 13:32

2 Answers

1

Your input for the submit button needs name=Submit:

```html
<input name="Submit" type="Submit"/>
```

If you don't name it, it will not be in the $_POST array. So when you check:

```php
if(isset($_POST['Submit'])){
```

It will not be set.

Warning!

Little Bobby says your script is at risk for SQL Injection Attacks. Learn about prepared statements for MySQLi. Even escaping the string is not safe!

Jay Blanchard
  • Thanks, made the change but a new record still doesn't appear in the table – Luke G Nov 27 '17 at 13:14
  • Try changing the file extension for Product.html to Product.php. You will need to change both the file's extension and the form's action. – Jay Blanchard Nov 27 '17 at 13:18
0

The file you posted is an .html file. Please rename the file to Product.php, and in the form also, like below:

```php
<html>
<head>
</head>
<body>

<div>
<form action ="/Product.php" method="post">
<label><h1>Add User</h1></label><br>
 <label>Username</label>
 <input type="text" name="Username"><br>
 <label>Password</label>
 <input type="text" name="Password"><br>
 <label>User type</label>
<!-- The select needs a name, otherwise $_POST['User_Type'] is never sent -->
<select name="User_Type" multiple>
  <option value="Admin">Admin</option>
  <option value="Registered user">Registered user</option>
  <option value="Guest">Guest</option>
</select>
 <input type="Submit" name="Submit"/><br>
</form>
</div>


<?php

$connection = mysqli_connect('host', 'username', 'password', 'database');

if (mysqli_connect_error()){
    echo "Failed to connect to MySQL: " . mysqli_connect_error();
} else {

    // Only run the insert when the form was submitted
    if(isset($_POST['Submit'])){

        $Username=$_POST['Username'];
        $Password=$_POST['Password'];
        $User_Type=$_POST['User_Type'];

        // User_ID is left out so MySQL assigns the auto-increment value.
        // The values are still interpolated straight into the SQL string, as in the question.
        $query = "INSERT INTO Login (Username, Password, User_Type) VALUES('$Username','$Password','$User_Type')";

        // Procedural mysqli_query() takes the connection as its first argument
        $result = mysqli_query($connection, $query);
    }
}
?>

</body>
</html>
```
Vinod Selvin
  • Turn the tide against teaching/propagating sloppy and dangerous coding practices. If you post an answer without prepared statements [you may want to consider this before posting](http://meta.stackoverflow.com/q/344703/). Additionally [a more valuable answer comes from showing the OP the right method](https://meta.stackoverflow.com/a/290789/1011527). – Jay Blanchard Feb 05 '18 at 13:32
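
The insert written the way the comments above ask for, with a prepared statement and `password_hash()`, as an added example that is not code from the question or from either answer. It assumes the page's `Login` table, a `Password` column wide enough to hold a hash (for example `VARCHAR(255)`), and a select named `User_Type`; the function name `add_user` and the constant `ALLOWED_USER_TYPES` are hypothetical.

```php
<?php
// Added example, not code from the question or the answers on this page.
// Assumptions: Login(User_ID auto-increment, Username, Password, User_Type),
// Password column wide enough for a hash, select named "User_Type".

const ALLOWED_USER_TYPES = ['Admin', 'Registered user', 'Guest'];

function add_user(mysqli $db, array $post): string
{
    $username = $post['Username'] ?? '';
    $password = $post['Password'] ?? '';
    $userType = $post['User_Type'] ?? '';

    // Reject arrays and other non-string input before doing anything else.
    if (!is_string($username) || !is_string($password) || !is_string($userType)) {
        return 'Malformed request.';
    }
    $username = trim($username);
    if ($username === '' || $password === '') {
        return 'Username and password are required.';
    }
    // Allow-list the role instead of trusting whatever the client submitted.
    if (!in_array($userType, ALLOWED_USER_TYPES, true)) {
        return 'Unknown user type.';
    }

    // Hash the raw password; no escaping or cleansing before hashing.
    $hash = password_hash($password, PASSWORD_DEFAULT);

    // Placeholders keep user input out of the SQL text entirely.
    // User_ID is omitted so MySQL assigns the auto-increment value.
    $stmt = $db->prepare(
        'INSERT INTO Login (Username, Password, User_Type) VALUES (?, ?, ?)'
    );
    $stmt->bind_param('sss', $username, $hash, $userType);
    $stmt->execute();
    $stmt->close();

    return 'User added.';
}

if (isset($_POST['Submit'])) {
    // Throw exceptions on connect/query failure instead of failing silently.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    $connection = mysqli_connect('host', 'username', 'password', 'database');
    echo htmlspecialchars(add_user($connection, $_POST), ENT_QUOTES, 'UTF-8');
}
```

At login, the stored hash is checked with `password_verify()` rather than by comparing strings in SQL.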