
I have a problem with inserting data from form into a sql database.

I tried inserting data the unsafe way using only $-variables; it worked, but when I try to insert it in an SQL-injection-proof way, I can't make it work.

I think there is a problem with "mysqli_stmt_bind_param" function, but I am not sure.

Please Help!

HERE IS MY CODE:

<?php

if (isset($_POST['submit'])) {

    require 'baza.php';

    $conn -> set_charset("utf8");

    $pid = $_POST['pid'];
    $uid = $_POST['uid'];
    $name = $_POST['n'];
    $surname = $_POST['s'];
    $weigh = $_POST['w'];
    $height = $_POST['h'];
    $birthDay = $_POST['bd'];

    // ERROR CHECK

    if (!preg_match("/^[a-zA-Z0-9]*$/", $name)) { // Checks whether the username contains disallowed characters
        header("Location: ../orderFormLF.php?error=ivalidname&name=".$name);
        exit();
    }
    else if (!preg_match("/^[a-zA-Z0-9]*$/", $surname)) { // Checks whether the username contains disallowed characters
        header("Location: ../orderFormLF.php?error=ivalidsurname&surname=".$surname);
        exit();
    }
    else { // if there are no errors

        $sql = "INSERT INTO naročila (ime, priimek, teza, visina, datum_r, program_id, uporabnik_id) VALUES (?, ?, ?, ?, ?, ?, ?);";
        $stmt = mysqli_stmt_init($conn);

        if (!mysqli_stmt_prepare($stmt, $sql)) { // If the statement does not work
            header("Location: ../orderFormLF.php?error=sqlerror");
            exit();
        }
        else { // If the statement works

            mysqli_stmt_bind_param($stmt, 'ssiisii', $name, $surname, $weight, $height, $birthDay, $pid, $uid); // we take the data and later send it to the database
            mysqli_stmt_execute($stmt); // Executes the statement in the database

            header("Location: ../orderFormLF.php?inforamtionsent=successfully"); // Reports success
            exit();
        }
    }
}
else { // If the user reaches the page some other way than via the submit button
    header("Location: ../orderForm.php"); // we send them back to the registration form
    exit();
}
– AquaBalls
  • What happens? Do you get errors? How far through the code does it get? Also, typo in creating the `$weight` variable. – droopsnoot Jun 04 '20 at 18:21
  • We need some more specific info than "doesn't work". What debugging have you done? Where exactly does the code reach before failing? I notice you aren't checking whether bind_param succeeds or whether execute succeeds, so you need to add error checking for those. – ADyson Jun 04 '20 at 18:22
  • It displays the message in the URL ---> "header("Location: ../orderFormLF.php?inforamtionsent=successfully")". But nothing inserts into the database. As I said, I tried with only executing the SQL statement and it worked. I don't get any errors. – AquaBalls Jun 04 '20 at 18:25
  • So you have to get the error first. – Your Common Sense Jun 04 '20 at 18:31
  • I used the SQL error display command and it displayed this error: "Uncaught mysqli_sql_exception: Column 'teza' cannot be null ". – AquaBalls Jun 04 '20 at 18:36
  • No wonder, as there is no such variable defined. Turn on FULL PHP error reporting and pay attention to the error messages PHP is sending you. – Your Common Sense Jun 04 '20 at 18:41
  • `$weigh` should be `$weight`. So it looks like just a typo after all that. That's why you need to log errors properly. – ADyson Jun 04 '20 at 22:43
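The same insert with mysqli error reporting switched on, so that a failing prepare, bind or execute (such as the "Column 'teza' cannot be null" the comments arrive at) is caught rather than followed by a "success" redirect. This is an added example, not the asker's or a commenter's code; it assumes baza.php provides $conn as a mysqli object and keeps the question's table, column and form field names.

```php
<?php
// Added example (not the asker's code): the same INSERT with mysqli exceptions
// enabled, so a failing prepare/bind/execute surfaces instead of redirecting
// to "success". Assumes baza.php defines $conn as a mysqli object, as in the question.
declare(strict_types=1);
error_reporting(E_ALL);                                    // show undefined-variable warnings
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw mysqli_sql_exception on failure

function insertOrder(mysqli $conn, array $post): void
{
    // Validate before touching the database (same alphanumeric rule as the question).
    foreach (['pid', 'uid', 'n', 's', 'w', 'h', 'bd'] as $key) {
        if (!isset($post[$key]) || $post[$key] === '') {
            throw new InvalidArgumentException("missing$key");
        }
    }
    foreach (['n' => 'name', 's' => 'surname'] as $key => $field) {
        if (!preg_match('/^[a-zA-Z0-9]+$/', $post[$key])) {
            throw new InvalidArgumentException("invalid$field");
        }
    }
    $name     = $post['n'];
    $surname  = $post['s'];
    $weight   = (int) $post['w'];   // one consistent name: no NULL from an undefined variable
    $height   = (int) $post['h'];
    $birthDay = $post['bd'];
    $pid      = (int) $post['pid'];
    $uid      = (int) $post['uid'];
    $stmt = $conn->prepare('INSERT INTO naročila (ime, priimek, teza, visina, datum_r, program_id, uporabnik_id)
                            VALUES (?, ?, ?, ?, ?, ?, ?)');   // throws on SQL error
    $stmt->bind_param('ssiisii', $name, $surname, $weight, $height, $birthDay, $pid, $uid);
    $stmt->execute();   // throws e.g. "Column 'teza' cannot be null" instead of failing silently
    $stmt->close();
}

if (!isset($_POST['submit'])) {       // reached without the form: back to the form
    header('Location: ../orderForm.php');
    exit();
}
require 'baza.php';
$conn->set_charset('utf8');
try {
    insertOrder($conn, $_POST);
    header('Location: ../orderFormLF.php?informationsent=successfully');
} catch (InvalidArgumentException $e) {
    header('Location: ../orderFormLF.php?error=' . urlencode($e->getMessage()));
} catch (mysqli_sql_exception $e) {
    error_log('order insert failed: ' . $e->getMessage()); // detail goes to the server log
    header('Location: ../orderFormLF.php?error=sqlerror');  // only a generic code to the browser
}
exit();
```

With MYSQLI_REPORT_STRICT the driver throws on every failed mysqli call, so none of the return values need to be checked by hand and the database error text never reaches the browser.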
