Reputation: 759
On a form I've built, the form is validated with JavaScript Spry validation, and after that it is sent to a PHP form which pulls in the post fields with the POST method.
There is then an SQL query, as below, to submit the data to the database.
<?php
// Pull the submitted form fields straight out of $_POST (no escaping or validation here).
$title = $_POST["title"];
$first_name = $_POST["first_name"];
$surname = $_POST["surname"];
$address1 = $_POST["address1"];
$address2 = $_POST["address2"];
$town = $_POST["town"];
$county = $_POST["county"];
$country = $_POST["countries"];
$telephone_home = $_POST["telephone-home"];
$telephone_mobile = $_POST["telephone-mobile"];
$comments = $_POST["comments"];
$letter = $_POST["q1-letter"];
$updates = $_POST["q1-updates"];
$paye = $_POST["PAYE"];
// $amount2 and $email are used in the INSERT below but are set elsewhere on this page (not shown here).

//establish connection
$con = mysqli_connect("localhost","#######","###########","############");
// Check connection
if (mysqli_connect_errno())
{
    echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
// The values are interpolated directly into the SQL string; the return value of mysqli_query is not checked.
mysqli_query($con,"INSERT INTO wp_donations (prefix, first_name, second_name, amount, address1, address2, citytown, county, country, email, comments, letter, updates, paye)
VALUES ('$title','$first_name','$surname','$amount2','$address1','$address2','$town','$county','$country','$email','$comments','$letter','$updates','$paye')");
mysqli_close($con);
?>
Now most of the time this appears to be working perfectly fine, and any tests I've done work as well. However, my client is reporting that there are entries from the form which aren't showing up in the database. This form is used to process a payment, and the client cross-checks the payments with the information in the database and the payment processor's logs.
I can't for the life of me figure out how some of them might not be showing up in the database, as there is no way to process the payment without going via this PHP page (it also contains the payment processing components).
Could there be something I'm missing here that could allow a payment to be processed, but not show up in the database?
Your help is always much appreciated.
Upvotes: 0
Views: 213
Reputation: 18833
You need to look into mysqli prepared statements
You are just taking post variables as you get them, which is a bad idea. But aside from the potential for SQL injection, let's take a look at a basic example which I believe is what's happening in your case:
$x = $_POST['x'];
$sql = "INSERT INTO `table` (`address`) VALUES ('$x')";
Now let's suppose $x is 1234 Captain's Creek rd
Your query will now look like this:
$sql = "INSERT INTO `table` (`address`) VALUES ('1234 Captain's Creek rd')";
Do you see the problem there? That ' in the string terminates that field and the lingering string trailing the quoted value is a syntax error, which will cause your query to fail.
If you bind the parameters, you can have mysqli escape the input values:
$sql = $mysqli->prepare("INSERT INTO `table` (`address`) VALUES (?)");
$sql->bind_param("s", $x);
$sql->execute();
If you have questions feel free to ask and I may update.
Upvotes: 1
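To tie the question's insert to the failure mode described in the answer above, here is an added PHP example (not code from the question or from either answer). It reproduces the silent loss of a row when the input contains an apostrophe, then applies the prepared-statement fix to the same insert, and checks the result before the page would go on to take the payment. The connection credentials, the reduced three-column wp_donations layout and the sample form values are assumptions constructed for the demo; swap in your own.

```php
<?php
// Added example, not from the original question or answers. Assumes a MySQL
// database reachable with the credentials below and a wp_donations table with
// at least the columns first_name, second_name and address1 (assumed layout).

// Make mysqli throw exceptions instead of returning false, so a failed query
// can no longer be ignored by accident.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$con = mysqli_connect("localhost", "db_user", "db_password", "db_name"); // assumed credentials

// Constructed sample input. The apostrophes in "O'Brien" and "Captain's Creek Rd"
// terminate the quoted value in the original, interpolated query.
$post = [
    "first_name" => "Ann",
    "surname"    => "O'Brien",
    "address1"   => "1234 Captain's Creek Rd",
];

// 1. The original pattern: form values interpolated straight into the SQL text.
function insertInterpolated(mysqli $con, array $post): bool
{
    $sql = "INSERT INTO wp_donations (first_name, second_name, address1)
            VALUES ('{$post['first_name']}', '{$post['surname']}', '{$post['address1']}')";
    try {
        mysqli_query($con, $sql);
        return true;
    } catch (mysqli_sql_exception $e) {
        // Without MYSQLI_REPORT_STRICT this is just a false return value that the
        // original code never looked at, so the donation row silently vanished.
        error_log("donation insert failed: " . $e->getMessage());
        return false;
    }
}

// 2. The fix: a prepared statement. The values travel separately from the SQL
// text, so quotes in the data cannot change the statement (and cannot inject SQL).
function insertPrepared(mysqli $con, array $post): bool
{
    $stmt = $con->prepare(
        "INSERT INTO wp_donations (first_name, second_name, address1) VALUES (?, ?, ?)"
    );
    $stmt->bind_param("sss", $post["first_name"], $post["surname"], $post["address1"]);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Only continue to the payment processor once the row is confirmed stored;
// otherwise you get exactly the symptom in the question: a payment with no record.
if (!insertInterpolated($con, $post)) {
    echo "interpolated insert failed (the apostrophe broke the SQL)\n";
}
if (insertPrepared($con, $post)) {
    echo "prepared insert stored the row; safe to proceed with the payment\n";
} else {
    echo "insert failed; do not charge the card\n";
}

mysqli_close($con);
```

Two things in this example matter beyond the prepared statement itself: `mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT)` turns the silent `false` from a failed `mysqli_query` into an exception you cannot miss, and the payment step is gated on the insert's return value, so a database failure stops the charge instead of losing the record. Note also that the connection check in the question only echoes an error and then carries on to run the query against a failed connection.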
Reputation: 498
You need to concatenate variables
Like this...
mysqli_query($con, "INSERT INTO wp_donations (prefix, first_name, second_name, amount, address1, address2, citytown, county, country, email, comments, letter, updates, paye)
VALUES ('".$title."','".$first_name."','".$surname."','".$amount2."','".$address1."','".$address2."','".$town."','".$county."','".$country."','".$email."','".$comments."','".$letter."','".$updates."','".$paye."')");
Upvotes: 0