Why does my php form keep yielding empty rows in mysql?

Question

So I am trying to create a form that puts data in a table, and I got it to work, but when it goes to the table, it just creates empty rows. Here is my code, please help me out.

form.php

<form action="tableinsert.php" method="post">
    First Name:<input type="text" name="fname"> <br/>
    Last Name:<input type="text" name="lname"><br/>
    Username:<input type="text" name="uname"><br/>
    Password:<input type="text" name="password"><br/>
    Email:<input type="text" name="email"><br/>
</form>

tableinsert.php

<?php
$sc = mysqli_connect ("localhost" , "dbname" , "password");

if (mysqli_errno($sc))
{
    echo "Sorry, I couldn't connect to the database. If you keep getting this error, please email the webmaster at natashaharrell@hotmail.com " . mysql_error;
}

$si = "INSERT INTO sdb_users (fname, lname, uname, password, email)
VALUES ('$_POST[fname]' , '$_POST[lname]' , '$_POST[uname]' , '$_POST[password]' , '$_POST[email]' )";

if (!mysqli_query($sc, $si))
{
    echo "Sorry there seems to be a problem: " . mysqli_errno($sc) ;
}

else
{
    echo "1 record added.";
}

    mysqli_close($sc);

?>

Answer 1

Firstly, it is a a convention to store the values obtained from the form fields into variables. Do that. Then after that you must clean up the values you got from the text fields. Basically you must clear it of all unexpected stuff like SQL injections (complex stuff). To do that you must use MySQL real escape string. After that is done, substitute the variables in the place of your earlier variables such as $_POST['fname'] or $_POST['lname'].

Hopefully after this you will have a script that works fully.

Answer 2

Replace this

$si = "INSERT INTO sdb_users (fname, lname, uname, password, email)
VALUES ('$_POST[fname]' , '$_POST[lname]' , '$_POST[uname]' , '$_POST[password]' , '$_POST[email]')";

With this:

$si = 'INSERT INTO sdb_users (fname, lname, uname, password, email)
VALUES ("' . $_POST['fname'] . '", "' . $_POST['lname'] . '" , "' . $_POST['uname'] . '", "' . $_POST['password'] . '", "' . $_POST['email'] . '")';

That fixes your actual problem, but as an aside, wrap each of those POST values in MySQLi's string escaping function (I'm a PDO user, but I believe it's MySQLi::real_escape_string). That helps protect you from SQL injection.

The reason it wasn't working is you didn't put the array key in quotes. I changed from double quotes to single, because it's easier to escape values and saves PHP having to process the magic-quoted string.

Answer 3

Use mysqli prepare() http://php.net/manual/en/mysqli.prepare.php to insert data into your SQL queries. There are a lot of simple mistakes that novices can make, to render their code vunerable to security issues, thats why mysql_* has been depreciated

<?php

/* create a prepared statement */
if ($stmt = $mysqli->prepare("INSERT INTO sdb_users (fname, lname, uname, password, email) VALUES ( ?, ?, ?, ?, ? )")) {

/* bind parameters for markers */
$stmt->bind_param("s", $_POST["fname"]);
$stmt->bind_param("s", $_POST["lname"]);
$stmt->bind_param("s", $_POST["uname"]);
$stmt->bind_param("s", $_POST["password"]);
$stmt->bind_param("s", $_POST["email"];

/* execute query */
$stmt->execute();
?>

Answer 4

you might be getting empty row because the form is getting filled with empty values and gets submitted automatically each time you load the page. you should use submit button.

Answer 5

The values you are using in the query are not correct. Try it this way.

$fname = $_POST['fname'];
$lname = $_POST['lname'];
$uname = $_POST['uname'];
$pwd =   $_POST['password'];
$email = $_POST['email']

$si = "INSERT INTO sdb_users (fname, lname, uname, password, email)
        VALUES ('$fname' , '$lname' , '$uname' , '$pwd' , '$email' )";

EDIT: Use mysql_real_escape_string() function to sanatize the data before inserting.

Answer 6

Try that

$si = "INSERT INTO sdb_users (fname, lname, uname, password, email)
VALUES ('".$_POST["fname"]."' , '".$_POST["lname"]."' , '".$_POST["uname"]."' , '".$_POST["password"]."' , '".$_POST["email"]."' )";