Jamie Collingwood

Reputation: 689

inserting into mysql with php

I am trying my hand at inserting into a MySQL db via a PHP form and I'm running into an issue where only the second form field is being entered but not the first.

EDIT

Here is the code after rewrite.

HTML

<form action="submit.php" method="post">
First Name: <input name="first_name" type="text" size="20" maxlength="25"><br>
Last Name: <input name="last_name" type="text" size="20" maxlength="25"><br>
</form> 

PHP

$dbhost  = 'xx';
$dbname  = 'xx';
$dbuser  = 'xx';
$dbpass  = 'xx'; 
$con = mysqli_connect($dbhost, $dbuser, $dbpass);


$first_name = mysqli_real_escape_string($con, $_POST['first_name']);
$last_name = mysqli_real_escape_string($con, $_POST['last_name']);


$query = "INSERT INTO tbl_customerinfotest VALUES ('$first_name','$last_name');";
echo $query;

mysqli_close($con);

The database is connecting fine, but still the same issue. First name is giving a null value. Doing a print on the $post gives me: Array ( [first_name] => [last_name] => collingwood

EDIT: I changed the form name to firstname without the _ and now it works?

Also, is this more secure now that it is sqli? Would the next step in security be to use a prepared statement?

Upvotes: 0

Views: 156

Answers (3)

Daniel P

Reputation: 461

From what I see it should work but I think there is a part of code that you haven't posted that is messing things up.

While coding PHP you should always have PHP warnings enabled!

Like others mentioned, you need to sanitise your data before using it. This means you have to test it for any unwanted input (this is where regular expression functions are very handy).

Also your HTML code has unclosed tags!

<input name="first_name" type="text" size="20" maxlength="25"><br>

should be

<input name="first_name" type="text" size="20" maxlength="25" /><br />

Upvotes: 1

wazy

Reputation: 1065

EDIT:

In response to OP's edit this works fine for me:

Index.html

<form action="submit.php" method="post">
First Name: <input name="first_name" type="text" size="20" maxlength="25"><br>
Last Name: <input name="last_name" type="text" size="20" maxlength="25"><br>
<input type="submit" value="Submit">
</form>

Submit.php

<?php 
    $dbhost  = '';
    $dbname  = '';
    $dbuser  = '';
    $dbpass  = ''; 
    $con = mysqli_connect($dbhost, $dbuser, $dbpass);


    $first_name = mysqli_real_escape_string($con, $_POST['first_name']);
    $last_name = mysqli_real_escape_string($con, $_POST['last_name']);


    $query = "INSERT INTO test.tbl_customerinfotest VALUES ('$first_name','$last_name');";
    echo $query;

    mysqli_query($con, $query);
    echo mysqli_error($con);

    mysqli_close($con);
?>

It is much better that you use mysqli functions now instead of the deprecated mysql_* ones. Read the docs here https://www.php.net/manual/en/mysqli.overview.php for a more detailed explanation of why you should use mysqli_* over mysql_*.

Upvotes: 1

Marcelo Pascual

Reputation: 820

I would first get the posted data into variables, like this (I'm also adding real_escape_string function which is really important):

$first_name = mysql_real_escape_string($_POST['first_name']);
$last_name = mysql_real_escape_string($_POST['last_name']);

Please note the single quotes inside $_POST array

And then try the query:

$query = "INSERT INTO tbl_customerinfotest (first_name, last_name) VALUES ('$first_name','$last_name')";

Lastly, you should use mysqli or PDO functions, as mysql_* are deprecated.

If it still doesn't work, add print_r($_POST); at the beginning of your PHP script, to see if posted data is correct and has correct names.

Upvotes: 3
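
The question asks whether a prepared statement is the next step after mysqli_real_escape_string, and the last answer recommends mysqli or PDO. As an added example (not code from any poster in this thread), here is submit.php using a mysqli prepared statement with server-side validation of both fields; the helper names clean_name and insert_customer are hypothetical, the column names first_name and last_name are assumed from the last answer's query, and the connection values are placeholders.

```php
<?php
// Added example, not code from the thread. Table and column names are taken from
// the posts above; the connection values are placeholders.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

// Require a non-empty string of at most $max characters. The form's maxlength="25"
// is only a browser-side hint, so it is enforced again here (needs ext-mbstring).
function clean_name(array $post, string $key, int $max = 25): string
{
    $value = $post[$key] ?? null;
    if (!is_string($value)) {
        throw new InvalidArgumentException("$key is missing");
    }
    $value = trim($value);
    if ($value === '' || mb_strlen($value) > $max) {
        throw new InvalidArgumentException("$key must be 1 to $max characters");
    }
    return $value;
}

function insert_customer(mysqli $con, string $first, string $last): void
{
    // The SQL text is fixed; the values are sent separately as bound parameters,
    // so a quote inside a name cannot change the structure of the statement.
    $stmt = $con->prepare(
        'INSERT INTO tbl_customerinfotest (first_name, last_name) VALUES (?, ?)'
    );
    $stmt->bind_param('ss', $first, $last);
    $stmt->execute();
    $stmt->close();
}

try {
    $first = clean_name($_POST, 'first_name');
    $last  = clean_name($_POST, 'last_name');
    $con = new mysqli('xx', 'xx', 'xx', 'xx'); // host, user, password, database
    $con->set_charset('utf8mb4');
    insert_customer($con, $first, $last);
    $con->close();
    echo 'Saved ', htmlspecialchars("$first $last", ENT_QUOTES, 'UTF-8');
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
} catch (mysqli_sql_exception $e) {
    http_response_code(500);
    error_log($e->getMessage()); // keep details in the server log only
    echo 'Database error';
}
```

With bound parameters no escaping call is needed, and a missing or empty first_name is rejected with a 400 response instead of being inserted as an empty value.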
