Peter Chappy

Reputation: 1179

PHP not inserting into tables

I'm having trouble getting a practice signup form to submit data to my database ...

<!DOCTYPE HTML> 
<html>
<head>
</head>
<body> 

<?php
$name = $email = $password = "";
?>

<form method="post"> 
Name: <input type="text" name="name">
<br><br>
E-mail: <input type="text" name="email">
<br><br>
Password: <input type="text" name="password">
<br><br>
<input type="submit" value="Submit" name="submit">
</form>

<?php
if(isset($_POST['submit'])){
    $name = fix_input($_POST["name"]);
    $email = fix_input($_POST["email"]);
    $password = fix_input($_POST["password"]);
    mysqli_connect("localhost","username","password","dbname") or die(mysql_error()); 
    mysql_query("INSERT INTO ('username','password') VALUES ('$name', md5('$password'))"); 
    Print "You've been signed up successfully"; } 


function fix_input($data)
{   
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    return $data;
}
?>

</body>
</html>

Upvotes: 0

Views: 107

Answers (4)

EnergyWasRaw

Reputation: 134

In addition to Ugur's answer, you are mismatching mysqli commands and mysql commands. Here's how to do this in an object oriented fashion:

// create mysqli database object (the class is mysqli, not mysqli_connect)
$mysqli = new mysqli("localhost","username","password","database");
// store your query in a variable. question marks are filled by variables
// (column names are not quoted; quotes would turn them into string literals)
$sql = "INSERT INTO table_name (username, password) VALUES (?,?)";
// prepare command uses $sql variable as query
$stmt = $mysqli->prepare($sql);
// bind_param takes its arguments by reference, so hash into a variable first
$hashed = md5($password);
// "ss" means your 2 variables are strings, then you pass your two variables.
$stmt->bind_param("ss", $name, $hashed);
// execute does as it seems, executes the query.
$stmt->execute();
// then print your success message here.

Using prepared statements removes the need to sanitize user input, as harmful input is not substituted into the query directly. For more reading:

http://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php

There are some good tips there for using prepared statements in many different scenarios, and towards the bottom there is an explanation of how prepared statements prevent SQL injection.

Upvotes: 1

Awlad Liton

Reputation: 9351

You don't have a table name in your query! Also, do not use quotation marks around your column names :)

You have mixed up mysqli and mysql.
Change

  mysql_query("INSERT INTO ('username','password') VALUES ('$name', md5('$password'))"); 

to

// procedural mysqli_query() needs the connection handle as its first argument
$conn = mysqli_connect("localhost","username","password","dbname");
mysqli_query($conn, "INSERT INTO your_table (username, password) VALUES ('$name', md5('$password'))"); 

Upvotes: 0

Funk Forty Niner

Reputation: 74217

You're mixing mysql_* with mysqli_* functions, i.e.: mysqli_connect and mysql_query and you're wrapping your column names in quotes, plus you're missing the table name to insert into.

Try the following, fixed code:

if(isset($_POST['submit'])){
    $name = fix_input($_POST["name"]);
    $email = fix_input($_POST["email"]);
    $password = fix_input($_POST["password"]);
    // keep the connection handle; mysqli_query() needs it, and errors come from mysqli_*, not mysql_*
    $db = mysqli_connect("localhost","username","password","dbname") or die(mysqli_connect_error()); 
    mysqli_query($db, "INSERT INTO `your_table` (`username`,`password`) VALUES ('$name', md5('$password'))"); 
    print "You've been signed up successfully";
}

You're also using password storage technology that dates back to 1996. MD5 is no longer considered safe to use.

I suggest you look into PHP's password function: http://php.net/password

And if you're having problems with your fix_input() function, you should consider using the mysqli_real_escape_string() function.

Then set up a DB connection while passing a variable to it.

$DB_HOST = "xxx";
$DB_NAME = "xxx";
$DB_PASS = "xxx";
$DB_USER = "xxx";

$db = new mysqli($DB_HOST, $DB_USER, $DB_PASS, $DB_NAME);
if($db->connect_errno > 0) {
  die('Connection failed [' . $db->connect_error . ']');
}

and instead of using:

$name = fix_input($_POST["name"]);

use the following:

$name = mysqli_real_escape_string($db, $_POST['name']);

and do the same for the rest.

Upvotes: 1
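The two fixes recommended in this thread, EnergyWasRaw's prepared statement and Funk Forty Niner's pointer to PHP's password functions, combined into one complete signup handler. This is an added example, not code from the question or from any of the answers; the `users` table and its `username`/`email`/`password_hash` columns, the connection credentials, the validation rules, and the mysqlnd-backed `get_result()` call are assumptions.

```php
<?php
// Added example (not from the question or answers above): signup and login
// using a mysqli prepared statement and password_hash()/password_verify().
// Table users(username, email, password_hash) and the credentials are assumed.
declare(strict_types=1);

// Make mysqli throw on failure instead of returning false, so a failed connect
// or INSERT can never be followed by a false "signed up successfully" message.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function db(): mysqli
{
    $db = new mysqli('localhost', 'username', 'password', 'dbname'); // placeholders
    $db->set_charset('utf8mb4'); // connection charset must match the table's
    return $db;
}

function register(mysqli $db, string $username, string $email, string $password): int
{
    // Validate and reject; do not "fix" input by rewriting it. In particular,
    // htmlspecialchars() before storage would alter a password like a&b<c.
    if (!preg_match('/^[A-Za-z0-9_]{3,32}$/', $username)) {
        throw new InvalidArgumentException('username must be 3-32 chars of [A-Za-z0-9_]');
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid e-mail address');
    }
    if (strlen($password) < 12) {
        throw new InvalidArgumentException('password must be at least 12 characters');
    }

    // Salted, deliberately slow hash; algorithm, cost and salt are encoded in the result.
    $hash = password_hash($password, PASSWORD_DEFAULT);

    // Placeholders keep the data out of the SQL text, so a username such as
    // ' OR 1=1 -- is stored as that literal string rather than parsed as SQL.
    $stmt = $db->prepare('INSERT INTO users (username, email, password_hash) VALUES (?, ?, ?)');
    $stmt->bind_param('sss', $username, $email, $hash);
    $stmt->execute();
    return (int) $db->insert_id;
}

function login(mysqli $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() needs the mysqlnd driver

    // Always run password_verify(), against a dummy hash when the user does not
    // exist, so response time does not reveal which usernames are registered.
    $stored = $row['password_hash'] ?? password_hash('unused-dummy-value', PASSWORD_DEFAULT);
    $ok = password_verify($password, $stored);
    return $row !== null && $ok;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['submit'])) {
    $name = is_string($_POST['name'] ?? null) ? $_POST['name'] : '';
    $email = is_string($_POST['email'] ?? null) ? $_POST['email'] : '';
    $password = is_string($_POST['password'] ?? null) ? $_POST['password'] : '';
    try {
        $id = register(db(), $name, $email, $password);
        // Escape on OUTPUT, where the data meets HTML, not before storage.
        echo 'User ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . " signed up (id $id)";
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    } catch (mysqli_sql_exception $e) {
        http_response_code(500);
        error_log('signup failed: ' . $e->getMessage()); // detail to the log, not the user
        echo 'Signup failed';
    }
}
```

Two design points worth noting: `MYSQLI_REPORT_STRICT` turns the `or die(...)` pattern into ordinary exception handling, so the success message is only reached when the INSERT actually ran; and the stored value is a `password_hash()` string rather than an MD5 digest, so `password_verify()` can keep working unchanged when `PASSWORD_DEFAULT` later changes algorithm or cost.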

Uğur Özpınar

Reputation: 1043

Missing table name

mysql_query("INSERT INTO ......  ('username','password') VALUES ('$name', md5('$password'))"); 

Upvotes: 1
