How do I insert data in a mySQL database from a form using PHP?

Question

I need to insert students into my database.

The Students table has 3 fields. id_Students, Student_firstname and Student_surname

I want the user to insert the data into a form, press a submit button and then the data be added to the database, but I'm not having much luck.

Here is what I have done so far:

The form:

<form method="POST">
First name: <input type="text" name="firstname"><br>
Surname: <input type="text" name="surname">
<input type="submit" name="action"></button>
</form>

The function to add the student:

function addStudent()
{
$data = "INSERT INTO Students (Student_firstname, Student_surname)
VALUES('$_POST['firstname']', '$_POST['surname']')";
if(!$data)
{
die("Invalid Query: " . mysql_error());
}
}

if( isset($_POST['action']))
        {
            addStudent();
        }

My first thought is that I am not asking the user to input the student id number, but this is set to auto-incrementing, which made me think I could add the other 2 fields and the id would be filled in automatically.

Furthermore, I do not recieve my error message, the data is simply not put into the table.

Answer 1

You haven't executed the Query. After

$data = "INSERT INTO Students (Student_firstname, Student_surname)
VALUES('$_POST['firstname']', '$_POST['surname']')";

You should execute your SQL query by,

 $exec = mysql_query( $data, $con );

where $data is your query & $con is estabilishing mysql connection.

Answer 2

• First thing below is not correct

  $data = "INSERT INTO Students (Student_firstname, Student_surname) VALUES('$_POST['firstname']', '$_POST['surname']')";

• it should be as

  $data = "INSERT INTO Students (Student_firstname, Student_surname) VALUES('".$_POST['firstname']."', '".$_POST['surname']."')";

• 2nd thing

You are not executing the query you need use mysql_query() learn here https://www.php.net/mysql_query

• 3rd thing your code is vulnerable to sql injection so use mysqli_* functions or PDO with prepare statement.

Answer 3

You should use prepared statements so you can combat SQL Injection from malicious users, and a conditional statement in order to evaluate whether or not our insertion was successful.

function addStudent(){
    $mysqli = new mysqli('host', 'user', 'password', 'database');
    $stmt = $mysqli->prepare('INSERT INTO Students (Student_firstname, Student_surname) VALUES(?, ?)');
    $stmt->bind_param('ss', $_POST['firstname'], $_POST['surname']);
    if($stmt->execute()):
        echo 'We have successfully added this student.';
    else:
        exit('execute() failed: ' . $stmt->error);
    endif;
    $stmt->close();
}

Answer 4

-- You need to execute query.
-- your query is not correct

try like this:

function addStudent()
{
 $data = "INSERT INTO Students (Student_firstname, Student_surname)
 VALUES('".$_POST['firstname']."', '".$_POST['surname']."')";
 $mysqli = new mysqli("host", "my_user", "my_password", "db_name");
 if ($mysqli->connect_errno) {
    printf("Connect failed: %s\n", $mysqli->connect_error);
     exit();
 }


 if(!$mysqli->query($data))
 {
   die("Invalid Query: " . $mysqli->error());
  }
}

Answer 5

you have to run the query using mysql_query

$sql = "INSERT INTO Students (Student_firstname, Student_surname)
VALUES('$_POST['firstname']', '$_POST['surname']')";
$result=mysql_query($sql);

also its better to use mysqli than mysql as its being deprecated. You may also need to read a bit about SQL injection also