user3520573

Reputation: 117

Insert data to database via html form in the same page

<!doctype html>
<html>
<head>
<title>Lab03</title>
</head>
<form id="signin" action="lab_03.php" method="post">
Name: <input type="text" name="name">
<br />
First Name: <input type="text" name="fn">
<br />
SID: <input type="text" name="sid">
<br />
Email Address: <input type="text" name="email">
<input type="submit" value="Submit">
</form>

<?php
include ("connection.php");

mysqli_query($con,"INSERT INTO lab_03 (name, fname, sid, email) VALUES ($POST_[name], $POST_[fn], $POST_[sid], $POST_[email]");



?>
<body>
</body>
</html>

I want to insert data into the database via an HTML form, but I don't want to make another file to insert the data. The above code gives me the following error.

Upvotes: 0

Views: 7063

Answers (7)

train_fox

Reputation: 1537

Try this:

<!doctype html>
<html>
<head>
  <title>Lab03</title>
</head>
<body>
  <form id="signin" action="" method="post">
    Name: <input type="text" name="name"><br />
    First Name: <input type="text" name="fn"><br />
    SID: <input type="text" name="sid"><br />
    Email Address: <input type="text" name="email">
    <input type="submit" value="Submit" name="submit">
  </form>
<?php
  if (isset($_POST['submit'])) {
    include ("connection.php");
    $con = mysqli_connect('server', 'user', 'password', 'db');
    if (mysqli_query($con,"INSERT INTO lab_03 (name, fname, sid, email) VALUES ('{$_POST['name']}', '{$_POST['fn']}', '{$_POST['sid']}', '{$_POST['email']}')") === true) {
      echo "OK, Query Success";
    }
  }

?>
</body>
</html>

Upvotes: 1

Keyur Mistry

Reputation: 926

Try this way; your error will not appear.

<!doctype html>
<html>
<head><title>Lab03</title></head>
<form id="signin" action="" method="post">
Name: <input type="text" name="name">
<br />
First Name: <input type="text" name="fn">
<br />
SID: <input type="text" name="sid">
<br />
Email Address: <input type="text" name="email">
<input type="submit" value="Submit">
</form>

<?php
if (!empty($_POST)) {
include ("connection.php");
mysqli_query($con,"INSERT INTO lab_03 (name, fname, sid, email) VALUES ('".$_POST['name']."', '".$_POST['fn']."', '".$_POST['sid']."', '".$_POST['email']."')");
}


?>
<body>
</body>
</html>

Upvotes: 1

Lepanto

Reputation: 1413

Put all your PHP code above the HTML, and you have used the wrong variable for getting POST values. It should be $_POST, not $POST_.

It is ideal to use mysqli_real_escape_string to escape special characters that may be in POST data values.

<?php
include ("connection.php");

mysqli_query($con,"INSERT INTO lab_03 (name, fname, sid, email) VALUES ('".mysqli_real_escape_string($con, $_POST['name'])."', '".mysqli_real_escape_string($con, $_POST['fn'])."', '".mysqli_real_escape_string($con, $_POST['sid'])."', '".mysqli_real_escape_string($con, $_POST['email'])."')");
?>

Upvotes: 1

Ketan Lathiya

Reputation: 732

Your query should look like this:

mysqli_query($con,"INSERT INTO lab_03 (name, fname, sid, email) VALUES ('".$_POST['name']."', '".$_POST['fn']."',". $_POST['sid'].", '".$_POST['email']."')");

Upvotes: 4

Tzar

Reputation: 1819

Using this answer as a reference, I'd like to point out a major flaw in your code.

You need to put a check if your $_POST variable exists or not, else it'll still throw errors.

Put it like this:

if(isset($_POST['name'])) {
    mysqli_query($con,"INSERT INTO lab_03 (name, fname, sid, email) VALUES ('".$_POST['name']."', '".$_POST['fn']."',". $_POST['sid'].", '".$_POST['email']."')");
}

Also, I suggest you call your PHP code before the form, cause that's the way to do it.

Upvotes: 1

NorthBridge

Reputation: 674

This is a good way to do it:

mysqli_query(
    $con,
    "INSERT INTO lab_03 (
        name, 
        fname, 
        sid, 
        email
    ) 
    VALUES (
        '{$_POST['name']}',
        '{$_POST['fn']}',
        '{$_POST['sid']}',
        '{$_POST['email']}'
    )"
);

To make sure it works, remove the single quotes around {$_POST['something']} if your field in the database is an integer (or anything else not requiring quotes).

Also, keep in mind that currently your code is vulnerable to SQL injections, since you're not sanitizing the input data. Take a look at this question to see how to prevent it.

Upvotes: 1

kimbarcelona

Reputation: 1136

Change your query part to this one:

mysqli_query($con,"INSERT INTO lab_03 (name, fname, sid, email) VALUES ('".$_POST['name']."', '".$_POST['fn']."',". $_POST['sid'].", '".$_POST['email']."')");

Upvotes: 4
