Gowthaman Prabhu

Reputation: 64

html forms to sql table

I have created a form page named "employee.php" for taking in user data. I also have another file named SQLConnectionProcess.php which contains the code for linking the form in employee.php to the SQL table. The name of the database is "employee information" and the table's name is "employee info". I am using phpMyAdmin and XAMPP for local server testing.

employee.php code:

<html>
<body>

<form name="EmployeeDatabase" action="SQLConnectionProcess.php" method="post">

<link rel="stylesheet" href="css.css">

<h1>EMPLOYEE DATABASE</h1>

Employe Card NO: <input type="text" name="cardNO" ><br><br>
Employee NO: <input type="text" name="employeeNO" ><br><br>
Employee Name: <input type="text" name="employeename"><br><br>
Nationality: <input type="text" name="nationality"><br><br>
Profession: <input type="text" name="profession"><br><br>
DOB: <input type="text" name="DOB"><br><br>
DOJ: <input type="text" name="DOJ"><br><br>
DOA(VisitVisa): <input type="text" name="DOA"><br><br>
Company Code: <input type="text" name="companycode"><br><br>
Sponsor Code: <input type="text" name="sponsorcode"><br><br>
Visa Type: <input type="text" name="visatype"><br><br>
Status: <input type="text" name="status"><br><br>

<input type="submit" name="formSubmit" value="Submit">

</form>

</body>
</html>

SQLConnectionProcess.php code:

  <?php
if(isset($_POST['formSubmit'])){
  $cardNO= isset($_POST['cardNO']) ? $_POST['cardNO'] : 0;
  $employeeNO= isset($_POST['employeeNO']) ? $_POST['employeeNO'] : 0;
  $employeename= isset($_POST['employeename']) ? $_POST['employeename'] : "";
  $nationality= isset($_POST['nationality']) ? $_POST['nationality'] : "";
  $profession= isset($_POST['profession']) ? $_POST['profession'] : "";
  $DOB= isset($_POST['DOB']) ? $_POST['DOB'] : "";
  $DOJ= isset($_POST['DOJ']) ? $_POST['DOJ'] : "";
  $DOA= isset($_POST['DOA']) ? $_POST['DOA'] : "";
  $companycode = isset($_POST['companycode']) ? $_POST['companycode'] : 0;
  $sponsorcode= isset($_POST['sponsorcode']) ? $_POST['sponsorcode'] : 0;
  $visatype= isset($_POST['visatype']) ? $_POST['visatype'] : "";
  $status= isset($_POST['status']) ? $_POST['status'] : "";
  $con = mysqli_connect('localhost','root','','employee information');
  $sql = sprintf("INSERT INTO table_employee info(Employee Card NO,Employee NO,Employee Name,Nationality,Profession,DOB,DOJ,DOA(VisitVisa),Company Code,Sponsor Code,Visa Type,Status) VALUES ('','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s')",$cardNO,$employeeNO,$employeename,$nationality,$profession,$DOB,$DOJ,$DOA,$companycode,$sponsorcode,$visatype,$status);
  mysqli_query($con,$sql);
}
?>

But when I submit my form from employee.php I get the following errors:

Notice: Undefined variable: employeeNO in C:\xampp\htdocs\test1\SQLConnectionProcess.php on line 16

Notice: Undefined variable: sponsorcode in C:\xampp\htdocs\test1\SQLConnectionProcess.php on line 16

I am unable to find the source of the errors. Kindly help me.

Upvotes: 2

Views: 129

Answers (2)

Pinke Helga

Reputation: 6702

Don't rely on data expected from the client. First ensure every value read from the $_POST array is set. If a value is not important you can choose a default value. You can simplify this with a short function:

// Returns $var if it is set, otherwise $default. Because $var is taken by
// reference, passing $_POST['cardNO'] does not raise a notice when the key is absent.
function get(&$var, $default = null)
{
  return isset($var) ? $var : $default;
}

$cardNO = get($_POST['cardNO'], 0);

If a required input is not present, you have to notify the user instead.

Then never, ever mix strings coming from an unsafe source (e.g. the client) into SQL statements. Use prepared statements instead.

$query_string = 'INSERT INTO `tablename` (`fieldname1`, `fieldname2`) VALUES (?,?);';
if($statement = $mysqli_connection->prepare( $query_string ))
{
  // A single bind_param() call binds every placeholder: one type character
  // per variable ('s' = string), followed by the variables in placeholder order.
  $statement->bind_param('ss', $variable1, $variable2);
  $statement->execute();
  // for an INSERT, check $statement->affected_rows; fetch a result set only for SELECT
}

For further information, see also the PHP manual.

Emulated prepared statements should be turned off via options on connect, since otherwise, under some circumstances, encoding attacks are still possible.

If you need to access a database that contains whitespace in identifiers, you can surround those in backticks:

SELECT * FROM `table name with whitespaces`;

Upvotes: 1
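As an added example (not code from the question or from either answer), here is a complete SQLConnectionProcess.php that applies both points of the answer above: every field is validated and missing required fields are reported to the user instead of silently defaulted, and the row is inserted through a mysqli prepared statement whose text contains only backtick-quoted identifiers and `?` placeholders. The column names, the integer typing of the card/employee/company/sponsor numbers, and the YYYY-MM-DD date format are assumptions made for the example; adjust them to the real schema.

```php
<?php
// SQLConnectionProcess.php, hardened: added example, not the original poster's or the answerers' code.
// Assumptions: database `employee information`, table `employee info`, the column names in
// COLUMNS below, DATE columns for DOB/DOJ/DOA, and integer card/employee/company/sponsor numbers.
declare(strict_types=1);

// Form field => mysqli bind type ('i' integer, 's' string), in table column order.
const FIELDS = [
    'cardNO' => 'i', 'employeeNO' => 'i', 'employeename' => 's', 'nationality' => 's',
    'profession' => 's', 'DOB' => 's', 'DOJ' => 's', 'DOA' => 's',
    'companycode' => 'i', 'sponsorcode' => 'i', 'visatype' => 's', 'status' => 's',
];
// Assumed column names, same order as FIELDS. Spaces and parentheses are fine once backticked.
const COLUMNS = [
    'Employee Card NO', 'Employee NO', 'Employee Name', 'Nationality', 'Profession',
    'DOB', 'DOJ', 'DOA(VisitVisa)', 'Company Code', 'Sponsor Code', 'Visa Type', 'Status',
];

/** Validate the submitted form. Returns [values in FIELDS order, list of error messages]. */
function validateEmployeeForm(array $post): array
{
    $values = [];
    $errors = [];
    foreach (FIELDS as $name => $type) {
        $raw = isset($post[$name]) ? trim((string) $post[$name]) : '';
        if ($raw === '') {                      // required field missing: tell the user, do not default
            $errors[] = "Missing field: $name";
            continue;
        }
        if ($type === 'i' && !ctype_digit($raw)) {
            $errors[] = "Field $name must be a whole number";
            continue;
        }
        if (in_array($name, ['DOB', 'DOJ', 'DOA'], true) && !preg_match('/^\d{4}-\d{2}-\d{2}$/', $raw)) {
            $errors[] = "Field $name must be YYYY-MM-DD";
            continue;
        }
        $values[$name] = $type === 'i' ? (int) $raw : $raw;
    }
    return [$values, $errors];
}

/** Backtick-quote a MySQL identifier, doubling any embedded backtick. */
function quoteIdent(string $ident): string
{
    return '`' . str_replace('`', '``', $ident) . '`';
}

/** The statement text contains only quoted identifiers and ? placeholders, never user data. */
function buildInsertSql(string $table, array $columns): string
{
    $cols  = implode(', ', array_map('quoteIdent', $columns));
    $marks = implode(', ', array_fill(0, count($columns), '?'));
    return 'INSERT INTO ' . quoteIdent($table) . " ($cols) VALUES ($marks)";
}

/** Insert one row with a prepared statement; returns the number of affected rows. */
function insertEmployee(mysqli $con, array $values): int
{
    $stmt = $con->prepare(buildInsertSql('employee info', COLUMNS));
    // One bind_param call binds every placeholder: one type character per variable, all at once.
    $params = array_values($values);
    $stmt->bind_param(implode('', FIELDS), ...$params);
    $stmt->execute();
    return $stmt->affected_rows;
}

if (isset($_POST['formSubmit'])) {
    [$values, $errors] = validateEmployeeForm($_POST);
    if ($errors !== []) {
        http_response_code(400);
        foreach ($errors as $e) {
            echo htmlspecialchars($e, ENT_QUOTES, 'UTF-8'), "<br>\n";
        }
        exit;
    }
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // failures become exceptions, not a silent false
    $con = new mysqli('localhost', 'root', '', 'employee information');
    $con->set_charset('utf8mb4'); // charset agreed with the server, so multibyte input cannot confuse the driver
    echo insertEmployee($con, $values) === 1 ? 'Employee saved.' : 'Insert failed.';
}
```

Because the query text is built only from the fixed COLUMNS list and placeholders, a value such as `O'Brien` or a stray `'); --` in the name field is sent to the server as data and cannot change the statement; the backticks make the table and column names with spaces or parentheses valid identifiers.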

RJParikh

Reputation: 4166

Use isset() to prevent the above error.

<?php
if(isset($_POST['formSubmit'])){
  $cardNO= isset($_POST['cardNO']) ? $_POST['cardNO'] : 0;
  $employeeNO= isset($_POST['employeeNO']) ? $_POST['employeeNO'] : 0;
  $employeename= isset($_POST['employeename']) ? $_POST['employeename'] : "";
  $nationality= isset($_POST['nationality']) ? $_POST['nationality'] : "";
  $profession= isset($_POST['profession']) ? $_POST['profession'] : "";
  $DOB= isset($_POST['DOB']) ? $_POST['DOB'] : "";
  $DOJ= isset($_POST['DOJ']) ? $_POST['DOJ'] : "";
  $DOA= isset($_POST['DOA']) ? $_POST['DOA'] : "";
  $companycode = isset($_POST['companycode']) ? $_POST['companycode'] : 0;
  $sponsorcode= isset($_POST['sponsorcode']) ? $_POST['sponsorcode'] : 0;
  $visatype= isset($_POST['visatype']) ? $_POST['visatype'] : "";
  $status= isset($_POST['status']) ? $_POST['status'] : "";
  $con = mysqli_connect('localhost','root','','employee information');
  if(!$con){
    die('Connection failed: ' . mysqli_connect_error());
  }
  // Escape every value before interpolating it; otherwise a quote in the input breaks (or alters) the query.
  $values = array_map(function($v) use ($con){
    return mysqli_real_escape_string($con, (string)$v);
  }, [$cardNO,$employeeNO,$employeename,$nationality,$profession,$DOB,$DOJ,$DOA,$companycode,$sponsorcode,$visatype,$status]);
  // Identifiers containing spaces or parentheses must be backticked, and the column list and the
  // value list must have the same count (12 each). Use the column names from your actual schema.
  $sql = vsprintf("INSERT INTO `employee info`(`EmployeeCardNO`,`EmployeeNO`,`EmployeeName`,`Nationality`,`Profession`,`DOB`,`DOJ`,`DOA(VisitVisa)`,`CompanyCode`,`SponsorCode`,`VisaType`,`Status`) VALUES ('%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s')", $values);
  if(!mysqli_query($con,$sql)){
    die('Insert failed: ' . mysqli_error($con));
  }
}
?>

Upvotes: 4
