Reputation: 82
I'm new to PHP and trying to make this simple form, but I keep finding different examples of how to do it and they're all done with mysql, and I've been told to switch to mysqli.
<html>
<head>
    <title></title>
</head>
<body>
    <!-- Posts the three fields to process.php; the submit button's name is what process.php checks with isset($_POST['submit']) -->
    <form action="process.php" method="post">
        <table>
            <tr><th>Student Details</th></tr>
            <tr>
                <td><label for="student_name">Student Name</label></td>
                <td><input type="text" name="student_name" id="student_name"/></td>
            </tr>
            <tr>
                <td><label for="student_email">Student Email</label></td>
                <td><input type="email" name="student_email" id="student_email"/></td>
            </tr>
            <tr>
                <td><label for="student_city">Student City</label></td>
                <td><input type="text" name="student_city" id="student_city"/></td>
            </tr>
            <tr>
                <td><button name="submit" type="submit">Submit</button></td>
            </tr>
        </table>
    </form>
</body>
</html>
Could someone please look at this code and tell me how to:
A) Avoid the following errors:
Undefined variable: insert in C:\Users\CEO\Google Drive\Form\process.php on line 30
Warning: mysqli_query() expects parameter 1 to be mysqli, null given in C:\Users\CEO\Google Drive\Form\process.php on line 30
B) Apparently this form is a total security risk, what should I add to fix that?
<?php
$server = 'localhost';
$user = 'root';
$pass = '';
$db = 'college';
$conn = mysqli_connect($server, $user, $pass, $db); //Connect to Database
if(isset($_POST['submit'])){
    $name = $_POST['student_name'];
    $email = $_POST['student_email'];
    $city = $_POST['student_city'];
    if($name != "" || $email != "" || $city != ""){
        // Values are pasted straight into the SQL string (this is the injection risk asked about in B)
        $insert = "INSERT INTO students(student_name, student_email,student_contact) VALUES ('$name','$email','$city')";
        $query = mysqli_query($conn,$insert);
        echo "Data inserted";
    }else{
        echo "Failed to insert data";
    }
}
// This runs even when the form was not submitted, so $insert may be unset here (the "Undefined variable" notice);
// the arguments are also swapped: mysqli_query() expects ($conn, $sql), which causes the "expects parameter 1 to be mysqli" warning
if (!mysqli_query($insert, $conn)) {
    die('Error: ' . mysqli_error($conn));
}
echo "1 record added";
mysqli_close($conn);
Upvotes: 0
Views: 79
Reputation: 780723
You assign to $insert inside the if block. But then you try to perform the query outside the if block. So if the if condition is not met, you'll still try to call mysqli_query(), but with an uninitialized variable. You should move that into the if.
if(isset($_POST['submit'])){
    $name = $_POST['student_name'];
    $email = $_POST['student_email'];
    $city = $_POST['student_city'];
    if($name != "" || $email != "" || $city != ""){
        $insert = "INSERT INTO students(student_name, student_email, student_contact)
                   VALUES ('$name','$email','$city')";
        // Query only inside the block where $insert is defined, and check its result here
        if (mysqli_query($conn,$insert)) {
            echo "Data inserted";
        }else{
            echo "Failed to insert data: " . mysqli_error($conn);
        }
    } else {
        echo "You have to fill in name, email, or city";
    }
}
But it's better to use prepared statements.
if(isset($_POST['submit'])){
    $name = $_POST['student_name'];
    $email = $_POST['student_email'];
    $city = $_POST['student_city'];
    if($name != "" || $email != "" || $city != ""){
        // mysqli_prepare() takes the connection as its first argument; the values are bound
        // separately from the SQL text, so user input can never change the query
        $insert = mysqli_prepare($conn, "INSERT INTO students(student_name, student_email, student_contact)
                                         VALUES (?, ?, ?)") or die(mysqli_error($conn));
        mysqli_stmt_bind_param($insert, "sss", $name, $email, $city);
        if (mysqli_stmt_execute($insert)) {
            echo "Data inserted";
        }else{
            echo "Failed to insert data: " . mysqli_stmt_error($insert);
        }
    } else {
        echo "You have to fill in name, email, or city";
    }
}
Upvotes: 3
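As an added example (not code from the question or the answer above), here is a complete process.php for the posted form that applies the answer's advice and the rest of what a reviewer would flag in part B: a prepared statement, input validation, mysqli exceptions instead of unchecked return values, no database error text echoed to the browser, and a dedicated database account instead of root with an empty password. It assumes the same table and column names as the question (including the city going into student_contact); the account name and password are placeholders. Unlike the original `||` check it requires all three fields, which is the usual intent for an insert.

```php
<?php
// Added example: hardened process.php for the student form. Not from the original post.
// Assumes table students(student_name, student_email, student_contact) as in the question.
declare(strict_types=1);

// Make mysqli throw exceptions instead of returning false, so no failure is silently ignored.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function connect(): mysqli
{
    // Placeholder credentials: use a least-privileged account that can only INSERT into students.
    return new mysqli('localhost', 'college_app', 'change-me', 'college');
}

/**
 * Validate the posted fields. Returns ['errors' => [...], 'values' => [name, email, city]].
 */
function validate(array $post): array
{
    $errors = [];
    $name  = trim((string)($post['student_name'] ?? ''));
    $email = trim((string)($post['student_email'] ?? ''));
    $city  = trim((string)($post['student_city'] ?? ''));

    if ($name === '' || strlen($name) > 100) {
        $errors[] = 'Name is required (max 100 characters).';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false || strlen($email) > 254) {
        $errors[] = 'A valid email address is required.';
    }
    if ($city === '' || strlen($city) > 100) {
        $errors[] = 'City is required (max 100 characters).';
    }
    return ['errors' => $errors, 'values' => [$name, $email, $city]];
}

function insertStudent(mysqli $conn, string $name, string $email, string $city): int
{
    // Prepared statement: the SQL text is fixed and the values travel separately, so an
    // input such as  x','y','z'),('evil','e','c  is stored as a literal string instead of
    // adding rows or altering the query, which is what happens with "...VALUES ('$name',...)".
    $stmt = $conn->prepare(
        'INSERT INTO students (student_name, student_email, student_contact) VALUES (?, ?, ?)'
    );
    $stmt->bind_param('sss', $name, $email, $city);
    $stmt->execute();
    return $stmt->affected_rows;
}

// Only handle real submissions of this form.
if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !isset($_POST['submit'])) {
    http_response_code(405);
    exit('Use the form to submit student details.');
}

$result = validate($_POST);
if ($result['errors'] !== []) {
    http_response_code(400);
    // Escape anything echoed back into HTML, even our own messages.
    foreach ($result['errors'] as $msg) {
        echo '<p>' . htmlspecialchars($msg, ENT_QUOTES, 'UTF-8') . '</p>';
    }
    exit;
}

try {
    $conn = connect();
    [$name, $email, $city] = $result['values'];
    $rows = insertStudent($conn, $name, $email, $city);
    echo $rows === 1 ? 'Data inserted' : 'Failed to insert data';
    $conn->close();
} catch (mysqli_sql_exception $e) {
    // Keep the database error server-side; mysqli_error() output reveals schema details to users.
    error_log('student insert failed: ' . $e->getMessage());
    http_response_code(500);
    echo 'Failed to insert data';
}
```

With mysqli_report() set to strict mode, a failed prepare(), bind_param() or execute() throws mysqli_sql_exception, so the `or die(...)` checks from the answer are no longer needed and a typo in the SQL cannot be silently swallowed.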