Reputation: 3
I am trying to insert form data into a mysql database. The connection page works, but I don't know what the issue is in the code.
I've gone through the code over and over and I can't find the error but it didn't work.
How do I insert data into the mysql table after I try to register?
I'm working in Windows.
This is my source code:
<?php
$con = mysql_connect("localhost", "root", "", "tut");
?>
<?php
if(isset($_POST['Submit'])){
$FName= $_POST['First_name'];
$LName = $_POST['Last_name'];
$Email = $_POST['Email'];
$PW = $_POST['Password'];
$sql = mysql_query("INSERT INTO users VALUES('', {$FName}','{$LName}','{$Email}','{$PW}')", $con);
if(isset($_POST['First_name'])){$FName = $_POST['First_name'];}
}
?>
<!DOCTYPE html>
<html>
<head>
<title>Register</title>
<link rel="stylesheet" type="text/css" href="style.css">
<link rel="stylesheet" type="text/css" href="menu.css">
</head>
<body>
<div class="container">
<div class="header">
<img src="index.jpg" style="width: 20%;height: 65px; align: center;">
</div>
<div class="menu" id="menu">
<nav>
<ul class="cssmenu">
<li><a href="#">Register</a></li>
<li><a href="#">Log In</a></li>
</ul>
</nav>
</div>
<div class="leftbody">
<img src="index.jpg">
</div>
<div class="rightbody">
<form action="register.php" method="POST" id="registerform">
<div class="Formelement">
<input type="text" name="First_name" class="tfield" required="required" placeholder="First_Name">
</div><br>
<div class="Formelement">
<input type="text" name="Last_name" class="tfield" required="required" placeholder="Last_Name">
</div><br>
<div class="Formelement">
<input type="text" name="Email" class="tfield" required="required" placeholder="Email">
</div><br>
<div class="Formelement">
<input type="password" name="Password" class="tfield" required="required" placeholder="Password">
</div><br>
<input type="submit" name="Submit" value="Register">
</form>
</div>
<div class="footer"></div>
</div>
</body>
</html>
Upvotes: 0
Views: 81
Reputation: 22580
While jophab's answer might help solve your current situation, there are a few things you should be aware of.
mysql_error
With proper use of this method, you may not have even needed to post a question. This method returns the text message of the error thrown and can give you details such as Unknown column 'xx' in 'field list'.
Use with your current setup may be something like:
$sql = mysql_query("INSERT INTO users VALUES('', {$FName}','{$LName}','{$Email}','{$PW}')", $con);
if (!$sql) die(mysql_error($con));
This would have let you know that you had a syntax error, as can be seen here: VALUES('', {$FName}' <- notice there is a missing quote just before the first {
?
You need to be aware that the method you are following is deprecated and with good reason. What you're doing is allowing any user with the know-how to very easily hack your DB and get all the info they need. The best next step forward is to immediately stop using these methods and learn about MySQLi.
MySQLi allows for a thing called Prepared Statements, which strongly help to reduce your vulnerability. Using MySQLi, your code may look like:
// Connect with MySQLi; the fourth argument selects the database.
$mysqli = new mysqli("localhost", "root", 'ge7@P@s$w04D', "tut");
if (mysqli_connect_errno()) die("Connect failed: " . mysqli_connect_error());
// The ? placeholders keep the submitted values out of the SQL text.
if (!($stmt = $mysqli->prepare("INSERT INTO users (name_first, name_last, email, pass) VALUES (?, ?, ?, ?)"))) die("Preparation failed: " . mysqli_error($mysqli));
$FName = $_POST['First_name'];
$LName = $_POST['Last_name'];
$Email = $_POST['Email'];
$PW = $_POST['Password'];
// "ssss" binds all four values as strings.
if (!($bind = mysqli_stmt_bind_param($stmt, "ssss", $FName, $LName, $Email, $PW))) die("Bind failed: " . mysqli_stmt_error($stmt));
if (!($exec = mysqli_stmt_execute($stmt))) die("Failed to execute query: " . mysqli_stmt_error($stmt));
That's just shooting from the hip, but you will get the idea better once you study a bit more.
More Reading: Choosing an API
As an alternative, you might also consider PDO.
Never use text of password / Always hash it in some manner. This is extremely important if you want to maintain any user security. You and your database should never know what a user's password is. If they don't remember, then you come up with a verification process for them to reset it. A local bank to my old hometown did this and I warned them for 2 years why it was bad. Finally, after ignoring all my warnings, I walked in with a laptop, sat down, unannounced, in the manager's office, and began pulling everyone's password and showing them to him. Of course, at first, he scolded me and threatened to call police. Within just a couple minutes I had convinced him of the problem and ended up getting a thank you with substantial compensation for bringing the error to his attention. This is, without a doubt, on the top 5 list of things to Never Do.
Please take a long look on how to use something like password_hash.
Use in a manner such as:
/**
* This code will benchmark the server to determine how high of a cost I can
* afford. I want to set the highest cost that I can without slowing down
* the server too much. 8-10 is a good baseline, and more is good if the servers
* are fast enough. The code below aims for ≤ 50 milliseconds stretching time,
* which is a good baseline for systems handling interactive logins.
* */
function getCost() {
$timeTarget = 0.05; // 50 milliseconds
$cost = 8;
do {
$cost++;
$start = microtime(true);
password_hash("test", PASSWORD_BCRYPT, ["cost" => $cost]);
$end = microtime(true);
} while (($end - $start) < $timeTarget);
return $cost;
}
/** getHash($pass)
* Hashes $pass with password_hash() using the cost returned by getCost().
* */
function getHash($pass) {
return password_hash($pass, PASSWORD_DEFAULT, [ 'cost' => getCost() ]);
}
$hashPass = getHash($_POST['Password']);
Upvotes: 2
Reputation: 1517
Your String concat is wrong. In order to paste a variable correctly, you have to use another syntax.
BUT I would not recommend fixing and using this kind of code. You would have a SQL injection problem. Try using PDO objects instead. They are not only safe, but also easier to use.
Upvotes: 0
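The two answers above recommend prepared statements, password_hash and PDO; the following is an added example, not code from either answer, that combines them into a registration insert plus the matching login check. It assumes PDO with an in-memory SQLite database in place of the MySQL `tut` database so it runs offline; the function names `registerUser` and `checkLogin` and the sample form values are hypothetical, and the column names are taken from the first answer.

```php
<?php
// Added example. PDO with in-memory SQLite stands in for the MySQL "tut"
// database (assumption, so it runs offline); columns follow the answer above.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // errors throw
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY AUTOINCREMENT,
    name_first TEXT, name_last TEXT, email TEXT UNIQUE, pass TEXT)');

function registerUser(PDO $pdo, array $form): int
{
    // Placeholders keep user input out of the SQL text entirely.
    $stmt = $pdo->prepare(
        'INSERT INTO users (name_first, name_last, email, pass)
         VALUES (:first, :last, :email, :pass)'
    );
    $stmt->execute([
        ':first' => $form['First_name'],
        ':last'  => $form['Last_name'],
        ':email' => $form['Email'],
        // Store only the hash; salt and cost are embedded in the string.
        ':pass'  => password_hash($form['Password'], PASSWORD_DEFAULT),
    ]);
    return (int) $pdo->lastInsertId();
}

function checkLogin(PDO $pdo, string $email, string $password): bool
{
    $stmt = $pdo->prepare('SELECT pass FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $hash = $stmt->fetchColumn(); // false when no row matches
    return $hash !== false && password_verify($password, $hash);
}

// Constructed sample input standing in for $_POST. The apostrophe would
// break the string-built query from the question.
$form = ['First_name' => 'Pat', 'Last_name' => "O'Neil",
         'Email' => 'pat@example.com', 'Password' => 'correct horse'];
$id = registerUser($pdo, $form);

$stmt = $pdo->prepare('SELECT name_last, pass FROM users WHERE id = ?');
$stmt->execute([$id]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
var_dump($row['name_last'] === $form['Last_name']); // checks the apostrophe was stored as data
var_dump($row['pass'] !== $form['Password']);       // checks the column holds a hash
var_dump(checkLogin($pdo, 'pat@example.com', 'correct horse'));
var_dump(checkLogin($pdo, 'pat@example.com', 'wrong password'));
```

Against MySQL only the DSN and credentials passed to `new PDO(...)` change; the prepared statements and the `password_hash` / `password_verify` calls stay the same.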