CODEWITHSUNDEEP
phpmysqldatabasemysqli
Ryan
Ryan

Reputation: 31

Inserting form data into mysql table (safely)

Here is the edited code? I still receive a 404 error and nothing is sent to the database table. I see dbhh.php (which is the following file) after the url on the 404 page after the form is submitted 

<?php
$servername = "localhost";
$username = "username";
$password = "password";
$dbname = "dbname";

try {
    $conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
    // set the PDO error mode to exception
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    // prepare sql and bind parameters
    $stmt = $conn->prepare("INSERT INTO user_input(first_name1, last_name1, email1) 
    VALUES (:first_name1, :last_name1, :email1)");

    // insert a row

    $stmt->execute([
    ':first_name1' => $_POST["first_name1"],
    ':last_name1'  => $_POST["last_name1"],
    ':email1'      => $_POST["email1"]
]);

        echo "New records created successfully";
    }
catch(PDOException $e)
    {
    echo "Error: " . $e->getMessage();
    }
$conn = null;

?>

Upvotes: 0

Views: 512

Answers (3)

PHP Geek
PHP Geek

Reputation: 4033

try this. i hope it will help you.

<?php
$servername = "localhost";
$username = "username";
$password = "password";
$dbname = "dbname";

$conn = new mysqli($servername, $username, $password, $dbname);
 $stmt = $mysqli->prepare("INSERT INTO user_input (first_name1, last_name1,email1) VALUES (?, ?)");
$stmt->bind_param("si", $_POST['first_name1'], $_POST['last_name1'],$_POST['email1']);
$stmt->execute();
echo "New records created successfully";
$stmt->close();
$conn->close();

?>

Upvotes: 0

mario
mario

Reputation: 145472

What @david said. Albeit a more compact approach is just skipping the manual binding, and passing params per PDO::execute right away:

$stmt->execute([
    ':first_name1' => $_POST["first_name1"],
    ':last_name1'  => $_POST["last_name1"],
    ':email1'      => $_POST["email1"]
]);

Upvotes: 0

david
david

Reputation: 3218

You have declared the POST variable after you prepare the query. First, make sure that the POST values get assigned to variables.

// insert a row
$first_name1 = $_POST["first_name1"];
$last_name1 = $_POST["last_name1"];
$email1 = $_POST["email1"];

$stmt = $conn->prepare("INSERT INTO user_input(first_name1, last_name1, email1) 
VALUES (:first_name1, :last_name1, :email1)");
$stmt->bindParam(':first_name1', $first_name1);
$stmt->bindParam(':last_name1', $last_name1);
$stmt->bindParam(':email1', $email1);
$stmt->execute();

Notice the difference. I put the POST one before the query. When the bindParam get executed, it can get the values.

Upvotes: 1

Related Questions