Post to php database does not work

raoul.k · May 21, 2021, 12:10pm

Hi guys,

So I’ve trying to post a Colour hexa code, a name and surname to a database but I think I’m missing something. Because the execution to the data base does not work. The connection to the right server is made but I cannot execute the data.

// input


if(isset($_POST['submit'])){


	$color = $_POST['favcolor'];
	$name = $_POST['name'];
	$surname = $_POST['surname'];
	
	$sql = "INSERT INTO STUDENTEN(color, name, surname) values( $color, '$name','$surname')";
	
}	


if(mysqli_query($conn,$sql)){

    echo "Records inserted successfully.";

} else{

    echo "ERROR: Could not able to execute $sql. " . mysqli_error($conn);

}

Thank you

skawid · May 21, 2021, 1:11pm

What error do you see?

raoul.k · May 21, 2021, 3:34pm

connection succesfull ERROR: Could not able to execute . 0 results

This one.

phdr · May 21, 2021, 5:30pm

If that’s the literal output you are getting, where there is no $sql or mysqli_error(…) value, it means that a) the form processing code is not being executed and possibly b) that $conn doesn’t actually contain the connection. It also indicates that php’s error_reporting and display_errors settings are not set up to report and display all errors. You would be getting a number of warning and notice error messages about undefined variables and empty/null parameter values.

So, several points -

Find the php.ini that php is using and set error_reporting to E_ALL and set display_errors to ON, so that php will help you. Stop and start your web server to get any changes made the php.ini to take effect.
Don’t attempt to test if the submit button is set. There are cases where it won’t be and it’s also possible that your form has a mistake in it where there is no $_POST[‘submit’] value. Instead, just detect if a post method form was submitted.
ALL the form processing code must be inside the conditional statement that has detected if the form has been submitted. The existing code is building the sql query statement when it thinks the form has been submitted, but the code executing the query is after and outside of the form processing code and is always being executed, meaning it will produce an error (the output you are current getting) simply because the page was requested.
Don’t copy variables to other variables for nothing. This is just a waste of typing. Keep the form data as an array and use elements in the array throughout the rest of the code.
You should trim, then validate all inputs before using them, storing validation errors in an array, using the field name as the array index. After all the validation, if there are no errors (the array will be empty), use the submitted data.
Don’t put external, unknown, dynamic values directly into an sql query statement. This is not safe. Instead, use a prepared query. You might also want to switch to the much simpler PDO extension, since the mysqli extension is overly complicated and inconsistent, especially when dealing with prepared queries.
The ‘favcolor’ value is a string, as far as the database is concerned. For your current sql query statement, you would need to put single-quotes around it, to avoid getting a query error. This problem will go away when you switch to use a prepared query, because you no longer clutter up the sql query statement with single-quotes and php variables, just simple ? place-holders.
Don’t bother with hard-code error handling logic, that will actually help hackers when they intentionally trigger errors. Instead, use exceptions for database errors and in most cases let php catch and handle the exception, where php will use its error related settings (see item #1 on this list) to control what happens with the actual error information. The exception to this rule is when inserting/updating user submitted data, which is actually what you are doing here. In this case, your code should catch the exception, detect if the error number is for something your code is designed to handle (a unique index for something about the data being inserted that identifies who the student is), and set up a message telling the user what was wrong with the data they submitted. For all other error numbers, just re-throw the exception and let php handle it.
Upon successful completion of the form processing code, redirect to the exact same url of the current page to cause a get request for that page. This will stop the browser from trying to re-submit the form data if you reload that page or browse away from and back to it. To display a one-time success message, store it in a session variable, then test, display, and clear the session variable at the appropriate point in the html document.
Use the same name for an item throughout the code. If color is what you are calling the column in the database table, use color everywhere. If favcolor is a more appropriate name, use favcolor everywhere, even for the column name.

devac9039 · May 22, 2021, 4:01am

$sql = "INSERT INTO STUDENTEN(color, name, surname) values( $color, $name,$surname)";