Insert from form to database

Hi guys, I am trying to insert into a database from my form. My form has 2 fields, which are name and email; the form is sent to a file called promoteemail1.php

It's not working, please help.

Here is my code for promoteemail1.php.
I have put " before php so that you can see the code in a list.

<?php
$servername = "localhost";
$username = "username";
$password = "password";
$dbname = "dbname";

// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}


if(isset($_POST['name']) && isset($_POST['email']))
{
    $sql = "INSERT INTO inv1 (name, email)
    VALUES ('".$_POST["name"]." , ".$_POST["email"]."')";

    $result = mysqli_query($conn,$sql);
}

?>

Start here and try again.

$sql = "INSERT INTO inv1 (name, email)
    VALUES ('".$_POST["name"]." , ".$_POST["email"]."')";

Do not concatenate PHP variables into a database query string. It leaves you vulnerable to SQL injection attacks.

PHP’s mysqli and PDO APIs have a feature called Prepared Statements that you should use instead to be safe: https://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php

My personal opinion is that beginners should do no less than 24 different PDO and mysqli_ tutorials before actually trying to use either in a real project. But if you absolutely must work on a real project while still learning you should use a good database library that handles most of the database work for you and does it safely by using prepared statements internally. My suggestion for beginners is to use Idiorm.
https://idiorm.readthedocs.io/en/latest/models.html#creating-new-records

The Idiorm version of this would be something like

<?php
require_once 'idiorm.php';

ORM::configure('mysql:host=localhost;dbname=dbname');
ORM::configure('username', 'username');
ORM::configure('password', 'password');
ORM::configure('driver_options', array(PDO::MYSQL_ATTR_INIT_COMMAND => 'SET NAMES utf8'));
ORM::configure('error_mode', PDO::ERRMODE_WARNING);

$person = ORM::for_table('inv1')->create();

$person->name  = $_POST["name"];

$person->email = $_POST["email"];

$person->save();

You should also not put your database username and password in the actual php files or in any file accessible via a url. Use https://github.com/vlucas/phpdotenv#why-env and keep your credentials in a file outside of the website root folder.
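For readers who want to stay on plain mysqli rather than adopt Idiorm, here is the same INSERT written with a prepared statement. This is an added example, not the original poster's file or the replier's code; the table inv1 and the columns name and email come from the thread, the connection values are placeholders, and the function name insertSubscriber is made up for the example. Binding the values also removes the quoting mistake in the original VALUES clause, where both values ended up inside one pair of single quotes.

```php
<?php
// Added example: the thread's INSERT done with a mysqli prepared statement.
// The SQL text is fixed; the user-supplied values travel separately as
// bound parameters, so quotes or SQL fragments typed into the form are
// stored literally instead of being interpreted as part of the query.

// Throw exceptions on errors instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Placeholder credentials; in practice load them from a file outside the web root.
$conn = new mysqli('localhost', 'username', 'password', 'dbname');
$conn->set_charset('utf8mb4');

// Inserts one row into inv1. Returns the new row id, or null when the
// input is missing or the email address is not syntactically valid.
function insertSubscriber(mysqli $conn, ?string $name, ?string $email): ?int
{
    // Validate before touching the database: both fields are required.
    if ($name === null || $email === null || trim($name) === '') {
        return null;
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }

    // Placeholders (?) instead of string concatenation. No quoting of the
    // values is needed, and none of their characters can alter the statement.
    $stmt = $conn->prepare('INSERT INTO inv1 (name, email) VALUES (?, ?)');
    $stmt->bind_param('ss', $name, $email);   // 's' = bind as string
    $stmt->execute();
    $id = (int) $stmt->insert_id;
    $stmt->close();
    return $id;
}

// Handle the form post. Missing fields arrive as null via the ?? operator
// rather than raising "undefined index" notices.
$id = insertSubscriber($conn, $_POST['name'] ?? null, $_POST['email'] ?? null);
if ($id === null) {
    http_response_code(400);
    echo 'Name and a valid email address are required.';
} else {
    echo 'Saved.';
}
```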

Interesting. I am not a fan of ORMs for beginners; it abstracts too much away and creates reliance on them. I worked for a company where, out of 20 or so devs, only three of us knew anything about databases or how they really worked. I had to assist many times when queries got complex, because the ORM couldn’t handle it and you can’t tweak performance. Now, they are great for simple queries, but that’s pretty much where I feel their value ends.


Just because someone writes SQL query strings instead of using a class doesn’t mean they actually understand databases. I wrote SQL for like 13 years before trying Eloquent and other things, and I guarantee you those 13 years did nothing to improve my knowledge of databases.

When I say they didn’t understand databases, I think you are limiting what I said. We had a query that should have been a stored proc; I suggested it, and the team lead asked me what a stored procedure was. It was that bad!

Outside of the highest paid people in the biggest cities in first world countries it is probably that bad everywhere. I’ve never used a stored procedure either but I’ve also never worked on anything with more than a few hundred thousand records.

But you have heard of them and know where they are used, correct? It depends on the work environments you have been exposed to and what technologies they rely on. I worked for a company that used SPs that were micro-programs unto themselves, 10,000 lines in some cases.

My record sets are a bit bigger than that, and my user bases are probably larger than you’ve dealt with as well. The performance issue that I verified today was dealing with a single ETL process that involved migrating 3m+ records between two different systems.
