Why is this not working

Can I use this to send form data to the database?

$fname = null;
$lname = null;
$address = null;
$city = null;
$zip = null;
$phone = null;
$email = null;
$total = null;

if(isset($_POST['submit'])) {
    $fname = $_POST['fname'];
    $lname = $_POST['lname'];
    $address = $_POST['address'];
    $city = $_POST['city'];
    $zip = $_POST['zip'];
    $phone = $_POST['phone'];
    $email = $_POST['email'];

    $query_params = array(
        ':fname' => $_POST['fname'],
        ':lname' => $_POST['lname'],
        ':address' => $_POST['address'],
        ':city' => $_POST['city'],
        ':zip' => $_POST['zip'],
        ':phone' => $_POST['phone'],
        ':email' => $_POST['email'],
        ':total' => $_POST['total']
    );

    $query = mysqli_query($connect, $sql);

    echo "Your message has been sent! <br>";
}


$sql = "INSERT INTO delivery(id,fname,lname,address,city,zip,phone,email)
VALUES('',':fname',':lname',':address',':city',':zip',':phone',':email')";

This code doesn’t work because it is a random collection of different, out of order things.

You should be getting at least an undefined error message for the $sql variable being used in the mysqli_query() statement that would help point out a serious problem with the arrangement of the code. The $sql variable is being assigned a value after the point where it is being used and in fact it's after the end and outside of the form processing code. The sql query statement must be built inside of the form processing code and come before the point where you try to execute the query.

So, specifically what’s wrong with this code -

  1. All the variable = null assignment statements were an attempt at making errors go away without actually solving the problem causing the errors. The problem causing the original undefined error messages was because there was code referencing those variables that was not inside the post method form processing code. The correct solution would have been to move the part of the code that is outside of and after the end of the form processing code to be inside of and in the correct order in the form processing code.
  2. All lines copying $_POST variables to other variables are a waste of time, as nothing useful is accomplished by doing this, and in fact the current code isn’t even using the copies of the post data. If you did have a good reason to modify a copy of the post data, such as if you were trimming it, you would do this using a single statement, not write out a line of code for each possible form field.
  3. The $query_params array is part of using a prepared query with the PDO extension, and is again done using an overly complicated waste of typing time. You should use ? (positional) place-holders and just produce an array of the input data in the proper order to match the column order in the query. However, since you are still apparently using the mysqli extension in the code, the $query_params array is not compatible.
  4. You are using the mysqli_query() statement to execute the query, but you haven’t yet defined the $sql variable holding the sql query. It’s defined later and therefore doesn’t exist at the point where you are trying to execute it.
  5. You are ending the form processing code, the closing }, so the rest of the code is not part of the form processing code and is being executed each time the page gets requested.
  6. The syntax being used in the sql query statement is that for a PDO prepared query and won’t work with the mysqli extension.

So, what should post method form processing code do -

  1. Detect that a post method form has been submitted and all the form processing code should be inside of a conditional statement so that it is only executed if the form has been submitted.
  2. Trim all the form data at once, then use the trimmed copy in the rest of the code.
  3. Validate all input data before using it, storing validation errors in an array.
  4. If there are no validation errors (the errors array will be empty) use the submitted form data.
  5. Use the PDO extension, instead of the mysqli extension. The PDO extension is simpler and more consistent than the mysqli extension.
  6. Use exceptions for database errors and in most cases let php catch and handle the exception where it will use its error related settings to control what happens with the actual error information (database errors will get displayed or logged the same as php errors.) The exception to this rule is when inserting/updating user submitted data and you need to detect duplicate or out of range values. In this case, your code should catch the exception, detect if the error number is one that it can handle, and set up a user error message telling the user what was wrong with the submitted data. If the error number is not one that your code can handle, re-throw the exception and let php handle it.
  7. Use a prepared query when supplying external/unknown data to an sql query statement. Use ? place-holders, and use implicit binding (supply an array of the data values as a call-time parameter in the execute([…]) call.)
  8. After the submitted form data has been processed, if there are no errors, perform a redirect to the exact same URL of the form processing code to cause a GET request. If there are errors, you would let the code continue, display the errors in the html document, and re-display the form, populating the fields with the previously submitted data values so that the user doesn’t need to keep re-entering data.
  9. Any dynamic value that gets output onto a web page needs to have htmlentities() applied to it to help prevent cross site scripting.
  10. As a more advanced subject, when you have more than about 2-3 form fields, you should dynamically process them, rather than to write out bespoke code for each field, by defining the expected fields in an array, along with any validation steps, and any permitted query usage.

You are probably thinking that this is a lot of work. Yes, writing code that is secure, provides a good user experience, and either works or displays/logs why it isn’t working, does take a lot of work.
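The following is an added example, not code from either poster, showing the ten steps listed in the reply above as one complete post method form handler. It assumes a PDO connection in $pdo (the DSN, user name and password are placeholders), the delivery table with the column names used in the question, and a set of per-field validation rules that are constructed here for illustration.

```php
<?php
// Added example (not the forum posters' code): a post-method form handler that
// follows the steps in the reply. The PDO credentials, field rules and error
// messages are assumptions constructed for this example.
declare(strict_types=1);

// Step 6: PDO throws exceptions for database errors; php displays or logs any
// exception this code does not catch, according to its error settings.
$pdo = new PDO('mysql:host=localhost;dbname=shop;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

// Step 10: the expected fields are defined once, with their validation rules,
// so no bespoke code per field is needed.
$fields = [
    'fname'   => ['label' => 'First name', 'required' => true,  'max' => 50],
    'lname'   => ['label' => 'Last name',  'required' => true,  'max' => 50],
    'address' => ['label' => 'Address',    'required' => true,  'max' => 200],
    'city'    => ['label' => 'City',       'required' => true,  'max' => 100],
    'zip'     => ['label' => 'ZIP',        'required' => true,  'regex' => '/^\d{5}$/'],
    'phone'   => ['label' => 'Phone',      'required' => false, 'regex' => '/^[0-9+\-() ]{7,20}$/'],
    'email'   => ['label' => 'Email',      'required' => true,  'filter' => FILTER_VALIDATE_EMAIL],
];

$errors = [];   // Step 3: validation errors are collected here
$post   = [];   // trimmed copy of the submitted data

// Step 1: the processing code only runs when a post method form was submitted.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Step 2: trim every submitted value in one statement; non-string input is discarded.
    $post = array_map(fn($v) => is_string($v) ? trim($v) : '', $_POST);

    // Step 3: validate every defined field against its rules.
    foreach ($fields as $name => $rule) {
        $value = $post[$name] ?? '';
        if ($value === '') {
            if ($rule['required']) {
                $errors[$name] = $rule['label'] . ' is required.';
            }
            continue;
        }
        if (isset($rule['max']) && mb_strlen($value) > $rule['max']) {
            $errors[$name] = $rule['label'] . ' is too long.';
        } elseif (isset($rule['regex']) && !preg_match($rule['regex'], $value)) {
            $errors[$name] = $rule['label'] . ' is not in a valid format.';
        } elseif (isset($rule['filter']) && filter_var($value, $rule['filter']) === false) {
            $errors[$name] = $rule['label'] . ' is not valid.';
        }
    }

    // Steps 4 and 7: with no errors, insert through a prepared query using ?
    // place-holders; the values array is in the same order as the column list
    // and is bound implicitly by execute([...]).
    if (!$errors) {
        $columns = array_keys($fields);
        $sql = 'INSERT INTO delivery (' . implode(',', $columns) . ') VALUES ('
             . implode(',', array_fill(0, count($columns), '?')) . ')';
        $values = array_map(fn($name) => $post[$name] ?? '', $columns);
        try {
            $pdo->prepare($sql)->execute($values);
        } catch (PDOException $e) {
            // Step 6: 1062 is MySQL's duplicate-entry error (assumes a unique
            // index on email); any other error is re-thrown for php to handle.
            if (($e->errorInfo[1] ?? null) === 1062) {
                $errors['email'] = 'That email address has already been used.';
            } else {
                throw $e;
            }
        }
    }

    // Step 8: on success, redirect to the same URL so the browser makes a GET request.
    if (!$errors) {
        header('Location: ' . $_SERVER['REQUEST_URI']);
        exit;
    }
}

// Step 9: every dynamic value written into the html goes through htmlentities().
function h(string $s): string {
    return htmlentities($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
?>
<?php if ($errors): ?>
<ul class="errors">
<?php foreach ($errors as $msg): ?>
  <li><?= h($msg) ?></li>
<?php endforeach; ?>
</ul>
<?php endif; ?>
<form method="post">
<?php foreach ($fields as $name => $rule): ?>
  <label><?= h($rule['label']) ?>
    <input type="text" name="<?= h($name) ?>" value="<?= h($post[$name] ?? '') ?>">
  </label>
<?php endforeach; ?>
  <button type="submit">Send</button>
</form>
```

Because the column list is built from the hard-coded keys of $fields and every submitted value travels through a ? place-holder, no user input is ever concatenated into the SQL string; on a validation or duplicate-entry error the form is re-displayed with the trimmed values filled back in, and on success the redirect prevents a browser refresh from re-submitting the insert.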