
I'm trying to insert data from simple register form into MySQL. I have my db hosted on Amazon AWS RDS, using DBeaver to edit it. When I run the code I get the following

affected_rows." data inserted into database."; } else { echo "An error has occurred. The items were not added."; } $db->close(); ?>

How do I fix this? Is my PHP wrong? I'm confused whether or not I can use MySQLi; how would I determine that? I'm assuming Amazon RDS MySQL is compatible.

<?php
// create short variable names
$name=$_POST['name'];
$birthdate=$_POST['birthdate'];
$email=$_POST['email'];
$password=$_POST['password'];
$address=$_POST['address'];
$city+$_POST['city'];

if (!get_magic_quotes_gpc()) {
    $name = addcslashes($name);
    $birthdate = addslashes($birthdate);
    $email = addcslashes($email);
    $password = addcslashes($password);
    $address = addcslashes($address);
    $city = addcslashes($city);
}

$host='xxxxxx'
$user='admin'
$password='xxxxx'
$dbname='users'
@ $db = mysqli_connect($host,$user,$password,$dbname)

if (mysqli_connect_errno()) {
    echo 'Error: Could not connect to database. Please try again later.';
    exit;
}

// Execute the query
$query = "INSERT INTO vestorinfo (name,birthdate,email,password,address,city)
    VALUES ('$_POST[name]','$_POST[birthdate]','$_POST[email]','$_POST[password]','$_POST[address]','$_POST[city]')";
$result = mysqli_query($query)
        or die ("Couldn't execute query."};

if ($result) {
    echo $db->affected_rows." data inserted into database.";
} else {
    echo "An error has occurred. The items were not added.";
}

$db->close();
?>

Here is the form from the html page

    <div id="registerform">
    <form action="php/registerprocess.php" method="post" class="form-horizontal">

<fieldset>

<!-- Form Name -->

<!-- Text input-->
<div class="form-group">
  <label class="col-md-4 control-label" for="name">Name</label>  
  <div class="col-md-4">
  <input id="name" name="name" placeholder="Your name" class="form-control input-md" required="" type="text">

  </div>
</div>

<!-- Text input-->
<div class="form-group">
  <label class="col-md-4 control-label" for="birthdate">Birth Date</label>  
  <div class="col-md-4">
  <input id="birthdate" name="birthdate" placeholder="07/04/1950" class="form-control input-md" required="" type="text">

  </div>
</div>

<!-- Text input-->
<div class="form-group">
  <label class="col-md-4 control-label" for="email">Email</label>  
  <div class="col-md-4">
  <input id="email" name="email" placeholder="" class="form-control input-md" required="" type="text">

  </div>
</div>

<!-- Password input-->
<div class="form-group">
  <label class="col-md-4 control-label" for="password">Password</label>
  <div class="col-md-4">
    <input id="password" name="password" placeholder="" class="form-control input-md" required="" type="password">
    <span class="help-block">Must be &gt;= 8 characters including at least 1 number</span>
  </div>
</div>

<!-- Text input-->
<div class="form-group">
  <label class="col-md-4 control-label" for="email">Address</label>  
  <div class="col-md-4">
  <input id="address" name="address" placeholder="" class="form-control input-md" required="" type="text">
  </div>
</div>

<!-- Text input-->
<div class="form-group">
  <label class="col-md-4 control-label" for="email">City</label>  
  <div class="col-md-4">
  <input id="city" name="city" placeholder="" class="form-control input-md" required="" type="text">
  </div>
</div>
</div>

</fieldset>
7
  • 3
    It looks like your PHP isn't running and why not echo out the real error? Commented Jun 22, 2017 at 16:32
  • 1
    You are wide open for SQL injection. Since you're using mysqli, take advantage of prepared statements and bind_param. This will fix any pesky quoting issues you may be having. Also check for mysqli errors along the way. Commented Jun 22, 2017 at 16:33
  • $city+$_POST['city']; should be $city=$_POST['city']; Also after having set all these values, why do you fall back to using the $_POST values in your insert? Commented Jun 22, 2017 at 16:41
  • Aside from the already mentioned issues mysqli_query won't work with just a query, you need to pass in the connection object as well. Commented Jun 22, 2017 at 16:45
  • 1
    Possible duplicate of PHP code is not being executed, instead code shows on the page Commented Jun 22, 2017 at 16:47

1 Answer

1

Your code is at risk of SQL injection, and you should use parameter binding instead of variables such as $_POST. Anyway, with respect to your question, the missing insert values could be related to the fact that you are referring to the index of $_POST in the wrong way.

E.g., using concatenation you should:

  // Each value is wrapped in its own pair of single quotes; the input is still unescaped.
  $query = "INSERT INTO vestorinfo (name,birthdate,email,password,address,city)
      VALUES ('" . $_POST['name'] . "', '" . $_POST['birthdate'] . "', '" .
      $_POST['email'] . "', '" . $_POST['password'] . "', '" .
         $_POST['address'] . "', '" . $_POST['city'] . "')";

4 Comments

There are numerous other issues though, such as the PHP not even being executed.
@chris85 Could be. I gave just a first glimpse.
I'd like to at least get the PHP to execute before I start handling the injection issues
It is for this that I have posted my answer... once you understand why it doesn't work you can improve the code for SQL injection... but it is important to remember this
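
The prepared-statement approach recommended in the comments on the question, as an added example (not code from the asker or the answerer). It also passes the connection object explicitly, logs the real mysqli error, and goes one step further by hashing the password. Assumptions: the environment variable names `DB_HOST`, `DB_USER` and `DB_PASS` are hypothetical, and the `password` column is wide enough to hold the output of `password_hash()`.

```php
<?php
// Added example: registerprocess.php around a mysqli prepared statement.
// DB_HOST / DB_USER / DB_PASS are hypothetical environment variable names.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on any mysqli error

// Insert one registration row. Values travel as bound parameters, so no
// addslashes()/magic-quotes handling is needed and input cannot alter the SQL text.
function register_user(mysqli $db, array $post): int
{
    $fields = ['name', 'birthdate', 'email', 'password', 'address', 'city'];
    $row = [];
    foreach ($fields as $f) {
        if (!isset($post[$f]) || !is_string($post[$f]) || trim($post[$f]) === '') {
            throw new InvalidArgumentException("Missing field: $f");
        }
        $row[$f] = trim($post[$f]);
    }
    if (filter_var($row['email'], FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('Invalid email address');
    }
    // Store a hash of the submitted password, never the password itself.
    $hash = password_hash($post['password'], PASSWORD_DEFAULT);
    $stmt = $db->prepare(
        'INSERT INTO vestorinfo (name, birthdate, email, password, address, city)
         VALUES (?, ?, ?, ?, ?, ?)'
    );
    $stmt->bind_param('ssssss', $row['name'], $row['birthdate'], $row['email'],
                      $hash, $row['address'], $row['city']);
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    try {
        $db = new mysqli(getenv('DB_HOST'), getenv('DB_USER'), getenv('DB_PASS'), 'users');
        $db->set_charset('utf8mb4');
        echo register_user($db, $_POST) . ' row inserted.';
        $db->close();
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage());
    } catch (mysqli_sql_exception $e) {
        error_log('register: ' . $e->getMessage()); // real error goes to the server log
        http_response_code(500);
        echo 'An error has occurred. The items were not added.';
    }
}
```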
