Being new to PHP, I am trying to learn a simple login example from the video from "TheProgrammingSchool.com", but this code to insert data in the table named "user_info" in the database "users" is not working. But in his video it seems it is working; maybe I am doing something wrong. Can anyone look into the code below?
The "user_info" table consists of "user_id", "username", "password" and "email". Here is the code:
Code:
<?php
mysql_connect('localhost','root','');
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title> USERS LOGIN SYSTEM</title>
</head>
<body>
<?php
if(!isset($_POST['submit'])) {
?>
<form action="index.php" method="post">
<table border="1">
<tr>
<td>Username</td><td><input type="text" name="username"></td>
</tr>
<tr>
<td>Password</td><td><input type="password" name="password"></td>
</tr>
<tr>
<td>Password Confirm</td><td><input type="password" name="passwordconf"></td>
</tr>
<tr>
<td>Email</td><td><input type="text" name="email"></td>
</tr>
<tr>
<td colspan="2" align="center">
<input type="submit" value="CreateUser" name="submit"></td>
</tr>
</table>
</form>
<?php
}
else {
$username=$_POST['username'];
$password = $_POST['password'];
$passwordconf = $_POST['passwordconf'];
$email = $_POST['email'];
$errors = array();
if(!$username) {
$errors[1] = "You have not entered your username.";}
if(!$password) {
$errors[2] = "You have not entered your password.";}
if(!$passwordconf) {
$errors[3] = "You have not enetered your password confirmation.";}
if($password !=$passwordconf) {
$errors[4] = "You password and password confirmation mismatched.";}
if(!$email) {
$errors[5] = "You have not enetered your email.";
}
if( count($errors)>0) {
foreach($errors as $error){
echo "$error<br>";
}
}
else{
mysql_query("INSERT INTO 'users'.'user_info'
('username','password','email')
VALUES('".$username."', '".md5($password)."','".$email."');");
}
}
?>
</body>
</html>
"Please give us a simple answer, so that we don't have to think, because if we think, we might find answers that don't fit the way we want the world to be."
~ Terry Pratchett in Nation
I have created a database named "users" and one table for this database named "user_info". Is the rest of the code ok? I will follow your instructions as well. Thanks for the reply.
In MySQL the character for quoting table/column names is the left quote or back-tick: `
You have a 'normal' quote around them: '
That 'normal' (or straight) quote is only for literal character values, such as you have around the variables in the VALUES() clause.
On a side note, you are inserting the $username and $email values without any sort of escaping, leaving your script open to SQL injection. (The md5() of the password should take care of any issues in that case, though you really should be using at least sha1() with a "salt" for better security.) So....
PHP Code:
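else {
    // Escape the user-supplied values before placing them in the query text.
    $sql = sprintf(
        "INSERT INTO `users`.`user_info`
        (`username`,`password`,`email`)
        VALUES('%s', '%s', '%s')",
        mysql_real_escape_string($username),
        md5($password),
        mysql_real_escape_string($email)
    );
    // mysql_query() returns false on failure; report the cause instead of failing silently.
    if(mysql_query($sql) == false) {
        $error = "Query failed: ".mysql_error().PHP_EOL.$sql;
        if(ini_get('display_errors')) {
            // Development: show the error and the query.
            die($error);
        }
        else {
            // Production: log the details, show only a generic message.
            error_log($error);
            die("Sorry, an unexpected database error occurred and has been logged.");
        }
    }
}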
And while we're at it, the MySQL extension is now officially deprecated in the latest PHP release, so you really should be moving on to either the MySQLi extension, or even the PDO extension (preferably getting all object-oriented with them and making use of prepared statements to take care of SQL injection issues).
"Please give us a simple answer, so that we don't have to think, because if we think, we might find answers that don't fit the way we want the world to be."
~ Terry Pratchett in Nation
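The PDO prepared-statement approach recommended in the reply above, as an added example that is not code from the thread or from the video. Assumptions: an in-memory SQLite database (needs the pdo_sqlite extension) stands in for MySQL so the script runs offline, `create_user()` is a hypothetical helper name, the sample values are constructed, and PHP's built-in salted `password_hash()` is swapped in for `md5()`.

```php
<?php
// Added example. For MySQL only the DSN changes, e.g.
// new PDO('mysql:host=localhost;dbname=users;charset=utf8mb4', $dbUser, $dbPass).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // failures throw
$pdo->exec('CREATE TABLE user_info (
    user_id  INTEGER PRIMARY KEY,
    username TEXT NOT NULL UNIQUE,
    password TEXT NOT NULL,
    email    TEXT NOT NULL
)');

// Hypothetical helper: inserts one user and returns the new user_id.
function create_user(PDO $pdo, string $username, string $password, string $email): int
{
    // Placeholders keep the values out of the SQL text entirely, so no
    // quoting or escaping of user input is involved.
    $stmt = $pdo->prepare(
        'INSERT INTO user_info (username, password, email)
         VALUES (:username, :password, :email)'
    );
    $stmt->execute([
        ':username' => $username,
        // password_hash() generates a per-user salt and stores it in the hash.
        ':password' => password_hash($password, PASSWORD_DEFAULT),
        ':email'    => $email,
    ]);
    return (int) $pdo->lastInsertId();
}

// Constructed input: the quote in this name would end the string literal
// early in a query built by concatenation.
$name = "O'Brien";
try {
    $id = create_user($pdo, $name, 'correct horse', 'obrien@example.com');
    $check = $pdo->prepare('SELECT username, password FROM user_info WHERE user_id = ?');
    $check->execute([$id]);
    $row = $check->fetch(PDO::FETCH_ASSOC);
    var_dump($row['username'] === $name);                         // name stored unchanged?
    var_dump(password_verify('correct horse', $row['password'])); // login-time check
    create_user($pdo, $name, 'other', 'dup@example.com');         // duplicate username
} catch (PDOException $e) {
    // Same policy as the reply above: log the detail, show a generic message.
    error_log('Query failed: ' . $e->getMessage());
    echo "Sorry, an unexpected database error occurred and has been logged.\n";
}
```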
Thanks for the information, and I am really thankful to you for this valuable advice. However, at present I could not insert the data in the table "user_info" (having four places named "user_id", "username", "password", "email") in the database "users". Can you test this and check why the data from the form is not inserted into the table (user_info)?
Thanks for the reply.