Information
I made a PHP script that connects to my database and creates a record in my database. This works. Now, I added a simple form to this page and I want to make a record in my database based on the input that a user gives.
The PHP script without the form:
<?php
$servername = "localhost";
$username = "root";
$password = "";
$dbname = "detachering";

// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);

// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}

// Fixed test values; the goal is to replace these with the form input
$sql = "INSERT INTO medewerkers (voornaam, achternaam, leeftijd, uurloon, opleidingsniveau)
        VALUES ('test', 'user', '20', '192', 'HBO')";

if ($conn->query($sql) === TRUE) {
    echo "Medewerker is aangemaakt";
} else {
    echo "Error: " . $sql . "<br>" . $conn->error;
}

$conn->close();
?>
This is the form that I want to add to it:
<!DOCTYPE html>
<html>
<head>
    <meta charset="utf-8">
    <title></title>
</head>
<body>
    <form class="" action="index.html" method="post">
        <input type="text" name="voornaam" placeholder="Voornaam">
        <input type="text" name="achternaam" placeholder="Achternaam">
        <input type="text" name="leeftijd" placeholder="Leeftijd">
        <input type="text" name="uurloon" placeholder="Uurloon">
        <input type="text" name="opleidingsniveau" placeholder="Opleidingsniveau">
        <button type="submit" name="button">Save</button>
    </form>
</body>
</html>
I personally think that it should be something like:
INSERT INTO medewerkers (voornaam, achternaam, leeftijd, uurloon, opleidingsniveau)
VALUES ('POST_['voornaam']', 'POST_['achternaam']', 'POST_['leeftijd']', 'POST_['uurloon']', 'POST_['opleidingsniveau']');
I haven't done much in PHP, so any help is greatly appreciated!
Use prepared statements for this. Unfortunately, with mysqli you'll have to use references and cannot just use the POST array directly.
// $conn is the mysqli connection from the question; the SQL contains only placeholders
$stmt = $conn->prepare('INSERT INTO medewerkers (voornaam, achternaam, leeftijd, uurloon, opleidingsniveau) VALUES (?, ?, ?, ?, ?)');
if ($stmt) {
    // bind_param takes its arguments by reference, so copy the POST values into variables first
    $voornaam = $_POST['voornaam'];
    $achternaam = $_POST['achternaam'];
    $leeftijd = $_POST['leeftijd'];
    $uurloon = $_POST['uurloon'];
    $opleidingsniveau = $_POST['opleidingsniveau'];
    // 'sssss': all five parameters are bound as strings; MySQL converts them for the numeric columns
    $stmt->bind_param('sssss', $voornaam, $achternaam, $leeftijd, $uurloon, $opleidingsniveau);
    $stmt->execute();
}
edit: Since we are talking about it, here is the PDO example (with connection):
try {
    $dsn = 'mysql:host=localhost;dbname=test';
    $pdo = new PDO($dsn, 'root', 'passwd');
    $pdo->exec('SET CHARACTER SET UTF8');
    $pdo->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC);
    // Throw exceptions on database errors so the catch block below sees them
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    $sql = "INSERT INTO medewerkers (voornaam, achternaam, leeftijd, uurloon, opleidingsniveau) VALUES (?, ?, ?, ?, ?)";
    $stmt = $pdo->prepare($sql);
    if ($stmt) {
        // PDO accepts the bound values directly as an array passed to execute()
        $params = [$_POST['voornaam'], $_POST['achternaam'], $_POST['leeftijd'], $_POST['uurloon'], $_POST['opleidingsniveau']];
        $stmt->execute($params);
    }
} catch (Exception $e) {
    echo $e->getMessage();
}
Note that I'm creating a new array for the parameters since I'm not sure if there are more values in the POST.
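As an added example that is not from the question or the answer: a single page that serves the form from the question and handles its own POST with a PDO prepared statement, validating the numeric fields before the insert and keeping database error details out of the HTTP response. The filename index.php and the credentials DB_USER/DB_PASSWORD are assumptions.

```php
<?php
// Added example (not the question's or the answer's code). Assumed: database "detachering",
// placeholder credentials DB_USER/DB_PASSWORD, and that this file is saved as index.php.
declare(strict_types=1);

function insertMedewerker(PDO $pdo, array $in): void
{
    // Validate first: names must not be empty, numeric columns must receive real numbers.
    $voornaam = trim((string)($in['voornaam'] ?? ''));
    $achternaam = trim((string)($in['achternaam'] ?? ''));
    $opleidingsniveau = trim((string)($in['opleidingsniveau'] ?? ''));
    $leeftijd = filter_var($in['leeftijd'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 16, 'max_range' => 120]]);
    $uurloon = filter_var($in['uurloon'] ?? '', FILTER_VALIDATE_FLOAT);
    if ($voornaam === '' || $achternaam === '' || $opleidingsniveau === '' || $leeftijd === false || $uurloon === false) {
        throw new InvalidArgumentException('Ongeldige invoer');
    }
    // The SQL text holds only placeholders; the user's values travel separately as bound parameters.
    $stmt = $pdo->prepare('INSERT INTO medewerkers (voornaam, achternaam, leeftijd, uurloon, opleidingsniveau)
                           VALUES (?, ?, ?, ?, ?)');
    $stmt->execute([$voornaam, $achternaam, $leeftijd, $uurloon, $opleidingsniveau]);
}

$message = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    try {
        $pdo = new PDO('mysql:host=localhost;dbname=detachering;charset=utf8mb4', 'DB_USER', 'DB_PASSWORD', [
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // use the server's own prepared statements
        ]);
        insertMedewerker($pdo, $_POST);
        $message = 'Medewerker is aangemaakt';
    } catch (InvalidArgumentException $e) {
        $message = $e->getMessage();
    } catch (PDOException $e) {
        error_log($e->getMessage()); // database details go to the server log, not to the browser
        $message = 'Opslaan mislukt';
    }
}
?>
<!DOCTYPE html>
<html><head><meta charset="utf-8"><title>Medewerker</title></head><body>
<?php if ($message !== ''): ?><p><?= htmlspecialchars($message, ENT_QUOTES, 'UTF-8') ?></p><?php endif; ?>
<form action="index.php" method="post">
  <input type="text" name="voornaam" placeholder="Voornaam">
  <input type="text" name="achternaam" placeholder="Achternaam">
  <input type="number" name="leeftijd" placeholder="Leeftijd" min="16" max="120">
  <input type="number" name="uurloon" placeholder="Uurloon" step="0.01">
  <input type="text" name="opleidingsniveau" placeholder="Opleidingsniveau">
  <button type="submit">Save</button>
</form></body></html>
```

The form posts back to the same file, so the PHP runs on submit; the browser-side min/max and number attributes are a convenience only, and the server-side filter_var checks are what actually decide whether the row is inserted.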