<?php
...........
$connection = mysqli_connect('......com', 'login', 'password',
'dbname');
if (!$connection) {
die('Connect Error (' . mysqli_connect_errno() . ') '
. mysqli_connect_error());
}
echo "Connection Successful";
// creating a query
mysqli_query($connection, "INSERT INTO `users` (`userid`,`firstname`, `lastname`, `username`, `email`,
`password`) VALUES (NULL, $firstname, $lastname, $username,$email,$password);");
mysqli_close($connection);
// printing to the screen
echo "Welcome $lastname . You have successfully logged in!";
?>
The connection is OK, but the values do not get inserted. How can I improve my code? I do not understand why the values donot get inserted into the database. I have checked the variables, they are fine.
try this "INSERT INTO users (userid,firstname, lastname, username, email,
password) VALUES (NULL, '$firstname', '$lastname', '$username','$email','$password');"
If you are not using prepared statements, you need to make sure that the SQL statement you create is complete and syntactically-correct, and that only the parts you want to be dynamic are dynamic (i.e. avoid SQL injection).
Rather than passing the string straight to mysqli_query, if you build it up in a variable first, you can echo it out to screen when debugging to spot obvious syntax errors.
In your case:
$sql = "INSERT INTO `users` (`userid`,`firstname`, `lastname`, `username`, `email`, `password`) VALUES (NULL, $firstname, $lastname, $username,$email,$password);";
die(htmlspecialchars($sql));
...will presumably show something like this...
INSERT INTO `users` (`userid`,`firstname`, `lastname`, `username`, `email`, `password`) VALUES (NULL, john, smith, jsmith1549348, john.smith@example.com);
...which is invalid SQL, because the strings have no quote-marks around them.
Since you also need to escape those values to avoid SQL injection, what you might end up with is more like this:
$sql = "INSERT INTO `users` (`userid`,`firstname`, `lastname`, `username`, `email`, `password`) VALUES (NULL, '" . mysqli_real_escape_string($connection, $firstname) . "', '" . mysqli_real_escape_string($connection, $lastname) . "', '" . mysqli_real_escape_string($username) . "', '" . mysqli_real_escape_string($email) . "', '" . mysqli_real_escape_string($password) . "');";
mysqli_query($connection, $sql);
You'll probably want to add some whitespace in there rather than having it all on one ridiculously long line, and it's possible I made a typo, but hopefully you get the idea....
Use wraper mysqli::query() for defence injection and using placeholder
<? class db{
private static $_instance;
private $db;
public function q(){return $this->db->query($this->make(func_get_args()));}
public function __get($property){return $this->db->$property;}
public function __call($method,$args){return call_user_func_array(array($this- >db,$method),$args);}
public function qr(){
$q = $this->make(func_get_args());
echo $q;
return $this->db->query($q);
}
public static function getInstance($conf){
if(null===self::$_instance){
self::$_instance = new self($conf);
}
return self::$_instance;
}
private function make($args){
$tmpl =& $args[0];
$tmpl = str_replace("%","%%",$tmpl);
$tmpl = str_replace("?","%s",$tmpl);
foreach($args as $i=>$v){
if($i && !is_int($v)){
$args[$i] = "'".$this->db->real_escape_string($v)."'";
}
}
for($i=$c=count($args)-1; $i<$c+20; $i++)
$args[$i+1] = "UNKNOWN_PLACEHOLDER_$i";
return call_user_func_array("sprintf", $args);
}
private function __construct($conf){
$this->db = new mysqli($conf['mysql_host'],$conf['mysql_user'],$conf['mysql_pass'],$conf['mysql_db']);
}
private function __clone(){
}
}
$mysql = db::getInstance([
'mysql_host' => '...',
'mysql_user' => '...',
'mysql_pass' => '...',
'mysql_db' => '...'
]);
$mysql->q('INSERT INTO `user` SET `first_name`=?,`last_name`=?',$f_name,$l_name);