Hi i have created a simple insert into database function where the student enters his/her information and upload their document into the database,but nothing gets inserted into the database only the files which were uploaded appears on the upload file but not on the database.
html code:
<form accept-charset="utf-8" action="page.php" enctype="multipart/form-data" id="wb_Form1" name="form" method="post" data-toggle="validator" role="form" >
<label>Student Name :</label>
<input type="text" name="stu_name" id="name" required="required" placeholder="Please Enter Name"/><br /><br />
<label>Student Email :</label>
<input type="email" name="stu_email" id="email" required="required" placeholder="john123@gmail.com"/><br/><br />
<label>Student City :</label>
<select name="stu_city">
<option value="works">test</option>
<option value="works3">test</option>
</select>
<label>Image:</label><input type="file" name="image">
<input type="submit" value=" Submit " name="submit"/><br />
</form>
php Code:
<?php
if(isset($_POST["submit"])){
$servername = "localhost";
$username = "root";
$password = "";
$dbname = "test";
$conn = new mysqli($servername, $username, $password, $dbname);
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
$fileinfo=PATHINFO($_FILES["image"]["name"]);
$newFilename=$fileinfo['filename'] ."_". time() . "." . $fileinfo['extension'];
move_uploaded_file($_FILES["image"]["tmp_name"],"upload/" . $newFilename);
$location="upload/" . $newFilename;
$sql = "INSERT INTO students (student_name, student_email, student_city,img_location)
VALUES ('".$_POST["stu_name"]."','".$_POST["stu_email"]."','".$_POST["stu_city"]."','".$_POST["location"]."')";
header('location:index.php');
}
?>
Thank you for your help
You need to execute the query. All you have is basically a string. As per my comment, you need to use prepared statements. Your code is risky. Also you are inserting the wrong variable for the file location. use the $location variable But to make it insert, add this
$conn->query($sql);
Using prepared statements, do this
// prepare and bind
$stmt = $conn->prepare("INSERT INTO students (student_name, student_email, student_city,img_location) VALUES (?, ?, ?,?)");//prepares the query. This returns true/false
$stmt->bind_param("ssss", $_POST["stu_name"], $_POST["stu_email"], $_POST["stu_city"],$location);//bind the variables to placeholders to prevent SQL injections
if($stmt->execute() === TRUE){//check if everything went well(executed!)
echo 'Record Saved';
} else {
echo 'Error BEcause '.$stmt->error;//get error if something went wrong
}
Try this for your connection, $conn = mysqli_connect($servername, $username, $password, $dbname); and after your $sql is mysqli_query($conn, $sql);and you can now do some redirection.
You didn't execute the query. You just made the query.
NB: A better way to do this will be 'prepared' statement than creating your own query. That will save you from SQL injection and accidental breaking of the query.
Check this out:
https://www.w3schools.com/php/php_mysql_prepared_statements.asp