This question already has an answer here:
So I am trying to create this form however, I am not able to enter the data into the table. Whenever I click on continue button, nothing really happens. I don't get an error or anything. and when I check my database, the values have not been added. Idk how its happening. I spent hours trying to understand what the issue is but i am not able to identify it and it got to the point where I felt hopeless and decided to post this question so please help me. Here's my code:
<?php
$conn = new mysqli("localhost", "root", "", "KFC");
if(isset($_POST['Submit_btn']))
{
session_start();
$RID= $_POST['R_ID'];
$Name= $_POST['Name'];
$S_Description=($_POST['S_Description']);
$L_Description=($_POST['L_Description']);
$Nutritional_value=($_POST['Nutritional_value']);
$Cost=($_POST['Cost']);
$TypeOfMeal=($_POST['TypeOfMeal']);
$SubmittedBy=($_POST['SubmittedBy']);
$sql= "INSERT INTO `recipe`(`R_ID`, `Name`, `S_Description`, `L_Description`, `Nutritional_value`, `Cost`, `TypeOfMeal`, `SubmittedBy`) VALUES ($RID,$Name,$S_Description,$L_Description,$Nutritional_value,$Cost,$TypeOfMeal,$SubmittedBy)";
mysqli_query($conn,$sql);
}
mysqli_close($conn);
?>
<html>
<body>
<div id="bodyContent">
<h1> Registration </h1>
</div>
<form method="post">
<table>
<tr>
<td>R_ID: </td>
<td>
<input type="text" name="R_ID" class="textInput">
</td>
</tr>
<tr>
<td>Name: </td>
<td>
<input type="text" name="Name" class="textInput">
</td>
</tr>
<tr>
<td>Small Description: </td>
<td>
<input type="text" name="S_Description" class="textInput">
</td>
</tr>
<tr>
<td>Long Description: </td>
<td>
<input type="text" name="L_Description" class="textInput">
</td>
</tr>
<tr>
<td>Nutritional value: </td>
<td>
<input type="text" name="Nutritional_value" class="textInput">
</td>
</tr>
<tr>
<td>Cost: </td>
<td>
<input type="number" name="Cost" class="textInput">
</td>
</tr>
<tr>
<td>Type Of Meal: </td>
<td>
<input type="text" name="TypeOfMeal" class="textInput">
</td>
</tr>
<tr>
<td>UserID: </td>
<td>
<input type="Number" name="SubmittedBy" class="textInput">
</td>
</tr>
<tr>
<td> </td>
<td>
<input type="submit" name="Submit_btn" value="Continue">
</td>
</tr>
</table>
</form>
</body>
</html>
</div>
I'm not sure but, input type number are stock like string in $_POST , try to convert them with intval()
Try replacing with this
<?php
// This prevents SQL injection threat
$RID = mysqli_real_escape_string($conn, $RID);
$Name = mysqli_real_escape_string($conn, $Name);
$S_Description = mysqli_real_escape_string($conn, $S_Description);
$L_Description = mysqli_real_escape_string($conn, $L_Description);
$Nutritional_value = mysqli_real_escape_string($conn, $Nutritional_value);
$Cost = mysqli_real_escape_string($conn, $Cost);
$TypeOfMeal = mysqli_real_escape_string($conn, $TypeOfMeal);
$SubmittedBy = mysqli_real_escape_string($conn, $SubmittedBy);
$sql= "INSERT INTO `recipe`(`R_ID`, `Name`, `S_Description`, `L_Description`, `Nutritional_value`, `Cost`, `TypeOfMeal`, `SubmittedBy`) VALUES ('$RID','$Name','$S_Description','$L_Description','$Nutritional_value','$Cost','$TypeOfMeal','$SubmittedBy')";
But more importantly, activate error displaying in your DEV environment, but remove it when you will host your website (PROD environment):
<?php
ini_set('display_errors', '1');
error_reporting(E_ALL);
Ok a few things:
$SubmittedBy=($_POST['SubmittedBy']);
you don't need the parenthesis around the $_POST. But if you're going to use the data from it especially in a SQL but not only you should sanitize the input. Here is an example with mysqli_real_escape_string so it would look like this:
$SubmittedBy=mysqli_real_escape_string($conn, $_POST['SubmittedBy']);
There are other methods like PDO::quote or using prepared statements, you might want to have a look at those too.
Next up your sql inserts the values without quotes:
$sql= "INSERT INTO `recipe`(`R_ID`, `Name`, `S_Description`, `L_Description`, `Nutritional_value`, `Cost`, `TypeOfMeal`, `SubmittedBy`) VALUES ('$RID','$Name','$S_Description','$L_Description','$Nutritional_value','$Cost','$TypeOfMeal','$SubmittedBy')";
Edited: Thanks to Funk Forty Niner for pointing out the missing $conn !