Home/ Questions/Q 8342771
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-09T05:51:52+00:00

I am trying to make a form using html and php to update mysql

  • 0

I am trying to make a form using html and php to update mysql database. the database updates (autoincrements) the keys, but it does not add any of the strings to the values. i have searched people with similar problems but because their codes are different than mine I cannot understand it (i am a noob with php and mysql) I think my problem is in the way that i use the html to get the values but I could be wrong

<form action=submitform.php method=GET> 
     Name:<input type="text" name="cuName" size=20 maxlength=20><br>    
     Password:<input type="password" name="password" size=20 maxlength=45><br>
     Account:<input type="text" name="account" size=20 maxlength=45><br>
     Phone:<input type="tel" name="phone" size=10 maxlength=10><br>
     Email:<input type="text" name="email" size=20 maxlength=45><br>
<input type=submit>
</form>

and my php is

<?php
        mysql_connect(localhost,  myUsername, "myPassword");
        mysql_select_db(myDatabaseName);
        mysql_query("INSERT INTO Customer (cuName, password, 
                        account, phone, email)
                    Values('$cuName', '$password', '$account',
                            '$phone', '$email')");
        echo $cuName ." thank you for reserving!";
        print ($cuName);
    ?>

thanks in advance for any help

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Your code is relying on REGISTER_GLOBALS to be turned on; it is usually turned off for security reasons.

    You should replace $cuName with $_GET['cuName'] to get the values that are sent from the form.

    Additionally, you should escape any value that is going to the database otherwise you may be exposing yourself to an SQL injection vulnerability.

    Cleaning up your code for both these scenarios, results in something like this:

    <?php
        if (!mysql_connect(localhost,  myUsername, "myPassword")) {
              print 'There was an error connecting to the database'.mysql_error();
              exit(); 
        }
        if (!mysql_select_db(myDatabaseName)) { 
              print 'Could not select db. The error was: '.mysql_error();
              exit();
        }
        $query = "INSERT INTO Customer (`cuName`, `password`, `account`,`phone`,`email`)";
        $query .= "VALUES (";
        $query .= "'".mysql_real_escape_string($_GET['cuName'])."','";
        $query .= mysql_real_escape_string($_GET['password'])."','";
        $query .= mysql_real_escape_string($_GET['phone'])."','";
        $query .= mysql_real_escape_string($_GET['email'])."'";

        if (!mysql_query($query)) {
            print 'There was an error inserting '.$query.'. Error was '.mysql_error();
        } else {
            echo $_GET['cuName']." thank you for reserving!";
        }
        print $_GET['cuName'];
    ?>

    I also added some error checking. You should always check results of functions that rely on external systems (such as databases) because you never know what is the status of the database (it could be down, not working, etc.) So you should always check and print any error messages.

    • 0