Home/ Questions/Q 8412933
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-10T00:48:14+00:00

<?php $conn= new mysqli(localhost, my_user, my_password, world); //changed for the sake of this question

  • 0
<?php
$conn= new mysqli("localhost", "my_user", "my_password", "world"); //changed for the sake of this question

$username = $_POST['Username'];
$password = sha1($_POST['Password']);
$email = $_POST['Email'];
$firstname = $_POST['FirstName'];
$lastname = $_POST['LastName'];

$insert = 'INSERT INTO User(FirstName, LastName, Email, Username, Password, Type) VALUES ("'.$firstname.'", "'.$lastname.'", "'.$email.'", "'.$username.'", "'.$password.'", 'User');';

$result = $conn->query($insert);

?>
<form method='post' action='regprocess.php'>
<fieldset class="register">
<h2>Register</h2>
<ul>
    <li><label for="FirstName">First Name: </label> <input type="text" name="FirstName" id="FirstName"></li>
    <li><label for="LastName">Last Name: </label> <input type="text" name="LastName" id="LastName"></li>
    <li><label for="Email">Email: </label><input type="email" name="Email" id="Email"></li>
    <li><label for="Username">Username: </label><input type="text" name="Username" id="Username"></li>
    <li><label for="Password">Password: </label><input type="password" name="Password" id="Password"></li>
    <li><input type="submit" value="Register"></li>
</ul>
</fieldset></form>

The form and the top sql code are in separate files.

Hello everybody, I’m trying to insert into an mysql table, and it won’t insert into my table. I’m trying to get it to insert through a registration table. And I’m not quite sure why it’s not working. Some insight would be great. If you need me to provide the table I will, but I don’t think it’s part of the reason it’s not working.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    It’s a good thing you’re using mysqli, but you’re using it incorrectly and are exposing yourself to a number of very serious SQL injection bugs, the consequences of which could be severe.

    This is what you should be doing to actually fix the numerous problems present in your example:

    $stmt = $conn->prepare('INSERT INTO User(FirstName, LastName, Email, Username, Password, Type) VALUES (?,?,?,?,?,?)');

$stmt->bind_param($firstname, $lastname, $email, $username, $password, 'User');
$stmt->execute();

$result = $stmt->get_result();

    The primary advantage of placeholders is not having to worry about how to properly quote data, it’s done for you automatically. It also largely avoids having to use two different kinds of quotes within your statement.

    If you do not use placeholders for ANY and ALL data being put into your SQL you may end up in serious trouble. You must be vigilant about this.

    • 0