I am trying to insert form data using mysqli, php. The issue I am stuck with is that it insert '?' as the form values in the table instead of what I am typing in the form? I know I am going wrong somewhere, but I am not able to figure it out.
My additional question is :Is it safe to use mysqli statements like this to insert or select data from the database since I guess $_POST becomes a threat for injection attacks,. Is it for now enough what I am writing here to prevent attacks or do I need to add something more?
Any suggestions would be of great help.
Here is my code
index.php
<?php
session_start();
include('db.php');
?>
<!DOCTYPE html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta name="viewport" content="width=device-width,initial-scale=1" />
<link rel="stylesheet" type="text/css" href="style.css"/>
</head>
<body>
<?php
if(isset($_POST['login']) && $_POST['login'] == 'Login') {
$loginEmail = $_POST['loginEmail'];
$loginPassword = $_POST['loginPassword'];
$query = $db->prepare("INSERT INTO dbname(password,email) VALUES ('?','?');");
$query->bind_param("ss",$loginEmail,$loginPassword);
$query->execute();
}
?>
<div id="login">
<strong>Login</strong>
<br/><br/>
<form action = "<?php echo $_SERVER['PHP_SELF'];?>" method="POST">
<table style="width:500px">
<tr>
<td><input type="text" name="loginEmail" placeholder = "Email" required/><br/></td>
</tr>
<tr>
<td><input type="password" name="loginPassword" placeholder = "Password" required/><br/></td>
</tr>
</table>
<input style="font-weight: bold; width: 70px; height: 25px; border-radius: 5px;" type="submit" name="login" value="Login"/>
</form>
</div>
</body>
</html>
db.php
<?php
$host = 'host';
$user = 'user';
$password = 'password';
$database = 'dbname';
$db = new mysqli($host, $user, $password, $database);
if($db->connect_errno > 0){
die('Unable to connect to database ['.$db->connect_errno.']');
}
?>