-3

I've been trying to debug this for ages now and don't understand why it is not sending data to my database. Also as an indication, I'm using Bootstrap and this form is inside of a modal. Can someone help me out please. I will include my html snippet as well as php code.

HTML CODE

<form class="form-horizontal" role="form" action="register.php" method="POST">
      <div class="input-group margin-bottom-sm"><span class="input-group-addon"><i class="glyphicon glyphicon-user" aria-hidden="true"></i></span>                        <input class="form-control" type="text" name="fname" id="FirstName" placeholder="First Name" required>
           </div></br>
          
        <div class="input-group"><span class="input-group-addon"><i class="glyphicon glyphicon-user" aria-hidden="true"></i></span>
                    <input class="form-control" type="text" name="lname" id="LastName" placeholder="Last Name" required>
        </div></br>
        
        <div class="input-group"><span class="input-group-addon"><i class="glyphicon glyphicon-calendar" aria-hidden="true"></i></span>
                    <input class="form-control" type="text" name="dob" id="dob" placeholder="Date of Birth" required>
        </div><br>
        
        <div class="input-group"><span class="input-group-addon"><i class="glyphicon glyphicon-book" aria-hidden="true"></i></span>
                    <input class="form-control" type="text"  name="school" id="SchoolName" placeholder="School" required>
        </div></br>
    
        <div class="input-group"><span class="input-group-addon"><i class="glyphicon glyphicon-user" aria-hidden="true"></i></span>
                    <input class="form-control" type="text" name="username" id="Username" placeholder="Username" required>
        </div></br>
      
        <div class="input-group"><span class="input-group-addon"><i class="glyphicon glyphicon-lock" aria-hidden="true"></i></span>
                    <input class="form-control" type="password"  name="pass" data-minlenght= "6" id="Pass" placeholder="Password" required> 
        </div><div class="help-block">Minimum of 6 characters</div></br></br>
        
        <div class="input-group"><span class="input-group-addon"><i class="glyphicon glyphicon-lock" aria-hidden="true"></i></span>
                    <input class="form-control" type="password" id="inputPasswordConfirm" data-match="#inputPassword"
                           data-match-error="Whoops, these don't match" placeholder="Confirm" required>
        </div></br>
    
        <div class="form-group">
        <button type="button" class="btn btn-default" data-dismiss="modal">Close</button>
        <button type="submit" class="btn btn-primary" id="register">Sing Up</button>
        </div>
    
        </form>

PHP

<?php

$conn=mysqli_connect("localhost","mydatabase","mypassword")
    or die("Could not connect:".mysqli_error($conn));
mysqli_select_db($conn , 'mydatabase') or die ('Database will not open');

if(isset($_POST['register'])){


    $fname = ($_POST['FirstName']);  
    $lname = ($_POST['LastName']);
    $dob = ($_POST['dob']);
    $school = ($_POST['SchoolName']);
    $username = ($_POST['Username']);
    $pass = ($_POST['Pass']);


    $query = "INSERT INTO users (FirstName,LastName,dob,SchoolName,Username,Pass)VALUES('$FirstName','$LastName','$Username','$dob', '$SchoolName','$Pass',)";
    $result = mysqli_query($conn,$query);
}
?>
Kasia Wichrowska
  • What *is* the code doing? In what way is it failing? What happens when you check your PHP error logs? When you check `mysqli_error()`? – David Mar 09 '17 at 14:41
  • Check your SQL again >> '$Pass',)"; Remove the comma. – Niek van der Maaden Mar 09 '17 at 14:44
  • because `LastName` is undefined – Masivuye Cokile Mar 09 '17 at 14:44
  • and this `'$Pass',)` remove the comma – Masivuye Cokile Mar 09 '17 at 14:45
  • `if(isset($_POST['register'])){` yet your `Sing up` button has no `name="register"` – Option Mar 09 '17 at 14:45
  • 1
    small mistakes like these `,'$Pass',)"` this is where prepared statements come in to play – Masivuye Cokile Mar 09 '17 at 14:45
  • And you're leaving yourself open to SQL Injections – Option Mar 09 '17 at 14:46
  • and you don't have a button with name register – Masivuye Cokile Mar 09 '17 at 14:46
  • You're at a huge risk for SQL injection. You should not just store POSTed data in the database. Please look into Parameter Binding http://php.net/manual/en/mysqli-stmt.bind-param.php. – nerdlyist Mar 09 '17 at 14:50
  • I'll keep you posted, making changes as we speak...well type. @Fred-ii- – Kasia Wichrowska Mar 09 '17 at 15:22
  • @KasiaWichrowska I deleted my comment that you tried to respond to. Important note: Don't use this code in a live environment and using plain text passwords. It's only a matter of time before you get hacked. – Funk Forty Niner Mar 09 '17 at 15:24
  • **Never store plain text passwords!** Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). Make sure you ***[don't escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Mar 09 '17 at 15:38

4 Answers

3

All your $_POST variables are undefined. You should use the name attribute from your form to assign $_POST values, not the ID from the inputs.

<form class="form-horizontal" role="form" action="register.php" method="POST">
      <div class="input-group margin-bottom-sm"><span class="input-group-addon"><i class="glyphicon glyphicon-user" aria-hidden="true"></i></span>                        <input class="form-control" type="text" name="fname" id="FirstName" placeholder="First Name" required>
           </div></br>

        <div class="input-group"><span class="input-group-addon"><i class="glyphicon glyphicon-user" aria-hidden="true"></i></span>
                    <input class="form-control" type="text" name="lname" id="LastName" placeholder="Last Name" required>
        </div></br>

        <div class="input-group"><span class="input-group-addon"><i class="glyphicon glyphicon-calendar" aria-hidden="true"></i></span>
                    <input class="form-control" type="text" name="dob" id="dob" placeholder="Date of Birth" required>
        </div><br>

        <div class="input-group"><span class="input-group-addon"><i class="glyphicon glyphicon-book" aria-hidden="true"></i></span>
                    <input class="form-control" type="text"  name="school" id="SchoolName" placeholder="School" required>
        </div></br>

        <div class="input-group"><span class="input-group-addon"><i class="glyphicon glyphicon-user" aria-hidden="true"></i></span>
                    <input class="form-control" type="text" name="username" id="Username" placeholder="Username" required>
        </div></br>

        <div class="input-group"><span class="input-group-addon"><i class="glyphicon glyphicon-lock" aria-hidden="true"></i></span>
                    <input class="form-control" type="password"  name="pass" data-minlenght= "6" id="Pass" placeholder="Password" required> 
        </div><div class="help-block">Minimum of 6 characters</div></br></br>

        <div class="input-group"><span class="input-group-addon"><i class="glyphicon glyphicon-lock" aria-hidden="true"></i></span>
                    <input class="form-control" type="password" id="inputPasswordConfirm" data-match="#inputPassword"
                           data-match-error="Whoops, these don't match" placeholder="Confirm" required>
        </div></br>

        <div class="form-group">
        <button type="button" class="btn btn-default" data-dismiss="modal">Close</button>
        <button type="submit" class="btn btn-primary" id="register" name="register">Sing Up</button>
        </div>

        </form>

Then you should use prepared statements to save data in your db, even if you are working on localhost. Also, don't store a plain text password in the database; in fact, don't ever store passwords, just store the hash value of the password using password_hash() and password_verify().

<?php
// $conn is the mysqli connection opened at the top of register.php

if(isset($_POST['register'])){


    //validate these
    $fname = ($_POST['fname']);  
    $lname = ($_POST['lname']);
    $dob = ($_POST['dob']);
    $school = ($_POST['school']);
    $username = ($_POST['username']);
    $pass = ($_POST['pass']);

    $hash = password_hash($pass,PASSWORD_DEFAULT); //hash password

    // placeholders keep the submitted values out of the SQL text
    $query = $conn->prepare("INSERT INTO users (FirstName,LastName,dob,SchoolName,Username,Pass) VALUES(?,?,?,?,?,?)");
    $query->bind_param("ssssss",$fname,$lname,$dob,$school,$username,$hash);

    if($query->execute()){

        echo "data inserted success";
    }
}
?>

Note: If we want to insert any data from external sources (like user input), it is very important that the data is sanitized and validated.

Then password_verify() will work on your login page; basically, what it does is compare the password entered by the user against the hash stored in the database.

For more about password_hash() and password_verify(), have a look in the manual:

http://php.net/manual/en/function.password-hash.php

http://php.net/manual/en/function.password-verify.php

http://php.net/manual/en/mysqli.quickstart.prepared-statements.php prepared statements.

Masivuye Cokile
  • 2
    Good answer, but you're leaving them halfway down in a hole without the use of `password_verify()` and if their password column is long enough to hold the hash. This given that they are using PHP 5.5+ otherwise that will fail them. – Funk Forty Niner Mar 09 '17 at 14:59
  • Answered in a better way than my own so no need for mine :) good work! – Option Mar 09 '17 at 15:01
  • @Option I don't see why you deleted your answer. – Funk Forty Niner Mar 09 '17 at 15:02
  • @Fred-ii- I saw this answer better than my own therefore mine was pretty pointless. I'll reinstate it though. – Option Mar 09 '17 at 15:03
  • @Fred-ii- edited with a little info – Masivuye Cokile Mar 09 '17 at 15:07
  • @Option you don't need to delete your answer, the answer can be improved, u only missed the prepared statements part – Masivuye Cokile Mar 09 '17 at 15:08
  • 1
    @MasivuyeCokile Right on. However, you pinged Option with *"u only missed the prepared statements part"* - Although adding a prepared statement to help them to protect is better, saying they "missed" that IMHO rewrites are not mandatory and I posted something about this on meta about this https://meta.stackoverflow.com/q/344703/1415724 - Note: You won't be able to see some of the questions' links because they've been deleted. Only 10k+ members can. – Funk Forty Niner Mar 09 '17 at 15:12
  • @Fred-ii- finished reading your post, you've made great points, will keep them in mind when answering in future – Masivuye Cokile Mar 09 '17 at 15:27
  • Thanks for pointers to you both, I've rewritten my answer and gave secondary options to the Op so they can decide which way to go with it :-) – Option Mar 09 '17 at 15:28
  • @MasivuyeCokile Thanks for reading it. If you agree on the post, I'd appreciate your voice on this. You know how the voting system works ;-) Cheers – Funk Forty Niner Mar 09 '17 at 15:28
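
An added example, not part of the original answers: the login-side counterpart that the comments above ask for, checking a submitted password with password_verify() against the hash written by the register handler. It assumes PHP 7.1+, a login form posting `username` and `pass`, and a `Pass` column declared VARCHAR(255) so the full hash fits; `verify_login` is a hypothetical helper name.

```php
<?php
// Added example (not from the original answers). Assumes the question's
// `users` table with `Pass` declared as VARCHAR(255).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

/** Returns the stored Username on success, or null on any failure. */
function verify_login(mysqli $conn, string $username, string $password): ?string
{
    $stmt = $conn->prepare("SELECT Username, Pass FROM users WHERE Username = ?");
    $stmt->bind_param("s", $username);
    $stmt->execute();
    $stmt->bind_result($dbUser, $dbHash);
    $found = $stmt->fetch();   // true if a row was read, null if none
    $stmt->close();

    // password_verify() reads the algorithm, cost and salt from the stored hash.
    if (!$found || !password_verify($password, $dbHash)) {
        return null;           // same result for unknown user and wrong password
    }

    // Re-hash if PASSWORD_DEFAULT has changed since the account was registered.
    if (password_needs_rehash($dbHash, PASSWORD_DEFAULT)) {
        $newHash = password_hash($password, PASSWORD_DEFAULT);
        $upd = $conn->prepare("UPDATE users SET Pass = ? WHERE Username = ?");
        $upd->bind_param("ss", $newHash, $dbUser);
        $upd->execute();
        $upd->close();
    }
    return $dbUser;
}

// Assumed login form fields: name="username" and name="pass".
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST'
        && isset($_POST['username'], $_POST['pass'])) {
    // Connection values are the question's placeholders.
    $conn = mysqli_connect("localhost", "mydatabase", "mypassword", "mydatabase");
    $user = verify_login($conn, $_POST['username'], $_POST['pass']);
    if ($user !== null) {
        session_start();
        session_regenerate_id(true); // new session id after authentication
        $_SESSION['username'] = $user;
        echo "logged in";
    } else {
        echo "invalid username or password";
    }
}
```

The password is passed to password_verify() exactly as submitted, with no escaping or trimming, matching the advice in the comments on the question.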
2

So let's clear this up somewhat..

Firstly, your query order is completely incorrect (take note of: FirstName,LastName,dob). This means the first 3 values should be $fname,$lname,$dob but instead you've added in $username for some reason..

NOTE: You were adding in non-existent variables such as $FirstName when the actual assigned variable is in fact: $fname.

Your query (take note of the last variable $Pass,): because this is the last variable entry, you don't add a comma. Take a look:

$query = "INSERT INTO users (FirstName,LastName,dob,SchoolName,Username,Pass)VALUES('$FirstName','$LastName','$Username','$dob', '$SchoolName','$Pass',)";

should be:

$query = "INSERT INTO users (`FirstName`,`LastName`,`dob`,`SchoolName`,`Username`,`Pass`)VALUES('$fname','$lname','$dob','$school','$username','$pass')";

Better still you could bind the params to prevent SQL Injection like below:

$stmt = $conn->prepare("INSERT INTO users (`FirstName`,`LastName`,`dob`,`SchoolName`,`Username`,`Pass`) VALUES (?,?,?,?,?,?)");
$stmt->bind_param("ssssss", $fname, $lname, $dob, $school, $username, $pass);
$stmt->execute();

Next up..

You're calling if(isset($_POST['register'])){

Yet your <button type="submit" class="btn btn-primary" id="register">Sing Up</button> has no name="register"

Therefore it should be: <button type="submit" class="btn btn-primary" id="register" name="register">Sing Up</button>

Also, you should never save a password as plain text to a database. You should run password_hash($pass, PASSWORD_DEFAULT); this will encrypt the passwords submitted to the database - Before doing so I recommend that you read up on the documentation.

Option
  • 1
    It's not just as simple as using `password_hash()`, the documents must be read carefully. The table column holding the hash has to be big enough to hold the hash. This is one thing which trips up many a user the first time they employ PHP's password functions. – Jay Blanchard Mar 09 '17 at 15:39
  • @Jay - Of course and I completely agree, this is why I didn't delve into it too much so that the Op would read through the docs based on using it. – Option Mar 09 '17 at 15:44
  • Hopefully! ¯\\_(ツ)_/¯ – Jay Blanchard Mar 09 '17 at 15:46
  • The guidance intention is there. I too hold my hope they will research it for the sake of their security :-) – Option Mar 09 '17 at 15:47
-1

It seems you didn't send $_POST['register'] to your register.php, so the if (isset($_POST['register'])) will evaluate to false and absolutely nothing will happen. The same goes for the other fields, you will only have values in the $_POST if you give your input-fields a name attribute.

Tobias F.
-1

Change

  <button type="submit" class="btn btn-primary" id="register">Sing Up</button>

To

  <button type="submit" class="btn btn-primary" id="register" name="register">Sing Up</button>

Also, with all your other $_POST variables you need to use the name field and not the id field.

Your SQL query also has a stray comma. Change it to

  $query = "INSERT INTO users (FirstName,LastName,dob,SchoolName,Username,Pass)VALUES('$FirstName','$LastName','$Username','$dob', '$SchoolName','$Pass')";
Nick Duncan