[Mohsin01]

hi guys i am new to php and mysql
i have made a signup page and i am trying to save data from signup page to mysql data base
thats my code

signup.html

<form action="database.php" method="post">
 <INPUT type="text"  name="username" placeholder="User Name"/><BR><br>

<INPUT type="text" name="email" placeholder="Email ID"/><BR><br>
<INPUT type="PASSWORD" name="password" placeholder="Password"/><BR><br>

<INPUT type="text" name="country" placeholder="Country"/><BR><br>

<input type="submit"/>

database.php

<?php

$username=$_POST["username"];
$password=$_POST["password"];
$email=$_POST["email"];
$country=$_POST["country"];


$con=mysql_connect("localhost","root","");
mysql_select_db("signup",$con);
mysql_query("insert into user(username,password,country,email) values('$username','$password','$country','$email')");
mysql_close($con);
?>

i am trying to store data but data is not being stored in the database

[Atli]

Hey.

There are three big problems in this code.

• You are ignoring the return value of your mysql_query call. This function returns a value indicating the success of the query. In case it is unsucessfull, it returns FALSE. You need to look out for that and make sure to show or log the error so you can debug it.
  

  $result = mysql_query($sql);
  if (!$result) {
      trigger_error(mysql_error(), E_USER_ERROR);
  }
  
  

  
  
  
• You are not making sure the form values are actually passed into the PHP code before you try to use them. Never assume user supplied values exist until you have verified that they do in fact exist. PHP has a handy function called isset that you can use to test this.
  

  if (isset($_POST["field1"], $_POST["field2"])) {
      // field1 and field2 exist. Continue!
  }
  else {
      // field1 and field2 do NOT exist. Show an error
      // message or redirect, or something.
  }
  
  

  
  
  
• You are not making sure the form values are secure. Always assume user supplied values are in some way meant to harm your site, and make sure you secure them before they are used. In this case, the biggest threat is SQL Injection. For the old mysql_connect family of functions, you should pass all user supplied values through the mysql_real_escape_string function before putting it into a query. (Unless you've secured them in other ways, like type-casting numbers.)
  
  A better solution to the SQL Injection threat, however, is to abandon the old mysql_connect family of functions and upgrade to the Improved MySQL extension or the PDO extension.

P.S.
I've moved this thread over to the PHP forum.

This post has been edited by Atli: 10 May 2012 - 08:30 AM