Insert into in PHP

[Sigmahokies]

Hi everyone,

I am trying to get all data from input in HTML, then post in php to insert into the database (phpmyadmin), seem it doesn't work. I checked for misspelling, and checked followed very correct, but it won't work, even it did not show what is error. "require.php" file is a connect to database. Can you help?

Thanks,

Gary

	<?php
	require("require.php");
	    $first = $_POST['first'];
    $last = $_POST['last'];
    $address = $_POST['address'];
    $address2 = $_POST['address2'];
    $city = $_POST['city'];
    $state = $_POST['state'];
    $birth = $_POST['birth'];
    $zip = $_POST['zip'];
    $home = $_POST['home'];
    $mobile = $_POST['mobile'];
    $gender = $_POST['gender'];
	$insert = "INSERT INTO register (
ASL-PT_ID,
FirstName, 
LastName,
Address 1,
Address 2,
City,
State,
Zip,
BirthDate,
Home,
Mobile,
Gender) 
VALUES 
('$first',
'$last',
'$address',
'$address2',
'$city',
'$state',
'$zip',
'$birth',
'$home',
'$mobile',
'$gender')";
	if ($first && $last && $address && $address2 && $city && $state && $zip && $birth && $home && $mobile && $gender) {
    mysqli_query($GaryDB, $insert) or die("Could not add in the Database");
	}
	?>
	

[Ingolme]

Your field names have spaces and dashes in them, so they should be wrapped in `backticks`.

Outside of that, the code you're using is vulnerable to hacking. You should read about prepared statements and SQL injection: https://www.w3schools.com/php/php_mysql_prepared_statements.asp

[Sigmahokies]

I know about SQL injection, but all php code is outside, it won't show on website. all php are external file. I plan to insert the string escape mysqli, but I need to make sure it works, before I insert them. And, I don't show my code in php in website, it will work very quick, like first file, then jump second file to verify, then move to third file, there is no way to look at second file because has mysqli inject string escape which contain in php. I just create layout in html and css. I'm sure hackers cannot see my hidden file. It's like all html and css are upper from floor, but my php code is like just show up in one second to verify, then disappear from floor. This file is not on main file, it is outside, just use file to insert into database, then move to other website...it's just matter of less then second.

[Sigmahokies]

it is interest to have backticks, in other phpmyadmin in server already, it does not require to have backticks, it works. That make me puzzling.

[Ingolme]

PHPMyAdmin might be correcting your queries. You should always use backticks if the field has special characters (including spaces and dashes) in its name or if the field name is the same as one of the MySQL reserved words.

You might not think it's normal, but people can easily find any file on your website that does server-side processing. Press F12 to open the browser's developer tools, open the network tab, click the "persist log" option. Now when your website goes through that PHP file, all of the information that was sent and received from the server is visible and the person can experiment by sending different data and seeing what happens.

SQL injection should be a concern to anybody developing a website. There is no good reason to be lazy about it. Even if it's not about protecting your website, you also want to have to trust of potential employers who can know that you will do your best to keep their websites safe.

[Sigmahokies]

All right, I will test this SQL injection. Please be patient with me, I am having long way to learning. Please tell me, is PDO is best security than MySQLi? If so, that mean, i have to do start over to learn PDO. I know there will always new feature, but I am usually using same concept from Java, JavaScript, ASP. My real thing is working with database with web.

I just use developer tools, I tested my old website that under company that give me a free small space disk - 1 GB. It is not serious, it is my practice in PHP, so, I use my username and password to access to next file, I don't see any SQL statement in developer tools, like it is just disappear. How do you can see SQL and PHP code? I don't see anywhere in developer tools in web browser. I'm no hacker, I don't like to hack in because in case if i do this, FBI will eat me alive, even revoke my degree, so forget it.

my point is I thought PHP usually invisible to anyone because PHP just do interpreter in HTML, unlike ASP because ASP is a open source in website as you can see all code in View Page Source in any web browser. How can you see the SQL statement? I just don't get it all. Hey, I am still learning, there is no stopping to learn because there are over 1,000 new features in everyday. 

Thanks,

Gary

[Ingolme]

PDO and MySQLi are basically the same. I find PDO easier to use, but both libraries have the same functionality. 

Nobody can see your PHP or SQL code directly, but they have the URL of a page that handles data and the names of several variables. It's not hard to infer that there is a database table with field names that are similar to the variable names, and it's even easier to just send an apostrophe in just to see if it breaks something. Your website is a blackbox, anybody is capable of sending inputs and reading the output to see how the blackbox behaves and make guesses as to what is going on inside.

https://xkcd.com/327/

 

[Sigmahokies]

You mean, hackers can use URL to make data object mess up after use php code? Are you suggesting me to have different and very oddly variable, instead similar variable like inside SQL name of column that same name as variable? like for example, in SQL statement, `address 1`, then in PHP, $address1, is that how hacker get exploit to hack in? so, should I type very oddly, like Address 1 = $wacky? I mean, create those variable is no sense to people? 

[Ingolme]

You don't need to change your variables. By using prepared statements you solve all of the major security problems. W3Schools has a tutorial page explaining how to do prepared statements: https://www.w3schools.com/php/php_mysql_prepared_statements.asp