[PHP] Form Data = Database

Shibby-Shabs · 27-09-2010, 01:56 AM

In this tutorial I'll show you a HTML form that inserts the information into a MySQL database by the use of PHP, the tutorial will use if statements to check if fields are filled in and will submit to another page using the POST method.

Please Note: I don't usually do this but I'm going to add a verification to prevent spam, the form will be safer.

HTML Form
First is the html form which will be submitting to another page and will be using the POST method to retrieve the information. Below is a basic form. Please note the page this form is on is called form.php.

HTML Code:

<form action='insert.php' method='POST'>
Name:<br /> <input type='text' name='name'><br />
Subject:<br /> <input type='subject' name='subject'><br />
Question:<br /><textarea name='question'></textarea><br />
Enter this code: 46556<br />
<input type='text' name='verf'<br />
<input type='submit' name='submit'>
</form>

Above is the HTML form what starts with the opening and closing tags of <FORM> and </FORM> but the opening tags contain the attributes of ACTION and METHOD. METHOD is used to declare which method will be used to send the information this can be POST or GET. The GET method puts the information in the address bar, for example it would be like websitename.com/form.php?name=jack&subject=contact&question=howdoe sthemoonfly or similar while the POST method doesn't show the information in the address bar but gets the information through perfectly. The other attribute used was ACTION which which declares where the form will be submitting to, if the action was to go to form.php than it would basically refresh and execute the code otherwise it would go to the other page.

Making the information a value
To save having to continuously writing out the long code of $_POST['value']; we make the form values into strings by doing this below, notice that $_POST is used because the method we chose was POST, if we chose GET then it would be $_GET['value'];

PHP Code:


<?php
$name = $_POST['name']; // The name chosen
$subject = $_POST['subject']; // The message subject
$question = $_POST['question']; // The Question
$code = '46556'; // Verification Code
$verify = $_POST['verf']; // Submitted Verification Code
$submit = $_POST['submit']; // Submit button, I'll explain later.
?>

To make sure you've entered the code in correctly you will want to check the information and the best way to do this is by echoing out the information like the below example.

PHP Code:


<?php
$name = $_POST['name'];
$subject = $_POST['subject']; 
$question = $_POST['question'];
$code = '46556';
$verify = $_POST['verf'];
$submit = $_POST['submit']; 

echo $name . $subject . $question . $verify;
?>

All the values will be together without spaces but it checks if the information is there.

Check the verification
To check if the verification is correct we'll use an IF statement, we'll do the same to see if all the fields are filled in, below is the verification check.

PHP Code:


<?php
$name = $_POST['name'];
$subject = $_POST['subject']; 
$question = $_POST['question'];
$code = '46556';
$verify = $_POST['verf'];
$submit = $_POST['submit'];

if ($verify==$code) // If the submitted verification code is equal to the real code
{
// This is where the other codes will go.
}
else
die('The verification code you entered was inncorect');
?>

Here you can see the statement says IF the value of $verify is equal to the value of $code than the code it the curly brackets { } will be submitted ELSE, if the values don't match it will use the die funtion to echo out 'The verification code you entered was inncorect' and the page will die.

Check if the rest of the form is filled
To check this we will do the exact same thing we did to check verification except we won't be checking whether any values are equal.

PHP Code:


<?php
$name = $_POST['name'];
$subject = $_POST['subject']; 
$question = $_POST['question'];
$code = '46556';
$verify = $_POST['verf'];
$submit = $_POST['submit'];

if ($verify==$code) 
{
if ($name&&$subject&&$question) // If values exist
{
// The rest of the code.
}
else
die('Please fill in all fields');

}
else
die('The verification code you entered was inncorect');
?>

You can see we used another IF statement to check if the values where there and then if they are the code in the curly brackets {} will be execute ELSE we use the die function to echo out 'The verification code you entered was inncorect'.

Connection to MySQL
To connect to the database we use the mysql_connect() function to connect to the host and the mysql_select_db() function to select the database.

PHP Code:


<?php
$name = $_POST['name'];
$subject = $_POST['subject']; 
$question = $_POST['question'];
$code = '46556';
$verify = $_POST['verf'];
$submit = $_POST['submit'];

if ($verify==$code) 
{
if ($name&&$subject&&$question) // If values exist
{
$connect = mysql_connect('localhost','root','123')or die('Couldnt Connect, ' . mysql_error()); // host,user,password
mysql_select_db('databasename') or die('Couldnt connect to database, ' . mysql_error()); // database name

}
else
die('Please fill in all fields');

}
else
die('The verification code you entered was inncorect');
?>

After the functions you may have noticed I put or die() which is like an IF statement, if it connects than continue to execute or die() and then within the die() function I also put the mysql_error() function which tells you what the problem is instead of just echoing out 'Couldnt Connect.'
MySQL Query - Insert Information
To insert the information into the database we'll be using the mysql_query() function to put the data into the selected table.

PHP Code:


<?php
$name = $_POST['name'];
$subject = $_POST['subject']; 
$question = $_POST['question'];
$code = '46556';
$verify = $_POST['verf'];
$submit = $_POST['submit'];

if ($verify==$code) 
{
if ($name&&$subject&&$question) // If values exist
{
$connect = mysql_connect('localhost','root','123')or die('Couldnt Connect, ' . mysql_error());
mysql_select_db('databasename') or die('Couldnt connect to database, ' . mysql_error()); 

$sql = "INSERT INTO questions (name, subject, question)
VALUES
('$name', '$subject', '$question')";

if (mysql_query($sql, $connect))
{
echo 'Your message has been sent!';

}
else
die('Couldnt insert information, ' . mysql_error());

}
else
die('Please fill in all fields');

}
else
die('The verification code you entered was inncorect');
?>

You can see I used a mysql query to insert the information and if you read the code you'll see it's pretty easy to understand.
MySQL > Database > Creating Tables
To create the needed tables if pretty easy, open your PHPMyAdmin and go to the database you'll be using and then click the tab that says 'SQL' and from their enter this code:

Code:

CREATE TABLE questions
(
name varchar(25),
subject varchar(25),
question varchar(65)
)

Please note: I used normal curved brackets () and the name, subject and question rows are all lowercase!.

---------
If you have any issues with this tutorial please PM me or post a reply here, this tutorial took me a while and it would be a shame to see it go ignore because theres issues.

I have tested it and it works as it should.

Thread moved to tutorials by dinasaw (Forum Super Moderator)

LMS16 · 27-09-2010, 10:39 AM

Good tutorial, although it should be in the 'Tutorials' section.

Also, 65 characters for a question, you should make the question table text rather than varchar(65)

Lew.

Shibby-Shabs · 27-09-2010, 11:13 AM

Not sure what you mean, plus I was trying to keep it simple.

LMS16 · 27-09-2010, 11:37 AM

Code:

CREATE TABLE questions
(
name varchar(25) NOT NULL,
subject varchar(100) NOT NULL,
question text NOT NULL
)

Lew.

Shibby-Shabs · 27-09-2010, 12:02 PM

I see.. I'll keep that in mind for next time. Btw, I cannot post in tutorials.

Joe! · 28-09-2010, 08:41 AM

Just a few things, by having a verification code that isn't a random number in an image, it defeats the point. A bot will simply look in the source of the page for the verification code.
Also, you havn't cleaned any of the inputs, leaving the database vulnerable to sql injections, which is bad news.
Good for teaching people the basics of php though I guess, although I wouldn't advise anyone to use this on a live website..

LMS16 · 28-09-2010, 10:10 AM

Originally Posted by Joe!

Just a few things, by having a verification code that isn't a random number in an image, it defeats the point. A bot will simply look in the source of the page for the verification code.
Also, you havn't cleaned any of the inputs, leaving the database vulnerable to sql injections, which is bad news.
Good for teaching people the basics of php though I guess, although I wouldn't advise anyone to use this on a live website..

Who would go through he effort of even putting a bot on this script lol...
It is a good script and the database is only open to injection via the php coding

Lew.

Shibby-Shabs · 28-09-2010, 11:25 AM

I myself am a php noob as well, so care to explain how to make it secure?

Joe! · 29-09-2010, 09:08 AM

Originally Posted by Lewiie15

Who would go through he effort of even putting a bot on this script lol...
It is a good script and the database is only open to injection via the php coding

Lew.

How else is going to be open to injection..? Made me giggle.
Anyway, to prevent it happening, you could "clean" your user inputs..
So for example you could use mysql_real_escape_string() function.. for each of your input variables you'd do something like;

PHP Code:


$name = mysql_real_escape_string($_POST['name']);

Obviously you can do more to prevent it, but that's the basic idea

Shibby-Shabs · 06-10-2010, 12:02 PM

+rep for above. I don't actually know how to inject so I hadn't any idea.

Thread: [PHP] Form Data = Database

Thread Tools

[PHP] Form Data = Database

Posting Permissions