Hi, I'm trying to insert data from my form, but when I press the submit button it only shows me the message:
"Conexion hecha"
which is the message from my PHP connection file, nothing more. I have the insert code in another file. This is my code.
The one for my sales_customer.php form:
<div class="container clear_both padding_fix">
<!--\\\\\\\ container start \\\\\\-->
<form action="php/registrar_cliente.php" method="POST">
<div class="form-group">
<label for="idnom">Nombre:</label>
<input type="text" class="form-control" id="idnom" name="nnombre" REQUIRED placeholder="Ingresar Nombre">
</div>
<div class="form-group">
<label for="idape">Apellidos:</label>
<input type="text" class="form-control" id="idape" name="napellido" REQUIRED placeholder="Ingresar Apellidos">
</div>
<div class="form-group">
<label for="idtdoc">Tipo de Documento:</label>
<select class="form-control" id="idtdoc" name="ntdoc">
<option value="DNI">DNI</option>
<option value="RUC">RUC</option>
</select>
</div>
<div class="form-group">
<label for="iddoc">Documento:</label>
<input type="text" class="form-control" id="iddoc" name="ndoc" REQUIRED placeholder="Numero de Documento">
</div>
<div class="row">
<div class="form-group col-sm-4">
<label for="iddir">Direccion:</label>
<input type="text" class="form-control" id="iddir" name="ndireccion" REQUIRED placeholder="Ingresar Direccion">
</div>
<div class="form-group col-sm-8">
<label for="idtelf">Telf/Movil:</label>
<input type="text" class="form-control" id="idtelf" name="ntelf" REQUIRED placeholder="Ingresar Telf o Movil">
</div>
</div>
<input type="submit" class="btn btn-primary" value="Registrar">
<button type="button" class="btn btn-default">Cancelar</button>
</form>
</div>
<!--\\\\\\\ container end \\\\\\-->
And this is the code of my registration file, registrar_cliente.php:
<?php
include 'conexion.php';
$nombre=$_POST['nnombre'];
$apellido=$_POST['napellido'];
$tipo_doc=$_POST['ntdoc'];
$documento=$_POST['ndoc'];
$direccion=$_POST['ndireccion'];
$telf=$_POST['ntelf'];
if(isset($_POST['submit'])){
$sql = "INSERT INTO cliente (nombre, apellidos, tipo_doc, dni, direccion, telfmovil)
VALUES ('$nombre', '$apellido', '$tipo_doc', '$documento', '$direccion', '$telf')";
if ($conn->query($sql) === TRUE) {
echo "Datos registrados correctamente";
} else {
echo "Ups! Error: " . $sql . "<br>" . $conn->error;
}
}
$conn->close();
?>
And the code of my conexion.php file:
<?php
$servername = "localhost";
$username = "root";
$password = "123";
$dbname = "dbagricola";
// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
if (mysqli_connect_error()) {
die("Conexion a la Base de Dato fallida: " . mysqli_connect_error());
}
echo "Conexion hecha";
?>
The files registrar_cliente.php and conexion.php are kept in a folder called PHP; does that affect inserting the data?
If you know what my mistake is, I would be very grateful if you could point it out so I can correct it.
The problem I see is:
To make it work with what you have, you should add the following to the form:
Hope this helps you.
I am going to answer your bounty, since the accepted answer is clear and correct.
PHP
I have extended the code a bit, which is the part I see as too vulnerable. In the case of the current code, I do not see the logic in taking the data directly from the form without any checks in PHP.
In this case, we could first check whether our form is defined and verify that no field (input) is empty, and if not, obtain the data.
To obtain the data you would use mysqli_real_escape_string() when you use plain mysqli statements; in the case of prepare() statements it would not be correct to use that function.
mysqli_real_escape_string: escapes special characters in a string for use in an SQL statement, taking into account the current character set of the connection.
Example:
As has already been mentioned, it is better to create prepared statements (sentencias preparadas) to better protect our statements against SQL injection attacks.
SQL injection attacks can only happen if we don't format the parts of our query in an invulnerable way.
A malicious format would be:
A correct format would be:
Source (English):
Source (Spanish):
Example with prepared statements:
HTML code:
PHP code (php/registrar_cliente.php):
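The prepared-statement version this answer refers to, written out as an added example (not the asker's or the answerer's code). It assumes the same conexion.php (exposing `$conn` as a mysqli object), the same form field names and the same cliente table as in the question; it also checks the request method instead of `$_POST['submit']`, which the original form never sends because its submit button has no name attribute.

```php
<?php
// Added example: hardened php/registrar_cliente.php (assumed file name from the form action).
include 'conexion.php';

// The form's <input type="submit"> has no name attribute, so isset($_POST['submit'])
// is never true; checking the request method does not depend on the button's name.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('Metodo no permitido');
}

// Server-side counterpart of the REQUIRED attributes: refuse missing or blank fields.
$campos = ['nnombre', 'napellido', 'ntdoc', 'ndoc', 'ndireccion', 'ntelf'];
$datos  = [];
foreach ($campos as $campo) {
    if (!isset($_POST[$campo]) || trim($_POST[$campo]) === '') {
        http_response_code(400);
        exit('Falta el campo: ' . htmlspecialchars($campo, ENT_QUOTES, 'UTF-8'));
    }
    $datos[$campo] = trim($_POST[$campo]);
}

// Whitelist the document type instead of trusting whatever the <select> submitted.
if (!in_array($datos['ntdoc'], ['DNI', 'RUC'], true)) {
    http_response_code(400);
    exit('Tipo de documento no valido');
}

// Prepared statement: the values are sent separately from the SQL text, so a name
// containing a quote (O'Brien) is stored as data and never changes the query.
$sql  = 'INSERT INTO cliente (nombre, apellidos, tipo_doc, dni, direccion, telfmovil)
         VALUES (?, ?, ?, ?, ?, ?)';
$stmt = $conn->prepare($sql);
if ($stmt === false) {
    exit('Error al preparar la consulta');
}
$stmt->bind_param(
    'ssssss',
    $datos['nnombre'], $datos['napellido'], $datos['ntdoc'],
    $datos['ndoc'], $datos['ndireccion'], $datos['ntelf']
);

if ($stmt->execute()) {
    echo 'Datos registrados correctamente';
} else {
    // Do not echo $sql or $conn->error to the browser; log it server-side instead.
    error_log('registrar_cliente: ' . $stmt->error);
    echo 'Ups! No se pudo registrar el cliente';
}
$stmt->close();
$conn->close();
```

Note that conexion.php in the question still echoes "Conexion hecha" on every include, so that text will appear before the result; remove that echo once the connection is known to work.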