How to Insert Form Data into MySQL Using Prepared Statements in PHP?

PHP: Inserting Values from the Form into MySQL

Problem

You've created a database table and are trying to insert values from an HTML form into it, but the database remains empty. The code declares the SQL query as a string variable but does not execute it, leaving the database unaffected.

Answer

To insert values using a form, follow these steps:

1. Never Trust User Input: Input from forms can be manipulated, potentially causing SQL Injection vulnerabilities.
2. Use Prepared Statements: They allow you to specify placeholders for values in the SQL statement, which are then bound to variables dynamically, preventing malicious input.
3. Modify Your PHP Code:

<?php

// Database configuration
include_once 'dbConfig.php';

if (isset($_POST['save'])) {
    // Prepare the statement
    $sql = "INSERT INTO users (username, password, email) VALUES (?,?,?)";
    $stmt = $mysqli->prepare($sql);

    // Bind the parameters to the statement
    $stmt->bind_param("sss", $_POST['username'], $_POST['email'], $_POST['password']);

    // Execute the statement
    $stmt->execute();

    // Close the statement
    $stmt->close();
}

?>

Prepared Statement Notes

• Placeholders (?) are used for variable binding.
• Use bind_param to bind variable types (e.g., sss for three strings).
• execute finally inserts the values into the database.

Password Security

Note that passwords should never be stored in clear text. Instead, use password_hash to store a secure hash of the password.

The above is the detailed content of How to Insert Form Data into MySQL Using Prepared Statements in PHP?. For more information, please follow other related articles on the PHP Chinese website!