Let's create the PHP file that receives the POST from the HTML form and inserts the data into the DB.

The bullet points below the code highlight its most important parts.

addUser.php


<!doctype html>
<html lang="en">
    <head>
        <meta charset="UTF-8">
        <meta name="viewport" content="width=device-width, initial-scale=1.0">
        <title>Page title</title>
    </head>
    <body>
        <?php
        // inputs from the HTML form (the keys are the form inputs' name attributes)
        $fullName = $_POST['fullname'];
        $email = $_POST['email'];
        // Server, DB, User, User password
        $servername = "localhost";
        $database = "rikundev_testusers";
        $username = "rikundev_testuser";
        $password = "7Cmny=k15vK)";
        // Create connection
        $conn = mysqli_connect($servername, $username, $password, $database);
        // Connection check: on failure $conn is false, so the error text
        // has to come from mysqli_connect_error(), not from $conn->connect_error
        if (!$conn) {
            die("Connection failed: " . mysqli_connect_error());
        }
        else {
            // Escape single quotation marks (') so they don't break the query
            $fullName = str_replace("'","\'", $fullName);
            $email = str_replace("'","\'", $email);
            // Query
            $qu = "INSERT INTO users(fullname, email) VALUES ('$fullName', '$email')";
            // Query execution
            if ($conn->query($qu)===TRUE){
                echo "Inserted Successfully";
                $conn->close();
            } else {
                echo "Insert Failed ".$conn->error;
                $conn->close();
            }
        }
        ?>
    </body>
</html>

Variables

  • The received inputs can be accessed with PHP's $_POST. It's a superglobal, so it is available throughout the script. Use the name attribute of the HTML form input to access its value.
  • After the inputs are stored in variables, we set variables for the server, database, user and user password.
  • Server is set to 'localhost'. The hosting service I'm using provides both the domain and the MySQL databases, so the connection from my HTML to the DB is a local connection.
  • The DB, user and password are the same ones I wrote down in my .txt file earlier.

Sanitation

  • After the connection is made, the inputs go through a simple sanitation step. For example, a single quotation mark (') in an input value would break the query if it weren't escaped.
  • NOTE. For a secure insert query, you could also read about mysqli::real_escape_string and prepared statements.

Query


"INSERT INTO users(fullname, email) VALUES ('$fullName', '$email')";

  • The insert query breakdown
    • INSERT INTO - the type of query to execute
    • Table name(column_1, column_2, column_n ...) - the table to insert into, with the column names in parentheses
    • Note also: users(fullname, email) - check that the casing and naming match your .txt file (or the names in the cPanel DB).
    • VALUES ('$fullName', '$email') - the values to store in the DB are given inside the parentheses. Note: use single quotation marks around each variable.
  • In this example we only inserted two column values, but the table actually has 3 columns (user_id, fullname, email). The id column was set to auto-increment during table creation, so it gets its value automatically when the row is created.

Closing the connection

  • Whether the insert succeeds or fails, the connection should always be closed.

if ($conn->query($qu)===TRUE){
    echo "Inserted Successfully";
    $conn->close();
} else {
    echo "Insert Failed ".$conn->error;
    $conn->close();
}


Improvement

  • You can improve the user experience by redirecting the client to a different page after the connection is closed. You can use e.g. PHP's header() for redirecting. Keep in mind that header() only works if nothing has been output yet, so the redirect has to happen before any HTML or echo is sent.

//...
$conn->close();
// header() must be called before any output (HTML markup or echo) has been sent
header("Location: https://rikun-devaus.com/redirected-here/");
exit;

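The following is an added example, not the tutorial's addUser.php: it does the same insert into the users table, but with the prepared statement that the Sanitation note points to instead of str_replace, and it issues the header() redirect before any HTML is output. The str_replace approach only handles the single quote, so a backslash in the input can still break the query; a prepared statement sends the query text and the values to the server separately, so whatever the user types is stored as data and never parsed as SQL. The credentials are placeholders (not the tutorial's), the validation limits are assumptions, and the table layout (user_id, fullname, email) is the one the tutorial describes.

```php
<?php
// Added example (not the tutorial's own file): insert with a mysqli prepared
// statement, then redirect. Assumes the tutorial's users(user_id, fullname, email)
// table; the credentials below are placeholders.
declare(strict_types=1);

// Make mysqli throw exceptions instead of returning false, so no failure is missed.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$servername = "localhost";
$database   = "DB_NAME_PLACEHOLDER";
$username   = "DB_USER_PLACEHOLDER";
$password   = "DB_PASSWORD_PLACEHOLDER";

// Only accept POST: opening this URL in a browser (GET) must not insert anything.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit("Method Not Allowed");
}

// Read and validate the form inputs before touching the database.
// The 100-character limit is an assumed value, not something the tutorial states.
$fullName = trim((string)($_POST['fullname'] ?? ''));
$email    = trim((string)($_POST['email'] ?? ''));

if ($fullName === '' || mb_strlen($fullName) > 100) {
    http_response_code(400);
    exit("Invalid full name");
}
if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    http_response_code(400);
    exit("Invalid e-mail address");
}

try {
    $conn = new mysqli($servername, $username, $password, $database);
    $conn->set_charset("utf8mb4");

    // The ? placeholders replace the interpolated '$fullName' and '$email'.
    // The SQL text is compiled first; the values are bound afterwards, so a
    // quote, a backslash or a "--" inside an input is stored as data, not run as SQL.
    $stmt = $conn->prepare("INSERT INTO users (fullname, email) VALUES (?, ?)");
    $stmt->bind_param("ss", $fullName, $email);   // "ss": two string parameters
    $stmt->execute();

    // user_id is AUTO_INCREMENT, so the server assigns it; no need to send it.
    $stmt->close();
    $conn->close();
} catch (mysqli_sql_exception $e) {
    // Log the detail on the server; do not echo $conn->error to the client.
    error_log("addUser insert failed: " . $e->getMessage());
    http_response_code(500);
    exit("Insert failed");
}

// Nothing has been output yet, so the Location header can still be sent.
header("Location: https://rikun-devaus.com/redirected-here/");
exit;
```

Because this file produces no HTML of its own, the success and failure messages become HTTP status codes and a redirect instead of echoed text; the "Inserted Successfully" page of the tutorial can be the redirect target.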

In part 4 we will fetch data from DB with PHP!
