INSERTION COMMAND TOGETHER WITH THE PHP TEMPLATE

Asked

Viewed 43 times

-1

Good evening, I wonder if there is a way to put the sql commands for insertion in the same form as the inputs. Obrihado!

INSERTION FORM

<!DOCTYPE html>
<html lang="en" >

<head>
  <meta charset="UTF-8">
  <title>Cadastro de Usuário</title>

      <link rel="stylesheet" href="css/style.css">

</head>

<body>

  <div id='container'>
  <div class='signup'>
     <form action="cadastrar1.php" method="POST">
       <input name="nome" type='text' placeholder='Nome:' required=".$this->fields["nome"]."/>
       <input name="sobrenome" type='text' placeholder='Sobrenome:'required=".$this->fields["sobrenome"].  />
       <input name="rm" type='text' placeholder='RM:' required=".$this->fields["rm"]."/>
       <input name="curso" type='text' placeholder='Curso:' required=".$this->fields["rm"]."/>
       <input name="data_nasc" type='date' placeholder='Data de Nacimento:' required=".$this->fields["rm"]."/">
       <input name="email" type='text' placeholder='Email:' required=".$this->fields["rm"]."/>
       <input name="senha" type='password' placeholder='Senha:' required=".$this->fields["rm"]."/>
       <button type="submit">Cadastrar</button>

     </form>
  </div>
  <div class='whysign'>
    <h1>Teste de Cadastro de Dados :3</h1>
    <p></p>
    <p> 

    </p>
  </div>
</div>



</body>

</html>

REGISTER.PHP

 if(!$conect=mysqli_connect('localhost','root','','cadastros')) 
    die ('erro ao conectar');

#Recolhendo os dados do formulário
    $nome=$_POST['nome'];
    $sobrenome=$_POST['sobrenome'];
    $data=$_POST['data_nasc'];
    $rm=$_POST['rm'];
    $curso=$_POST['curso'];
    $email=$_POST['email'];
    $senha=$_POST['senha'];

# Verificando apenas um campo, no caso dado1.
    $sql = $conect->query("SELECT * FROM usuarios WHERE email='$email'");
        if(mysqli_num_rows($sql) > 0){
            echo "Este usuário já existe";
        exit(); 
    } 
        else {

        if(!$conect->query("INSERT INTO usuarios(nome, sobrenome, data_nasc, rm, curso, email, senha) 
            VALUES('$nome','$sobrenome','$data','$rm','$curso','$email','$senha')")) 
        die ('Os dados não foram inseridos');
        echo "<script type='text/javascript'>alert('Cadastro Concluído!');</script>";
        header('Location: index.html');
}

  • Welcome my friend, you can be more specific, what you really want to do?

1 answer

-1

Yes, it is possible. For this you need to use the method isset.

if (isset($_POST['cadastro']))
{
    // Aqui vai o código do cadastrar.php
}

For this code to work, you need to add a property in your form statement in HTML, it would look like this:

<form action="cadastrar1.php" name="cadastro" method="POST">

Although this code works, it is not a good practice to leave the logic of the program in the same file where you display the HTML, because it reduces the maintainability of the code, besides being a bad practice of programming.

Doing an analysis of your code, I would suggest two important things for you to learn and apply in your projects:

1. Using MVC or some other layer separation pattern

For more complex projects or solutions that have high MVC is not the most appropriate, but because it is a very easy concept to learn and apply, it is what I recommend to those who are starting. At first you may think it’s much faster to do it all in one file, but as time goes on and the project gets bigger, you realize that any changes you (or someone else) make will require various parts of the code to be changed. That is where the separation of layers comes into play. I won’t go too long on this subject, but I’ll leave a Tableless link below that explains in more detail what it is and what the benefits.

https://tableless.com.br/mvc-afinal-e-o-que/

2. Use tools to avoid SQL Injection

If you don’t know what it is, SQL Injection is an attack method that people use form entries that are not validated before they run in the database. I’ll try to explain it simply:

  • Here is the code that will be executed in SQL second is in cadastra.php
INSERT INTO usuarios(nome, sobrenome, data_nasc, rm, curso, email, senha) 
            VALUES('$nome','$sobrenome','$data','$rm','$curso','$email','$senha')
  • Now, suppose I put the password '); DROP TABLE usuarios; --

  • When I enter this form, the server will run:

INSERT INTO usuarios(nome, sobrenome, data_nasc, rm, curso, email, senha) 
VALUES('nome qualquer','sobrenome qualquer','data qualquer','rm qualquer','curso qualquer',
'email qualquer',''); DROP TABLE usuarios; --')

Did you notice that this not only formed a valid SQL command but will delete your entire user table? Attacks like these are common and are called SQL Injection.

You can learn more about SQL Injection at this OWASP link (in English): https://www.owasp.org/index.php/SQL_Injection

To avoid SQL Injection with PHP, one of the ways is to run the calls using Prepared Statements.

You can check the official documentation link here (in English): https://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php

Browser other questions tagged

You are not signed in. Login or sign up in order to post.