PHP CODE :
<?php
// Create connection
$con=mysqli_connect("localhost","root","root","demo1");
echo "Connection was successful";
// Check connection
if (mysqli_connect_errno())
{
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
mysql_select_db("demo1",$con);
$sqli="INSERT INTO employee (Employee ID,NAME,Date Hired,Position,Salary,Department Code,Can HIRE,BOSSID)
VALUES('$_POST[EMPID]','$_POST[NAME]','$_POST[DATEHIRED]','$_POST[POSITION]','$_POST[SALARY]','$_POST[D EPTCODE]','$_POST[CANHIRE]','$_POST[BOSSID]')";
if (!mysqli_query($con,$sqli))
{
die('Error: ' . mysqli_error($con));
}
echo "1 record added";
mysqli_close($con);
?>
HTML CODE
<!DOCTYPE html>
<html>
<body>
<h1> EMPLOYEE </h1><br>
<form action="LAB5.php" method="post">
Employee ID: <input type="text" name="EMPID" ><br>
NAME: <input type="text" name="NAME" ><br>
Date Hired <input type="text" name="DATEHIRED" ><br>
Position: <input type="text" name="POSITION" ><br>
Salary: <input type="text" name="SALARY" ><br>
Department Code: <input type="text" name="DEPTCODE" ><br>
Can HIRE <input type="text" name="CANHIRE" ><br>
BOSSID: <input type="text" name="BOSSID" ><br>
<input type="image" src="Submit.gif" alt="Submit" width="100" height="50"><br>
</body>
</html>
ERROR MESSAGE:
Connection was successfulError: You have an error in your SQL syntax;
check the manual that corresponds to your MySQL server version for the right
syntax to use near 'ID, NAME, Date Hired, Position, Salary, Department Code, Can HIRE, BOSSID) VALU' at line 1
Table Screenshot : http://tinypic.com/r/vni4bc/8
Fields can't have spaces like Employee ID, double check the db table column names.
Also, your code is susceptible to SQL Injection. You should escape any user input that is going to be used in a SQL query. Try wrapping mysql_escape_string($_POST['value']) around all $_POST, $_GET, and $_REQUEST input.
You've mixed your code with MySQL and MySQLi. I've made your code into MySQLi only. And please avoid using (spaces) in your Column name. And you can prevent some SQL injection using mysqli_real_escape_string:
LAB5.php:
<?php
/* CHECK CONNECTION */
$connection=mysqli_connect("localhost","root","root","demo1");
if (mysqli_connect_errno())
{
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
$empID=mysqli_real_escape_string($connection,$_POST['EMPID']);
$name=mysqli_real_escape_string($connection,$_POST['NAME']);
$datehired=mysqli_real_escape_string($connection,$_POST['DATEHIRED']);
$position=mysqli_real_escape_string($connection,$_POST['POSITION']);
$salary=mysqli_real_escape_string($connection,$_POST['SALARY']);
$deptcode=mysqli_real_escape_string($connection,$_POST['DEPTCODE']);
$canhire=mysqli_real_escape_string($connection,$_POST['CANHIRE']);
$bossID=mysqli_real_escape_string($connection,$_POST['BOSSID']);
/* MYSQLI REAL ESCAPE STRING WOULD PREVENT A BIT OF SQL INJECTION */
mysqli_query($connection,"INSERT INTO employee (EMPID, NAME, DATEHIRED, POSITION, SALARY, DEPTCODE, CANHIRE, BOSSID) /* DOUBLE CHECK YOUR COLUMN NAME */
VALUES('$empID','$name','$datehired','$position','$salary','$deptcode','$canhire','$bossid')";
mysqli_close($con);
?>
Your HTML code:
<html>
<body>
<h1> EMPLOYEE </h1><br>
<form action="LAB5.php" method="post">
Employee ID: <input type="text" name="EMPID" ><br>
Name: <input type="text" name="NAME" ><br>
Date Hired <input type="date" name="DATEHIRED" ><br>
Position: <input type="text" name="POSITION" ><br>
Salary: <input type="number" name="SALARY" ><br>
Department Code: <input type="text" name="DEPTCODE" ><br>
Can HIRE <input type="text" name="CANHIRE" ><br>
BOSSID: <input type="text" name="BOSSID" ><br>
<input type='submit'>
</form>
</body>
</html>
use mysqli why "mysql_select_db"? mysqli will be:
bool mysqli_select_db ( mysqli $link , string $dbname )
You should switch to prepared statements to get rid of the sql injection problem that you have now.
Also, if your field- or table-names contain spaces, you need to enclose them in backticks:
INSERT INTO employee (`Employee ID`,NAME, ....
And you cannot mix mysqli_* with mysql_* functions like that, stick to mysqli_*.
You're mixing the database object up.
mysql_select_db("demo1",$con);
Should be
mysqli_select_db("demo1", $con);
This line:
$sqli="INSERT INTO employee (Employee ID, NAME, Date Hired, Position,Salary, Department Code, Can HIRE ,BOSSID)
VALUES('$_POST[EMPID]','$_POST[NAME]','$_POST[DATEHIRED]','$_POST[POSITION]','$_POST[SALARY]','$_POST[D EPTCODE]','$_POST[CANHIRE]','$_POST[BOSSID]')";
is also a major security risk, since you don't appear to be escaping the data you're inserting into the database.
Have a look at prepared statements
Related
Problem:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ')' at line 1
<?php
if(isset($_POST['submit']))
{
$cn = mysqli_connect("localhost", "root", "", "dbRIMA01");
$sql = "insert into pages(name, content) values('".$_POST['name']."','".$_POST['content']."',)";
if(mysqli_query($cn, $sql))
{
print 'Data Saved';
}
else{
print mysqli_error($cn);
}
}
?>
<br/>
<form method="post" action="">
<label>Name</label>
<input type="text" name="name" id="name" value=""/><br/>
<br/>
<label>content</label>
<textarea name="content" id="content"></textarea><br/>
<br/>
<input type="submit" name="submit" value="submit"/>
</form>
Just remove the last , from your query (just before the closing brace).
$sql = "insert into pages(name, content) values('".$_POST['name']."','".$_POST['content']."')";
You have a tailing comma (,) before your ). Remove it and you should be OK.
Mandatory comment:
Using string replacement like this will leave your code vulnerable to SQL injection attacks. You should consider using a prepared statement instead.
THis is my html code i have checked multiple time but again its not working.
<form action="insert.php" method="POST">
<input type="text" name="name"><br>
<input type="text" name="fname"><br>
<input type="submit" name=""><br>
</form>
This is my php code i think code is correct but don't know its not working.
<?php
//include("php\DB.php");
$connection=new mysqli("localhost","root","","sms");
if($connection){
echo "Connected";
}else{echo "Sorry";}
$username=$_POST["name"];
$fname=$_POST["fname"];
$query="INSERT INTO student(name,fname)VALUES('".$username."','".$fname."')";
$connection->query($query);
?>
according to my little knowledge please give space between insert statement
insert into student(name,fname) values('$username','$fname');
Updated
This is the whole code.
Still i do not have a value in the text field "user" but i have in all others.
I print the values before adding them to the db ( deleted it from the original code already - i have all values instead the one in the user field )
This is a testing environment.
What I have issues with, is the following:
the field "user" is a field containing text and for some reason the $_post do not contain it.
all the others variables from the number fields are carried in $_post[field_name], but not the text field.
Do you have any idea how to fix this?
I tried with using html special char, but still no results.
Thanks in advance for the help !
this is the html
<html><head><title>MySQL Table Viewer</title></head><body>
<form action="submit.php" method="POST">
Day: <input type="number" name="day"/> Month: <input type="number" name="mont"/> Year: <input type="number" name="year"/>
<br> <br>
Start Hour:<br>
<input type="number" name="shour"/>
<br>
End Hour:<br>
<input type="number" name="ehour"/>
Agent: <input type="text" name="user" value=""/>
<input type="submit" class="button" name="submit" value="submit" />
</form>
</body></html>
this is the php
<html>
<body>
<?php
$day = mysql_real_escape_string($_POST['day']);
$mont= mysql_real_escape_string($_POST['mont']);
$year = mysql_real_escape_string($_POST['year']);
$shour = mysql_real_escape_string($_POST['shour']);
$ehour = mysql_real_escape_string($_POST['ehour']);
$user = mysql_real_escape_string($_POST['user']);
$con = mysql_connect("localhost","root","samokow");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}
mysql_select_db("reservations", $con);
$sql="INSERT INTO reservations (day, mont, year, shour, ehour, user)
VALUES ('$day', '$mont','$year', '$shour','$ehour','$user')";
if (!mysql_query($sql,$con))
{
die('Error: ' . mysql_error());
}
echo "Booking done." ;
mysql_close($con);
?>
</body>
</html>
You're quoting your $_POST[] you should do it like this:
$sql="INSERT INTO reservations (day, mont, year, shour, ehour, user) VALUES (".mysql_real_escape_string($_POST['day']).", ".mysql_real_escape_string($_POST['mont']).",".mysql_real_escape_string($_POST['year']).", ".mysql_real_escape_string($_POST['shour']).",".mysql_real_escape_string($_POST['shour']).",".mysql_real_escape_string($_POST['user'])."))";
this should work.
You don't have to qoute variables such as post in your query but instead use mysql_real_escape_string
EDIT:
Your year tag is invalid you end it with an $, and in your query you're getting shour 2 times
`Year: <input type="number" name"year"$`
Should be: Year: <input type="number" name="year">
$_POST[day]', '$_POST[mont]','$_POST[year]', '$_POST[shour]','$_POST[shour]'
shouldn't the second shour be ehour?
I hope this code is for testing purposes only?
Paste all of this in the same page!
<form method="POST">
Day: <input type="number" name="day" />
Month: <input type="number" name="mont" />
Year: <input type="number" name="year" />
Start Hour: <input type="number" name="shour" />
End Hour: <input type="number" name="ehour" />
Agent: <input type="text" name="user" />
<input type="submit" class="button" name="submit" value="submit" />
</form>
Before including the $_POST values in your database, you should use mysql_real_escape_string() Just like the others said.
ALSO, you will have to use mysqli or PDO because mysql_query() is deprecated.
if(isset($_POST['submit'])){
$day = mysql_real_escape_string($_POST['day']);
$mont= mysql_real_escape_string($_POST['mont']);
$year = mysql_real_escape_string($_POST['year']);
$shour = mysql_real_escape_string($_POST['shour']);
$ehour = mysql_real_escape_string($_POST['ehour']);
$user = mysql_real_escape_string($_POST['user']);
$sql="INSERT INTO reservations (`day`, `mont`, `year`, `shour`, `ehour`, `user`) VALUES ('$day', '$mont','$year', '$shour','$shour','$user')";
}
I would recommend to provide a valueparameter in the input tag as well:
.... Agent: <input type="text" name="user" value="">
some browsers are picky about that (MS IE ...?)
Try this :
$day = mysql_real_escape_string($_POST['day']);
$mont= mysql_real_escape_string($_POST['mont']);
$year = mysql_real_escape_string($_POST['year']);
$shour = mysql_real_escape_string($_POST['shour']);
$ehour = mysql_real_escape_string($_POST['ehour']);
$user = mysql_real_escape_string($_POST['user']);
$sql="INSERT INTO reservations (day, mont, year, shour, ehour, user) VALUES ('$day', '$mont','$year', '$shour','$shour','$user')";
you need to put the row in quotes like this:
$_POST['user']
I am trying to generate a script to insert comments on a blog to 'comments' table in MySsl database
<form action="insertcomment.php" method="post">
<p class ="ctitle">Leave a Comment:</p>
<p>
<label for="name"><b>PostID:</b></label>
<input type="text" id="postid" name="name" maxlength="4" /> <br/>
<label for="name"><b>Name:</b></label>
<input type="text" id="name" name="name" maxlength="25" /> <br/>
<label for="email"><b>Email:</b></label>
<input type="text" id="email" name="email" maxlength="50" /> <br/>
<label for="website"><b>Website:</b></label>
<input type="text" id="website" name="website" maxlength="25" /> <br/>
<label for="content"><b>Comment:</b></label>
<textarea id="content" name="content" cols="10" rows="4" maxlength="800"></textarea> <br/>
<input type="submit" value="Submit Comment" name="submit_comment" /> <br/>
</p>
</form>
and my PHP script is as follows:
<?php
include("dbconnect.php");
$con=new dbconnect();
$con->connect();
error_reporting(E_ALL);
if(isset($_POST['submit'])) {
$sSql = "INSERT INTO comments
( post_id,name, email, website,content)
VALUES ('$_POST[postid]','$_POST[name]', '$_POST[email]', '$_POST[website]', '$_POST[content]')";
mysql_query($sSql);
echo '<h2> Your Comment is submitted</h2><br />';
}
?>
But I was not able to insert my comment into database. my 'comments' table has comment_id,post_id,name,email,website,content,date_published fields. comment_id is the primary key. It has the option auto_increment. and date_published by default gives current time stamp. I was not able to figure out what my error is. Any thoughts would be appreciated.
Thank You!
You should use mysqli or PDO, but if you need to use the about-to-be depreciated mysql plugin:
<?php
include("dbconnect.php");
$con=new dbconnect();
$con->connect();
error_reporting(E_ALL);
if(isset($_POST['submit'])) {
foreach ($_POST as $key => $value) {
$$key = mysql_real_escape_string($value); // You should always sanitize user inputs.
}
$sSql = "INSERT INTO comments
( post_id,name, email, website,content)
VALUES ($postid,'$name', '$email', '$website', '$content')"; // No quotes around $postid because I'm assuming post_id column is an int type.
mysql_query($sSql);
echo '<h2> Your Comment is submitted</h2><br />';
}
?>
Notice the single quotes have been removed from $postid. This is because if table post_id is an int type, then you should not have quotes around the integer value.
Also, notice I've used the mysql_real_escape_string() function to clean your inputs. You should never ever quote direct user-inputted variables into SQL. It's very dangerous as users can use SQL injection attacks to gain access to your DB where they shouldn't or even possibly drop tables.
Still, I recommend converting to mysqli or PDO if at all possible, because the mysql plugin is about to be depreciated.
I have done my research but have found nothing specific enough to my problem
I have an HTML form, asking for data, then a php script that is suppose to put the data in a mysql database
When i try it on my localhost, i dont get any errors
but when i check on phpmyadmin, there is no new data
the html:
<html>
<head>
<form action="insert.php" method="post">
ID: <input type="text" name="ID"><br>
Family ID: <input type="text" name="Family_ID"><br>
First Name: <input type="text" name="First_Name"><br>
Last Name: <input type="text" name="Last_Name"><br>
Gender: <input type="text" name="Gender"><br>
Birthday: <input type="text" name="Birthday"><br>
Birthplace: <input type="text" name="Birthplace"><br>
Father ID: <input type="text" name="Father_ID"><br>
Mother ID: <input type="text" name="Mother_ID"><br>
Maiden Name: <input type="text" name="Maiden_Name"><br>
Mariage ID: <input type="text" name="Mariage_ID"><br>
Deathdate: <input type="text" name="Deathdate"><br>
Deathplace: <input type="text" name="Deathplace"><br>
Grave Location: <input type="text" name="Grave_Location"><br>
Email: <input type="text" name="Email"><br>
Phone: <input type="text" name="Phone"><br>
Address: <input type="text" name="Adress"><br>
Bio: <input type="text" name="Bio"><br>
Studies: <input type="text" name="Travail"><br>
Travail: <input type="text" name="Travail"><br>
Photo: <input type="text" name="Photo"><br>
Fete: <input type="text" name="Fete"><br>
<input type="Submit">
</form>
</head>
<body>
</body>
</html>
the php:
$username='root';
$password='121395';
$database='genealogy';
mysql_connect("localhost",$username,$password);
#mysql_select_db($database) or die( 'Unable to select database');
echo "Connected to MySQL";
$ID=mysql_real_escape_string($_POST['ID']);
$Family_ID=mysql_real_escape_string($_POST['Family_ID']);
$First_Name=mysql_real_escape_string($_POST['First_Name']);
$Last_Name=mysql_real_escape_string($_POST['Last_Name']);
$Gender=mysql_real_escape_string($_POST['Gender']);
$Birthday=mysql_real_escape_string($_POST['Birthday']);
$Birthplace=mysql_real_escape_string($_POST['Birthplace']);
$Father_ID=mysql_real_escape_string($_POST['Father_ID']);
$Mother_ID=mysql_real_escape_string($_POST['Mother_ID']);
$Maiden_Name=mysql_real_escape_string($_POST['Maiden_Name']);
$Mariage_ID=mysql_real_escape_string($_POST['Mariage_ID']);
$Deathdate=mysql_real_escape_string($_POST['Deathdate']);
$Deathplace=mysql_real_escape_string($_POST['Deathplace']);
$Grave_Location=mysql_real_escape_string($_POST['Grave_Location']);
$Email=mysql_real_escape_string($_POST['Email']);
$Phone=mysql_real_escape_string($_POST['Phone']);
$Address=mysql_real_escape_string($_POST['Adress']);
$Bio=mysql_real_escape_string($_POST['Bio']);
$Travail=mysql_real_escape_string($_POST['Travail']);
$Photo=mysql_real_escape_string($_POST['Photo']);
$Fete=mysql_real_escape_string($_POST['Fete']);
$query = "INSERT INTO bouan (ID, Family_ID, First_Name, Last_Name, Gender, Birthday,
Birthplace, Father_ID, Mother_ID, Maiden_Name, Mariage_ID,Deathdate, Deatchplace,
Grave_Location, Email, Phone, Adress, Bio, Travail, Photo, Fete) VALUES
('$ID','$Family_ID','$First_Name','$Last_Name','$Gender','$Birthday','$Birthplace',
'$Father_ID','$Mother_ID','$Maiden_Name','$Mariage_ID','$Deathdate','$Deathplace',
'$Grave_Location','$Email','$Phone','$Address','$Bio','$Travail','$Photo','$Fete')";
mysql_query($query) or die ("Error updating database");
mysql_error();
mysql_close();
All i get in return is:
Connected to MySQLError updating database
whats wrong? (i HAVE done my research, over 2 days fyi)
im sorry that im new to this, cant help it
You should probably
provide mysql_query with the real query
sanitize data before feeding it to sql
use {$_POST['whatever']} when you want to embed it into a string
check the return value of mysql_query
learn a thing or two.
Your first approach looks fine, but for security reasons fetch the posted variables like below $ID=mysql_real_escape_string($_POST['ID']);
mysql_real_escape_string() method will remove the unwanted characters and makes it secure.
At the end try to print the query which you are executing using echo or print statement.
echo $query;
Execute the result on your phpmyadmin. Phpmyadmin will let you know what are the errors in your mysql query and following those instructions you can change your query.
Debugging can be done by printing the results after each line execution wherever you feel something is going wrong.
Use mysql_error() to receive last error. Also I see potential bug in your query:
'`$ID`','`$Family_ID`','`$First_Name`' -- you may try to remove ` sign
try to do these 2 things, first add value attribute to your all input elements
e.g)
<input type="text" name="Family_ID" value="">
because it will not get into $_POST variable if you send blank value in the text box with no value attribute
try to add filed names so that you can track map with values and remove
`
from your field and value.