<form method="post" action="updatescreen(2).php">
Name of company:<br />
<input type="text" name="artid" id="artid" size="50" /><br /><br />
<input type="submit" name="Insert" id="Insert" value="Insert" /><br /><br />
<?php
if(isset($_POST['Insert'])){
$id = $_POST['artid'];
mysql_query("INSERT INTO test (id) VALUES ('$id', )");
}
?></form>
The connection to the database is included so not mentioned here. The connection is working fine, that's not the problem.
The problem is: the php code doesn't work. The php code doesn't insert the data into my database. What's wrong?
You had a , after '$id':
mysql_query("INSERT INTO test (id) VALUES ('$id')");
Your code is also open to SQL injection. You should be using something like PDO instead of the mysql_* functions, which are deprecated. With PDO, you can guard against SQL injections by using prepared statements.
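The prepared-statement approach recommended in this answer, as an added example that is not part of the original post. It assumes the pdo_sqlite extension, with an in-memory SQLite database standing in for the MySQL server; the function names and the sample company name are constructed for illustration.

```php
<?php
// Added example: SQLite in memory stands in for the MySQL server (assumption).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE test (id TEXT)');

// Constructed form input: a legitimate company name containing an apostrophe.
$_POST = ['Insert' => 'Insert', 'artid' => "O'Neil & Sons"];

// The question's pattern (extra comma removed): the value is pasted into the
// SQL text, so the apostrophe ends the string literal and changes the statement.
function insertInterpolated(PDO $pdo, string $id): string
{
    try {
        $pdo->exec("INSERT INTO test (id) VALUES ('$id')");
        return 'ok';
    } catch (PDOException $e) {
        return 'failed: ' . $e->getMessage();
    }
}

// Prepared statement: the SQL text is fixed and the value is sent as a bound
// parameter, so it is always treated as data, whatever characters it contains.
function insertPrepared(PDO $pdo, string $id): void
{
    $stmt = $pdo->prepare('INSERT INTO test (id) VALUES (:id)');
    $stmt->execute([':id' => $id]);
}

if (isset($_POST['Insert'])) {
    $id = $_POST['artid'];
    echo 'interpolated: ', insertInterpolated($pdo, $id), PHP_EOL;
    insertPrepared($pdo, $id);
    $stored = $pdo->query('SELECT id FROM test')->fetchColumn();
    echo 'prepared: stored ', var_export($stored, true), PHP_EOL;
}
```

Against MySQL only the DSN and credentials passed to `new PDO(...)` change; the prepare/execute calls stay the same.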
Change
mysql_query("INSERT INTO test (id) VALUES ('$id', )");
to
mysql_query("INSERT INTO test (id) VALUES ('$id')");
You have one comma too many.
mysql_query("INSERT INTO test (id) VALUES ('$id')");
In future, try printing the error, which will help you debug the problem yourself:
mysql_query("INSERT INTO test (id) VALUES ('$id')") or die(mysql_error());
And please use PDO or mysqli instead of the mysql_ functions, which are insecure and deprecated.
Try
<?php if(isset($_POST['Insert'])){
$id = $_POST['artid'];
mysql_query("INSERT INTO test (id) VALUES ('".$id."')")or die(mysql_error());
}?>
<form method="post" action="updatescreen(2).php">
Name of company:<br />
<input type="text" name="artid" id="artid" size="50" /><br /><br />
<input type="submit" name="Insert" id="Insert" value="Insert" /><br /><br />
And => think about the safety!
Errors:
mysql_query("INSERT INTO test (id) VALUES ('$id', )");
^---not secure, potential SQL injection
^----no need for ","
Use this code for more security (better still, use PDO or mysqli):
if(isset($_POST['Insert'])){
$id = mysql_real_escape_string($_POST['artid']);
mysql_query("INSERT INTO test (id) VALUES ('$id')");
}
Related
HTML code
<form id="form1" name="addAnnouncement" method="post" action="ownerAddAnnouncement_exec.php" onsubmit="return validateForm()">
<label style="font-size:18px">Title:
<input type="text" name="title" />
</label>
<p>
<label style="margin-left: -36px; font-size:18px;">Description:
<textarea name="description" rows="6" cols="60"></textarea>
</label>
</p>
<label style="font-size:18px">Date & Time: <br>
From
<input type="text" name="from" /> <br>
To <input type="text" name="to" />
</label> <br>
<label style="font-size:18px">Venue
<input type="text" name="venue" />
</label>
<p>
<label>
<input type="submit" name="Submit" value="Submit" />
</label>
</p>
</fieldset>
</form>
PHP code
<?php
$title = $_POST['title'];
$description = $_POST['description'];
$from = $_POST['from'];
$to = $_POST['to'];
$venue = $_POST['venue'];
$link = mysql_connect("localhost","root","") or die();
$db = mysql_select_db("condo") or die("no database found");
$insert_sql="INSERT INTO announcement (title, description, from, to,venue, status)
VALUES('$title', '$description', '$from', '$to','$venue', 'Pending')";
$sql_result=mysql_query($insert_sql) or die("Error in inserting data due to ".mysql_error());
if($sql_result)
echo "Succesfully insert new data. Please log in back";
else
echo "Error in inserting new data";
?>
An error like this ("Error in inserting data due to You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'from, to, status) VALUES('melvin', 'sdsaadsd', 'wew', 'ewrerw', 'we3', 'Pendi' at line 1" )
is shown when I try to insert data into the database.
Can anyone please help me fix the code? I have been stuck here for 1 hour.
Display the field names within ``.
Convert the insert statement to
$insert_sql="INSERT INTO announcement (`title`, `description`, `from`, `to`,`venue`, `status`)
VALUES('$title', '$description', '$from', '$to','$venue', 'Pending')";
You should escape reserved keywords using backticks. Currently, you are using the following reserved keywords: From and To. Try this:
$insert_sql="INSERT INTO `announcement` (`title`, `description`, `from`, `to`,`venue`, `status`)
VALUES('$title', '$description', '$from', '$to','$venue', 'Pending')";
From is a keyword. And also To. It is not recommended to use them. But if you can't avoid it and still want to use them, add backquote ` like below in your insert query :
INSERT INTO announcement (`title`, `description`, `from`, `to`, `status`)
VALUES('$title', '$description', '$from', '$to', 'Pending')
Hope this helped.
Regarding the current error: it is about reserved keywords like from used as a field name, so to avoid it either rename your db column or enclose it in back-quotes like `from`.
Further, you may face other errors as you are ignoring many good practices in your code, for example:
Validate user input before inserting into db
Remember to escape user input (sql injection)
Enclose field names in back-quotes
and many others, see http://code.tutsplus.com/tutorials/30-php-best-practices-for-beginners--net-6194
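The three practices listed in this answer, combined in one added example that is not part of the original post. It assumes the pdo_sqlite extension with an in-memory SQLite database standing in for MySQL, a "YYYY-MM-DD HH:MM" format for from/to, and length limits chosen for illustration; the function names are hypothetical.

```php
<?php
// Added example. Assumptions: SQLite stands in for MySQL; from/to use "YYYY-MM-DD HH:MM".
function validateAnnouncement(array $in): array
{
    $clean = $errors = [];
    foreach (['title' => 100, 'description' => 2000, 'venue' => 100] as $field => $max) {
        $clean[$field] = trim((string) ($in[$field] ?? ''));
        if ($clean[$field] === '' || strlen($clean[$field]) > $max) {
            $errors[] = "$field must be 1-$max bytes";
        }
    }
    foreach (['from', 'to'] as $field) {
        $raw = (string) ($in[$field] ?? '');
        $dt = DateTime::createFromFormat('!Y-m-d H:i', $raw);
        // Round-trip comparison rejects overflow dates such as 2024-02-31.
        if ($dt === false || $dt->format('Y-m-d H:i') !== $raw) {
            $errors[] = "$field must be a valid YYYY-MM-DD HH:MM";
        }
        $clean[$field] = $raw;
    }
    if (!$errors && $clean['from'] >= $clean['to']) {
        $errors[] = 'from must be earlier than to';
    }
    return [$clean, $errors];
}
function insertAnnouncement(PDO $pdo, array $a): void
{
    // Identifiers cannot be bound: reserved words are backtick-quoted in fixed SQL, values use placeholders.
    $stmt = $pdo->prepare(
        'INSERT INTO `announcement` (`title`, `description`, `from`, `to`, `venue`, `status`)
         VALUES (:title, :description, :from_ts, :to_ts, :venue, :status)'
    );
    $stmt->execute([':title' => $a['title'], ':description' => $a['description'],
        ':from_ts' => $a['from'], ':to_ts' => $a['to'], ':venue' => $a['venue'], ':status' => 'Pending']);
}
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE announcement (title TEXT, description TEXT, `from` TEXT, `to` TEXT, venue TEXT, status TEXT)');
// Constructed sample submissions: one valid, one with unparseable dates and an empty venue.
$samples = [
    ['title' => "Residents' meeting", 'description' => 'AGM', 'from' => '2024-05-01 19:00', 'to' => '2024-05-01 21:00', 'venue' => 'Hall A'],
    ['title' => 'Pool closed', 'description' => 'Repairs', 'from' => 'wew', 'to' => 'ewrerw', 'venue' => ''],
];
foreach ($samples as $post) {
    [$clean, $errors] = validateAnnouncement($post);
    if ($errors) { echo 'rejected: ', implode('; ', $errors), PHP_EOL; continue; }
    insertAnnouncement($pdo, $clean);
    echo 'inserted: ', $clean['title'], PHP_EOL;
}
```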
I am trying to post some data from my HTML form into my mysql database.
Here is my HTML code:
<!doctype html>
<html>
<head>
</head>
<body style="background-color:#BCB7B7">
<form id="form1" name="form1" method="post" style="text-align:center" action="post.php">
<input type="text" name="name" id="name" placeholder="Name">
<p></p>
<input type="text" name="age" id="age" placeholder="Age">
<p></p>
<input type="text" name="food" id="food" placeholder="Food">
<p></p>
<input type="submit" name="submit" id="submit" value="Submit">
</form>
</body>
</html>
and here is my php code:
<?php
$connect = mysql_connect("localhost","myusername","mypassword","mydbname");
mysql_select_db("mydbname",$connect);
mysql_query("INSERT INTO myTable VALUES Name = $_POST[name], Age = $_POST[age], Food = $_POST[food]");
?>
but the data does not get saved
Strings in SQL must be quoted. You are dumping your variables into the SQL without quotes.
Your syntax is also wrong. The format is INSERT INTO table_name (column_name, column_name) VALUES value, value.
You are also failing to escape the data, so you are vulnerable to SQL Injection attacks.
To fix your problems:
Stop using the deprecated mysql_ library and switch to mysqli_ or PDO
Use bound arguments to insert variables into your SQL
Use the correct syntax
This question about preventing SQL injection has examples of how to use those libraries safely.
There are 2 different versions of the INSERT command - you are using neither.
Either:
INSERT INTO myTable SET Name = "Peter",
Age = 15, Food = "pizza"
or
INSERT INTO myTable (Name, Age, Food) VALUES
("Peter", 15, "pizza")
You have to quote the values:
mysql_query("INSERT INTO myTable VALUES Name = '$_POST[name]', Age = '$_POST[age]', Food = '$_POST[food]'");
Hint: You should use mysqli_ or PDO_ functions as mysql_ functions are deprecated
try this
<?php
$connect = mysql_connect("localhost","myusername","mypassword","mydbname") or die("error while connecting to the database");
mysql_select_db("mydbname",$connect) or die("error while selecting the database");
mysql_query("INSERT INTO myTable VALUES ('" . mysql_real_escape_string($_POST['name']) . "', '" . mysql_real_escape_string($_POST['age']) . "', '". mysql_real_escape_string($_POST['food']) . "')");
?>
I haven't done PHP for some time, but I don't really see what I am missing.
I am trying to insert some data from a FORM into MYSQL, but it still fails.
This is the file with FORM :
<html>
<head>
<link type="text/css" rel="stylesheet" href="stylesheet.css"/>
<title>registrace</title>
</head>
<body>
<H1> The Best Page! </H1>
<p>
"Please registrate"
<form action="zpracovani.php" method="post">
Name <input type="text" size="20" name="Name" value=""><br>
Surname <input type="text" size="30" name="Surname" value=""><br>
Username <input type="text" size="30" name="username" value=""><br>
Password <input type="text" size="10" name="password" value=""><br>
Retype password <input type="text" size="10" name="password2" value=""><br>
<input type="image" name="button" value="submit" class="button" src="button.jpg">
</form>
</p>
</body>
</html>
As you can see, I am sending the data to be processed by the file "zpracovani.php". I tested that I am connected to the MySQL server (it passes) and also checked that I am connected to the right database (it also passes with no problems).
<html>
<?php
echo "Wait please";
$con=mysql_connect ('localhost','root','');
if (!$con)
{
die ( 'Could not connect: ' . mysql_error());
}
mysql_select_db ('registrace') or die("cannot select DB");
echo #mysql_ping() ? 'true' : 'false';
$sql="INSERT INTO 'registrace'(Name, surname, username, password).
VALUES('$_POST[Name]','$_POST[Surname]','$_POST[username]','$_POST[password]')";
$result=mysql_query($sql);
if($result){
echo("<br>Input data is succeed");
}else{
echo("<br>Input data is fail");
}
mysql_close($con);
?>
</html>
Below is an overview of the MySQL table I made.
ID int(11)
Name varchar(20) latin1_swedish_ci
Surname varchar(30) latin1_swedish_ci
username varchar(30) latin1_swedish_ci
password varchar(10) latin1_swedish_ci
Although I am connected to the database and to the correct table, it is still unable to insert anyone into the database. Can anyone look into this and help me out, please?
Thanks in advance!
Either remove the quotes in 'registrace' or use backticks in INSERT INTO 'registrace'
Example:
INSERT INTO `registrace`
Using backticks is better.
Also remove the dot in:
$sql="INSERT INTO 'registrace'(Name, surname, username, password).
It should read as:
$sql="INSERT INTO `registrace` (Name, surname, username, password)
Reformatted:
$sql="INSERT INTO `registrace` (Name, surname, username, password)
VALUES
('{$_POST['Name']}','{$_POST['Surname']}','{$_POST['username']}','{$_POST['password']}')";
Or follow this convention:
$unsafe_variable = $_POST["user-input"];
$safe_variable = mysql_real_escape_string($unsafe_variable);
mysql_query("INSERT INTO table (column) VALUES ('" . $safe_variable . "')");
NOTE: I also noticed that you are using the same name for both your DB and your table.
Make sure that this is in fact the case.
Your DB:
mysql_select_db ('registrace')
and your table?
INSERT INTO `registrace`
Plus, it would be a good idea to increase the values for your VARCHAR's and consider using MySQLi_ and prepared statements or PDO. MySQL_ functions are deprecated.
Do read the following articles:
How can I prevent SQL injection in PHP?
On owasp.org
First: use mysqli
Second: get rid of mysql ping
Third: change:
"......'$_POST[xxx]'......"
into:
"......'{$_POST['xxx']}'....."
Thanks guys it is working now.
By the way, the mysql ping was just a check to see if I am well connected, as I wrote in my original post :)
Anyway, it was very helpful, thanks.
Hi, I am trying to get a form to post to a database. I can connect, and the database and table are set up, but rather than posting the contents of the fields, it posts the text firstname and secondname into the columns.
Below is my code:
mysql_select_db("company", $conn);
$sqlCmd = sprintf("INSERT INTO names (firstname, secondname) VALUES ('%firstname','%secondname')",
mysql_real_escape_string($_POST["firstname"]),
mysql_real_escape_string($_POST["secondname"]));
//echo $sqlCmd;
//die();
mysql_query($sqlCmd);
mysql_close($conn);
}
?>
<form method="post">
<input type="text" id="firstname" name="firstname"/>
<input type="text" id="secondname" name="secondname"/>
<input name="submit" type="submit" value="Submit"/>
</form>
I need it to post the values from the fields. I am new to PHP and this is my first project; I would love some help.
Just to add, this is what I have managed after following a tutorial.
Thanks
Ryan
Do not use php's mysql_ methods any more.
It is outdated:
https://wiki.php.net/rfc/mysql_deprecation
Use mysqli_ or pdo instead
In your code you forgot the mysql_connect() anyways ;)
Just change your sprintf call to:
$sqlCmd = sprintf("INSERT INTO names (firstname, secondname) VALUES ('%s','%s')",
mysql_real_escape_string($_POST["firstname"]),
mysql_real_escape_string($_POST["secondname"]));
Also consider using the newer mysqli function: http://www.php.net/manual/en/intro.mysqli.php
HTH;
Pacific
I'm working on a Uni assignment and am having trouble inserting records to MySQL database using a form. My set up is below.
I can view entries in the database with no problem. I'm new to this so sorry in advance :(
conninfo.php
<?php
$strServer="localhost";
$strDatabase="djdatabase"; // CHANGE TO YOUR DATABASE NAME HERE
$strUser="root";
$strPwd=""; // Leave blank for WAMPServer
$strDB=mysql_connect($strServer,$strUser,$strPwd)or die("Could not open database");
$database=mysql_select_db("$strDatabase",$strDB);
?>
addnewdata.php
<?php include "conninfo.php";
$newdj=$_POST["dj"]; //pick up from form
$newfn=$_POST["fn"];
$newem=$_POST["em"];
$newwe=$_POST["we"];
$newpi=$_POST["pi"];
$newev=$_POST["ev"];
$query = "INSERT INTO dj(DJName, FirstName, Email, Website, Picture, EventNumber)VALUES('$newdj', '$newfn', '$newem', '$newwe', '$newpi', '$newev)";
mysql_query($query);
header("location:showall.php");
?>
enternewdata.php
<?php include "conninfo.php";?>
<html>
<head>
</head>
<body>
<form action="addnewdata.php" method="post">
DJ Name:<input type="text" name="dj"><br>
FirstName: <input type="text" name="fn" /><br>
Email: <input type="text" name="em" /><br>
Website: <input type="text" name="we" /><br>
Picture: <input type="text" name="pi" /><br>
EventID: <input type="text" name="ev" /><br>
<br><br>
<button type="submit">Submit</button>
</form>
</body>
</html>
Many Thanks for your help :)
You had better use the SET command to insert data
$query = "INSERT INTO dj SET
DJName='".$newdj."',
FirstName='".$newfn."',
Email='".$newem."',
Website='".$newwe."',
Picture='".$newpi."',
EventNumber='".$newev."'";
$save = mysql_query($query);
if($save){
header("location:showall.php");
}else{
die(mysql_error());
}
You are missing a quote ' which is causing the error that you cannot see because you haven't done any debugging. Anyway, you should just change to this
'$newwe', '$newpi', '$newev')"; //a quote was missing after '$newev
I would suggest you to also debug query by adding or die('INVALID QUERY: ' . mysql_error());
so code would look like
mysql_query($query) or die('INVALID QUERY: ' . mysql_error());
Since you said this is a university test I don't know if you are supposed to use mysql_* functions (which are deprecated), but I would strongly recommend switching to mysqli or PDO if you can, for security reasons.
You missed ' on your query on $newev that gives you an error
$query = "INSERT INTO dj(DJName, FirstName, Email, Website, Picture, EventNumber)VALUES('$newdj', '$newfn', '$newem', '$newwe', '$newpi', '$newev)";