2

I'm currently building a web form which has several drop down menus and I want to submit these into a SQL database through PHP.

I have little PHP knowledge but no better way to learn than doing it! I'm following this guide to post data back to my db - Link

My code is:

$CLI = $_POST['CLI'];
$Environment = $_POST['Environment'];
$Type = $_POST['Type'];
$Fault = $_POST['Fault'];

$query="INSERT INTO testtable (cli, env, type, fault)VALUES ('$CLI', '$Environment', '$Type', '$Fault')"

mysql_query($query) or die (mysql_error());

echo "Database Updated With: ".$CLI";

When I'm editing this code I'm getting a syntax error on the mysql_query line and the echo line. I've uploaded this to my server; however, it goes to the PHP update page and then doesn't post the data back to the db.

Can someone help please? I can't find any simple answers to fix it!

Thanks

8
  • What's the syntax error you're getting? Commented Aug 29, 2012 at 20:12
  • Can you do this: echo $query; before executing it. Commented Aug 29, 2012 at 20:13
  • 1
    Dreamweaver just points out I have a syntax error on lines: mysql_query($query) or die (mysql_error()); echo "Database Updated With: ".$CLI"; Commented Aug 29, 2012 at 20:13
  • 2
    1. you are asking to be hacked that way! 2. if you are getting a syntax error why don't you post the error?! also check if all the fields you listed exist in your db table and things like that. Commented Aug 29, 2012 at 20:14
  • 1
    Please do not use mysql_query in new applications. This interface is being phased out because of serious problems with SQL injection bugs as you've demonstrated in your simple example. If any of these values contain ' then your query will not work. You should be using mysqli or PDO and placeholders to do this correctly under all circumstances. Commented Aug 29, 2012 at 20:18

5 Answers

4

You need a semicolon at the end of the mysql line (after the last quote).

Probably you need a space before VALUES.

You have an extra " at the end of the last line.

In other words:

$query="INSERT INTO testtable (cli, env, type, fault) VALUES ('$CLI', '$Environment', '$Type', '$Fault')";

mysql_query($query) or die (mysql_error());

echo "Database Updated With: ".$CLI;

NOTE:

As was mentioned in a comment, if someone invokes the page passing this:

&Type=','');+DROP+TABLE+testtable;+--

...it will delete your data! Please read up on "SQL injection attacks" before it's too late.


3 Comments

assembling the query that way he is ought to be hacked soon, isn't he?
Thanks so much egrunin, that's sorted it :) I had too many "'s.
@user1634278 - glad to be of help, I've added more to address SparK's very important point.
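
The placeholder approach recommended in the comments and in the NOTE above, shown as an added example that is not part of the original thread. Assumptions: an in-memory SQLite database reached through PDO stands in for MySQL so the script runs offline, and the `insertFault` helper and the drop-down option lists are hypothetical.

```php
<?php
// Added example: parameterized INSERT for the question's four form fields.
// Assumption: in-memory SQLite stands in for MySQL; with MySQL only the DSN
// passed to new PDO(...) changes, the prepared statement stays the same.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE testtable (cli TEXT, env TEXT, type TEXT, fault TEXT)');

// Hypothetical allow-lists: a drop-down has a fixed set of options, so the
// server can reject anything else. Option values are constructed for the demo.
const ALLOWED = [
    'Environment' => ['Live', 'Test'],
    'Type'        => ['Hardware', 'Software'],
    'Fault'       => ['No dial tone', 'Noisy line'],
];

function insertFault(PDO $pdo, array $post, bool $checkOptions = true): bool
{
    $row = [];
    foreach (['CLI', 'Environment', 'Type', 'Fault'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            return false; // missing field, or an array smuggled in as Type[]=...
        }
        $options = ALLOWED[$field] ?? null; // null means free text (CLI)
        if ($checkOptions && $options !== null && !in_array($post[$field], $options, true)) {
            return false; // value is not one of the drop-down's options
        }
        $row[] = $post[$field];
    }
    // Values travel separately from the SQL text, so quotes in them are data.
    $stmt = $pdo->prepare('INSERT INTO testtable (cli, env, type, fault) VALUES (?, ?, ?, ?)');
    return $stmt->execute($row);
}

// Constructed stand-ins for $_POST. $bad carries the URL-decoded Type value
// quoted in the answer above.
$ok  = ['CLI' => '01234567890', 'Environment' => 'Live', 'Type' => 'Hardware', 'Fault' => 'Noisy line'];
$bad = ['Type' => "',''); DROP TABLE testtable; --"] + $ok;

var_dump(insertFault($pdo, $ok));         // valid submission is stored
var_dump(insertFault($pdo, $bad));        // allow-list rejects the value
var_dump(insertFault($pdo, $bad, false)); // without the check it is stored as plain text
echo $pdo->query('SELECT COUNT(*) FROM testtable')->fetchColumn(), " rows, table still present\n";

// Escape on output as well: the original echo prints $CLI straight into the page.
echo 'Database Updated With: ', htmlspecialchars($ok['CLI'], ENT_QUOTES, 'UTF-8'), "\n";
```
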
1

Please revise your code. You are missing a ; after $query=..., and you have an extra " in the last line.


1

You're missing a semicolon at the end of the line:

$query="INSERT INTO testtable (cli, env, type, fault)VALUES ('$CLI', '$Environment', '$Type', '$Fault')"


0

You'll need to connect to your DB using mysql_connect() first before running mysql_query().

http://php.net/manual/en/function.mysql-connect.php


0

You don't have a semicolon at the end of the $query="INSERT... line and you have an extra double quote before the semicolon on the last line.

The PHP errors that are issued should point this out to you pretty clearly.
