1

I am trying to insert variables into a table in my database, and for some reason, the INSERT query is not inserting my values into said database. I've tested the "test_input" function, which worked fine, and I know the connection is working since a SELECT query I have later on in the code is working. I also know the inputs are in the $_POST superglobal, so I thought it probably had to do with the insert query by way of ruling out the other possibilities. Is there anything wrong with the query? Here is my php code:

            function test_input($data) {
            $data = trim($data);
            $data = stripslashes($data);
            $data = htmlspecialchars($data);
            return $data;
        }

        $name = test_input($_POST['name']);
        $date = test_input($_POST['date']);
        $datestring = date('Y-m-d',strtotime(test_input($_POST['date'])));
        $venue = test_input($_POST['venue']);
        $town = test_input($_POST['town']);

        $connection = new mysqli("Example","Example","Example","Example");
        if (mysqli_connect_errno()) {
            echo "Failed to connect to MySQL: " . mysqli_connect_error();
        }   

        if($_POST != []) {
            $connection->query("INSERT INTO events (Name, Date, Venue, Town) VALUES(" . $name . ", " . $datestring . ", " . $venue . ", " . $town . ")");
        }

Here is my HTML form code if anything is wrong with that.

    <div class="tr" id="addevent">      

        <form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">

        <div class="td">
        <input type="text" name="name">
        </div>

        <div class="td">
        <input type="text" name="date">
        </div>      

        <div class="td">
        <input type="text" name="venue">
        </div>          

        <div class="td">
        <input type="text" name="town">
        </div>  

        <div class="td">
        <input type="submit" value="Add Event">
        </div>

        </form>

    </div>
Improve this question
2
  • 1
    You probably want to check your condition $_POST != []. Maybe you can test isset($_POST['name']) instead. Or any other form parameter that must exist. Try echo in the if statement and see if it is executed at all. Commented Nov 21, 2014 at 23:21
  • Please remove $_SERVER['PHP_SELF'] as your action. I know you have htmlspecialchars() but either one of those is like a hackers heaven. See here for more info - phpsecurity.wordpress.com/2007/11/03/the-danger-of-php_self and here for why htmlspecialchars is a problem in itself - blog.astrumfutura.com/2012/03/… Commented Nov 21, 2014 at 23:24

1 Answer 1

Reset to default
1

It's not working because the dynamic SQL insert statement you are creating will have unquoted strings in the VALUES list and therefore be malformed. Having said that, you really shouldn't be doing it this way at all, as it's vulnerable to a very common attack called SQL injection.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.