0

Can't seem to get this to work. Could someone please point me in the right direction with an example of how to fix this? Thank you. I need this URL domain.com/script.php?from=1123&message=1234454

to insert values into my table

<?php

mysql_connect('localhost', 'user', 'pass');

mysql_select_db('dbname');

$sql = "insert into table (from, message) values ('".$_GET['from']."','".$_GET['message']."')"; 
if(!$sql){ 
echo "Error " . mysql_error(); }
else{ echo "Success"; }

?>
1
  • 2
    There's nothing there to actually insert into the database - you're just generating a string of SQL. Commented Jul 25, 2012 at 18:11

3 Answers

1

Try adding

 mysql_query($sql);

so it actually adds to the db. At the moment you are just creating a string.


1 Comment

No, DO NOT use mysql_query, especially not when none of the parameters are properly escaped. Do it properly. Posting answers like this is only teaching dangerous techniques.
0

You are never calling mysql_query() to actually execute the query.

<?php

mysql_connect('localhost', 'user', 'pass');

mysql_select_db('dbname');

$from    = mysql_real_escape_string($_GET['from']);
$message = mysql_real_escape_string($_GET['message']);

// TODO: check that $from and $message are not empty and are valid

$sql    = "insert into table (from, message) values ('$from','$message')"; 
$result = mysql_query($sql);  // This actually executes the query on the server

if(!$result) { 
    echo "Error " . mysql_error();
} else {
    echo "Success";
}

The call to mysql_real_escape_string is very important as well. Without it, you are vulnerable to SQL injection.

Also, the mysql_* functions are deprecated. You should switch to Mysqli or PDO_Mysql.

4 Comments

Error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'table' ('from', 'message') values ('111111','223232')' at line 1
Add echo $sql; before you run the query. What is the full output?
I think the problem is that you have to use backticks (`) around table, from, and message, not single quotes.
Strings get enclosed in single or double quotes, SQL identifiers like table and column names (can) get enclosed in backticks.
0

First you have to check if the variables are set.

    if (isset($_GET['from'], $_GET['message'])) {
        $con = mysql_connect('localhost', 'user', 'pass');

        mysql_select_db('dbname', $con);

        $from    = mysql_real_escape_string($_GET['from']);
        $message = mysql_real_escape_string($_GET['message']);

        // TODO: check that $from and $message are not empty and are valid

        $sql    = "insert into table (from, message) values ('$from','$message')";
        $result = mysql_query($sql);

        if (!$result) {
            echo "Error " . mysql_error();
        } else {
            echo "Success";
            mysql_close($con);
        }
    } else {
        die();
    }

1 Comment

The last thing the internet needs is yet another example using mysql_query. Please don't do this.
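Added example, not part of the original thread or any poster's code: the same insert done with PDO bound parameters, which is what the comments and the second answer point towards. The table name `messages`, the validation rules (digits only for `from`, a 1000-byte cap on `message`) and the in-memory SQLite database used so the script runs without a MySQL server are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Validate the two query-string values and insert them with bound parameters.
// Returns the new row id, or null when the input is missing or invalid.
function insert_message(PDO $pdo, array $query): ?int
{
    $from    = $query['from'] ?? null;
    $message = $query['message'] ?? null;

    // Reject missing values and arrays (?from[]=1) before any string checks.
    if (!is_string($from) || !is_string($message)) {
        return null;
    }
    if (!preg_match('/^[0-9]{1,20}$/D', $from) || $message === '' || strlen($message) > 1000) {
        return null;
    }

    // `from` is a reserved word, so the identifiers are backtick-quoted.
    // The values travel separately from the SQL text and are never concatenated into it.
    $stmt = $pdo->prepare('INSERT INTO `messages` (`from`, `message`) VALUES (:from, :message)');
    $stmt->execute([':from' => $from, ':message' => $message]);

    return (int) $pdo->lastInsertId();
}

// Demo on an in-memory SQLite database (assumption, so no server is needed).
// Against MySQL the DSN would be 'mysql:host=localhost;dbname=dbname;charset=utf8mb4',
// with PDO::ATTR_EMULATE_PREPARES set to false.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE `messages` (id INTEGER PRIMARY KEY, `from` TEXT, `message` TEXT)');

// Constructed sample inputs standing in for $_GET.
$samples = [
    ['from' => '1123', 'message' => '1234454'],
    ['from' => '1123', 'message' => "it's a message with a 'quoted' word"],
    ['from' => "11'23", 'message' => 'hi'],
    ['from' => ['1123'], 'message' => 'hi'],
];
foreach ($samples as $sample) {
    $id = insert_message($pdo, $sample);
    echo $id === null ? "rejected\n" : "inserted row $id\n";
}

// Show what was stored.
foreach ($pdo->query('SELECT `from`, `message` FROM `messages`') as $row) {
    echo $row['from'], ' => ', $row['message'], "\n";
}
```

With `PDO::ERRMODE_EXCEPTION` set, a failed statement throws a `PDOException`, so a real script would catch it and log the detail instead of echoing the database error to the client.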
