
I'm using php and a database to add books to a database.

HTML

<form method="POST" action="addbook.php">
<p>Enter Book title :<input type="text" name="bookname"></p>
<p>Enter Book Author :<input type="text" name="bookauthor"></p>
<p><input type="submit" value="addbook"></p>
</form>

PHP

$bname = $_POST['bookname'];
$bauthor = $_POST['bookauthor'];
$dbcon = mysqli_connect('localhost','root','password','bookstore') or die('asd');


$dbquery = "INSERT INTO books (title,author) VALUES ($bname,$bauthor)";

mysqli_query($dbcon,$dbquery) or die('not queryed');

echo "Your book has been added to your online library";

I'm getting the reply 'not queryed'

  • 2
    Your code is vulnerable to SQL injections, please read this : xkcd.com/327 Commented Dec 8, 2013 at 10:52
  • 1
    I suggest you change the end of the second last line to: or die(mysqli_error($dbcon));, and you will be able to see the specific error of your query. Commented Dec 8, 2013 at 10:53
  • 1
    Try $dbquery = "INSERT INTO books (title,author) VALUES ('$bname','$bauthor')"; Commented Dec 8, 2013 at 10:54

3 Answers

1

Try putting single quotes around the values, i.e.

$dbquery = "INSERT INTO books (title,author) VALUES ('$bname','$bauthor')";


1

You should be using PDO and prepared statements in order to prevent SQL injection. The resultant PHP would be something like this:

$bname = $_POST['bookname'];
$bauthor = $_POST['bookauthor'];

$dbh = new PDO("mysql:host=$host;dbname=$dbname", $user, $pass); //Fill in these variables with the correct values ('localhost' for host, for example)

$st = $dbh->prepare("INSERT INTO books (title,author) VALUES (?,?)");
$data = array($bname, $bauthor);
$st->execute($data);

You can then add logic to check if the statement executed successfully.

Also, I think you just gave us your root password?

For more information about PDO, see this tutorial.
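As an added example (not code from the question or from this answer), here is a complete addbook.php built around the prepared statement above. It assumes the books table has VARCHAR columns title and author, and uses a placeholder least-privilege database account instead of root.

```php
<?php
// Added example: a full addbook.php that stores the form fields from the
// question through a PDO prepared statement, so user input reaches MySQL
// as bound data and is never spliced into the SQL text.
// Assumptions: table books(title VARCHAR, author VARCHAR); a dedicated
// database user 'bookstore_app' exists (placeholder, not root).
declare(strict_types=1);

const DB_DSN  = 'mysql:host=localhost;dbname=bookstore;charset=utf8mb4';
const DB_USER = 'bookstore_app';  // placeholder: a least-privilege account
const DB_PASS = 'change-me';      // placeholder: load from config/env, not source

function addBook(PDO $dbh, string $title, string $author): int
{
    $title  = trim($title);
    $author = trim($author);
    if ($title === '' || $author === '' || strlen($title) > 255 || strlen($author) > 255) {
        throw new InvalidArgumentException('title and author must be 1-255 characters');
    }
    // Named placeholders are bound at execute(); a title such as "O'Reilly"
    // is stored literally, so the quoting problem from the question cannot occur.
    $st = $dbh->prepare('INSERT INTO books (title, author) VALUES (:title, :author)');
    $st->execute([':title' => $title, ':author' => $author]);
    return (int) $dbh->lastInsertId();
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    try {
        $dbh = new PDO(DB_DSN, DB_USER, DB_PASS, [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // fail loudly, no silent or die()
            PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares
        ]);
        $id = addBook($dbh, $_POST['bookname'] ?? '', $_POST['bookauthor'] ?? '');
        echo 'Your book has been added to your online library (id ' . $id . ')';
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    } catch (PDOException $e) {
        // Log the driver error server-side; never echo it to the browser.
        error_log('addbook failed: ' . $e->getMessage());
        http_response_code(500);
        echo 'Could not add the book';
    }
}
```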


0

Check the column names in the table to see whether they match the ones in the query. Also check whether they are actually varchar.

I don't find any problem in the query. Also try putting

or die(mysqli_error($dbcon));

and tell us exactly what you see.

If the type is varchar , you have to use single quotes around the values.

$dbquery = "INSERT INTO books (title,author) VALUES ('$bname','$bauthor')";
