mysql - INSERT query in PHP Failing (returns blank error) -


this question has answer here:

i'm using following code in attempt insert user-provided values in <form> sql table. when insert query used in phpmyadmin, insertion successful, unsuccessful in following php. connection database successful.

<?php $servername = "localhost"; $username = "***"; $password = "***"; $db_name = "my_db"; $trip; $odom; $gals; $ppg;  if (isset($_request['trip'])){  $trip = $_request['trip']; $odom = $_request['odom']; $gals = $_request['gals']; $ppg = $_request['ppg'];  }   // create connection $conn = mysqli_connect($servername, $username, $db_name, $password);  // check connection if ($conn->connect_error) { die("connection failed: " . $conn->connect_error); } echo "connected "; 

here, i've tried using double quotes around query form string; i've omitted quotes well, no avail. also, in values, i've tried both single-quotations , omission thereof well, without success. variables double values, not strings.

 $vals = "insert `log` (`trip`, `odometer`, `gallons_pumped`,      `price_gallon`)   values ('$trip', '$odom', '$gals', '$ppg')"; 

the return value of $retval false, no error provided.

$retval = mysql_query($vals);  if ($retval) { echo "new record created successfully"; } else { echo "error: " . $vals . "<br>" . $retval->error; }  mysql_close($conn);  ?> 

is syntax incorrect? if not, why insert query unsuccessful?

you're mixing mysqli_* functions mysql_* functions. can't that; aren't same library.

use mysqli_*. please don't use mysql_*; mysql_* functions outdated, deprecated, , insecure. use mysqli or pdo instead.

the last block of code should (untested):

$retval = mysqli_query($vals); // changed  if ($retval) {     echo "new record created successfully"; } else {     echo "error: " . $vals . "<br>" . mysqli_error($conn); // changed }  mysqli_close($conn); // changed 

note change $retval->error mysqli_error($conn). definition, if reached point in code because $retval evaluated false , therefore not object.


also, please note wide open sql injection. sql statement this:

$vals = "insert `log` (`trip`, `odometer`, `gallons_pumped`, `price_gallon`) values ('$trip', '$odom', '$gals', '$ppg')"; 

but values ($trip, etc.) come straight user (via $_request). bad things can happen if user submits values containing, example, ' character. should use prepared statements, this:

$vals = "insert `log` (`trip`, `odometer`, `gallons_pumped`, `price_gallon`) values (?, ?, ?, ?)";  if($stmt = mysqli_prepare($conn, $vals)) {     // adjust "sddd" below match data types; see http://php.net/manual/en/mysqli-stmt.bind-param.php     mysqli_stmt_bind_param($stmt, "sddd", $trip, $odom, $gals, $ppg);      $retval = mysqli_stmt_execute($stmt); } else {     echo "error: " . $vals . "<br>" . mysqli_error($conn); }  mysqli_close($conn); 

Comments

Popular posts from this blog

c++ - llvm function pass ReplaceInstWithInst malloc -

Cross-Compiling Linux Kernel for Raspberry Pi - ${CCPREFIX}gcc -v does not work -

java.lang.NoClassDefFoundError When Creating New Android Project -