
I have a form in my handler:

<form action="../submitcomment.php" method="post">
    <input maxlength=100 size=60 type="text" name="IP" value="' . $ip . '" readonly="readonly" hidden="hidden">
    <input maxlength=100 size=60 type="text" name="BlogId" value="' . $blogId . '" readonly="readonly" hidden="hidden">
    <input maxlength=100 size=60 type="text" name="Date" value="' . $date . '" readonly="readonly" hidden="hidden">
    <input maxlength=100 size=60 type="text" name="Name" placeholder="Enter Your Name">
    <input maxlength=100 size=60 type="text" name="Email" placeholder="Enter Your Email">
    <input maxlength=100 size=60 type="text" name="Comment" placeholder="Enter Your Comment">
    <br>
    <input type="submit" name="Submit" value="Submit Your Comment">
</form>

The action is submitcomment.php:

$ip = $_POST['IP'];
$BlogId = $_POST['BlogId'];
$Date = $_POST['Date'];
$Name = $_POST['Name'];
$Email = $_POST['Email'];
$Comment = $_POST['Comment'];

$blog = new Blogs();

if (isset($_POST['Submit'])) {
    $addComment = $blog->insertComment($ip, $BlogId, $Date, $Name, $Email, $Comment);
    header('Location: http://www.ryan.archi.dev.netsite.co.uk/Blog?success=1');
} else {
    header('Location: http://www.ryan.archi.dev.netsite.co.uk/Blog?fail=1');
}

which references a function in my class:

function insertComment($ip, $BlogId, $Date, $Name, $Email, $Comment)
{
    $query = "INSERT INTO BlogComments (Name, Comment, IPAddress, Email, BlogId, Date) VALUES ('$Name', '$Comment', '$ip', '$Email', '$BlogId', '$Date')";
    $oDatabase = new database;
    $connection = $oDatabase->Connect();
    $result = mysql_query($query, $connection);
    return $result;
}

The attempt to insert does not return or raise any errors. As far as I'm aware this should be working. Can you spot what I am doing wrong?

Comments

  • Uff, let SQL Injection live long! Commented May 21, 2012 at 9:23
  • Are there any errors returned by mysql_query? Commented May 21, 2012 at 9:24
  • Does the attempt to insert return or raise any error? Commented May 21, 2012 at 9:25

2 Answers

The problem is with the column named Date: date is a reserved word (I guess in all known RDBMSs).

You have to escape this word in your query:

INSERT INTO BlogComments (Name, Comment, IPAddress, Email, BlogId, `Date`) VALUES ('$Name', '$Comment', '$ip', '$Email', '$BlogId', '$Date')

Also, your code gives anybody a chance to do a SQL injection attack; therefore you should at least escape any user input, or better, use MySQLi or PDO.

You can do the escaping with the PHP function http://php.net/mysql_real_escape_string :

$ip = mysql_real_escape_string($_POST['IP']);
$BlogId = mysql_real_escape_string($_POST['BlogId']);
$Date = mysql_real_escape_string($_POST['Date']);
$Name = mysql_real_escape_string($_POST['Name']);
$Email = mysql_real_escape_string($_POST['Email']);
$Comment = mysql_real_escape_string($_POST['Comment']);

Comments

  • When I did the mysql_real_escape_string it throws this error: Can't connect to local MySQL server through socket '/tmp/mysql.sock' (2)
  • So you are not connected to the DB. Where and when are you connecting to the DB? Edit your question and add the code that connects to the DB.
  • I connect to the DB in my class function, not in the submit comment where the variables are defined.
  • So when you call $blog = new Blogs; you are only connecting to the DB? Then just move this line before the mysql_real_escape_string calls are made.
  • Ahh, didn't see - but that is not a very good approach. You should connect to the DB in some bootstrap so that you are connected for the whole time the code is being executed. Call your $oDatabase = new database; $connection = $oDatabase->Connect(); at the beginning of submit and you are done. You also should write the Database class as a singleton, calling only its static getInstance() method, which will either create and return an instance or only return the existing instance of this object...
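As an added example that is not from the question or either answer: the insertComment() method and the submit handler rewritten with a PDO prepared statement, which is the "better use MySQLi or PDO" route the accepted answer recommends, with the reserved word Date backtick-quoted as in the answer's fixed query. The DSN, user name and password are placeholders; taking the IP address and date from the server instead of the hidden form fields is my assumption, since a client can rewrite those fields before posting.

```php
<?php
// Added example, not the asker's or answerer's code. DSN, user and password are placeholders.
function connectPdo(): PDO
{
    $dsn = 'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4';
    return new PDO($dsn, 'DB_USER_PLACEHOLDER', 'DB_PASSWORD_PLACEHOLDER', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // fail loudly instead of returning false
        PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepared statements
    ]);
}

function insertComment(PDO $pdo, $ip, $BlogId, $Date, $Name, $Email, $Comment)
{
    // Reserved word Date is backtick-quoted; user input is bound, never interpolated into the SQL.
    $sql = 'INSERT INTO BlogComments (Name, Comment, IPAddress, Email, BlogId, `Date`)'
         . ' VALUES (:name, :comment, :ip, :email, :blogId, :date)';
    $stmt = $pdo->prepare($sql);
    $stmt->execute([
        ':name'    => $Name,
        ':comment' => $Comment,
        ':ip'      => $ip,
        ':email'   => $Email,
        ':blogId'  => $BlogId,
        ':date'    => $Date,
    ]);
    return $stmt->rowCount() === 1;
}

// submitcomment.php: the hidden IP/Date fields are client-controlled, so the
// server's own view of the remote address and clock is used instead (my assumption).
if (isset($_POST['Submit'])) {
    $ok = false;
    try {
        $pdo = connectPdo();
        $ok  = insertComment(
            $pdo,
            $_SERVER['REMOTE_ADDR'],
            (int) ($_POST['BlogId'] ?? 0),
            date('Y-m-d H:i:s'),
            $_POST['Name'] ?? '',
            $_POST['Email'] ?? '',
            $_POST['Comment'] ?? ''
        );
    } catch (PDOException $e) {
        error_log('insertComment failed: ' . $e->getMessage()); // log it, do not echo it to the client
    }
    header('Location: http://www.ryan.archi.dev.netsite.co.uk/Blog?' . ($ok ? 'success=1' : 'fail=1'));
    exit;
}
```

With ERRMODE_EXCEPTION a failed INSERT (such as the reserved-word syntax error from the original query) is reported in the error log instead of silently returning false.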

Did you debug it? Is the connection to the database established successfully? You did no MySQL escaping; maybe the insert query fails.
