0

My php code doesn't seem to be working. Was functioning yesterday but I must have changed something and now it isn't. As far as I can tell it's the if($word) that's causing the problem. The else part functions and it's connecting with the mysql db but that one if statement does nothing.

Here's the php:

<?php
  require('connect.php');
  $word=$_POST['word'];
  $submit=$_POST['submit'];

  if($submit){
      if($word){
         mysql_query("INSERT INTO words (word) VALUES ($word)");
      }
      else{
         echo "Enter a word.";
      }
  }
?>

and this is the html form:

<form name="form" id="form" method="post" action="index.php">
    <p><label>Label</label></p>
    <p><input type="text" name="word" id="word" maxlength="16"/></p>
    <p><input type="submit" name="submit" id="submit" value="Save"/></p>
</form>
4
  • 2
    Please, don't use mysql_* functions in new code. They are no longer maintained and are officially deprecated. See the red box? Learn about prepared statements instead, and use PDO or MySQLi - this article will help you decide which. Commented Feb 21, 2013 at 18:45
  • 'As far as I can tell it's the if($word) that's causing the problem'- can you provide some reason why you think that's causing the problem? And what problem is it causing? Commented Feb 21, 2013 at 18:45
  • Your query has SQL injection; see stackoverflow.com/a/60195/813069 for how to process the input. Commented Feb 21, 2013 at 18:47
  • If I change the mysql_query to a simple echo it still doesn't work. However, if the field is left blank the "enter a word" echo does function. Commented Feb 21, 2013 at 18:48

2 Answers

4

You should immediately stop using this code. It is vulnerable to SQL injection. You need to learn how to bind parameters to prevent this as well as use a non-deprecated API. I would also recommend that you check REQUEST_METHOD rather than if $_POST['word'] is set as it can be empty.

Since you don't have any type of error catch functions, it is difficult to tell what could be the problem. If I had to guess, it's probably because you're missing single quotes around your posted variable:

...INSERT INTO words (word) VALUES ('$word')...

Using parameters:

<?php

if( $_SERVER['REQUEST_METHOD'] == 'POST' && !empty($_POST['submit']) ) {

    $link = mysqli_connect('localhost', 'my_user', 'my_password', 'world');

    /* check connection */
    if (!$link) {
        printf("Connect failed: %s\n", mysqli_connect_error());
        exit();
    }

    $stmt = mysqli_prepare($link, "INSERT INTO words (word) VALUES (?)");
    mysqli_stmt_bind_param($stmt, 's', $_POST['word']);

    /* execute prepared statement */
    mysqli_stmt_execute($stmt);

    printf("%d Row inserted.\n", mysqli_stmt_affected_rows($stmt));

    /* close statement */
    mysqli_stmt_close($stmt);

    /* close connection */
    mysqli_close($link);
}
?>

The documentation is a good place to start.


2 Comments

While this is probably the best answer for the OP, you should probably point him towards OOP PHP, as he seems very new to this. Better to start with OOP than learn procedural only to scratch your head later.
@Hiroto I don't see why I should point him to OOP, nor why it's better. Programming style is for the OP to decide. My comment under the answer should suffice.
1

You most likely need to quote your $word value...

INSERT INTO words (word) VALUES ('$word')

As mentioned in the comments...

Why shouldn't I use mysql_* functions in PHP?

And don't forget about input sanitization.

How can I prevent SQL injection in PHP?

xkcd.com

2 Comments

INSERT INTO words SET (word) VALUES ($word) is not valid MySQL syntax.
@AarolamaBluenk It breaks since $word does not have any quotes surrounding it, but just adding them won't fix the real problem.
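The point made in both answers, that quoting `$word` makes the query run but only a bound parameter keeps input out of the SQL text, shown side by side. This is an added example, not code from any poster on this page. It assumes PDO with an in-memory SQLite database (the `pdo_sqlite` extension) standing in for the MySQL `words` table, and the function names and sample inputs are constructed for illustration.

```php
<?php
// Added example: in-memory SQLite stands in for the page's MySQL `words` table.

function freshDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE words (word TEXT NOT NULL)');
    return $db;
}

// "Just add quotes": the input is still spliced into the SQL text,
// so a quote character inside it ends the string literal early.
function insertQuoted(PDO $db, string $word): void
{
    $db->exec("INSERT INTO words (word) VALUES ('$word')");
}

// Bound parameter: the statement is fixed first, the input is sent as data.
function insertBound(PDO $db, string $word): void
{
    $stmt = $db->prepare('INSERT INTO words (word) VALUES (?)');
    $stmt->execute([$word]);
}

function storedWords(PDO $db): array
{
    return $db->query('SELECT word FROM words ORDER BY rowid')
              ->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed sample inputs: a plain word, a word with an apostrophe,
// and a value that closes the literal and supplies a second row.
$samples = ["apple", "O'Reilly", "a'), ('b"];

foreach (['insertQuoted', 'insertBound'] as $insert) {
    $db = freshDb();
    foreach ($samples as $word) {
        try {
            $insert($db, $word);
        } catch (PDOException $e) {
            echo "$insert rejected [$word]: ", $e->getMessage(), "\n";
        }
    }
    echo $insert, ' stored: ', json_encode(storedWords($db)), "\n";
}
```

With the quoted version, the apostrophe in the second sample causes a syntax error and the third sample is stored as two separate rows; with the bound version, all three inputs are stored exactly as submitted.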
