
I'm trying to add information to a MySQL table using the following PHP code. (The input is the name and text from a basic HTML5 web form.) Probably a syntax issue?

<?php
include "dbinfo.php"; //contains mysqli_connect information (the $mysqli variable)
//inputs
$name = $_GET["name"];
$text = $_GET["text"];

$sqlqr = 'INSERT INTO `ncool`.`coolbits_table` (`name`, `text`, `date`) VALUES ("$name", "$text", CURRENT_TIMESTAMP);'; //the query. I'm pretty sure that the problem is a syntax one, and is here somewhere.

mysqli_query($mysqli,$sqlqr); //function where the magic happens.
?>

No error is thrown. A blank screen results, and a row with "$name" and "$text" is added to the MySQL table.

  • Warning! Your code is dangerously vulnerable to SQL injection attacks. Read up on how to escape your SQL variables, preferably using Prepared Statements. Commented Mar 26, 2013 at 16:56
  • Based on the posted code, an inserted row and a blank screen is exactly what I'd expect. Commented Mar 26, 2013 at 16:56
  • What does mysqli_error() return? Commented Mar 26, 2013 at 16:57
  • @EdGibbs Yes, but it is the variable name (literally $name) that's added, not its value. Commented Mar 26, 2013 at 17:07
  • @Jocelyn mysqli_error() doesn't return anything (assuming I'm using it correctly). Commented Mar 26, 2013 at 17:07

2 Answers


First of all: you should use mysqli prepared statements to prevent SQL injection attacks. It is not safe to use user input within a query without proper escaping. Prepared statements are useful to prevent this.

Second: you should learn how string quoting works in PHP; single-quoted strings and double-quoted strings are different.

I would recommend to read the PHP documentation about string quoting.


1 Comment

Will take a look and read up on it. I thought that I'd read it thoroughly enough, but I guess I need to look it over some more.

This is how your code should look (with added SQL Injection protection):

<?php
include "dbinfo.php"; //contains mysqli_connect information (the $mysqli variable)
//inputs, escaped so quotes and backslashes in them cannot break out of the SQL string literal
//(the procedural mysqli_real_escape_string() takes the connection as its first argument)
$name = mysqli_real_escape_string($mysqli, $_GET['name']);
$text = mysqli_real_escape_string($mysqli, $_GET['text']);

//double-quoted PHP string, so the values are concatenated in and wrapped in single quotes for SQL
$sqlqr = "INSERT INTO `ncool`.`coolbits_table` (`name`, `text`, `date`) VALUES ('" . $name . "', '" . $text . "', CURRENT_TIMESTAMP);";

if (!mysqli_query($mysqli, $sqlqr)) { //function where the magic happens; report instead of a blank page
    echo "Query failed: " . mysqli_error($mysqli);
}
?>

Take a look at what I've done. Firstly I've escaped the user input you're retrieving into the $name and $text variables (this is pretty much a must for security reasons) and as others have suggested you should preferably be using prepared statements.

The problem is that you weren't surrounding string values with single quotes ('), which is a requirement of the SQL syntax.

I hope this helps to answer your question.

4 Comments

Thanks. That seems to give a few errors (on the $sqlqr line and with the inputs) but I'm pretty sure that I know what's going on there and will fix it.
@EM-Creations You need to fix the single and double quotes.
The procedural mysqli_real_escape_string() takes two parameters: the string to escape and also the $link variable. php.net/manual/en/mysqli.real-escape-string.php
Will it still work if I use VALUES ('$name ', ' $text ', CURRENT_TIMESTAMP) instead of VALUES ('" . $name . "', '" . $text . "', CURRENT_TIMESTAMP)? If yes, then can you please explain why?
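Both answers point the asker at prepared statements and at the single- versus double-quote difference. The following is an added example written for this page; it is not code from the question or from either answer. It assumes, as the question does, that dbinfo.php defines a connected mysqli object in $mysqli and that the table `ncool`.`coolbits_table` exists with `name`, `text` and `date` columns. The function names quotingDemo and insertCoolbit are illustrative choices, not anything from the thread.

```php
<?php
declare(strict_types=1);

// Added example (not from the question or the answers): the same insert done with a
// mysqli prepared statement, plus a small demonstration of PHP string quoting.

// 1. Quoting: a single-quoted PHP string is taken literally, so '$name' stays as the
//    six characters $name (which is exactly the row the asker saw). A double-quoted
//    string interpolates the variable. Neither form should be used to build SQL from
//    user input; it is shown only to explain the symptom.
function quotingDemo(string $name): array
{
    return [
        'single' => 'VALUES ("$name")',   // literal text, no interpolation
        'double' => "VALUES (\"$name\")", // $name is replaced by its value
    ];
}

// 2. Safe insert: the SQL text contains only ? placeholders, and the values are sent
//    separately by bind_param(), so a quote or semicolon in the input is stored as data
//    and can never change the structure of the statement. No escaping is needed.
function insertCoolbit(mysqli $db, string $name, string $text): bool
{
    $sql = 'INSERT INTO `ncool`.`coolbits_table` (`name`, `text`, `date`)
            VALUES (?, ?, CURRENT_TIMESTAMP)';
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('ss', $name, $text); // 's' = bind each placeholder as a string
    $ok = $stmt->execute();
    if (!$ok) {
        $err = $stmt->error;
        $stmt->close();
        throw new RuntimeException('execute failed: ' . $err);
    }
    $stmt->close();
    return true;
}

// Make mysqli raise exceptions instead of failing silently, which is why the asker
// got a blank page and an empty mysqli_error() result with no hint of what went wrong.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
include 'dbinfo.php'; // assumed to set $mysqli, as in the question

$name = $_GET['name'] ?? '';
$text = $_GET['text'] ?? '';

var_dump(quotingDemo($name));          // shows 'single' still containing the literal $name
insertCoolbit($mysqli, $name, $text);  // stores the real values, whatever characters they contain
echo "inserted\n";
```

With the prepared statement, the question of whether to write '$name' or '" . $name . "' in the query no longer arises, because the values never become part of the SQL text at all; that is the property that makes it the preferred fix over mysqli_real_escape_string().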
