1

Ok, so I am trying to insert dynamic data into a row. This is most likely not the best way to do it, but after banging my head on the wall for hours I still can't understand why the $insert string won't get queried by mysql_query. Even when I echo it and copy what is echoed to the query it works, but querying the variable doesn't.

    $insert = '"INSERT INTO '.$_SESSION['tabsel'].' (';
    echo "<form method='post' action=''>";
    while($row = mysql_fetch_array($result))
    {
        echo "Enter ".$row[0]." <input type='text' name='data[]'>";
        echo "<br>";
        $insert .= $row[0].",";
        $_SESSION['insert'] = $insert;
    }

    echo "<input type='submit' value='Add'>";
    echo "</form>";
    if(isset($_POST['data']))
    {
        $insert = $_SESSION['insert'];
        $strlength = strlen($insert);
        $insert = substr($insert,0,($strlength-1));
        $insert .= " VALUES (";
        foreach($_POST['data'] as $value)
        {
            $insert .= "'$value',";
            $_SESSION['insert'] = $insert;
        }
    }

    $insert = $_SESSION['insert'];
    $strlength = strlen($insert);
    $insert = substr($insert,0,($strlength-1));
    $insert .= ')"';
    $_SESSION['insert'] = $insert;
    $insert = $_SESSION['insert'];
    echo $insert."<br>";
    $seldb = mysql_select_db($_SESSION['sel']);
    if($seldb && (!empty($_POST['data'])) && (isset($_SESSION['sel'])) && (isset($_SESSION['tabsel'])))
    {
        $insert = $_SESSION['insert'];
        echo $insert;
        $query = mysql_query($insert, $con);
        if($query)
        {
            echo "Record succesfully added!";
        }
        else
        {
            echo mysql_error();
        }
    }

Error given:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near "INSERT INTO mtable (id,nr,d,ra) VALUES ('d','d','d','d')" at line 1

Peter Mortensen
Mr.Potson
  • What about also posting the echo'd string? And there is no `mysql_query` in your code. – Alexander Apr 29 '12 at 10:31
  • "INSERT INTO druga (id,podaci,d,ra) VALUES ('d','d','d','d')" The query is next line :) P.S. Error is You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"INSERT INTO druga (id,podaci,d,ra) VALUES ('d','d','d','d')"' at line 1 – Mr.Potson Apr 29 '12 at 10:33
  • 1
    **Do not pass unfiltered user input to SQL**. The `mysql_` functions are being deprecated, you should be using `mysqli_` or `PDO` instead, and use bind variables to pass user input to the query. (Also, I don't actually see any calls to `mysql_query` in the code you posted.) – DCoder Apr 29 '12 at 10:34
  • `$query=mysql_query($insert, $con); if($query) { echo "Record succesfully added!"; } else { echo mysql_error(); } }` – Mr.Potson Apr 29 '12 at 10:36
  • @user1364022, edit your answer and put things in comments. – Alexander Apr 29 '12 at 10:38
  • The problem with this particular query is that you're including a literal `"` before `INSERT`. But my earlier comment about `PDO` and bind variables still stands. – DCoder Apr 29 '12 at 10:39
  • @DCoder: I suggest you post that as an answer :) – Armatus Apr 29 '12 at 10:42
  • possible duplicate of [How to include a PHP variable inside a mysql insert statement](http://stackoverflow.com/questions/7537377/how-to-include-a-php-variable-inside-a-mysql-insert-statement) – Your Common Sense Apr 29 '12 at 10:44

1 Answer

1

Taking a look at the echo'd string

"INSERT INTO druga (id,podaci,d,ra) VALUES ('d','d','d','d')"

You need to remove the leading and trailing quote characters you are placing in the SQL query. Modify these two lines of code:

  • Remove the leading quote character.

    $insert='INSERT INTO '.$_SESSION['tabsel'].' (';
    

    instead of

    $insert='"INSERT INTO '.$_SESSION['tabsel'].' (';
    
  • Remove the trailing quote character.

    $insert.=')';
    

    instead of

    $insert.=')"';
    
Alexander
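The comments above recommend `PDO` with bind variables instead of concatenating `$_POST` values into the query. The following is an added example, not code from the question or the answer, showing the same dynamic INSERT built that way. Assumptions: an in-memory SQLite database stands in for the MySQL connection so the script runs offline, and `buildInsert()`, `$allowedTables` and the sample form values are hypothetical.

```php
<?php
// Added example. buildInsert() and the allowlist are hypothetical helpers.
function buildInsert(string $table, array $columns, array $allowedTables): string
{
    // Table and column names cannot be bound as parameters,
    // so they are checked before being placed in the SQL text.
    if (!in_array($table, $allowedTables, true)) {
        throw new InvalidArgumentException("Unknown table: $table");
    }
    foreach ($columns as $col) {
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $col)) {
            throw new InvalidArgumentException("Bad column name: $col");
        }
    }
    // One "?" per column; the values are sent separately from the SQL text.
    $marks = implode(',', array_fill(0, count($columns), '?'));
    return 'INSERT INTO ' . $table . ' (' . implode(',', $columns) . ') VALUES (' . $marks . ')';
}

// Assumption: SQLite in memory replaces the MySQL server for this demo.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE druga (id TEXT, podaci TEXT, d TEXT, ra TEXT)');

$columns = ['id', 'podaci', 'd', 'ra'];      // in the question these come from $row[0]
$data    = ['1', "O'Brien", "it's", 'd'];    // constructed stand-in for $_POST['data']

if (count($data) !== count($columns)) {
    throw new LengthException('Number of values does not match number of columns');
}

$sql  = buildInsert('druga', $columns, ['druga', 'mtable']);
$stmt = $pdo->prepare($sql);   // no surrounding double quotes in the SQL string
$stmt->execute($data);         // apostrophes in the values are stored literally

echo $sql, PHP_EOL;
print_r($pdo->query('SELECT * FROM druga')->fetchAll(PDO::FETCH_ASSOC));
```

With the concatenated query from the question, the apostrophes in these sample values would end the quoted string early; with placeholders they never become part of the SQL text.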