When I execute this query it returns false, which means the query is wrong. Can you figure out why?

$string1 = 'wee';
$string2 = 'wee'; 
$string3 = 'wee'; 
$string4 = 'wee';  

if (isset($_POST['submit'])) {  

    $query = "INSERT INTO data (book, title, content, author)
              VALUES ($string1, $string2, $string3, $string4)";          
    mysql_query($query, $con);    
}

However, when I write something like the following, it returns true and inserts correctly:

$query = "INSERT into data (book, title, content, author)
          VALUES ('wee', 'wee', 'wee', 'wee')";

And another question: when I submit, it seems that the query is executed twice, which means two records from one query. Does anyone understand that?

If you need more information, just ask.

Thanks in advance.

Andre malupet
    I strongly suggest not using the old `mysql_xx()` functions. They are considered obsolete, and even the PHP manual says to stop using them. Instead, you should use the `mysqli_xx()` functions or the PDO library. With either of these, you can use parameterised queries, which will make your SQL much more secure. – Spudley Sep 30 '12 at 17:53

2 Answers

Although this question seems answered, you should not be using user input directly in queries, as this opens holes for vulnerabilities like SQL injection (and that's bad mmmay).

If you look at the mysql page on php.net (mysql_query), the page says it is recommended that you use an abstraction layer like PDO (pdo-mysql).

Using PDO will allow you to bind parameters to your SQL queries, which avoids the security implications of using user input in your queries.

If you don't bind parameters to your queries, you're gonna have a bad time.
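The asker's INSERT rewritten on PDO with bound parameters, as an added example (not code from the answer or the original post). It assumes a MySQL database "app" on localhost with the credentials shown, the table data(book, title, content, author) from the question, and form fields named book, title, content and author; those names are this example's own assumption. With exceptions enabled, the original unquoted query would also stop failing silently: MySQL parses a bare `wee` as a column reference and rejects the statement with "Unknown column 'wee' in 'field list'", which is the error mysql_query() hid behind its `false` return.

```php
<?php
// Added example (not from the original post): the asker's INSERT on PDO with
// bound parameters. Assumed: MySQL database "app" on localhost, the user and
// password below, the table data(book, title, content, author) from the
// question, and a form posting fields book, title, content and author.

function connect(): PDO
{
    $dsn = 'mysql:host=localhost;dbname=app;charset=utf8mb4';   // assumption
    return new PDO($dsn, 'app_user', 'app_password', [           // assumption
        // Make failures throw instead of silently returning false, which is
        // what hid the "Unknown column 'wee'" error behind mysql_query().
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        // Use real server-side prepared statements, not client-side emulation.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

/**
 * Insert one row into `data`. The values travel separately from the SQL text,
 * so quoting is never the caller's job, and a quote or a "'); --" in the
 * input is stored literally instead of being parsed as SQL.
 */
function insertData(PDO $pdo, string $book, string $title, string $content, string $author): int
{
    $sql = 'INSERT INTO data (book, title, content, author)
            VALUES (:book, :title, :content, :author)';
    $stmt = $pdo->prepare($sql);
    $stmt->execute([
        ':book'    => $book,
        ':title'   => $title,
        ':content' => $content,
        ':author'  => $author,
    ]);
    return $stmt->rowCount();   // 1 on success; any error throws PDOException
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['submit'])) {
    try {
        $pdo = connect();
        // Field names are an assumption; missing fields become ''.
        $inserted = insertData(
            $pdo,
            $_POST['book']    ?? '',
            $_POST['title']   ?? '',
            $_POST['content'] ?? '',
            $_POST['author']  ?? ''
        );
        echo "Inserted $inserted row(s)\n";
    } catch (PDOException $e) {
        // Keep the SQL error server-side; the user gets only a generic message.
        error_log($e->getMessage());
        http_response_code(500);
        echo "Could not save the record\n";
    }
}
```

The same shape works with mysqli (mysqli_prepare() plus mysqli_stmt_bind_param()); the point is that the query text never changes with the input, so there is nothing to quote and nothing for an attacker to break out of.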

Your field data type is string or varchar, so you need to put '' or "" around them.

Change your query as below:

$query = "INSERT INTO data (book, title, content, author)
          VALUES ('" . $string1 . "', '" . $string2 . "', '" . $string3 . "', '" . $string4 . "')";

To resolve the submit issue, please post your HTML code.

GBD
  • Did it, it worked. Thanks. Hmm, and for numbers or dates what would it be?
    – Andre malupet Sep 30 '12 at 17:30
  • For numbers, you don't need to put '' or "" around them. For dates, it varies. Here is an article which tells you more about dates: http://www.ntchosting.com/mysql/insert-date.html – GBD Sep 30 '12 at 17:40
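An added example, not part of GBD's answer or the comments, showing what the concatenated query above turns into when a value contains a quote, and how bound parameters settle the follow-up question about numbers and dates. It assumes the table data from the question plus two extra columns, pages INT and published DATE, and a DSN and credentials, all of which are this example's own assumptions.

```php
<?php
// Added example (not from the answer): the concatenated query built the way
// the answer does it, inspected as a string, next to a bound-parameter insert
// that also covers an INT and a DATE column. Assumed: table data(book, title,
// content, author) from the question plus pages INT and published DATE, and
// the DSN/credentials at the bottom.

// Builds the SQL text exactly as the answer does: quotes glued around the raw
// value. Returned as a string so it can be inspected without a database.
function buildConcatenated(string $book, string $title, string $content, string $author): string
{
    return "INSERT INTO data (book, title, content, author) VALUES ('" . $book . "', '"
        . $title . "', '" . $content . "', '" . $author . "')";
}

// A legitimate value with an apostrophe: the quote ends the string literal
// early, MySQL reports a syntax error, and the insert "returns false" again.
echo buildConcatenated("O'Reilly", 'wee', 'wee', 'wee'), "\n";

// A hostile value: the attacker closes the four values and comments out the
// rest of the statement with "-- ", so the author column now holds a value the
// form never offered. Constructed payload for the demonstration.
$payload = "x', 'x', 'x', 'attacker') -- ";
echo buildConcatenated($payload, 'wee', 'wee', 'wee'), "\n";

// The same insert with bound parameters. The driver sends values separately
// from the SQL text, so an apostrophe is just an apostrophe. Numbers and dates
// are bound the same way: PDO::PARAM_INT for the integer, and the date as a
// 'YYYY-MM-DD' string, which MySQL accepts for a DATE column regardless of the
// server's date settings.
function insertTyped(PDO $pdo, string $book, string $author, int $pages, DateTimeInterface $published): int
{
    $stmt = $pdo->prepare(
        'INSERT INTO data (book, title, content, author, pages, published)
         VALUES (:book, :title, :content, :author, :pages, :published)'
    );
    $stmt->bindValue(':book',      $book);
    $stmt->bindValue(':title',     'wee');
    $stmt->bindValue(':content',   'wee');
    $stmt->bindValue(':author',    $author);
    $stmt->bindValue(':pages',     $pages, PDO::PARAM_INT);
    $stmt->bindValue(':published', $published->format('Y-m-d'));
    $stmt->execute();
    return $stmt->rowCount();
}

$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4',   // assumption
    'app_user', 'app_password', [                                    // assumption
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

// Both awkward values are stored literally: book is O'Reilly and author is the
// whole payload string, quotes, parenthesis and comment marker included.
insertTyped($pdo, "O'Reilly", $payload, 320, new DateTimeImmutable('2012-09-30'));
```

The first echo shows the book literal cut off after the O, with `Reilly', 'wee', ...` left dangling as SQL; the second shows a complete, valid INSERT whose author is `attacker`, followed by a comment that swallows the real values. Neither is possible with insertTyped(), and the integer and date columns need no special quoting rules because the driver types them at bind time.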