
I'm trying to insert a record through a PHP variable:

<html>
<head>
<title>Welcome to PHP Products</title>
</head>
<body>
<?php
$txt1=$_POST["product_form_no"];
$txt2=$_POST["product_form_name"];
$txt3=$_POST["product_form_desc"];

$con = mysql_connect("localhost:3306","root","INDIA");
if (!$con)
{
  die('Could not connect: ' . mysql_error());
}

mysql_select_db("sample", $con);

mysql_query("INSERT INTO `sample`.`product` (`product_no`, `product_name`, `product_desc`, `created_DT`) VALUES 
(echo $txt1,echo $txt2,echo $txt3, CURRENT_TIMESTAMP);");

mysql_close($con);
?>

<h1>The Entered Product</h1>

<p>Product No</p><?php echo $txt1 ?>
<p>Product Name</p><?php echo $txt2 ?>
<p>Product Desc</p><?php echo $txt3 ?>

</body>
</html>

Unfortunately it is not inserting through the variables in mysql_query, nor is it giving any error.

hakre
user1141584
  • You should probably go read a PHP book before trying to make an application that is dealing with products and possibly carts. You still have a lot to learn, and I mean that in the nicest way :) That being said, your problem is that you are not putting together a proper MySQL query inside your mysql_query call. More problematic than that, however, is the fact that even if your string was properly formatted, it would be vulnerable to SQL injection which can do nasty things to you. – Paolo Bergantino Dec 17 '12 at 18:51
  • Unrelated to the question, but... 1) You shouldn't put passwords in the page's file. If you ever accidentally serve the file code instead of interpreting it then you're giving out a password. 2) Your code is wide open to SQL injection vulnerabilities where you build a query directly out of user input. 3) Please stop using `mysql_*` and at least use `mysqli_*` or, even better, something like PDO. 4) You have an XSS vulnerability where you echo user input back out to the page. – David Dec 17 '12 at 18:51
  • You don't need to echo those variables. Pass those inside a couple of single quotes ( ' ) and for date time use the now() function of SQL. – Dev Dec 17 '12 at 18:53
  • [**Please, don't use `mysql_*` functions in new code**](http://bit.ly/phpmsql). They are no longer maintained [and are officially deprecated](https://wiki.php.net/rfc/mysql_deprecation). See the [**red box**](http://j.mp/Te9zIL)? Learn about [*prepared statements*](http://j.mp/T9hLWi) instead, and use [PDO](http://php.net/pdo) or [MySQLi](http://php.net/mysqli) - [this article](http://j.mp/QEx8IB) will help you decide which. If you choose PDO, [here is a good tutorial](http://j.mp/PoWehJ). – Madara's Ghost Dec 17 '12 at 20:07

3 Answers


Use it this way:

// First escape your variable values before using them in the query
// (mysql_real_escape_string needs an open connection, so call it after mysql_connect)
$txt1=mysql_real_escape_string($_POST["product_form_no"]);
$txt2=mysql_real_escape_string($_POST["product_form_name"]);
$txt3=mysql_real_escape_string($_POST["product_form_desc"]);


mysql_query("INSERT INTO `sample`.`product` (`product_no`, `product_name`, `product_desc`, `created_DT`) VALUES 
('$txt1','$txt2','$txt3', CURRENT_TIMESTAMP());");

Recommendations:

1. Learn to prevent MySQL injections: Good Link

2. The mysql extension is not recommended for writing new code. Instead, either the mysqli or PDO_MySQL extension should be used. More reading: PHP Manual

3. Variable parsing

GBD

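The comments on the question and recommendation 2 above both point at prepared statements through PDO or MySQLi. The following is an added example, not code from the question or from any of the answers, showing the same insert done with a PDO prepared statement so that the form values are never concatenated into the SQL at all, with the values escaped by htmlspecialchars() at the point where they are echoed back (the XSS point David raised). It assumes the `sample`.`product` table and column names from the question; the environment variable names `DB_USER` and `DB_PASS` used for the credentials are my own choice, not anything from the page.

```php
<?php
// Added example (not from the question or answers): PDO prepared statement
// for the product insert, credentials read from the environment instead of
// being hard-coded in the page file, and HTML-escaped output.
// Assumptions: table sample.product with the question's columns; the
// environment variable names DB_USER / DB_PASS are hypothetical.
declare(strict_types=1);

function insertProduct(PDO $pdo, string $no, string $name, string $desc): int
{
    // Named placeholders fix the SQL structure; the values are sent to the
    // server separately, so quotes or comment markers in them cannot change
    // the statement.
    $stmt = $pdo->prepare(
        'INSERT INTO `product` (`product_no`, `product_name`, `product_desc`, `created_DT`)
         VALUES (:no, :name, :desc, CURRENT_TIMESTAMP)'
    );
    $stmt->execute([':no' => $no, ':name' => $name, ':desc' => $desc]);
    return $stmt->rowCount();
}

// Escape once, for the HTML context, at the moment of output.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Missing fields become empty strings instead of undefined-index notices.
$txt1 = (string) ($_POST['product_form_no']   ?? '');
$txt2 = (string) ($_POST['product_form_name'] ?? '');
$txt3 = (string) ($_POST['product_form_desc'] ?? '');

$dbUser = getenv('DB_USER');
$dbPass = getenv('DB_PASS');
if ($dbUser === false || $dbPass === false) {
    http_response_code(500);
    exit('Database credentials are not configured.');
}

try {
    $pdo = new PDO(
        'mysql:host=localhost;port=3306;dbname=sample;charset=utf8mb4',
        $dbUser,
        $dbPass,
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // failures throw, no silent false
            PDO::ATTR_EMULATE_PREPARES => false,                  // server-side prepares
        ]
    );
    $inserted = insertProduct($pdo, $txt1, $txt2, $txt3);
} catch (PDOException $e) {
    // Keep driver details in the server log; do not leak them to the browser.
    error_log('product insert failed: ' . $e->getMessage());
    http_response_code(500);
    exit('Could not save the product.');
}
?>
<html>
<head><title>Welcome to PHP Products</title></head>
<body>
<h1>The Entered Product</h1>
<p>Product No: <?= h($txt1) ?></p>
<p>Product Name: <?= h($txt2) ?></p>
<p>Product Desc: <?= h($txt3) ?></p>
<p>Rows inserted: <?= $inserted ?></p>
</body>
</html>
```

With ERRMODE_EXCEPTION a failed connect or insert surfaces as an exception instead of the silent `false` that left the original question without any error message, and the same values that go into the database are displayed through h() rather than echoed raw.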
  1. You don't echo variables in a query.
  2. Please, please, please start reading up on SQL injection. Your code is wide open to it.

The query should become something like this:

mysql_query("
    INSERT INTO `sample`.`product` (`product_no`, `product_name`, `product_desc`, `created_DT`)
    VALUES ('" . mysql_real_escape_string($txt1) . "', '" . mysql_real_escape_string($txt2) . "', '" . mysql_real_escape_string($txt3) . "', CURRENT_TIMESTAMP)
");
Oldskool


Be sure to escape your inputs to be more SQL-safe; the echo is not supposed to be in there. I also think CURRENT_TIMESTAMP should be a function and have parens.

<html>
<head>
<title>Welcome to PHP Products</title>
</head>
<body>
<?php
$con = mysql_connect("localhost:3306","root","INDIA");
if (!$con)
{
  die('Could not connect: ' . mysql_error());
}

mysql_select_db("sample", $con);

// mysql_real_escape_string needs an open connection, so escape after connecting
$txt1=mysql_real_escape_string($_POST["product_form_no"], $con);
$txt2=mysql_real_escape_string($_POST["product_form_name"], $con);
$txt3=mysql_real_escape_string($_POST["product_form_desc"], $con);

mysql_query("INSERT INTO `sample`.`product` (`product_no`, `product_name`, `product_desc`, `created_DT`) VALUES 
('$txt1','$txt2','$txt3', CURRENT_TIMESTAMP())", $con);

mysql_close($con);
?>

<h1>The Entered Product</h1>

<p>Product No</p><?php echo $txt1 ?>
<p>Product Name</p><?php echo $txt2 ?>
<p>Product Desc</p><?php echo $txt3 ?>

</body>
</html>
stephenbayer