I have a simple insert page that seems to go through without any errors but does not show up in the db. I have read upwards of 30 different posts on this and cannot figure out what is wrong. I know the dbcon.php works, as the display page pulls all the results no problem.

<?php
ob_start();
include('dbcon.php');

if (isset($_POST['submit'])){

$Ph1=preg_replace('/[^0-9]/', '', $_POST["ph1"]);
$Ph2=preg_replace('/[^0-9]/', '', $_POST["ph2"]);
$Name=mysql_real_escape_string($_POST['name']);
$Email=mysql_real_escape_string($_POST['email']);
$Group=$_POST['group'];

mysql_query("insert into reps (ph1,ph2,name,email,group)
        values("$Ph1","$Ph2","$Name","$Email","$Group")");
        header('location:index.php');
}
ob_flush();
?>
John Woo
  • You get no errors because you are not checking for errors; if you were, mysql would tell you the problem –  Feb 08 '13 at 02:53

1 Answer

GROUP is a RESERVED KEYWORD. It must be enclosed in backticks:

insert into reps (ph1,ph2,name,email,`group`)

Another problem is the use of double quotes around values.

mysql_query("INSERT INTO reps (ph1,ph2,name,email,`group`) VALUES ('$Ph1','$Ph2','$Name','$Email','$Group')");

As a sidenote, the query is vulnerable to SQL Injection if the value(s) of the variables came from the outside. Please take a look at the article below to learn how to prevent it. By using PreparedStatements you can get rid of using single quotes around values.

John Woo
  • I totally didn't think of the reserved keyword list. Thank you. I was not worried about SQL Injection as it will be in a password protected directory and only used by one or two people, but thank you for the reference link. – user2052960 Feb 08 '13 at 14:13
  • Yes, I am new; thank you for advising me on correct procedure. – user2052960 Feb 08 '13 at 17:51
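
The prepared-statement approach the answer recommends, with the error checking the first comment asks for, as an added example that is not part of the original question or answer. It uses PDO (the answer names no specific API), an in-memory SQLite database stands in for the MySQL connection in dbcon.php so it runs offline, and the form values and the `insertRep` helper are constructed for illustration.

```php
<?php
// Added example, not code from the post. Assumption: in-memory SQLite stands
// in for the MySQL server behind dbcon.php; for MySQL only the DSN changes.
$pdo = new PDO('sqlite::memory:');
// Make every failed statement throw instead of failing silently.
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE reps (ph1 TEXT, ph2 TEXT, name TEXT, email TEXT, `group` TEXT)');

// Constructed sample input standing in for $_POST.
$post = [
    'ph1'   => '(555) 010-0199',
    'ph2'   => '555.010.0142',
    'name'  => "Pat O'Brien",      // an honest value that contains a quote
    'email' => 'pat@example.com',
    'group' => "Sales 'West'",     // never escaped in the original code
];

// Hypothetical helper: inserts one row and returns the affected-row count.
function insertRep(PDO $pdo, array $post): int
{
    // Placeholders keep data out of the SQL text: no quoting, no escaping.
    $stmt = $pdo->prepare(
        'INSERT INTO reps (ph1, ph2, name, email, `group`)
         VALUES (:ph1, :ph2, :name, :email, :grp)'
    );
    $stmt->execute([
        ':ph1'   => preg_replace('/[^0-9]/', '', $post['ph1']),
        ':ph2'   => preg_replace('/[^0-9]/', '', $post['ph2']),
        ':name'  => $post['name'],
        ':email' => $post['email'],
        ':grp'   => $post['group'],
    ]);
    return $stmt->rowCount();
}

// The unquoted reserved word is now reported instead of silently ignored.
try {
    $bad = $pdo->prepare('INSERT INTO reps (ph1, group) VALUES (?, ?)');
    $bad->execute(['5550100199', 'Sales']);
    echo "Unquoted group accepted\n";
} catch (PDOException $e) {
    echo 'Unquoted group rejected: ', $e->getMessage(), "\n";
}

echo 'Rows inserted: ', insertRep($pdo, $post), "\n";
// Values containing quotes are stored exactly as submitted.
print_r($pdo->query('SELECT * FROM reps')->fetch(PDO::FETCH_ASSOC));
```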