0

I am new to PHP coding, and for some reason my code isn't inserting anything into the table. I've been working on this problem for a few hours and I can't figure it out at all.

I use phpMyAdmin and I used that to generate a PHP script (not this current version of the code), but that still didn't work.

```php
<?

//data

$ID = $_GET['ID'];
$Type = $_GET['Type'];
$Name = $_GET['Name'];
$Addr = $_GET['Addr'];
$Phone = $_GET['Phone'];
$startDate = $_GET['startDate'];
$endDate = $_GET['endDate'];
$SRN = $_GET['SRN'];

//sql info
$user = $_GET['user'];
$pass = $_GET['pass'];

echo " 

Hostname: $ID
Dev_Type: $Type
User_Name: $Name
User_addr: $Addr
User_Phone: $Phone
DATE_START: $startDate
Date_END: $endDate
Square Recipt Number: $SRN

";

// sql insert

$con=mysqli_connect("mysql1098.servage.net",$user,$pass,"RC_DB");

mysqli_query($con,"INSERT INTO RC_DB.Current_Rentals (Hostname,Dev_Type,User_Name,User_Addr,User_Phone,Date_Start,Date_End,STOLEN,Square_Recipt_Number)
VALUES ($ID,$Type,$Name,$Addr,$Phone,$startDate,$endDate,'0',$SRN)");

mysqli_close($con);

?>
```

Any ideas?

  • 1
    I'd like to point out that your code is extremely dangerous and a disaster waiting to happen. You're passing `$_GET` parameters straight into the database (and even your database credentials are `$_GET` params, which is a BIG No-No!). As @Joe already points out in his answer, this code enables SQL injections. You should REALLY heed his advice to use `mysqli_real_escape_string` or read [this question](http://stackoverflow.com/q/60174/813718) for a better understanding of the risk and alternative (better) techniques to prevent this. – Rem.co May 09 '13 at 22:58

2 Answers

2

You need to have apostrophes around the text items. This has confused me in the past, too. You are not adding your parameters to a function, but are quoting the text that will be passed to mysql. So, $Name should be '$Name'. Try something similar to the following:

```php
mysqli_query($con, "INSERT INTO RC_DB.Current_Rentals 
(Hostname,Dev_Type,User_Name,User_Addr,User_Phone,Date_Start,Date_End,STOLEN,Square_Recipt_Number)
VALUES ('$ID','$Type','$Name','$Addr','$Phone','$startDate','$endDate','0','$SRN')");
```

EDIT: The way I usually troubleshoot PHP SQL statements is to echo the text and then try to run the code in phpMyAdmin. phpMyAdmin usually gives better error messages than PHP does.

```php
// Build the statement as a string first so it can be inspected
$text = "INSERT INTO ... (...) VALUES ('$ID', '$Type'...)";
echo $text;
```

After this works, then you can add this text variable to your mysqli_query call and see if that works.

```php
// Same string, now passed to the query call
$text = "INSERT INTO ... (...) VALUES ('$ID', '$Type'...)";
mysqli_query($con, $text);
```
Brian
0

You probably need to wrap the values you're inserting in double quotes or pass them in with mysqli_real_escape_string.

```php
mysqli_query($con,"INSERT INTO RC_DB.Current_Rentals (Hostname,Dev_Type,User_Name,User_Addr,User_Phone,Date_Start,Date_End,STOLEN,Square_Recipt_Number) VALUES (\"$ID\",\"$Type\",\"$Name\",\"$Addr\",\"$Phone\",\"$startDate\",\"$endDate\",'0',\"$SRN\")");
```

although mysqli_real_escape_string is better because it protects more from SQL injection.

Edit: per Remco's 2nd comment, see this example for the right way to do it.

Joe T
  • ... I am sorry, I am a total noob. Won't that mess with the PHP variables? – Derek Frelow May 09 '13 at 22:31
  • Single quotes will do just fine and are a lot less work to type. – Rem.co May 09 '13 at 22:32
  • AFAIK single quotes will mess with the variables, i.e. you will insert the literal characters $ID instead of the number that $ID equals. – Joe T May 09 '13 at 22:35
  • That's why you use `mysqli_real_escape_string` AND wrap the variable in quotes. See [example #1 in the manual](http://php.net/manual/en/mysqli.real-escape-string.php); Only escaping them is not enough. – Rem.co May 09 '13 at 22:36
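
An added example, not code from any of the posts above: the question's insert rewritten with a mysqli prepared statement, a different technique from the quoting and `mysqli_real_escape_string` fixes discussed in the answers and comments. The environment variable names `RC_DB_USER` and `RC_DB_PASS` and the switch from GET to POST are assumptions made for the illustration.

```php
<?php
// Added example (not from the original posts).
// Throw exceptions on connect/query failure instead of failing silently;
// log them server-side rather than showing them to the client.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Assumption: credentials live in server-side configuration. The names
// RC_DB_USER / RC_DB_PASS are hypothetical; nothing here comes from the request.
$dbUser = getenv('RC_DB_USER');
$dbPass = getenv('RC_DB_PASS');

// Column => request parameter, as in the question's script.
$fields = [
    'Hostname'   => 'ID',      'Dev_Type'   => 'Type',
    'User_Name'  => 'Name',    'User_Addr'  => 'Addr',
    'User_Phone' => 'Phone',   'Date_Start' => 'startDate',
    'Date_End'   => 'endDate', 'Square_Recipt_Number' => 'SRN',
];

// Assumption: the form is submitted with POST, since the request changes data.
$values = [];
foreach ($fields as $param) {
    $value = $_POST[$param] ?? null;
    // Reject missing values and arrays (e.g. ID[]=x) before they reach the query.
    if (!is_string($value) || $value === '') {
        http_response_code(400);
        exit("Missing or invalid parameter: $param");
    }
    $values[] = $value;
}

$con = new mysqli('mysql1098.servage.net', $dbUser, $dbPass, 'RC_DB');
$con->set_charset('utf8mb4');

// One placeholder per column; STOLEN is fixed to 0 as in the question.
// $columns is built only from the hard-coded keys above, never from input.
$columns = implode(', ', array_keys($fields));
$marks   = implode(', ', array_fill(0, count($fields), '?'));
$stmt = $con->prepare(
    "INSERT INTO Current_Rentals ($columns, STOLEN) VALUES ($marks, 0)"
);

// Values are sent separately from the SQL text, so quotes in a name or
// address cannot change the statement and no manual quoting is needed.
$stmt->bind_param(str_repeat('s', count($values)), ...$values);
$stmt->execute();
echo 'Inserted rental for ' . htmlspecialchars($values[0]);
$stmt->close();
$con->close();
```

With `mysqli_report` enabled, the unquoted-string syntax error from the original script would have surfaced as an exception instead of a silent no-op.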