I am working on a contact form for my company, and I made this large elaborate form with over 20 fields for the user to fill out. Upon clicking submit, the PHP page sends an email to a sales rep with a detailed report of the order. The next step is to get the info into a database. I wrote the code for it, but it is not working, so I created a secondary table for me to use for testing purposes until I am ready to use the one for the company. In this small test database, there are 3 fields: orderID, companyName, and contactName. When I specify an orderID, and only an orderID, it gets stored in the database, no problem, using the code below.

$mysqli = new mysqli ("host", "username", "pass", "dbname");
if($mysqli->connect_errno)
{
    echo "Failed to connect: " . $mysqli->connect_error;
}
$mysqli->query("insert into testTable (orderID) values (5000)");

But if I use this code below, this time including a companyName value, nothing happens at all. I get no errors (that I see) and PHP says nothing.

$mysqli = new mysqli ("host", "username", "pass", "dbname");
if($mysqli->connect_errno)
{
    echo "Failed to connect: " . $mysqli->connect_error;
}
$mysqli->query("insert into testTable (orderID, companyName) values (5000, \'".$_POST['companyName']."\')");

Any and all help is appreciated, and thank you in advance.

JPeroutek
  • And if you change it, like this: `$mysqli->query("insert into testTable (orderID, companyName) values (5000,'".$_POST['companyName']."')");` – Hackerman Jun 21 '13 at 22:23
  • Add some error reporting to your code, specifically after you run `$mysqli->query()`. It is highly likely that you have an SQL syntax error – jraede Jun 21 '13 at 22:23
  • Have you checked all your logs yet? Something could be failing silently. – usumoio Jun 21 '13 at 22:24
  • Are you asking me to do that? I'll go ahead and do it, but shouldn't I have to escape the single quotes? – JPeroutek Jun 21 '13 at 22:24
  • Sorry if this is a nooby question, I just started learning MySQL yesterday, but how do I check the logs? Or add error reporting? – JPeroutek Jun 21 '13 at 22:25
  • The _webserver_ log (specifically, the error log). – Marcello Romani Jun 21 '13 at 22:26
  • I'm looking at the error logs (I think) but they are very vague and reference places on the site that have not existed for months, and I see nothing about MySQL in them. – JPeroutek Jun 21 '13 at 22:35

1 Answer

Try this instead:

$mysqli = new mysqli ("host", "username", "pass", "dbname");
if($mysqli->connect_errno)
{
    echo "Failed to connect: " . $mysqli->connect_error;
}

$companyName = $mysqli->real_escape_string($_POST['companyName']);

$mysqli->query("insert into testTable (orderID, companyName) values (5000, '$companyName')");

I think you were escaping the single quotes and it wasn't necessary. Also, I sanitized your company name to help protect you against MySQL injections.

It is best to use prepared queries nonetheless. For more information, visit the following links:

http://de1.php.net/manual/en/mysqli.real-escape-string.php

How can I prevent SQL injection in PHP?

Dany Caissy
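
The prepared-query approach the answer recommends, combined with the error reporting asked about in the comments, as an added example that is not part of the original question or answer. It assumes PHP 7 or later; `insertOrder()` is a hypothetical helper name, and the connection values are the same placeholders used above.

```php
<?php
// Added example, not code from the question or the answer.
// Make mysqli throw exceptions instead of failing silently (the symptom in the question).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Insert one row into testTable with a prepared statement.
 * insertOrder() is a hypothetical helper name; table and columns are from the question.
 */
function insertOrder(mysqli $db, int $orderId, string $companyName): int
{
    // Placeholders keep user input out of the SQL text, so no quoting or escaping is needed.
    $stmt = $db->prepare("INSERT INTO testTable (orderID, companyName) VALUES (?, ?)");
    $stmt->bind_param("is", $orderId, $companyName); // i = integer, s = string
    $stmt->execute();
    $rows = $stmt->affected_rows;
    $stmt->close();
    return $rows;
}

try {
    // Same placeholder credentials as the code above; replace with real values.
    $mysqli = new mysqli("host", "username", "pass", "dbname");
    $mysqli->set_charset("utf8mb4");

    // Reject a missing or non-string field (e.g. companyName[]=x) before touching the database.
    $companyName = $_POST['companyName'] ?? null;
    if (!is_string($companyName) || $companyName === '') {
        http_response_code(400);
        exit("companyName is required");
    }

    insertOrder($mysqli, 5000, $companyName);
    echo "Order stored";
} catch (mysqli_sql_exception $e) {
    // Log the detail server-side; do not echo SQL errors to the visitor.
    error_log("Order insert failed: " . $e->getMessage());
    http_response_code(500);
    echo "Could not store the order";
}
```

With exception mode enabled, a connection failure or an SQL syntax error lands in the `catch` block and in the PHP error log instead of passing unnoticed.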