
I am trying to combine two HTML form fields into one MySQL field. I have tried this code but am unable to insert the value into the database.

// Handle a form submission: read the POSTed fields and try to insert one row into `Dname`.
// NOTE(review): the mysql_* extension used here was deprecated in PHP 5.5 and removed in PHP 7.0.
if ($_SERVER['REQUEST_METHOD'] == 'POST')
{

  // Each field is escaped for use inside a quoted SQL string literal.
  // mysql_real_escape_string() returns a string (false on failure), so these are scalars, not arrays.
  // NOTE(review): none of the $_POST keys is checked for presence before use.
  $city= mysql_real_escape_string($_POST['city']);
  // "name" and "domain" are joined with "-" first, so the combined value is escaped as a whole.
  $name = mysql_real_escape_string($_POST['name']. "-" . $_POST['domain']);
  $alias = mysql_real_escape_string($_POST['alias']);
  $date = mysql_real_escape_string($_POST['Date']);
  $user = mysql_real_escape_string($_POST['user']);
  $id = mysql_real_escape_string($_POST['id']);

    // implode() expects an array as its second argument, but $city ... $id are strings here.
    // $all1 ... $all6 are not read anywhere below.
    $all1 = implode(",",$city);
    $all2 = implode(",",$name);
$all3 = implode(",",$alias);
$all4 = implode(",",$date);
$all5 = implode(",",$user);
$all6 = implode(",",$id);


// explode() returns an array. Interpolating an array into a double-quoted string
// produces the literal text "Array", not the submitted value.
$all1e = explode(",",$city);
$all2e = explode(",",$name);
$all3e = explode(",",$alias);
$all4e = explode(",",$date);
$all5e = explode(",",$user);
$all6e = explode(",",$id);

     // mysql_query() executes the statement immediately and returns its result, so $insert
     // does not hold SQL text. The statement sent here lists six columns, supplies five values
     // and has no closing parenthesis. Values 4 and 5 come from $date and $user, while
     // columns 4 and 5 are `user` and `Date`, so the two are swapped.
     $insert = mysql_query ("INSERT INTO `Dname` (`city`, `name`, `alias`, `user`,     `Date`, `id`) VALUES ('$all1e','$all2e','$all3e','$all4e','$all5e'");

    // Intended to add an empty value for `id` and close the VALUES list, but it is
    // appended to the result of the first mysql_query() call, not to the SQL text.
$insert .= "'')";
// Runs whatever $insert now holds; on failure die() prints the raw driver error to the client.
$res = mysql_query($insert) or die(mysql_error());
}
Charaf JRA
Daniel
  • fyi your code is vulnerable to sql injection attacks! – Daniel A. White Aug 25 '13 at 23:42
  • and its terrible Database normalization –  Aug 25 '13 at 23:45
  • What's the error you're getting? Also @DanielA.White is correct, please read [How can I prevent SQL injection in PHP?](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) and [Why shouldn't I use mysql_* functions in PHP?](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php) –  Aug 25 '13 at 23:45
  • Try first to explain well your problem,because i haven't understood,also i see that you use implode and then explode in the same file , please try to give a good question so that we can help – Charaf JRA Aug 25 '13 at 23:57
  • Echo out the SQL you're generating - you're missing a comma between the final two fields in the VALUES – andrewsi Aug 26 '13 at 00:01

1 Answer


Apart from a very strange way of handling user input, your immediate problem is that your query is missing a value for the id column and the closing parenthesis. Instead of assigning the query text to $insert, you assign the result of executing it with the first mysql_query() call; you then try to concatenate that result with a string, and pass the '') literal to mysql_query() again.

To cut it short and assuming that your id column has auto_increment on it change

 // Original code, shown for comparison: mysql_query() executes the incomplete statement
 // straight away and stores its result (not the SQL text) in $insert.
 $insert = mysql_query ("INSERT INTO `Dname` (`city`, `name`, `alias`, `user`,     `Date`, `id`) VALUES ('$all1e','$all2e','$all3e','$all4e','$all5e'");

// Meant to supply an empty `id` value and close the VALUES list, but it is appended
// to the result of the call above rather than to the SQL text.
$insert .= "'')";
// Second execution, this time of whatever $insert holds after the concatenation.
$res = mysql_query($insert) or die(mysql_error());

to

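// Build the SQL text first, then execute it exactly once. `id` is left out so that
// auto_increment assigns it. The values are the escaped scalars returned by
// mysql_real_escape_string(), listed in the same order as the columns; the exploded
// $all*e arrays would interpolate as the literal text "Array", and the original
// value order put the date under `user` and the user under `Date`.
$insert = "INSERT INTO `Dname` (`city`, `name`, `alias`, `user`, `Date`)
           VALUES ('$city', '$name', '$alias', '$user', '$date')";
// NOTE(review): die(mysql_error()) prints the driver error to the client; outside of
// debugging, log it server-side and show a generic message instead.
$res = mysql_query($insert) or die(mysql_error());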

On a side note, instead of interpolating values into query strings, use prepared statements with either mysqli_* or PDO. The mysql_* extension used above was deprecated in PHP 5.5 and removed in PHP 7.0.

That being said your code with prepared statements in PDO might look like

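// Insert one row into `dname` with a PDO prepared statement, so the submitted values
// travel as bound parameters and never become part of the SQL text.

// Reject the request early if a field is missing or is not a plain string
// (a form field posted as city[]=... arrives as an array).
$required = array('city', 'name', 'domain', 'alias', 'Date', 'user');
foreach ($required as $field) {
    if (!isset($_POST[$field]) || !is_string($_POST[$field])) {
        http_response_code(400);
        // $field comes from the fixed list above, never from the request.
        exit('Missing or invalid field: ' . $field);
    }
}

$city  = $_POST['city'];
// The two form fields are stored together in the single `name` column.
$name  = $_POST['name']. "-" . $_POST['domain'];
$alias = $_POST['alias'];
$date  = $_POST['Date'];
$user  = $_POST['user'];

try {
    // Placeholder host, database and credentials; load real ones from configuration
    // kept outside the web root. MySQL's `utf8` is the 3-byte subset of UTF-8;
    // use utf8mb4 here if the schema does.
    $db = new PDO('mysql:host=localhost;dbname=dbname;charset=UTF8', 'user', 'password');
    // Report database errors as exceptions instead of silent false returns.
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Use server-side prepared statements rather than client-side emulation.
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

    // `id` is omitted so that auto_increment assigns it.
    $insert = "INSERT INTO `dname` (`city`, `name`, `alias`, `user`, `date`) VALUES (?, ?, ?, ?, ?)";
    $query = $db->prepare($insert);
    // Parameter order must match the column list above.
    $query->execute(array($city, $name, $alias, $user, $date));
} catch (PDOException $e) {
    // The driver message can reveal schema or connection details, so it goes to the
    // server log and the client only sees a generic message.
    error_log('dname insert failed: ' . $e->getMessage());
    echo "Exception: the record could not be saved.";
}
// Dropping the references closes the statement and the connection.
$query = null;
$db = null;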
peterm