Mysqli_Query INSERT

Question

For some reason, this code is not inserting into my database, It was working a few days ago, I swear. Now, nothing. Does anyone have any ideas as to why it's not working? It's just giving any errors.

$con=mysqli_connect($host,$username,$password,$dbname) or die('Error->' .mysqli_error($con));

function quote2entities($string,$entities_type='number')
{
    $search                     = array("\"","'");
    $replace_by_entities_name   = array("&quot;","&apos;");
    $replace_by_entities_number = array("&#34;","&#39;");
    $do = null;
    if ($entities_type == 'number')
    {
        $do = str_replace($search,$replace_by_entities_number,$string);
    }
    else if ($entities_type == 'name')
    {
        $do = str_replace($search,$replace_by_entities_name,$string);
    }
    else
    {
        $do = addslashes($string);
    }
    return $do;
}
echo mysqli_error($con);

$c = quote2entities($_POST['company']);
$mem = quote2entities($mem);
$cp = quote2entities($cp);
$vcc = quote2entities($vcc);
$addy = quote2entities($addy);
$contact = quote2entities($contact);
$date = quote2entities($date);
$type = quote2entities($type);


echo $c ;
echo $contact;
echo $vcc;
$query = "INSERT INTO project (company) VALUES (".$c.")";
mysqli_query($con, $query);
mysqli_close($con);

Did you happen to change this `('Error->'`? that `>` could be playing tricks on you. — Funk Forty Niner, Oct 19 '13 at 23:57
also change `VALUES (".$c.")` to `VALUES ('".$c."')` could be another thing — Funk Forty Niner, Oct 19 '13 at 23:58
let me try the ('".$c."') again, it was set there before. I don't know, also ('Error->' is set using literal terms, so that isn't the problem. @Fred -ii- — RainbowdashTM, Oct 20 '13 at 00:06
Of course, that was the issue, I have no idea why that is required though. Thanks anyways! If you post it as a comment I'll make it the answer! — RainbowdashTM, Oct 20 '13 at 00:07
Not using bound parameters... Not checking return value from mysqli_query()... Not printing any error messages... Come on, this has been answered hundreds of times on StackOverflow already. — Bill Karwin, Oct 20 '13 at 01:00

score 1 · Answer 1 · edited May 23 '17 at 12:00

1

Change VALUES (".$c.") to VALUES ('".$c."')

the variable needs to be inclosed inside single quotes.

You also could use single quotes ('$c') or ('.$c.') as other options.

These I already knew, however you can consult: When to use single quotes, double quotes, and backticks in MySQL to see the different combinations.

edited May 23 '17 at 12:00

Community

1
1

answered Oct 20 '13 at 00:58

Funk Forty Niner

74,450
15
68
141

score 1 · Answer 2 · edited May 23 '17 at 12:33

1

This code should never ever be used.
As it makes not a slightest sense: for some reason you are using HTML encoding when dealing with database. Which is obviously wrong. Not to mention that you ought to use prepared statements instead of interpolating values into query.

Please get rid of your current approach and learn the right way here: How can I prevent SQL injection in PHP?

edited May 23 '17 at 12:33

Community

1
1

answered Oct 20 '13 at 08:38

Your Common Sense

156,878
40
214
345

Mysqli_Query INSERT

2 Answers2