-1
<html>
<head>
HTML CODE
<?
$username="xxxxxx";
$password="xxxxxx";
$database="xxxxxx";

mysql_connect(localhost,$username,$password);

$escape = "INSERT INTO monster VALUES ('',$_POST["name"],$_POST["soort"])";
$escape2 = "DELETE monster FROM monster LEFT OUTER JOIN (
            SELECT MIN( ID ) AS ID, NAME, PREF
            FROM monster
            GROUP BY NAME, PREF
            ) AS KeepRows ON monster.ID = KeepRows.ID
            WHERE KeepRows.ID IS NULL";

$query=mysql_real_escape_string($escape);
$query2=mysql_real_escape_string($escape2);

@mysql_select_db($database) or die("MySQL error: Kan inte ansluta till databasen.");
mysql_close();
?>
</body>
</html>

Every time I run this (from another file, containing the name and soort posts) I get a 500 internal server error. First I figured that the queries may be the problem, but they don't even get executed. However, I tried to escape the queries. But still error. What is wrong with this code? (Note: $escape2 is some code I found that removes duplicates in the database. But I don't really know how to format it so that it can be used through PHP.)

plain jane

5 Answers

0

Problem in the INSERT INTO statement.

It should be

$escape = "INSERT INTO monster VALUES ('',".$_POST['name'].",".$_POST['soort'].")";

It is preferable to write column names while writing insert queries.

If a column contains string values like VARCHAR or TEXT, then use quoted_printable_decode.

Pass null if the column is autoincrement.

Insert statement:

$escape = "INSERT INTO monster (col1, col2, col3) VALUES (NULL,'".$_POST['name']."',".$_POST['soort'].")";

or

$escape = "INSERT INTO monster (col2, col3) VALUES ('".$_POST['name']."',".$_POST['soort'].")";
Pragnesh Chauhan
0

Use something like below...

$query = "INSERT INTO monster VALUES ('', '".$_POST["name"]."', '".$_POST["soort"]."')";

Please do not insert values without escaping.

Ashwini Agarwal
0

It looks like you need something like this:

$query = "INSERT INTO monster VALUES ('', '".$_POST["name"]."', '".$_POST["soort"]."')";

Also, I would suggest using prepared statements, because it is a bad experience to build queries.

Community
ST3
0

First of all, I have a cool proposition for you. What do you say about some advanced PHP? One step further into the great world of safe PHP + MySQL apps?

Introducing to you PDO. (I know this is not an answer to your question, but you can consider it.) Example of use on your queries:

$db = new PDO('mysql:host=localhost;dbname='.$database, $username, $password);

$insertQuery = $db->prepare('INSERT INTO monster VALUES ("", :name, :soort)');
$deleteQuery = $db->prepare('DELETE monster FROM monster LEFT OUTER JOIN (
SELECT MIN( ID ) AS ID, NAME, PREF
FROM monster
GROUP BY NAME, PREF
) AS KeepRows ON monster.ID = KeepRows.ID
WHERE KeepRows.ID IS NULL');

//to execute query:
$deleteQuery->execute();
//or with params:
$insertQuery->execute(array(
  ':name'  => $_POST['name'],
  ':soort' => $_POST['soort'],
));

Cool, huh? There is more... Now, according to your problem, it could be anything (as we don't have an error log), but my guess is:

  • Try to use <?php instead of <?
  • $escape = "INSERT INTO monster VALUES ('',{$_POST["name"]},{$_POST["soort"]})";

EDIT: As you provided the error log, now I'm sure that the problem is in the $escape query. It's because you used $escape = " <- and then $_POST["name"], so there was a collision of " (if I can say so).

speccode
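An added example, not code from the question or from any answer: the prepared-statement approach suggested above, applied to both of the question's queries, with an apostrophe in the input to show that bound values cannot collide with the SQL text. The question passes the whole statement to mysql_real_escape_string; here the SQL stays fixed and only the values are treated as data. Assumptions: PHP with the pdo_sqlite extension, an in-memory SQLite database standing in for MySQL, hypothetical function names, and `soort` mapped to the `PREF` column.

```php
<?php
// Added example: SQLite in-memory stands in for the MySQL server so this runs offline.
// Column names ID, NAME, PREF come from the page's DELETE query; "soort" -> PREF is an assumption.
function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    // Throw on SQL errors instead of failing silently.
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE monster (ID INTEGER PRIMARY KEY AUTOINCREMENT, NAME TEXT NOT NULL, PREF TEXT NOT NULL)');
    return $db;
}

function addMonster(PDO $db, array $post): int
{
    // Validate presence and type before touching the database.
    foreach (['name', 'soort'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field]) || $post[$field] === '') {
            throw new InvalidArgumentException("missing or invalid field: $field");
        }
    }
    // Placeholders keep the SQL text fixed; the values travel separately as data.
    $stmt = $db->prepare('INSERT INTO monster (NAME, PREF) VALUES (:name, :soort)');
    $stmt->execute([':name' => $post['name'], ':soort' => $post['soort']]);
    return (int) $db->lastInsertId();
}

function removeDuplicates(PDO $db): int
{
    // Static SQL with no user input: keep the lowest ID per (NAME, PREF) pair.
    // SQLite form of the page's LEFT OUTER JOIN delete.
    return $db->exec('DELETE FROM monster WHERE ID NOT IN (SELECT MIN(ID) FROM monster GROUP BY NAME, PREF)');
}

// Constructed sample input standing in for $_POST; the apostrophe would break a concatenated query.
$db = openDb();
$samples = [
    ['name' => "D'jinn", 'soort' => 'fire'],
    ['name' => "D'jinn", 'soort' => 'fire'],   // duplicate row
    ['name' => 'Troll',  'soort' => 'earth'],
];
foreach ($samples as $post) {
    addMonster($db, $post);
}
$removed = removeDuplicates($db);
$rows = $db->query('SELECT ID, NAME, PREF FROM monster ORDER BY ID')->fetchAll(PDO::FETCH_ASSOC);
printf("removed %d duplicate(s), %d row(s) left\n", $removed, count($rows));
foreach ($rows as $r) {
    printf("%d %s %s\n", $r['ID'], $r['NAME'], $r['PREF']);
}
```

Against MySQL, use the `mysql:host=...;dbname=...` connection string shown in the answer above and keep the page's JOIN-based DELETE, which is likewise static SQL with no user input.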
0

Try this:

Whenever you insert string-type values into the database using a query, they have to be passed in quoted format. So you just need to change your insert query here.

$query = "INSERT INTO monster VALUES ('', '".$_POST["name"]."', '".$_POST["soort"]."')";

Write the query like this.

- Thanks

Anand Solanki