Why this won't insert into table?

Question

Here is my code for adding users to mysql database, I really don't know why it won't submit it...

    <?php include 'includes/header.php'; ?>
<?php 
    if (isset($_post['submit'])) {
        $ime_priimek = $_post['ime_priimek'];
        $spol = $_post['spol'];
        $razred = $_post['razred'];
        $slika = $_post['slika'];
        $sql = mysqli_query($con, "INSERT INTO uporabniki (ime_priimek, spol, razred, slika) VALUES ('". $ime_priimek ."' , '". $spol ."' , '". $razred ."' , '". $slika ."' , )" or die(mysql_error()));
        echo "Dodan";
    } else {
        echo "Ni dodan";
    }
 ?>
<div class="container main">
    <div class="row">
        <div class="col-lg-8">
            <div class="panel panel-primary">
              <div class="panel-heading">Dodaj uporabnika</div>
              <div class="panel-body">
                <form role="form" action="admin.php?g=miha" method="post" accept-charset="utf-8">
                  <div class="form-group">
                    <label for="ime_priimek">Ime in priimek:</label>
                    <input type="text" name="ime_priimek" class="form-control" id="ime_priimek" placeholder="Andrej Novak">
                  </div>
                  <div class="form-group">
                    <label for="spol">Spol:</label>
                    <input type="text" name="spol" class="form-control" id="spol" placeholder="Moški">
                  </div>
                  <div class="form-group">
                    <label for="razred">Razred:</label>
                    <input type="text" name="razred" class="form-control" id="razred" placeholder="2. Mb">
                  </div>
                  <div class="form-group">
                    <label for="slika">Slika:</label>
                    <input type="text" name="slika" class="form-control" id="slika" placeholder="https://fbcdn-sphotos-c-a.akamaihd.net/hphotos-ak-ash3/1391614_10200902760433385_105742999_n.jpg">
                  </div>
                  <button class="btn btn-primary" name="submit" type="submit">Dodaj</button>
                </form>
              </div>
            </div>
        </div>

I can't find reason why this code won't insert data in my database. Please help!

What error are you getting? Btw, your code is prone to SQL injections. Check this [useful documentation](http://xkcd.com/327/) — Mosty Mostacho, Oct 25 '13 at 21:24
[read this](http://stackoverflow.com/a/601457/623952) and then [this](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) — gloomy.penguin, Oct 25 '13 at 21:27

Funk Forty Niner · Answer 1 · 2013-10-25T22:27:54.497

1

For one thing, $_POST is a superglobal and must be in uppercase like this $_POST

yours are all in lowercase $_post

I also noticed there are no DB credentials for $con in your posted code.

You need to be doing something to the affect of:

$con=mysqli_connect("xxx_host", "xxx_user", "xxx_password");
mysqli_query($con, "INSERT INTO uporabniki (ime_priimek, spol, razred, slika) VALUES 
('". $ime_priimek ."' , '". $spol ."' , '". $razred ."' , '". $slika ."' )" or die(mysql_error()));

and you had a stray comma in '". $slika ."' , )"

You can also try this method:

$mysql_hostname = 'xxx';
$mysql_username = 'xxx';
$mysql_password = 'xxx';
$mysql_dbname = 'xxx';

$con= new PDO("mysql:host=$mysql_hostname;dbname=$mysql_dbname", $mysql_username, $mysql_password); 

$sql = $con->prepare("INSERT INTO uporabniki (ime_priimek, spol, razred, slika) VALUES (?, ? ,? ,?)");
$sql->bindParam(1, $ime_priimek);
$sql->bindParam(2, $spol);
$sql->bindParam(3, $razred);
$sql->bindParam(4, $slika);
$sql->execute();

edited Oct 25 '13 at 22:27

answered Oct 25 '13 at 21:24

Funk Forty Niner

74,450
15
68
141

That also didn't helpet. It goes through without any error, but won't insert into database – user2912934 Oct 25 '13 at 21:28
@user2912934 You have a stray comma also in `'". $slika ."' ,` – Funk Forty Niner Oct 25 '13 at 21:29
@user2912934 and consult [bksi's answer](http://stackoverflow.com/users/965689/bksi) – Funk Forty Niner Oct 25 '13 at 21:31
@user2912934 Where is your `$con` ? Is it in your `header.php` ? – Funk Forty Niner Oct 25 '13 at 21:35
@user2912934 I added something to my answer, since you do not have any DB credentials in your posted code, "if" that's the case. – Funk Forty Niner Oct 25 '13 at 21:51

Havenard · Answer 2 · 2013-10-25T21:33:30.820

There are several mistakes in your code.

$_post? Unless you declared it yourself, PHP only has $_POST. Variable names are case-sensitive.

I suppose thats basically why your insert won't work, howover, there is more.

You are getting values sent from the client and trowing them, as is, directly inside a SQL Query. Bad move. Perhaps you want to learn the principles of SQL Injection and how to prevent it.

Also, I don't see how mysql_error() will help you here, sinse you are using MySQLi. Try mysqli_error() instead.

score 0 · Answer 3 · answered Oct 25 '13 at 21:28

You need to change $_post to uppercase. Like:

<?php 
    if (isset($_POST['submit'])) {
        $ime_priimek = $_POST['ime_priimek'];
        $spol = $_POST['spol'];
        $razred = $_POST['razred'];
        $slika = $_POST['slika'];
        $sql = mysqli_query($con, "INSERT INTO uporabniki (ime_priimek, spol, razred, slika) VALUES ('". $ime_priimek ."' , '". $spol ."' , '". $razred ."' , '". $slika ."' , )" or die(mysql_error()));
        echo "Dodan";
    } else {
        echo "Ni dodan";
    }
 ?>

score 0 · Accepted Answer · answered Oct 25 '13 at 21:29

0

Everytime it is good to format your queries. If you have formated yours you should see that you have one extra , at the end

$query = "INSERT INTO uporabniki (ime_priimek, spol, razred, slika)";
$query .= " VALUES ('". $ime_priimek ."','". $spol ."','". $razred ."','". $slika ."')";
$sql = mysqli_query($con, $query) OR die("ERROR: ".mysqli_error());

answered Oct 25 '13 at 21:29

bksi

1,606
1
23
45

Pretty sure the OP would need to use [`mysqli_multi_query`](http://php.net/manual/en/mysqli.multi-query.php) for this one. – Funk Forty Niner Oct 25 '13 at 21:33
Hm, this is just one insert statement. Why multi_query is needed? – bksi Oct 25 '13 at 21:36
Because of the concatenate on `$query .=` – Funk Forty Niner Oct 25 '13 at 21:37
But the query is one, not two as your link shows. There are 2 SELECTS concatinated. Here we have only one INSERT statement – bksi Oct 25 '13 at 21:40
It's because of both `$query=` and `$query .=` Using 2 `$query` requires `mysqli_multi_query` - Have a look at the documentation http://php.net/manual/en/mysqli.multi-query.php – Funk Forty Niner Oct 25 '13 at 21:44
I just looked at it and it is used when you concatinate more than one statement. Here we have only one. it is same as we used $query = "INSERT INTO uporabniki (ime_priimek, spol, razred, slika) VALUES ('". $ime_priimek ."','". $spol ."','". $razred ."','". $slika ."')"; – bksi Oct 25 '13 at 21:45
Ok, I see what you're getting at now. – Funk Forty Niner Oct 25 '13 at 21:50
I just want to notice that query formatting is sometimes crusual for errorless code. – bksi Oct 25 '13 at 21:52
Yes you're right. I also noticed another thing is, the OP didn't post any DB (`$con`) credentials in posted code, so I suspect it to be a reason; if my suspicion is correct. – Funk Forty Niner Oct 25 '13 at 21:56

Why this won't insert into table?

4 Answers4