Insert does not work with PHP variables

Question

I want to insert into a MySQL database from a webpage using PHP, but when trying to use variables it does not work (it works just fine if I use something not while using $something)

Here is the code:

mysqli_query($con,"INSERT INTO Atendido (idPaciente,idDoctor,fecha,costo,tipoAtencion) values ('".$_GET['iddoctor']."', '".$_GET['idpacient']."', '".$_GET['date']."', '".$_GET['amount']."', '".$_GET['description']."')");

and the data comes from an other page with this form:

<form action="thanks/index.php" method="get">
    <span class="largetext">ID. doctor</span><br/>
    <input type="password" name="iddoctor"><br/>
    <span class="largetext">ID. patient</span><br/>
    <input type="password" name="idpatient"><br/>
    <span class="largetext">Date</span><br/>
    <input type="date" name="date"><br/>
    <span class="largetext">Amount</span><br/>
    <input type="number" name="amount"><br/>
    <span class="largetext">Description</span><br/>
    <input type="text" name="description"><br/><br/>
    <input type="submit" value="Accept" style="background-color:#FF5F00; color:#FFFFFF; opacity: 0.77;">
</form>

Thank you! To everyone who noted the SQL injection problem, I will also have a look onto that.

I now works, here is the corrected code:

mysqli_query($con,"INSERT INTO Atendido (idPaciente,idDoctor,fecha,costo,tipoAtencion) VALUES ('".$_GET['idpatient']."', '".$_GET['iddoctor']."','".$_GET['date']."', '".$_GET['amount']."', '".$_GET['description']."')");

I wait for the first comment: YOU ARE VULNERABLE FOR SQL INJECTION — Black Sheep, Nov 15 '13 at 01:46
arturojain how did you hack stackoverflow than become aldanux :) — Ismail Sahin, Nov 15 '13 at 01:47
check out you date format, wrong date format may not cause fail insert — caoglish, Nov 15 '13 at 01:51
Have you actually looked for an error message? Check the return value of `mysqli_query`, and if it's `false` look at `mysqli_error($con)`. I bet it says you have a syntax error. — , Nov 15 '13 at 01:53
For one thing, you have `$_GET['idpacient']` and `name="idpatient"` so no match. I believe you wanted to use `$_GET['idpatient']` or `name="idpacient"` (take your pick) - so that alone, I do believe will put things to a grinding halt. — Funk Forty Niner, Nov 15 '13 at 01:55
It now works, thank you all. I will also take a look onto SQL injection. — arturojain, Nov 15 '13 at 01:58
@arturojain Because of my above comment of no match? spelling mistake — Funk Forty Niner, Nov 15 '13 at 01:58
I think the error was the spelling mistake, yes. Thank you a lot. — arturojain, Nov 15 '13 at 01:59
I will put it as an answer so we can close this question and marked as answered then. @arturojain and you're welcome, glad I could help. — Funk Forty Niner, Nov 15 '13 at 02:00

score 1 · Answer 1 · answered Nov 15 '13 at 01:51

1

the fields are in wrong order:

Atendido (idPaciente, idDoctor
VALUES ('".$_GET['iddoctor']."', '".$_GET['idpacient']."'

change to:

"INSERT INTO Atendido (idPaciente,idDoctor,fecha,costo,tipoAtencion)
 VALUES ('".$_GET['idpacient']."', '".$_GET['iddoctor']."',
 '".$_GET['date']."', '".$_GET['amount']."', '".$_GET['description']."')")

answered Nov 15 '13 at 01:51

rray

2,518
1
28
38

1

The fields may be in the wrong order, but that shouldn't prevent the `INSERT` occurring. – Nov 15 '13 at 01:53
can be, like foreign key violetion – rray Nov 15 '13 at 01:55
It now works, thank you all. I will also take a look onto SQL injection. – arturojain Nov 15 '13 at 01:58

score 1 · Accepted Answer · answered Nov 15 '13 at 02:00

1

As discussed with the OP, $_GET['idpacient'] and name="idpatient" so no match.

I believe you wanted to use $_GET['idpatient'] or name="idpacient"

Take your pick on which one to correct.

answered Nov 15 '13 at 02:00

Funk Forty Niner

74,450
15
68
141

Giacomo1968 · Answer 3 · 2013-11-15T02:15:46.453

Your INSERT syntax makes little sense as it is:

mysqli_query($con,"INSERT INTO Atendido (idPaciente,idDoctor,fecha,costo,tipoAtencion) values ('".$_GET['iddoctor']."', '".$_GET['idpacient']."', '".$_GET['date']."', '".$_GET['amount']."', '".$_GET['description']."')");

I would suggest you do the following—and use sprintf—to make formatting easier:

$insert_query = sprintf("INSERT INTO Atendido (idPaciente,idDoctor,fecha,costo,tipoAtencion) values ('%s','%s','%s','%s','%s')", $_GET['iddoctor'], $_GET['idpacient'], $_GET['date'], $_GET['amount'], $_GET['description']);
mysqli_query($con,$insert_query);

What is nice about sprintf is it allows you to easily separate formatting logic from the data itself. Think of it as a small-scale templating system.

Also, I would even suggest taking it one step further by doing this:

$data_keys = array('idPaciente','idDoctor','fecha','costo','tipoAtencion');
$data_values = array();
foreach($data_keys as $key) {
  $value = array_key_exists($key, $_GET) && !empty($_GET[$key]) ? $_GET[$key] : null;
  if (!empty($value)) {
    $data_values[$key] = $value;
  }
}
if (!empty($data_values)) {    
  $insert_query = sprintf("INSERT INTO Atendido (%s) values ('%s')", implode(',', array_keys($data_values)), implode("','", $data_values) );
  echo $insert_query;
  mysqli_query($con,$insert_query);
}

That way you have a process to filter the $_GET values and make the creation of the INSERT easier to understand irregardless of how many values you have.

Insert does not work with PHP variables

3 Answers3