0

Happy New Year folks. I'm a newbie and apparently a simpleton. I had an HTML entry form for a movie database that's been working fine. I decided to add two fields to the database (720 and 1080.) That's all I did, honest. But now it won't write and I get the dreaded Error X. I've been going over the code for hours and can't find what I did wrong.

Any suggestions would be greatly appreciated.

```php
// Write data to table.

$sql = "INSERT INTO movies (Movies, Rating, Genre, Year, Actors, Time, Notes, Viewed, link, 720, 1080)
    VALUES ('" . $_POST['Movies'] . "', '" . $_POST['Rating'] . "', '" . $_POST['Genre'] . "', '" . $_POST['Year'] . "', '" . $_POST['Actors'] . "', '" . $_POST['Time'] . "', '" . $_POST['Notes'] . "', '" . $_POST['Viewed'] . "', '{$f_link}', '" . $_POST['720'] . "', '" . $_POST['1080'] . "')";

if (!mysqli_query($con, $sql))
{
    die('Error: X ' . mysql_error($con));
}

echo "<center>1 record successfully added</center>";

mysqli_close($con);
```
Gun2sh
Jim Raymond
  • 1
    And the rest of the error message is...? Maybe if you used `mysqli_error` instead of the wrong `mysql_error` you'd know. – deceze Jan 01 '14 at 20:36
  • is `link` not named `Link` which would follow the casing pattern? – Patrick Moore Jan 01 '14 at 20:36
  • 1
    Not related to your question, but concatenating $_POST-variables directly into your query is a very, very easy way to get your website compromised/hacked. You should try reading [bobby-tables.com](http://bobby-tables.com/) to see why, and how you can prevent it. – Sebastian Paaske Tørholm Jan 01 '14 at 20:38
  • Thank you folks. It would appear that you have solved my issue. It did cross my mind that maybe I couldn't just use numbers for a field. I'm sure once I change those it will work. Thanks. – Jim Raymond Jan 01 '14 at 20:48
  • Thanks @Set Sail Media you are right. I'm not only a newbie but a hack. When I added the link field I didn't stay consistent and I just left it that way. I guess I should fix that. Thanks. – Jim Raymond Jan 01 '14 at 20:50
  • Thanks @Sebastian Paaske Torholm. I will surely look into that. The book I bought from "Head First" (O'Reilly) told me to use the $_Post. I'll definitely look into your suggestion. Every time I screw up one thing and come here I learn a ton more. – Jim Raymond Jan 01 '14 at 20:54

3 Answers

4

From the MySQL documentation:

http://dev.mysql.com/doc/refman/5.1/en/identifiers.html

Identifiers may begin with a digit but unless quoted may not consist solely of digits.

MillaresRoo
2

Escaping column names with backticks works, so use `` `720` ``, `` `1080` `` instead.

On a side note, you should clean up and escape $_POST data before insert.

Also, I think you have to use mysqli_error() instead of mysql_error().

Funk Forty Niner
MonkeyVoodoo
0

Folks, thanks again for all your help. I had to hit the grocery store before the two day, foot of snow storm that's coming in around midnight.

I changed the names to R720 and R1080 (for resolution) and that solved the problem. Unfortunately, and I have no idea why, if I try to use the mysql instead of the mysqli I get the error message. And it has never actually given me the code. Just Error X.

I did take a peek at the slide show at bobby-tables but it's a bit much for me right now. I will look into it in the next few days and try and understand it.

Again, thanks and have a Happy New Year.

Jim Raymond
  • For the security issue, you may like to read [How can I prevent SQL injection in PHP?](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). This is a serious threat, and every programmer must practice SQL injection defense before deploying their apps on the public web. Here's another resource that might help, it's a presentation I created: [SQL Injection Myths and Fallacies](http://www.slideshare.net/billkarwin/sql-injection-myths-and-fallacies) – Bill Karwin Jan 01 '14 at 23:05
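
The fixes suggested in the answers and comments above, combined in one added example (not code from the asker or any answerer): backtick-quoted column names and a mysqli prepared statement in place of the concatenated `$_POST` values, with failures raised as exceptions instead of being read back through `mysqli_error()`. The helper name `insert_movie`, the connection credentials and the sample row are assumptions made up for the illustration.

```php
<?php
// Added example, not the asker's code. Assumes the `movies` table from the
// question; host, user, password and database name below are placeholders.

// Make mysqli throw mysqli_sql_exception on failure (the default since PHP 8.1).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// insert_movie() is a hypothetical helper name. Values are bound as
// parameters, so quotes in user input never become part of the SQL text.
function insert_movie(mysqli $con, array $post, string $f_link): int
{
    // Identifiers are fixed in the statement and quoted with backticks,
    // which the all-digit column names 720 and 1080 require.
    $sql = 'INSERT INTO `movies`
              (`Movies`, `Rating`, `Genre`, `Year`, `Actors`, `Time`,
               `Notes`, `Viewed`, `link`, `720`, `1080`)
            VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)';

    $order = ['Movies', 'Rating', 'Genre', 'Year', 'Actors', 'Time',
              'Notes', 'Viewed', 'link', '720', '1080'];
    $values = [];
    foreach ($order as $field) {
        $v = $field === 'link' ? $f_link : ($post[$field] ?? '');
        $values[] = is_scalar($v) ? (string) $v : ''; // drop array-valued input
    }

    $stmt = $con->prepare($sql);
    $stmt->bind_param(str_repeat('s', count($values)), ...$values);
    $stmt->execute();
    $rows = $stmt->affected_rows;
    $stmt->close();
    return $rows;
}

// Constructed sample input: the apostrophe would break the concatenated query.
$sample = ['Movies' => "It's a Wonderful Life", 'Rating' => 'PG', 'Genre' => 'Drama',
           'Year' => '1946', 'Actors' => 'James Stewart', 'Time' => '130',
           'Notes' => '', 'Viewed' => 'Y', '720' => 'Y', '1080' => 'N'];

try {
    $con = new mysqli('localhost', 'db_user', 'db_password', 'db_name');
    $con->set_charset('utf8mb4');
    echo insert_movie($con, $sample, 'https://example.com/placeholder'), " record added\n";
    $con->close();
} catch (mysqli_sql_exception $e) {
    error_log('Insert failed: ' . $e->getMessage()); // full detail goes to the server log
    echo "Error: the record could not be saved\n";    // the visitor sees no SQL detail
}
```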