Insert values from form to database

Question

What did I do wrong? My code doesn't work

if (isset($_POST['submit'])){


    $fecha = ($_POST['fecha']);//date
    $hora_in = ($_POST['hora_incial']); //time
    $hora_fin = ($_POST['hora_final']);//time
    $comentarios =($_POST['comentarios']);//text

    //inserting data order
    $order = "INSERT INTO control ('Fecha','Hora_incial','Hora_final','Comentarios') VALUES('".$fecha."','".$hora_in."','".$hora_fin."','".$comentarios."')";

    //declare in the order variable
    $result = mysql_query($order);  //order executes
    if($result){
        echo("<br>Input data is succeed");
    } else{
        echo("<br>Input data is fail"); 
    }
}

It shows me fail always. The connection is ok, but I can't insert the data

Thanks for you help !! :)

What does mysql_error() say? Have you verified the query is correct? Are all of the values what you expect? — John Conde, Jan 30 '14 at 20:26
Lovely [SQL injection attack](http://bobby-tables.com) vulnerabilities... enjoy having your server pwn3d. — Marc B, Jan 30 '14 at 20:35

score 1 · Accepted Answer · edited May 23 '17 at 11:58

1

Remove the quotes around your column names and replace with backticks.

(`Fecha`,`Hora_incial`,`Hora_final`,`Comentarios`)

Quotes cannot be used for tables or column names

Line rewrite: (EDIT-added $con)

if (isset($_POST['submit'])){

$fecha = mysqli_real_escape_string($con,$_POST['fecha']);//date
$hora_in = mysqli_real_escape_string($con,$_POST['hora_incial']); //time
$hora_fin = mysqli_real_escape_string($con,$_POST['hora_final']);//time
$comentarios = mysqli_real_escape_string($con,$_POST['comentarios']);//text

$order = "INSERT INTO control (`Fecha`,`Hora_incial`,`Hora_final`,`Comentarios`) VALUES('$fecha','$hora_in','$hora_fin','$comentarios')";
$result = mysqli_query($con,$order);

if(! $result )
{
  die('Could not enter data: ' . mysqli_error($con));
}

else { echo "Success"; }

}

I also encourage you to switch to using mysqli_* functions with prepared statements instead of the deprecated mysql_* functions. Plus PDO is also an option.

Do read the following:

How can I prevent SQL injection in PHP?

edited May 23 '17 at 11:58

Community

1
1

answered Jan 30 '14 at 20:27

Funk Forty Niner

74,450
15
68
141

Do your columns exist and that your form elements are properly named? I.e.: `` etc.? @Deimos and I assume you are connected to DB? – Funk Forty Niner Jan 30 '14 at 20:40
Warning: mysqli_query() expects at least 2 parameters, 1 given this message i have now, yes is connect to DB, with mysqli, and i change to $result = mysqli_query($order); is this ok? $host = "localhost"; $user = "root"; $pass = ""; $db = "jazmin"; // Create connection $con=mysqli_connect($host,$user,$pass,$db); – Deimos Jan 30 '14 at 20:47
Ok, I think I know. I will edit my answer. @Deimos give me a minute or so. – Funk Forty Niner Jan 30 '14 at 20:47
See my edit, or use `$result = mysql_query($con, $order);` @Deimos – Funk Forty Niner Jan 30 '14 at 20:52
Parse error: syntax error, unexpected ',' something is wrong with linea i think – Deimos Jan 30 '14 at 20:54
Wait, I made a mistake. I am too used to using `mysqli_` and placing connection first. I edited it again. @Deimos – Funk Forty Niner Jan 30 '14 at 20:56
Hold on. Your DB connection is `mysqli_` it's confusing me. Give me a few more minutes, I'll fix it. @Deimos – Funk Forty Niner Jan 30 '14 at 21:04
You're welcome. Ok, try it now and reload my answer. You were mixing your query with `mysql_*` functions with a `mysqli_*` connection method, they don't mix together. @Deimos – Funk Forty Niner Jan 30 '14 at 21:10
You're very much welcome. I'm always glad to hear when something gets solved. Thank you and have a nice day/evening as well, cheers! @Deimos – Funk Forty Niner Jan 30 '14 at 21:18

score 0 · Answer 2 · answered Jan 30 '14 at 20:46

Change your query to

$order = "INSERT INTO control 
        ."(Fecha,Hora_incial,Hora_final,Comentarios)" 
        ." VALUES"
        ."('$fecha','$hora_in','$hora_fin','$comentarios')";

i dont understand why you use dots in ".$variable."

whe you have a problem, try first to echo your query, like

echo $order;

and past it in your phpmyadmin (if you have one).

Insert values from form to database

2 Answers2