
I need to do a school assignment and I have run into quite a few problems, but I don't understand why the code below gives empty values to the table. Only NOW() gets inserted into the table; otherwise it says Query Empty or something like that. I had the same code on a different page and with a different table and it worked like a charm.

Regards, Werner.

<?php
$dbhost = 'localhost';
$dbuser = '';
$dbpass = '';
$pnimi =$_REQUEST['pitsa_nimi'];
$id =$_REQUEST['pitsatyybinimi'];
$conn = mysql_connect($dbhost, $dbuser, $dbpass);
if(! $conn )
{
   die('Could not connect: ' . mysql_error());
}
$sql = 'INSERT INTO tellimused_pitsad '.
       '(pitsa_nimi,aeg,toidutyybi_id)'.
        "VALUES ( '$pnimi', NOW(), '$id' )";

mysql_select_db('carl.reinomagi');
$retval = mysql_query( $sql, $conn );
if(! $retval )
{
   die('Could not enter data: ' . mysql_error());
}
echo mysql_error();
echo "Entered data successfully\n";
mysql_close($conn);
header("location:tellimine.php");

?>

This is the previous page (ordering) code:

<?php
$tulemus = mysql_query("SELECT * FROM pitsad, pitsatyybid WHERE pitsad.toidutyybi_id = pitsatyybid.id", $dbhandle);
while ($row = mysql_fetch_assoc($tulemus))
{
?>
<tr><form action="telli.php">
    <td><? echo $row['pitsa_nimi']; ?></td>
    <td><? echo $row['hind']; ?></td>
    <td><? echo $row['valmimisaeg']; ?> Minutit</td>
    <td><? echo $row['pitsatyybinimi']; ?></td>
    <td>
    <input type="submit" value="TELLI"/>
    </form></td>
</tr>
<?php
}
?>
</table>
Shankar Narayana Damodaran
WKoppel

1 Answer


Please, don't use mysql_* functions in new code. They are no longer maintained and are officially deprecated. See the red box? Learn about prepared statements instead, and use PDO or MySQLi - this article will help you decide which. If you choose PDO, here is a good tutorial.

Here's a better example using PDO. This code is completely safe against SQL Injection, and is better than using mysql_* functions.

Make sure to read the comments and understand the code.

This is not copy/paste ready code!!

<?php

# Database Connection #
try {
    $conn = new PDO("mysql:host=localhost;dbname=carl.reinomagi", "root", ""); //Please consider having different credentials.
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); //Throw Exceptions on errors - This disables the need to check for errors, see the catch block below.
    $conn->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); //True prepared statements.

    ## Preparations ##

    $pnimi = $_POST["pitsa_nimi"];
    $id = $_POST["pitsatyybinimi"]; //Please use $_POST or $_GET rather than $_REQUEST

    ## Data validation ##
    if (empty($pnimi) || empty($id)) {
        //One of the variables is empty, return an error to the user.
    }

    //Few things about this:
      //Note the `backticks` around table and column names. This helps readability.
      //Also note the placeholders :pnimi and :id; those are the placeholders for the prepared statement.
    $query = "INSERT INTO `tellimused_pitsad` (`pitsa_nimi`, `aeg`, `toidutyybi_id`) VALUES (:pnimi, NOW(), :id);";

    $statement = $conn->prepare($query); //prepare() is a method of the PDO connection

    $statement->bindValue(":pnimi", $pnimi); //Bind the values to the placeholders
    $statement->bindValue(":id", $id);

    $statement->execute();
    header("Location: tellimine.php");
}
catch (PDOException $e) {
    echo "An error has occurred! " . $e->getMessage(); //Echo a generic error to all mysql error messages.
}
Zoe
Madara's Ghost
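
An added example, not code from the question or from either poster: the ordering form in the question contains only a submit button, so no pitsa_nimi or pitsatyybinimi is ever sent, and this sketch puts both values in escaped hidden fields and implements the validation step the answer leaves as a comment. It assumes pitsatyybinimi carries the numeric type id, uses an arbitrary 100-byte name limit, and runs its constructed demo on in-memory SQLite.

```php
<?php
// Added example. Assumptions: the field pitsatyybinimi carries the numeric type id
// (it is what telli.php inserts into toidutyybi_id); the 100-byte name limit is arbitrary.

// Ordering page: each row's form must carry the values telli.php reads.
function render_order_form(array $row): string
{
    $name = htmlspecialchars($row['pitsa_nimi'], ENT_QUOTES, 'UTF-8');
    $type = htmlspecialchars((string) $row['toidutyybi_id'], ENT_QUOTES, 'UTF-8');
    return '<form action="telli.php" method="post">'
         . '<input type="hidden" name="pitsa_nimi" value="' . $name . '"/>'
         . '<input type="hidden" name="pitsatyybinimi" value="' . $type . '"/>'
         . '<input type="submit" value="TELLI"/></form>';
}

// telli.php: return the validated values, or null if a field is missing or malformed.
function validate_order(array $post): ?array
{
    $name = is_string($post['pitsa_nimi'] ?? null) ? trim($post['pitsa_nimi']) : '';
    $id = filter_var($post['pitsatyybinimi'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($name === '' || strlen($name) > 100 || $id === false) {
        return null;
    }
    return ['pnimi' => $name, 'id' => $id];
}

// CURRENT_TIMESTAMP is accepted by MySQL (synonym for NOW()) and by SQLite.
function insert_order(PDO $conn, array $order): void
{
    $stmt = $conn->prepare('INSERT INTO tellimused_pitsad (pitsa_nimi, aeg, toidutyybi_id)'
                         . ' VALUES (:pnimi, CURRENT_TIMESTAMP, :id)');
    $stmt->bindValue(':pnimi', $order['pnimi'], PDO::PARAM_STR);
    $stmt->bindValue(':id', $order['id'], PDO::PARAM_INT);
    $stmt->execute();
}

// Constructed demo on in-memory SQLite so it runs offline; swap the DSN for MySQL.
$conn = new PDO('sqlite::memory:');
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$conn->exec('CREATE TABLE tellimused_pitsad (pitsa_nimi TEXT, aeg TEXT, toidutyybi_id INTEGER)');
echo render_order_form(['pitsa_nimi' => 'Quattro "Formaggi"', 'toidutyybi_id' => 2]), "\n";
$posts = [[], ['pitsa_nimi' => "Werner's special", 'pitsatyybinimi' => '2']];
foreach ($posts as $post) {
    $order = validate_order($post);
    if ($order === null) { echo "rejected: missing or invalid field\n"; continue; }
    insert_order($conn, $order);
}
print_r($conn->query('SELECT * FROM tellimused_pitsad')->fetchAll(PDO::FETCH_ASSOC));
```

The first constructed POST is empty, as the question's button-only form would send it, and is rejected; the second is stored with its apostrophe intact because the value is bound rather than concatenated.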