I'm developing a web app for movie reviews. I am writing the page where reviews are created and am having issues with the data for a new review being uploaded to the MySQL database. When I submit a new review I get the created successfully message, however the database remains unchanged.

The POST data is gathered by forms located on the same page.

Connect.php:

<?php
$connection = mysql_connect('localhost', 'root', '');
if (!$connection){
    die("Database Connection Failed" . mysql_error());
}
$select_db = mysql_select_db('mydb');
if (!$select_db){
    die("Database Selection Failed" . mysql_error());
}
?>

Here's my PHP code:

<?php
session_start();
require("connect.php");
if(isset($_SESSION['critic_name'])){
    $movie_id=NULL;
    if (isset($_POST['reviewmovie']) && isset($_POST['rating'])){
        $movie_title = $_POST['reviewmovie'];
        $review_title = $_POST['review_title'];
        $movie_id = mysql_query("SELECT movie_id FROM Movies WHERE 'movie_title'=".$_POST['reviewmovie']." ") or die(mysql_error());
        $mem_id = mysql_query("SELECT mem_id FROM Members WHERE 'critic_name'=".$_SESSION['critic_name']." ") or die(mysql_error());
        $rating = $_POST['rating'];
        $comments = $_POST['comments'];
        $result = mysql_num_rows($movie_id);
        $result2 = mysql_num_rows($mem_id);
        if(!$result && !$result2){
            $query = mysql_query("INSERT INTO `Reviews` (review_id, rating, comments, mem_id movie_id, review_title) VALUES ('$rating', '$comments', '$mem_id', '$movie_id', '$review_title')");
            if($query){
                $msg = "Review Created Successfully.";
            }
        }
    }
}
?>
  • Remove the quotes from both `WHERE 'movie_title'` and `WHERE 'critic_name'` those are column names and not variables. Plus change `".$_POST['reviewmovie']."` to `'".$_POST['reviewmovie']."'` and `".$_SESSION['critic_name']."` to `'".$_SESSION['critic_name']."'` – Funk Forty Niner Apr 03 '14 at 00:56
  • Please, before you get yourself into trouble, read up on [proper SQL escaping](http://bobby-tables.com/php) to avoid severe [SQL injection bugs](http://bobby-tables.com/). When using `mysqli` you should be using parameterized queries and [`bind_param`](http://php.net/manual/en/mysqli-stmt.bind-param.php) to add user data to your query. **Avoid** using string interpolation to accomplish this. **Never** put `$_POST` data directly in a query. – tadman Apr 03 '14 at 00:56

1 Answer

Remove the quotes from both WHERE 'movie_title' and WHERE 'critic_name'; those are column names and not variables. If you absolutely want to wrap them in something, use backticks (`).

Plus, change ".$_POST['reviewmovie']." to '".$_POST['reviewmovie']."' and ".$_SESSION['critic_name']." to '".$_SESSION['critic_name']."'

You also forgot a comma in between mem_id and movie_id (which will break your query).

(review_id, rating, comments, mem_id movie_id, review_title)
                                    ^ // <- right there

Change it to:

(review_id, rating, comments, mem_id, movie_id, review_title)

Sidenote: Your present code is open to SQL injection. Use mysqli_* functions (which I recommend, with prepared statements) or PDO.


Footnotes:

mysql_* functions deprecation notice:

http://www.php.net/manual/en/intro.mysql.php

This extension is deprecated as of PHP 5.5.0, and is not recommended for writing new code as it will be removed in the future. Instead, either the mysqli or PDO_MySQL extension should be used. See also the MySQL API Overview for further help while choosing a MySQL API.

These functions allow you to access MySQL database servers. More information about MySQL can be found at » http://www.mysql.com/.

Documentation for MySQL can be found at » http://dev.mysql.com/doc/.
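The fixes above make the queries syntactically valid, but quoting the values (`'".$_POST['reviewmovie']."'`) does not make them safe: a submitted movie title such as `' OR 1=1 -- ` still rewrites the WHERE clause, which is the injection the comments warn about. The example below is an added illustration, not the asker's or the answerer's code: the same review flow rewritten with mysqli prepared statements, so user input is bound as data and never spliced into SQL text. It keeps the question's table and column names, the `mydb` credentials from `connect.php`, and the `reviewmovie`/`rating`/`comments`/`review_title` form fields. Three things are assumptions not stated in the question: `Reviews.review_id` is AUTO_INCREMENT (so it is omitted from the INSERT; the original listed six columns for five values), a rating is a whole number from 1 to 10, and PHP 7.1 or later with the mysqli extension. Note also that the insert condition is written as "both lookups found a row"; the question's `if(!$result && !$result2)` inserts only when neither query returned anything, which is the opposite of what was wanted.

```php
<?php
// Added example (not the original poster's or answerer's code): review creation
// with mysqli prepared statements. Assumed: review_id is AUTO_INCREMENT,
// rating is an int 1..10, PHP >= 7.1 with mysqli.
session_start();

// Throw on any MySQL error instead of failing silently; credentials as in connect.php.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'root', '', 'mydb');
$db->set_charset('utf8mb4');

/**
 * Look up a single integer id by a text column. Returns null when nothing matches.
 * Identifiers cannot be bound as parameters, so table/column names come from a
 * fixed map that the request cannot influence; only the value is bound.
 */
function lookup_id(mysqli $db, string $column, string $value): ?int
{
    $lookups = [
        'movie_title' => ['Movies',  'movie_id'],
        'critic_name' => ['Members', 'mem_id'],
    ];
    if (!isset($lookups[$column])) {
        throw new InvalidArgumentException("no lookup defined for column $column");
    }
    list($table, $idCol) = $lookups[$column];

    $stmt = $db->prepare("SELECT `$idCol` FROM `$table` WHERE `$column` = ? LIMIT 1");
    $stmt->bind_param('s', $value);   // the user-supplied value travels as a parameter
    $stmt->execute();
    $stmt->bind_result($id);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? (int) $id : null;
}

/** Insert one review and return its new review_id (assumes AUTO_INCREMENT). */
function create_review(mysqli $db, int $memId, int $movieId, int $rating,
                       string $comments, string $reviewTitle): int
{
    $stmt = $db->prepare(
        'INSERT INTO `Reviews` (rating, comments, mem_id, movie_id, review_title)
         VALUES (?, ?, ?, ?, ?)'
    );
    // i = integer, s = string: types are declared, so quotes in $comments are data, not SQL.
    $stmt->bind_param('isiis', $rating, $comments, $memId, $movieId, $reviewTitle);
    $stmt->execute();
    $newId = (int) $db->insert_id;
    $stmt->close();
    return $newId;
}

$msg = '';
if (isset($_SESSION['critic_name'], $_POST['reviewmovie'], $_POST['rating'],
          $_POST['comments'], $_POST['review_title'])) {
    // Binding prevents injection; it does not validate. Check the one numeric field here
    // (1..10 is an assumption about the schema).
    $rating  = filter_var($_POST['rating'], FILTER_VALIDATE_INT,
                          ['options' => ['min_range' => 1, 'max_range' => 10]]);
    $movieId = lookup_id($db, 'movie_title', $_POST['reviewmovie']);
    $memId   = lookup_id($db, 'critic_name', $_SESSION['critic_name']);

    // Insert only when BOTH lookups found a row (the question's condition was inverted).
    if ($rating === false) {
        $msg = 'Rating must be a whole number between 1 and 10.';
    } elseif ($movieId === null || $memId === null) {
        $msg = 'Unknown movie or critic.';
    } else {
        $reviewId = create_review($db, $memId, $movieId, $rating,
                                  $_POST['comments'], $_POST['review_title']);
        $msg = "Review Created Successfully (id $reviewId).";
    }
}
```

Two points worth keeping in mind when adapting this: `mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT)` is what turns the original symptom (a success message with no row written) into a visible exception, and the identifier whitelist in `lookup_id` is the only reason the `"SELECT ... FROM `$table`"` interpolation is safe, since column and table names cannot be bound with `bind_param`.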

– Funk Forty Niner
  • Thanks, I'll be sure to use mysqli_* functions in the future. I changed everything you recommended. Still doesn't seem to work though. – user3491695 Apr 03 '14 at 01:16
  • You're welcome. Check to see if `$_SESSION['critic_name']` is indeed set and not empty by doing `var_dump($_SESSION['critic_name']);` if it shows up empty/NULL then that's another problem because your entire query is based on whether the session is set. @user3491695 – Funk Forty Niner Apr 03 '14 at 01:23
  • Also, these are other conditional statements that your query is relying on `(isset($_POST['reviewmovie']) && isset($_POST['rating'])` are your form elements named and no spelling mistakes? Letter-case is also important. `name="reviewmovie"` and `name="ReviewMovie"` are not the same. Double check everything. Even if ONE is mispelled or has a missing `name="something"`, your query will fail. @user3491695 – Funk Forty Niner Apr 03 '14 at 01:27