0
<?php
if (isset($_POST['submitted'])){
include('connect.php');
$name=$_POST['name'];
$addr=$_POST['addr'];
$phno=$_POST['phno'];
$tr=$_POST['tr'];
$trd=$_POST['trd'];
$sname=$_POST['sname'];
$sphno=$_POST['sphno'];
$sfield=$_POST['sfield'];
$med=$_POST['med'];
$apaid=$_POST['apaid'];
$apend=$_POST['apend'];

$sqlinsert="INSERT INTO patient (name , addr , phno , tname , tdate , sName , sphno , sSpeciality , med , amtpaid , amtrem) VALUES 
('$name','$addr','$phno','$tr','$trd','$sname','$sphno','$sfield','$med','$apaid','$apend')";

if(!mysql_query($dbcon , $sqlinsert))
{
        die('error inserting new record');
}
else
echo "new";
}
?>

<html>
<head>
    <title>Insert Data</title>
</head>
<body>
<h1>Insert Data</h1>
<form method="post" action="insert.php">
<input type="hidden" name="submitted" value="true" />
<fieldset>
<legend>New Patient</legend>
<label>Name : <input type="text" name="name" /></label>
<label>Address : <input type="text" name="addr" /></label>
<label>Phone no : <input type="text" name="phno" /></label>
<label>Treatment : <input type="text" name="tr" /></label>
<label>Treatment date : <input type="text" name="trd" /></label>
<label>Specialist Recommended : <input type="text" name="sname" /></label>
<label>Specialist phno : <input type="text" name="sphno" /></label>
<label>Specialist field : <input type="text" name="sfield" /></label>
<label>Medicine : <input type="text" name="med" /></label>
<label>Amount Paid : <input type="text" name="apaid" /></label>
<label>Amount Pending : <input type="text" name="apend" /></label>
</fieldset>
<br />
<input type="submit"value="add new record" />
</form>
</body>
</html>

i m getting this error while inserting even when the table has a string variable

Warning: mysql_query() expects parameter 1 to be string, object given in C:\xampp\htdocs\insert.php on line 18 error inserting new record

please help...

Neel Shah
  • 319
  • 7
  • 16
  • **By building SQL statements with outside variables, you are leaving yourself open to SQL injection attacks.** Also, any input data with single quotes in it, like a name of "O'Malley", will blow up your SQL query. Please learn about using parametrized queries, preferably with the PDO module, to protect your web app. [This question](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) has many examples in detail. You can also see http://bobby-tables.com/php for alternatives and explanation of the danger. – Andy Lester Apr 09 '14 at 17:53

3 Answers3

1

Read the docs:

mixed mysql_query ( string $query [, resource $link_identifier = NULL ] )

Side point:

There is no more support for mysql_* functions, they are officially deprecated, no longer maintained and will be removed in the future. You should update your code with PDO or MySQLi to ensure the functionality of your project in the future.

qwertynl
  • 3,912
  • 1
  • 21
  • 43
1

check this manual. http://php.net/manual/en/function.mysql-query.php Parameter 1 is query and 2 is conn

kayra
  • 228
  • 3
  • 10
0

you are passing mysql connection object as argument to mysql_query() function . mysql_query() expects only 1 string parameter . use mysqli_query() you have to change your code .. 

<?php
if (isset($_POST['submitted'])){
include('connect.php');
$name=$_POST['name'];
$addr=$_POST['addr'];
$phno=$_POST['phno'];
$tr=$_POST['tr'];
$trd=$_POST['trd'];
$sname=$_POST['sname'];
$sphno=$_POST['sphno'];
$sfield=$_POST['sfield'];
$med=$_POST['med'];
$apaid=$_POST['apaid'];
$apend=$_POST['apend'];

$sqlinsert="INSERT INTO patient (name , addr , phno , tname , tdate , sName , sphno , sSpeciality , med , amtpaid , amtrem) VALUES 
('$name','$addr','$phno','$tr','$trd','$sname','$sphno','$sfield','$med','$apaid','$apend')";

if(!mysqli_query($dbcon , $sqlinsert))
{
        die('error inserting new record');
}
else
echo "new";
}

?>

Azeem Hassni
  • 885
  • 13
  • 28