<?php
include("db.php");
$name=$_REQUEST['name'];
$mail=$_REQUEST['email'];
$yname=$_REQUEST['yname'];
$result=mysql_query("SELECT * FROM information WHERE uname = '$name' ");

if (mysql_num_rows($result) == 0) {

    $query=mysql_query("INSERT into noresult (Serial,searchname,yourname,email)
        VALUES ('',$name','$yname','$mail')");
    if ($query){
        header('Location:nullresult.php');
    }
    else{
        echo "Query failure";
    }

}

?>

This returns 'Query Failure'. It was working some time back with the table name 'seeker'. Then I dropped it and created a new table 'noresult', as the previous one was a bit messed up. Suddenly the query fails.

Note: seeker and noresult have the same columns.

Abhishek Singh
  • **By building SQL statements with outside variables, you are leaving yourself open to SQL injection attacks.** Also, any input data with single quotes in it, like a name of "O'Malley", will blow up your SQL query. Please learn about using parametrized queries, preferably with the PDO module, to protect your web app. [This question](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) has many examples in detail. You can also see http://bobby-tables.com/php for alternatives and explanation of the danger. – Andy Lester Apr 17 '14 at 17:39
  • Thanks. Didn't know about these. As a beginner my primary goal was to see whether I could implement certain things. Will take care of the issues next time. – Abhishek Singh Apr 17 '14 at 18:30
  • The other big benefit of using prepared statements is that you don't run into the quoting problems that you ran into above. – Andy Lester Apr 17 '14 at 18:31

2 Answers

You're missing a single quote in your query:

$query=mysql_query("INSERT into noresult (Serial,searchname,yourname,email)
    VALUES ('','$name','$yname','$mail')");
      there----^
larsAnders
  • I'd double check the casing of `Serial` vs. `serial`, too, if this doesn't solve it for you right away. +1 – Patrick Moore Apr 17 '14 at 17:22
  • From the [MySQL documentation](http://dev.mysql.com/doc/refman/4.1/en/identifier-case-sensitivity.html): "Column and index names are not case sensitive on any platform, nor are column aliases." However, table names are case-sensitive on certain platforms, so you may want to check `noresult`. – larsAnders Apr 17 '14 at 17:25
  • There is no issue of casing. I tried with both `serial` and `Serial`. – Abhishek Singh Apr 17 '14 at 18:22

Try this updated query:

$query=mysql_query("INSERT into noresult (Serial,searchname,yourname,email)
        VALUES ('','".$name."','".$yname."','".$mail."')");

Also check all the column names in table noresult.

shashank
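
The parametrized-query approach recommended in the comments, applied to the question's lookup and insert. This is an added example, not code from any poster in the thread; it assumes an in-memory SQLite database in place of the MySQL connection from db.php, a table layout constructed from the column names in the question, and a hypothetical helper `logMissingSearch`.

```php
<?php
// Added example, not code from the thread. Assumptions: an in-memory SQLite
// database stands in for the MySQL connection made in db.php, and the table
// layouts below are constructed from the column names shown in the question.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE information (uname TEXT)');
$pdo->exec('CREATE TABLE noresult (
    Serial INTEGER PRIMARY KEY AUTOINCREMENT,
    searchname TEXT, yourname TEXT, email TEXT)');

// Hypothetical helper: the question's lookup-then-log logic with placeholders.
function logMissingSearch(PDO $pdo, string $name, string $yname, string $mail): bool
{
    $lookup = $pdo->prepare('SELECT COUNT(*) FROM information WHERE uname = :name');
    $lookup->execute([':name' => $name]);
    if ((int) $lookup->fetchColumn() > 0) {
        return false; // name exists, nothing to log
    }
    // Serial is omitted so the database assigns it; values are bound, never
    // spliced into the SQL text, so a stray or missing quote cannot break it.
    $insert = $pdo->prepare(
        'INSERT INTO noresult (searchname, yourname, email)
         VALUES (:searchname, :yourname, :email)'
    );
    return $insert->execute([
        ':searchname' => $name,
        ':yourname'   => $yname,
        ':email'      => $mail,
    ]);
}

// Constructed inputs: names containing quotes that would break an interpolated query.
$samples = [
    ["O'Malley", 'Abhishek', 'a@example.com'],
    ["a', 'b", 'Abhishek', 'a@example.com'],
];
foreach ($samples as [$name, $yname, $mail]) {
    try {
        logMissingSearch($pdo, $name, $yname, $mail);
    } catch (PDOException $e) {
        error_log('Insert failed: ' . $e->getMessage()); // the real reason, not just "Query failure"
    }
}
// Both rows are stored verbatim as data.
foreach ($pdo->query('SELECT Serial, searchname FROM noresult') as $row) {
    echo $row['Serial'], ': ', $row['searchname'], PHP_EOL;
}
```

Against MySQL, construct the PDO object with a `mysql:` DSN instead; the `mysql_*` functions used in the question were removed in PHP 7.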