inserting user input data into database

Question

i have a form ("aud.php") with 3 fields: YEAR: can be(fe,se,te,be) SEMESTER: can be (1 or 2) SUBJECT: can be (any VARCHAR datatype)

Now, i have a database ("einternals") with four tables (fe,se,te,be). Each table has 2 fields (sem1 or sem2). The problem is when i submit the form, the data is not getting inserted into the databse.

HERE"S the "aud.php" file:

$con = mysql_connect("localhost","root","","einternals");
if (!$con)
{
 die('Could not connect: ' . mysql_error());
}
else
{
echo "Go ahead and edit";
}
?>

<html>
<body background="bg1.jpg">
<h2 align="left"><a href="logout.php">LOGOUT</a></h2>

<form action="add.php" method="post">
<h1 align="center"><u>ADD A SUBJECT</u></h1>

<p align="center">&nbsp&nbsp&nbsp&nbspYEAR: <input type="text" name="year" required/></p><br>

<p align="center">SEM: <input type="text" name="sem" required/></p><br>

<p align="center">&nbsp&nbspSUBJECT: <input type="text" name="subject" required /></p><br>

<p align="center"><input type="submit" value="ADD" /></p>

</form>

<form action="delete.php" method="post">
<h1 align="center"><u>DELETE A SUBJECT</u></h1>

<p align="center">&nbsp&nbsp&nbsp&nbspYEAR: <input type="text" name="year" required/></p><br>

<p align="center">SEM: <input type="text" name="sem" required/></p><br>

<p align="center">&nbsp&nbspSUBJECT: <input type="text" name="subject" required /></p><br>


<p align="center"><input type="submit" value="DELETE" /></p>

</form>

</body>
</html>

HERE's the "add.php" file:

<?php
$con = mysql_connect("localhost","root","");
if (!$con)
{
 die('Could not connect: ' . mysql_error());
}
else
{
 mysql_select_db("einternals", $con);
 if('$_POST[sem]'==1)
  {
   $sql="INSERT INTO '$_POST[year]'(sem1)
   VALUES
   ('$_POST[subject]')";

   if (!mysql_query($sql,$con))
   {
   die('Error: ' . mysql_error());
   }
}
else
{
 $sql="INSERT INTO '$_POST[year]'(sem2)
 VALUES
 ('$_POST[subject]')";

 if (!mysql_query($sql,$con))
 {
  die('Error: ' . mysql_error());
 }
}
echo "Operation successful";


}
mysql_close($con)
?>

a syntax error that says "Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''fe'(sem2) VALUES ('evs')' at line 1" — nido, Oct 27 '14 at 04:40

Sougata Bose · Answer 1 · 2014-10-27T04:50:07.007

0

a space needed in the query and no quotes needed.

instead of  - `"INSERT INTO '$_POST[year]'(sem1)
VALUES
('$_POST[subject]')"`

try this -

"INSERT INTO ".$_POST['year']." (sem1)
VALUES
('$_POST[subject]')"

edited Oct 27 '14 at 04:50

answered Oct 27 '14 at 04:43

Sougata Bose

31,517
8
49
87

here's what i did INSERT INTO ".$_POST[year]"(sem1) and its showin Parse error: syntax error, unexpected '"' in C:\xampp\htdocs\einternals\add.php on line 12 – nido Oct 27 '14 at 04:51
missed that dot `".$_POST[year]."` and add the `space` – Sougata Bose Oct 27 '14 at 05:02

score 0 · Answer 2 · answered Oct 27 '14 at 04:44

0

try this for connection

  $con = mysql_connect("localhost","root","");
    mysql_select_db("einternals");

you have to use mysql_select_db() for select your database you are trying to make database connection as mysqli_* function

answered Oct 27 '14 at 04:44

Dinesh

4,066
5
21
35

i dont think thats the problem cuz the connection worked fine with other scripts – nido Oct 27 '14 at 04:49
it is best to call mysql_select_db() soon after - it takes just one argument, which is the name of the database you wish to use. – Dinesh Oct 27 '14 at 04:52

score 0 · Answer 3 · edited May 23 '17 at 12:20

0

Just remove single quotes and add a space between table and column names

$sql="INSERT INTO $_POST[year] (sem1)
   VALUES
   ('$_POST[subject]')";

Also mysql_* is deprecated use PDO instead to prevent your app from sql injection have a look at: What is PDO , how it's related with sql injection & why i should use this?

edited May 23 '17 at 12:20

Community

1
1

answered Oct 27 '14 at 04:44

Tushar Gupta

15,504
1
29
47

Rakesh Sharma · Answer 4 · 2014-10-27T04:52:24.530

0

Try to added proper quoting to post data for check and in query

<?php
$con = mysql_connect("localhost","root","");
if (!$con)
{
 die('Could not connect: ' . mysql_error());
}
else
{
 mysql_select_db("einternals", $con);
 if($_POST['sem']==1)
  {
   $sql="INSERT INTO ".$_POST['year']." (sem1) VALUES ('".$_POST['subject']."')";
   if (!mysql_query($sql,$con)) {
     die('Error: ' . mysql_error());
   }
}
else {
 $sql="INSERT INTO ".$_POST['year']." (sem2) VALUES ('".$_POST['subject']."')";
 if (!mysql_query($sql,$con)) {
  die('Error: ' . mysql_error());
 }
}
echo "Operation successful";
}
mysql_close($con)
?>

Note :- mysql_* has been deprecated use mysqli_* or pdo

    you need to escape post data to prevent `sql injection`

edited Oct 27 '14 at 04:52

answered Oct 27 '14 at 04:46

Rakesh Sharma

13,680
5
37
44

i think you should add white space after concatenate year $sql="INSERT INTO ".$_POST['year']." (sem2) VALUES ('".$_POST['subject']."')"; – Syed Arif Iqbal Oct 27 '14 at 04:51
1

your variable should return like this. `"INSERT INTO 1999(sem2) VALUES ('value');` but this is invalid query between table and field name must have a space. – Syed Arif Iqbal Oct 27 '14 at 04:58

inserting user input data into database

4 Answers4