-1

I am trying to make a basic song info page, and my only problem is the SQL. I keep getting this message:

Warning: mysqli_query() expects parameter 1 to be mysqli, string given in /var/www/tts/recommend-action.php on line 33

Here is my code:

<?php

session_start();

ini_set("display_errors",true);

ob_start();

$host = "localhost"; 
$user = "root";
$pass = "[MYPASSWORD]";
$db = "[MYDATABASE]";
$tb = "recommendation";

$link = mysqli_connect($host, $user, $pass, $db) or die("Failed to connect.");

$song = $_POST['song'];
$album = $_POST['album'];
$artist = $_POST['artist'];
$linkitunes = $_POST['linkitunes'];
$artwork = $_POST['albumPic'];

$song = stripslashes($song);
$album = stripslashes($album);
$artist = stripslashes($artist);
$link = stripslashes($linkitunes);
$artwork = stripslashes($artwork);

print "<br /><br /><b>User ID: </b>" . $_SESSION['user_id'] . "<br /><b>Song: </b>$song<br /><b>Album: </b>$album<br /><b>Artist: </b>$artist<br /><br />";

$sql = "INSERT INTO recommendation (user_id, artist, song, album, artwork, linkitunes) VALUES (" . $_SESSION['user_id'] . ", $artist, $song, $album, $artwork, $linkitunes);";

$postrec = mysqli_query($link, $sql);

if ($postrec == true) {
    print "sucess";
}
else {
    print "<br /><br />failed";
}

ob_flush();

?>

I cannot find a solution. Help is very greatly appreciated.

Dharman
  • I know for a fact that all the connections are valid. No problem there. – Cameron Montesano Jan 28 '15 at 18:46
  • 1
    Besides the answer below, you're more than likely passing strings in your values. `or die(mysqli_error($link))` to `mysqli_query()` would have thrown an error. – Funk Forty Niner Jan 28 '15 at 18:50
  • Since you are pulling in your answers from $_POST, it could just be easier to use a prepared statement. Would protect you from most damaging effects of the values you're trying to insert. http://php.net/manual/en/mysqli.prepare.php @CameronMontesano – Michael Lea Crawford Jan 28 '15 at 18:53
  • What do you mean passing strings in my values? – Cameron Montesano Jan 28 '15 at 18:54
  • Take it up with the answer below. No sense for me putting in one now, not a "partial" answer anyway. I'll get downvoted for it. No thanks. Read this too http://php.net/manual/en/function.error-reporting.php which may very well pop up some new errors on top of what you're receiving now. I've never heard of an artist called `12345`. UB 40, but that contains a string ;-) – Funk Forty Niner Jan 28 '15 at 18:55
  • 1
    **Building SQL statements with outside variables makes your code vulnerable to SQL injection attacks.** Also, any input data with single quotes in it, like "O'Malley", will blow up your query. Learn about parametrized queries, preferably with the PDO module, to protect your web app. [This question](http://stackoverflow.com/questions/60174) has many detailed examples. See also http://bobby-tables.com/php for alternatives & explanation of the danger. – Andy Lester Jan 28 '15 at 18:55
  • I now get this message: – Cameron Montesano Jan 29 '15 at 16:12
  • Notice: Undefined variable: link in /var/www/tts/recommend-action.php on line 33 Warning: mysqli_query(): Empty query in /var/www/tts/recommend-action.php on line 33 – Cameron Montesano Jan 29 '15 at 16:13
  • You said you changed the variable name of the string. Did you change the name of your `mysqli_connect` variable? `$link = mysqli_connect(...);` – showdev Jan 29 '15 at 18:38

1 Answer

4

You connect fine and $link is good:

$link = mysqli_connect($host, $user, $pass, $db) or die("Failed to connect.");

But then later redefine as a string:

$link = stripslashes($linkitunes);

And then you try and use the string:

$postrec = mysqli_query($link, $sql);
AbraCadaver
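
Putting the answer and the comments together, as an added example (not code from the question or the answer): the connection handle keeps its own name so the iTunes URL cannot overwrite it, and the insert uses a mysqli prepared statement as the comments suggest. The names `$conn`, `$rec` and `save_recommendation()` are hypothetical; the table, columns and form fields are the ones in the question.

```php
<?php
// Added example: assumes the question's table, columns and form field names.
session_start();
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of failing silently

// Insert one row; $conn is only ever the mysqli handle (hypothetical helper).
function save_recommendation(mysqli $conn, int $userId, array $rec): bool
{
    $stmt = $conn->prepare(
        "INSERT INTO recommendation (user_id, artist, song, album, artwork, linkitunes)
         VALUES (?, ?, ?, ?, ?, ?)"
    );
    // "i" = integer, "s" = string. Values travel separately from the SQL text,
    // so a quote in "O'Malley" neither breaks the query nor changes its structure.
    $stmt->bind_param("isssss", $userId, $rec['artist'], $rec['song'],
        $rec['album'], $rec['artwork'], $rec['linkitunes']);
    return $stmt->execute();
}

if (!isset($_SESSION['user_id'])) {
    http_response_code(403);
    exit("Not logged in.");
}

// Column name => POST field name; non-string input (e.g. arrays) becomes ''.
$fields = ['song' => 'song', 'album' => 'album', 'artist' => 'artist',
           'linkitunes' => 'linkitunes', 'artwork' => 'albumPic'];
$rec = [];
foreach ($fields as $column => $postKey) {
    $value = $_POST[$postKey] ?? '';
    $rec[$column] = is_string($value) ? $value : '';
}

// Escape on output: request data is about to be placed into HTML.
$e = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
printf("<b>User ID: </b>%d<br /><b>Song: </b>%s<br /><b>Album: </b>%s<br /><b>Artist: </b>%s<br />",
    (int) $_SESSION['user_id'], $e($rec['song']), $e($rec['album']), $e($rec['artist']));

try {
    $conn = mysqli_connect("localhost", "root", "[MYPASSWORD]", "[MYDATABASE]");
    $conn->set_charset("utf8mb4");
    save_recommendation($conn, (int) $_SESSION['user_id'], $rec);
    print "success";
} catch (mysqli_sql_exception $ex) {
    error_log($ex->getMessage()); // details go to the server log, not the page
    print "<br /><br />failed";
}
```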