SQL insert not saving to database

Question

Im having trouble getting this simple code to work, it,s part of a rating script for a product page.

$connn = new mysqli($servername, $username, $password, $dbname);
if ($connn->connect_error) {
    die("Connection failed: " . $connn->connect_error);
}

$vresult1 = mysqli_query($connn,"SELECT * FROM rating_log WHERE ip=$userIP AND product_id=$pid");

if ($vresult1->num_rows > 0) {
    // ERROR: user already voted
    $v_msg = '<div style="color:red;">You have already voted on this product!</div>';
} else {
    // enter vote
    mysqli_query($connn,"UPDATE wc_products SET rating=$votecnt1");
    mysqli_query($connn,"INSERT INTO rating_log (ip, product_id) VALUES ($userIP, $pid)");
    $v_msg = '<div style="color:green;">Thank you for voting! DEBUG['.$userIP.'-'.$pid.']</div>';
}
$conn->close();
} // end rating

All this should do is add a new entry which logs a user ip and the id of the product, then update the product db to register the vote. The update works fine but it wont log the user.

`$userIP` that contains a character that MySQL will complain about, being the dots and is considered as a string. Quote it. Checking for errors would have triggered the syntax error. http://php.net/manual/en/mysqli.error.php — Funk Forty Niner, May 08 '15 at 18:30
try to figure our error by writing or die(mysqli_error($conn));beside your mysli_query code. — Alive to die - Anant, May 08 '15 at 18:34

score 1 · Accepted Answer · edited May 23 '17 at 12:07

1

Try this:

$userIP = $mysqli->real_escape_string($userIP);
$pid = $mysqli->real_escape_string($pid);
 mysqli_query($connn,"INSERT INTO rating_log (ip, product_id) VALUES ('$userIP', '$pid')");

Single quotes should be used for string values like in the VALUES() list. for more details read this post answer: When to use single quotes, double quotes, and backticks in MySQL

edited May 23 '17 at 12:07

Community

1
1

answered May 08 '15 at 18:35

saqibahmad

962
1
9
18

This answer is susceptible to SQL injection. – Charles Sprayberry May 08 '15 at 18:36
your edit is even worse, OP is using `mysqli_` and not `mysql_` functions. – Funk Forty Niner May 08 '15 at 18:39
Please read up on the `mysqli_real_escape_string()` function - http://php.net/manual/en/mysqli.real-escape-string.php - *`string mysqli_real_escape_string ( mysqli $link , string $escapestr )`* - your edit will still fail. – Funk Forty Niner May 08 '15 at 18:41
looks good to me, thanks for fixing it. – Funk Forty Niner May 08 '15 at 18:46
@cspray is it fine now? – saqibahmad May 08 '15 at 18:47
however, including an explanation as to why OP's code is failing, will help future readers to the question (including the OP), know where they went wrong. "Try this" doesn't educate anyone. ;-) – Funk Forty Niner May 08 '15 at 18:47

SQL insert not saving to database

1 Answers1