<?php
include 'db.php';
$serial= $_POST['serial'];
$date_of_reg = $_POST['date_of_reg'];
$name = $_POST['name'];
$doc_type = $_POST['doc_type'];
$sql = "INSERT INTO clients (serial,date_of_reg,name,doc_type) VALUES ('$serial','$date_of_reg','$name', '$doc_type');";
$result = mysql_query($sql, $link);
if ($result == false) {
include "src/header.php";
include "src/mainmenu.php";
echo '<p>Error: cannot execute query</p>';
echo '<p><a href="register.php">Try again</a></p>';
include "src/footer.php";
exit;
}
else {
header('Location: private.php');
}
mysql_close($link);
?>
Asked
Active
Viewed 49 times
-5
Funk Forty Niner
- 74,450
- 15
- 68
- 141
-
what is the error bhai? – ɹɐqʞɐ zoɹǝɟ Jul 23 '15 at 03:42
-
too many unknowns. check for errors, there's bound to be something wrong somewhere – Funk Forty Niner Jul 23 '15 at 03:43
-
1[**guess what you're using**](https://dev.mysql.com/doc/refman/5.5/en/keywords.html) – Funk Forty Niner Jul 23 '15 at 03:44
-
Also ensure you sanitize your inputs before putting them into the query – GeorgeQ Jul 23 '15 at 03:45
-
when i try to add data into 'serial' from form it shows me empty row in mysql. i set type of 'serial' as 'text' – Kartik Chaudhari Jul 23 '15 at 03:46
-
@ssnobody yeah... `name` too and have added that to my answer, but have stated in there that I've seen many use "name" without ticking it and with no issues, including myself. Most baffingly bizarre. +1 on your comment. – Funk Forty Niner Jul 23 '15 at 04:20
1 Answers
4
You're assuming success without checking for errors, which by doing that, would have signaled a syntax error to the effect of:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'serial
while using or die(mysql_error()) to mysql_query() in your code.
Being the use of a MySQL reserved word, being serial (edit) and name, but strangely enough, many have used that (name) without issues, myself included which baffles me.
Either rename it to "serials" which is safe to use, or wrap it in ticks:
INSERT INTO clients (`serial`, date_of_reg, `name`, doc_type)
Full line rewrite:
$sql = "INSERT INTO clients (`serial`,date_of_reg, `name`, doc_type)
VALUES ('$serial','$date_of_reg','$name', '$doc_type');";
$result = mysql_query($sql, $link) or die(mysql_error());
You should also escape your data, should your inputted data contain anything that MySQL may complain about also.
For example: James O'Neil will cause an issue with the apostrophe. Escape it:
$name = mysql_real_escape_string($_POST['name']);
...as you should for all your inputs.
Plus, in regards to SQL injection which is something you are open to, use mysqli with prepared statements, or PDO with prepared statements, they're much safer.
Add error reporting to the top of your file(s) which will help find errors.
<?php
error_reporting(E_ALL);
ini_set('display_errors', 1);
// rest of your code
Sidenote: Error reporting should only be done in staging, and never production.
Should you get a deprecation notice, you will see what you'll have to do; switch to MySQLi or PDO, which you should do anyway, since it will be removed from future PHP release.
Be ahead of the game.
Footnotes:
Since you're using a form which is something you didn't post, make sure that it does use a POST method and that all inputs have the "name" attributes for them and with no typos. An insight.
I.e.:
<form action="" method="post">
<input type="text" name="serial">
...
</form>
etc.
Edit:
as per a link you left for your form:
<input type="text" name="name" id="serial" />
That should read as <input type="text" name="serial" id="serial" /> you used "name" instead of "serial", and error reporting would have spotted that.
Then <input type="text" name="name" id="date_of_reg" /> again, using the wrong name attribute for it, being "name".
<input type="text" name="date_of_reg" id="date_of_reg" />
You cannot rely on "id" alone.
Connection:
Plus, since we don't know which MySQL API you're connecting with, make sure that it is in fact mysql_ and not mysqli_ or PDO, since you need to use the same from connection to query.
- Those different APIs do not intermix.
References:
Community
- 1
- 1
Funk Forty Niner
- 74,450
- 15
- 68
- 141
-
-
-
-
@KartikChaudhari huh? are you trying to drop code in comments? – Funk Forty Niner Jul 23 '15 at 04:06
-
@KartikChaudhari copy my code **exactly** as shown. Those are not regular quotes `'` but ticks `\`` which resembles quotes but are **not** the same. either do that, or rename your column to "serials" in plural form. – Funk Forty Niner Jul 23 '15 at 04:09
-
register.php :- http://textuploader.com/a5pmd . register_action.php :- http://textuploader.com/a5pml – Kartik Chaudhari Jul 23 '15 at 04:13
-
for one thing `` that should read as `` you used "name" instead of "serial", and error reporting would have spotted that @KartikChaudhari – Funk Forty Niner Jul 23 '15 at 04:15
-
1A a note, `name` is also a reserved word so should also be backticked – ThatOneDude Jul 23 '15 at 04:17
-
@ssnobody yes I saw your comment under OP's question where I replied but you deleted it. Thanks for the input. – Funk Forty Niner Jul 23 '15 at 04:20
-
1Yup, apologies for altering the record but I thought it was more appropriate on the answer already referencing the reserved words. – ThatOneDude Jul 23 '15 at 04:24
-
-
@KartikChaudhari I've made a few edits since you first saw my answer and have spotted a few more errors you made. Reload it and read it carefully and in its entirety. Use error reporting and error checking on your query as shown in my answer. – Funk Forty Niner Jul 23 '15 at 04:39
-
@Fred-ii- You have way more patience than me to write such answers :) – Rizier123 Jul 23 '15 at 12:08
-
1