Why doesn't my php connect to sql database code work?

Question

/* I have set up a database in my php admin and use dreamweaver. Not sure why it doesn't work. The $ vars are taken from the ftp site i use. Here is the code: */

<?php
$db_host = "host";
$db_username = "user_name";
$db_pass = "password";
$db_name = "db_name";

@mysql_connect($db_host, $db_username $db_pass) or die ("Could not connect 
to MySQL");
@mysql_select_db($db_name) or die ("No database"); 

$sql = "INSERT INTO 'signups' (FirstName, LastName, email,CompanyName, 
JobTitle, ProductSector,ProductWebsite,ProductName,id)
VALUES ('$FirstName', '$LastName', '$email','$CompanyName', '$JobTitle', 
'$ProductSector','$ProductWebsite','$ProductName','$id')";
?>

miss [something](http://php.net/manual/it/function.mysql-query.php)? also the query contains syntax errors — Federkun, Sep 26 '15 at 21:19
? sorry, but i am a noob. i checked this syntax sooo many times with different srcs and it appear correct. not sure where this is wrong... — user3427435, Sep 26 '15 at 21:27

score 1 · Answer 1 · edited May 23 '17 at 12:29

I realize this is a 'quick and easy' way to connect to MySQL - but it is extremely prone to Sql injection. A parameterized query is a more secure approach. Additionally, the 'mysql' driver should not be used the driver is deprecated and will not exist in php7. Instead, MySQLi or PDO driver(preferred) for sql is to be used. The MySQL_connect is no longer documented on the PHP website.

Even if this is a test environment, I would strongly encourage switching to a secure driver early.

As Elias Nicolas pointed out... Placing the @ symbol in front of mysql_connect causes any error you are having to be 'skipped'. The error won't log, and it will make it look like there isn't a problem when there is.

Edit: This will get you close to Mysqli - should already exist in the extensions for php. You might need to enable it in the php.ini. Also, you might need single ' marks around the ?'s. i.e: ('?').

// don't forget to sub the vars!
$db_host = "host";
$db_username = "user_name";
$db_pass = "password";
$db_name = "db_name";

$link = new mysqli($db_host, $db_username, $db_pass, $db_name) or die ('Could not connect to the database server' . mysqli_connect_error());

$sql = <<<QUERY
INSERT INTO signups 
    (FirstName, LastName, email, CompanyName, JobTitle, ProductSector, ProductWebsite, ProductName, id)
VALUES
    (?,?,?,?,?,?,?,?,?);
QUERY;

if ($stmt = $mysqli->prepare($sql)) 
{
    $stmt->bind_param("sssssssss", $FirstName, $LastName, $email, $CompanyName, $JobTitle, $ProductSector, $ProductWebsite, $ProductName, $id);
    $stmt->execute();
}

$link->close();

score 0 · Answer 2 · answered Sep 26 '15 at 21:23

0

For your table name, and the names of the columns but not the values, you use ` instead of '. Your sql should look like this.

INSERT INTO `signups` (`FirstName`, `LastName` `email`, `CompanyName`, 
`JobTitle`, `ProductSector'`,`ProductWebsite`,`ProductName`,`id`)
VALUES ('$FirstName', '$LastName', '$email','$CompanyName', '$JobTitle', 
'$ProductSector','$ProductWebsite','$ProductName','$id')

Hope that helps.

answered Sep 26 '15 at 21:23

thanks but this doesn't work. i have edited the quotes to be straight quotes and it still doesn't show. can we confirm that this is a syntax issue? is the rest of the syntax ok? – user3427435 Sep 26 '15 at 21:39
I believe that it is. – Sep 26 '15 at 21:40
– user3427435 Sep 26 '15 at 21:46
Look at my code exactly. The quotes are different at certain points. Look at the quotes extremely carefully. – Sep 26 '15 at 21:48
thank you for your response. but even after direct c&p, it still doesn't work. – user3427435 Sep 26 '15 at 21:56
Are you putting the SQL into the $sql variable and then calling mysql_query($sql); – Sep 26 '15 at 22:50

Why doesn't my php connect to sql database code work?

2 Answers2