
insert.php

<?php
mysql_connect("localhost","root",""); mysql_select_db("basic");
$name=$_POST['fname'];
$twait=$_POST['twait'];
$cprice=$_POST['cprice'];
$dprice=$_POST['dprice'];
$order= "INSERT INTO calculator
        (name,total_wt,crt_price,dollar_rate) VALUES
        ('$name','$twait','$cprice','$dprice')";

$result = mysql_query('$order');
echo "Done";
?>

HTML page:

<!DOCTYPE html>
<html>
<head>
<title>JN DIAMONDS</title>
</head>
<body>
<form align="center" method="POST" action="insert.php">
    <fieldset>
        <legend>Info</legend><br>
        <input type="text" name="fname" placeholder="Name"><br><br>
        <input type="text" name="twait" placeholder="Total Rough Weight"><br><br>
        <input type="text" name="cprice" placeholder="1 Carat Price"><br><br>
        <input type="text" name="dprice" placeholder="Dollar Rate"><br><br>
        <input type="submit" name="submit" value="Submit"><br>
    </fieldset>
</form>
</body>
</html>
Rasclatt
John
    Hi John and welcome to SO (StackOverflow). I see you have just joined us. We strive to be a wonderful community and provide people with solutions to their coding problems as best we can. There are some basic fundamentals to [asking a good question](http://meta.stackexchange.com/help/how-to-ask) and consequently getting more experienced users to help you. In addition, most of us would like to see that you have put some effort into solving your problem. Show us what you've tried and what the results were. Again, welcome to SO! – Kuya Oct 14 '15 at 06:55
  • Remove the quotes from `$result = mysql_query($order);`. And stop using mysql; it is deprecated. Use `mysqli or PDO` instead – Saty Oct 14 '15 at 06:59
  • If you are not going to use `mysqli or PDO` with bound parameters (which is a bad idea not to), at least don't put unsanitized variables directly into the SQL – Rasclatt Oct 14 '15 at 07:03
  • Do yourself a favor - **stop using mysql_**. `mysql_` has been [deprecated](http://us3.php.net/manual/en/intro.mysql.php) since PHP 5.5 and removed in PHP 7. Using `mysql_` leaves you wide open to [sql injection attacks](https://www.owasp.org/index.php/SQL_Injection). Soon your code will stop functioning completely and you'll be back asking a [question like this](http://stackoverflow.com/questions/13944956/). Start learning [pdo_mysql](http://php.net/manual/en/ref.pdo-mysql.php). When your host upgrades to PHP 7, you will be so happy you did. – Kuya Oct 14 '15 at 07:04

4 Answers

$order is a variable containing your mysql string. When you put $order in quotes, then you are not sending $order into the mysql string, you are actually trying to execute the query '$order' which is not a valid mysql query.

Simply remove the quotes.

$result = mysql_query($order);

Gravy
  • No problem. Please however take note of the various comments suggesting that you move away from using `mysql` directly and use `pdo` instead. The mysql extension is deprecated. I recommend you also take a look at @VolkerK's answer. – Gravy Oct 14 '15 at 07:15

The actual error in your code has already been pointed out.
The mysql_* extension is deprecated and will be removed in the upcoming version 7 of php; choose another api to connect to your MySQL server, e.g. PDO. Using prepared statements will take care of the worst sql injections as well.

<?php
if ( !isset($_POST['fname'], $_POST['twait'], $_POST['cprice'], $_POST['dprice']) ) {
    trigger_error('missing POST parameter in '.var_export($_POST, true), E_USER_WARNING);
    echo '<html><head><title>...</title><body><h1>missing POST parameter</h1></body></html>';
}
else {
    $pdo = new PDO('mysql:host=localhost;dbname=basic;charset=utf8', 'root', '', array(
        PDO::ATTR_EMULATE_PREPARES=>false,
        PDO::MYSQL_ATTR_DIRECT_QUERY=>false,
        PDO::ATTR_ERRMODE=>PDO::ERRMODE_EXCEPTION
    ));
    $stmt = $pdo->prepare('
        INSERT INTO
            calculator
            (name,total_wt,crt_price,dollar_rate)
        VALUES
            (:fname,:twait,:cprice,:dprice)
    ');
    $stmt->execute(array(
        'fname'=>$_POST['fname'],
        'twait'=>$_POST['twait'],
        'cprice'=>$_POST['cprice'],
        'dprice'=>$_POST['dprice']
    ));
    echo "Done";
}
VolkerK

Please try this code

<?php
mysql_connect("localhost","root",""); mysql_select_db("basic");
$name=$_POST['fname'];
$twait=$_POST['twait'];
$cprice=$_POST['cprice'];
$dprice=$_POST['dprice'];
$order= "INSERT INTO calculator
        (name,total_wt,crt_price,dollar_rate) VALUES
        ('$name','$twait','$cprice','$dprice')";
$result = mysql_query($order);
echo "Done";
?>
Abhishek Sharma

Use mysqli instead of mysql.

$con = mysqli_connect('localhost', 'root', '', 'basic');
$name=$_POST['fname'];
$twait=$_POST['twait'];
$cprice=$_POST['cprice'];
$dprice=$_POST['dprice'];
$order= "INSERT INTO `calculator` (name,total_wt,crt_price,dollar_rate) 
VALUES ('".$name."','".$twait."','".$cprice."','".$dprice."')";

$result = mysqli_query($con,$order);
echo "Done";
Maha Dev
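Both of the last two answers fix the quoting mistake but still build the INSERT by splicing `$_POST` values into the SQL string, which is exactly what the comments above warn about: any field can carry a quote character and change the statement. As an added example (not code from any answer on this page), here is the same insert written with the mysqli extension the last answer recommends, but using a prepared statement and server-side validation of the three numeric fields. It assumes the `basic` database and `calculator` table from the question; the account name `calc_app` and its password are placeholders.

```php
<?php
// Added example: mysqli prepared statement with input validation.
// Assumes the "basic" database and "calculator" table from the question;
// the credentials below are placeholders, not values from the page.
declare(strict_types=1);

// Make mysqli throw mysqli_sql_exception instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Validate the raw form fields before anything touches the database.
 * Returns ['ok' => true, 'values' => [...]] or ['ok' => false, 'errors' => [...]].
 */
function validateCalculatorInput(array $post): array
{
    $errors = [];
    $clean  = [];

    $name = trim((string)($post['fname'] ?? ''));
    if ($name === '' || strlen($name) > 100) {
        $errors[] = 'Name must be 1-100 characters.';
    } else {
        $clean['name'] = $name;
    }

    // Weight, carat price and dollar rate must be non-negative decimal numbers.
    $numeric = ['twait' => 'total_wt', 'cprice' => 'crt_price', 'dprice' => 'dollar_rate'];
    foreach ($numeric as $field => $column) {
        $raw = trim((string)($post[$field] ?? ''));
        if (!is_numeric($raw) || (float)$raw < 0) {
            $errors[] = "$field must be a non-negative number.";
        } else {
            $clean[$column] = (float)$raw;
        }
    }

    return $errors ? ['ok' => false, 'errors' => $errors]
                   : ['ok' => true,  'values' => $clean];
}

/** Insert one validated row and return the new row id. */
function insertCalculatorRow(mysqli $db, array $values): int
{
    // The SQL text contains only placeholders; the values are sent separately,
    // so a quote or comment sequence in the input cannot alter the statement.
    $stmt = $db->prepare(
        'INSERT INTO calculator (name, total_wt, crt_price, dollar_rate) VALUES (?, ?, ?, ?)'
    );
    // Type string "sddd": one string followed by three doubles.
    $stmt->bind_param(
        'sddd',
        $values['name'],
        $values['total_wt'],
        $values['crt_price'],
        $values['dollar_rate']
    );
    $stmt->execute();
    $id = (int)$db->insert_id;
    $stmt->close();
    return $id;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $checked = validateCalculatorInput($_POST);
    if (!$checked['ok']) {
        http_response_code(400);
        foreach ($checked['errors'] as $message) {
            // Escape on output so an error echoing a field name cannot inject HTML.
            echo htmlspecialchars($message, ENT_QUOTES, 'UTF-8'), "<br>\n";
        }
        exit;
    }

    try {
        // Placeholder credentials: use a dedicated low-privilege account, not root.
        $db = new mysqli('localhost', 'calc_app', 'CHANGE_ME', 'basic');
        $db->set_charset('utf8mb4');
        $id = insertCalculatorRow($db, $checked['values']);
        echo 'Done (row ', $id, ')';
    } catch (mysqli_sql_exception $e) {
        // Keep driver error text in the server log; do not show it to the browser.
        error_log('calculator insert failed: ' . $e->getMessage());
        http_response_code(500);
        echo 'Could not save the record.';
    }
}
```

Two details worth keeping even if you only copy the structure: the numeric columns are validated and bound as doubles rather than as strings, so a value like `12abc` is rejected before the query runs, and the connection uses a dedicated account instead of `root`, which limits what a bug elsewhere in the application can reach.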