-1

I have created a PHP script which inserts values in my database, but it's not working. There is no error in the connection, and there is also no error in the database.

I have also tried the query in phpMyAdmin and it works perfectly. Please help me out. Here's the code; you can run it, I've changed the password.

<?php
    $con = mysqli_connect("mysql.hostinger.in","u744363236_users","stackoverflow","u744363236_users");
    // Check connection: mysqli_connect() returns false on failure, so test the return value
    if (!$con) {
        die("Connection failed: " . mysqli_connect_error());
    }

    // Values come straight from the POST body
    $name1 = $_POST['name'];
    $phone1 = $_POST['phone'];
    $password1 = $_POST['password'];
    // The values are interpolated into the SQL text without quotes
    $sql = "INSERT INTO users (name,phone,password) VALUES ($name1,$phone1,$password1)";
    if(mysqli_query($con,$sql)){
        echo 'succeed';
    }
    else{
        echo 'failure';
    }
    mysqli_close($con);
?>
Isaac Bennetch
  • 2
    Use single quotes for string values, or better yet prepared statements. Also don't put your credentials on a site with millions of users – Mihai Apr 03 '16 at 09:34
  • I tried single quotes.. still not working.. the result is failure... and thanks for the tip, although that's just a rough database... but still I've changed the password.. :) Other suggestions..??? – Chetan Pant Apr 03 '16 at 09:38
  • I'm not implementing it in HTML, it's just PHP which I'm testing with Postman ... actually your solution worked, thanks a lot... :) .. but now it's showing the error Unknown column '$name' in 'field list' – Chetan Pant Apr 03 '16 at 09:44
  • 1
    http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1 – Hanky Panky Apr 03 '16 at 09:49

1 Answer

0

Chetan, make the change as I describe for $sql.

Do not use $name1 in the string directly; use it like '".$name1."'

<?php
$con = mysqli_connect("localhost","root","","test");
// Check connection: mysqli_connect() returns false on failure, so test the return value
if (!$con) {
    die("Connection failed: " . mysqli_connect_error());
}

// Hard-coded sample values for the test
$name1 = "Hirendrasinh";
$phone1 = "9428416590";
$password1 = "Test1234";
// Each value is wrapped in single quotes so MySQL reads it as a string literal
$sql = "INSERT INTO users (name,phone,password) VALUES ('".$name1."','".$phone1."','".$password1."')";

if(mysqli_query($con,$sql)){
    echo 'succeed';
}
else{
    echo 'failure';
}
mysqli_close($con);
?>
  • http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1 – Hanky Panky Apr 03 '16 at 09:49
  • Thanks a lot... it worked like a charm.. :) ... could you please tell me what the problem was in the previous code.. :) – Chetan Pant Apr 03 '16 at 09:50
  • 1
    @Hirendrasinh S. Rathod: you can use `$name` directly inside double quotes. @ChetanPant: strings in SQL must be encapsulated within single quotes. So if you want to insert `$name` as value, you have to write `'$name'`. – Reversal Apr 03 '16 at 09:52
  • Actually, $name1 parses hirendrasinh into the $sql string, and that SQL is going to fire the query; at that time, it shows that error -> column hirendrasinh is not found. So we had to make the change like this; it's called SQL injection. :) – Hirendrasinh S. Rathod Apr 03 '16 at 09:52
  • 1
    This code is highly vulnerable towards SQL injection attacks! Use prepared statements! – Ikari Apr 03 '16 at 09:59
  • Use the escape string function to prevent SQL injection attacks. ;) `$name1 = mysqli_real_escape_string($con,"Hirendrasinh");` – Hirendrasinh S. Rathod Apr 03 '16 at 10:01
  • And also, instead of data, in phpMyAdmin it's showing me nothing, just blank, and in place of the phone number it's zero.. can you help me with this also..?? – Chetan Pant Apr 03 '16 at 10:08
  • @ChetanPant Print the SQL query in the browser with `echo $sql; exit;` ;) Afterwards you can verify whether your query is right, or send it here. – Hirendrasinh S. Rathod Apr 03 '16 at 10:11
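
The prepared-statement approach that several comments recommend, applied to the INSERT from this question, as an added example that is not part of the original thread. The `DB_*` environment variable names, the validation limits and the string-typed `users` columns are assumptions.

```php
<?php
// Added example, not from the thread. Assumes a MySQL table
// users(name VARCHAR, phone VARCHAR, password VARCHAR(255)) and connection
// settings in DB_HOST / DB_USER / DB_PASS / DB_NAME (hypothetical names).

// Make every mysqli failure throw instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function insert_user(mysqli $con, string $name, string $phone, string $password): void
{
    // Validate input before it reaches the database (limits are assumptions).
    if ($name === '' || strlen($name) > 100) {
        throw new InvalidArgumentException('invalid name');
    }
    if (!preg_match('/^\+?[0-9]{7,15}$/', $phone)) {
        throw new InvalidArgumentException('invalid phone');
    }
    if (strlen($password) < 8) {
        throw new InvalidArgumentException('password too short');
    }

    // Store a salted hash, never the plaintext password.
    $hash = password_hash($password, PASSWORD_DEFAULT);

    // The ? placeholders keep the values out of the SQL text: no manual
    // quoting is needed, and a quote inside $name cannot alter the statement.
    $stmt = $con->prepare('INSERT INTO users (name, phone, password) VALUES (?, ?, ?)');
    $stmt->bind_param('sss', $name, $phone, $hash); // 'sss' = three string parameters
    $stmt->execute();
    $stmt->close();
}

try {
    $con = new mysqli(getenv('DB_HOST'), getenv('DB_USER'), getenv('DB_PASS'), getenv('DB_NAME'));
    $con->set_charset('utf8mb4');
    insert_user($con, $_POST['name'] ?? '', $_POST['phone'] ?? '', $_POST['password'] ?? '');
    echo 'succeed';
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo 'failure: ' . $e->getMessage();
} catch (mysqli_sql_exception $e) {
    error_log($e->getMessage()); // database details go to the server log, not the client
    http_response_code(500);
    echo 'failure';
}
```

Binding the phone number as a string only preserves it as typed if the column is a string type.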