-1

I am trying to INSERT data into a table and I am using mysqli API executing query.

$insert = "INSERT INTO pdhp_patient 
                   (username, password, email, first_name,     
                    last_name, dob, gender, s_s_n, i_n) 
            VALUES ('$username', '$password', '$email', '$first_name', 
                    '$last_name', '$dob', '$gender', '$s_s_n', '$i_n');";

This is the query I am trying to execute.

mysqli_query($connection, $insert);

The previous line of code is for executing the query. This time the query returns false. I am unable to understand what the mistake is I Have even tried without the single quotes in the query. This however does not work.

Editted:

$username = $_POST['username'];
$password = $_POST['password'];
$email = $_POST['email'];
$first_name = $_POST['first_name'];
$last_name = $_POST['last_name'];
$dob = $_POST['dob'];
$dob = date("m-d-Y", strtotime($dob));
$gender = $_POST['gender'];
$cid = $_POST['country'];
$sid = $_POST['city'];
$s_s_n = $_POST['s_s_n'];
$i_n = $_POST['i_n'];

global $connection;




if(isset($_POST['type']) && $_POST['type']==="patient"){
    $insert = "INSERT INTO pdhp_patient (username, password, email, first_name, last_name, dob, gender, s_s_n, i_n) VALUES ('$username', '$password', '$email', '$first_name', '$last_name', '$dob', '$gender', '$s_s_n', '$i_n');";

    $insert = mysql_prep($insert);

        $result = mysqli_query($connection, $insert); 
if ( $result === false ) {
echo mysqli_error($connection);
exit;
}
        if($val){
        echo "This must be working";
    }else{
        echo "This was not working";
    }
}elseif(isset($_POST['type']) && $_POST['type']==="doctor"){
    $insert = "INSERT INTO pdhp_doctor (username, password, email, first_name, last_name, dob, gender, s_s_n, i_n) VALUES ($username, $password, $email, $first_name, $last_name, $dob, $gender, $s_s_n, $i_n);";
    $insert = mysql_prep($insert);
    mysqli_query($connection, $insert);
}elseif(isset($_POST['environment_radio']) && $_POST['type']==="environment"){
    $insert = "INSERT INTO pdhp_environmentalist (username, password, email, first_name, last_name, dob, gender, s_s_n, i_n) VALUES ($username, $password, $email, $first_name, $last_name, $dob, $gender, $s_s_n, $i_n);";
    $insert = mysql_prep($insert);
    mysqli_query($connection, $insert);
}

Some more code for proper info. This code chunk is what I wanna achieve. this is the full code. Thanks.

Joy Ram Sen Gupta
  • 365
  • 1
  • 6
  • 16
  • Maybe one of your variables is null,maybe the table structure is not what you think it is or the connection has issues..Show more code – Mihai Apr 19 '16 at 16:26
  • have look at [mysqli_error_list](http://php.net/manual/en/mysqli.error-list.php) and see what it tells you. – Zimmi Apr 19 '16 at 16:28
  • I am using $_POST method to get the variables from a form. – Joy Ram Sen Gupta Apr 19 '16 at 16:28
  • Just not enough information for us to work with – RiggsFolly Apr 19 '16 at 16:34
  • The connection s $connection. @RiggsFolly. – Joy Ram Sen Gupta Apr 19 '16 at 16:40
  • I am preparing the query using $escaped_string = mysqli_real_escape_string($connection, $string); before making the query. – Joy Ram Sen Gupta Apr 19 '16 at 16:41
  • Did you define `mysql_prep`? Where are you using the `escape`? What does `mysqli_error` give you now? – chris85 Apr 19 '16 at 17:34
  • **WARNING**: When using `mysqli` you should be using parameterized queries and [`bind_param`](http://php.net/manual/en/mysqli-stmt.bind-param.php) to add user data to your query. **DO NOT** use manual escaping and string interpolation or concatenation to accomplish this because you will create severe [SQL injection bugs](http://bobby-tables.com/) if you ever forget to properly escape something. I don't know what `mysql_prep` does but I doubt it handles things correctly. – tadman Apr 19 '16 at 17:36
  • mysql_prep does this-> mysqli_real_escape_string($connection, $string); – Joy Ram Sen Gupta Apr 19 '16 at 17:51
  • One question per question. You cannot just keep adding more errors and expect us to keep on going until we have re-written your code for you – RiggsFolly Apr 19 '16 at 18:53

2 Answers2

0

Give a man a fish, he eats today. Teach a man to fish, he eats everyday

Add some error checking

$insert = "INSERT INTO pdhp_patient 
                   (username, password, email, first_name,     
                    last_name, dob, gender, s_s_n, i_n) 
            VALUES ('$username', '$password', '$email', '$first_name', 
                    '$last_name', '$dob', '$gender', '$s_s_n', '$i_n');";


$result = mysqli_query($connection, $insert); 
if ( $result === false ) {
    echo mysqli_error($connection);
    exit;
}

Then you can probably fix your own errors

RiggsFolly
  • 93,638
  • 21
  • 103
  • 149
  • You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '\'jay\', \'asd\', \'something@something.com\', \'Jay\', \'RSGH\', \'1997-01-06\'' at line 1 It says something like this. where might be the error and is date the error? – Joy Ram Sen Gupta Apr 19 '16 at 16:44
  • Not without being able to see you schema, sorry no, but at least now you know what the error is – RiggsFolly Apr 19 '16 at 16:52
  • the problem is somewhere else. I am editing the question to provide some more information. please have a look. @RiggsFolly – Joy Ram Sen Gupta Apr 19 '16 at 17:00
  • You can also [enable exceptions](http://stackoverflow.com/questions/14578243/turning-query-errors-to-exceptions-in-mysqli) to make errors harder to ignore. – tadman Apr 19 '16 at 17:36
0

Per your update and comment your issue is that you are escaping the whole query, and not the values that you are passing in. That is not how escaping works, with escaping you escape the values going in incase they contain 's which would break the SQL encapsulation. So instead do..

$username = mysqli_real_escape_string($connection, $_POST['username']);
$password = mysqli_real_escape_string($connection, $_POST['password']);
$email = mysqli_real_escape_string($connection, $_POST['email']);
$first_name = mysqli_real_escape_string($connection, $_POST['first_name']);
$last_name = mysqli_real_escape_string($connection, $_POST['last_name']);
$dob = mysqli_real_escape_string($connection, $_POST['dob']);
$dob = mysqli_real_escape_string($connection, date("m-d-Y", strtotime($dob)));
$gender = mysqli_real_escape_string($connection, $_POST['gender']);
$cid = mysqli_real_escape_string($connection, $_POST['country']);
$sid = mysqli_real_escape_string($connection, $_POST['city']);
$s_s_n = mysqli_real_escape_string($connection, $_POST['s_s_n']);
$i_n = mysqli_real_escape_string($connection, $_POST['i_n']);

and get rid of mysql_prep. You should probably read up a bit more on SQL injections:

http://php.net/manual/en/security.database.sql-injection.php
https://www.owasp.org/index.php/SQL_Injection

The more secure approach is using parameterized queries with prepared statements.

http://php.net/manual/en/mysqli.quickstart.prepared-statements.php

chris85
  • 23,846
  • 7
  • 34
  • 51