-3

I am trying to add data to a MySQL database with PHP. I am connected to the database but the data is not being inserted into the table. Here is my code and thank you in advance!

<?php
ob_start();
include("db.php");
if(isset($_POST['send'])!="")
{
$sql = "INSERT INTO `Scouting`(`Team #`,`High Goal Made`,`High Goal     Missed`)
                        VALUES(`$username`,`$usermail`,`$usermobile`)";
$username=mysql_real_escape_string($_POST['Team #']);
$usermail=mysql_real_escape_string($_POST['High Goal Made']);
$usermobile=mysql_real_escape_string($_POST['High Goal Missed']);

    if ($conn->query($sql) === TRUE) {
echo "New record created successfully";
    } else {
echo "Error: " . $sql . "<br>" . $conn->error;
    }

if($update)
{
  $msg="Successfully Updated!!";
  echo "<script type='text/javascript'>alert('$msg');</script>";
  header('Location:index.php');
}
else
{
 $errormsg="Something went wrong, Try again";
  echo "<script type='text/javascript'>alert('$errormsg');</script>";
  header('Location:index.php');
}
}
ob_end_flush();
?>
wigchop
  • What does $update refer to? If it is empty or not set, the data would not be inserted, and that's normal – PacMan Apr 24 '16 at 03:33
  • Please show your HTML code as well. – Indrasis Datta Apr 24 '16 at 03:38
  • Wrong identifiers qualifiers and mixing apis – Funk Forty Niner Apr 24 '16 at 03:46
  • Thank you for submitting your status report. Was there a **question** you were going to ask? HINT: "here's my broken code, fix it for me" is not a question. (I do have a question. Is "db.php" using mysql_ interface functions, or mysqli or PDO?) Here's a comment. In a MySQL statement (such as an INSERT) backticks are used to escape identifiers. Single quotes enclose string literals. "`foo`" is an identifier. "'foo'" is a string literal. HINT: take a look at the VALUES clause in the INSERT statement. The values should be string literals, not identifiers. – spencer7593 Apr 24 '16 at 04:09

1 Answer

2

Your code has lots of problems:

  1. Unless you really have multiple consecutive spaces in your column name

    High Goal     Missed

    your query will never work.

  2. Worse, you try to use variables in your query before you set them. That also will never work.

  3. You also have syntax errors because you wrap your values in backticks (`) instead of quotes or single quotes.

  4. And on top of all of that, you appear to be mixing the MySQL (mysql_*) and MySQLi APIs. It's impossible to tell without seeing the contents of db.php, but there's no way that, for example, mixing $conn->query(...) and mysql_real_escape_string(...) is correct.

Your code should look something like this (untested):

<?php

ob_start();
include("db.php");
if(isset($_POST['send'])!="")
{
    $sql = "INSERT INTO `Scouting`(`Team #`,`High Goal Made`,`High Goal Missed`)
      VALUES(?, ?, ?)";
    $stmt = $conn->prepare($sql);
    $stmt->bind_param('sss', $_POST['Team #'], $_POST['High Goal Made'], $_POST['High Goal Missed']);
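    // execute() belongs to the prepared statement, not the connection
    $result = $stmt->execute();

    if ($result) {
        echo "New record created successfully";
    } else {
        // statement-level failures are reported on $stmt, not $conn
        echo "Error: " . $sql . "<br>" . $stmt->error;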
    }

    if($update) // you never set this; I have no idea what it is supposed to be
    {
        $msg="Successfully Updated!!";
        echo "<script type='text/javascript'>alert('$msg');</script>";
        header('Location:index.php');
    }
    else
    {
        $errormsg="Something went wrong, Try again";
        echo "<script type='text/javascript'>alert('$errormsg');</script>";
        header('Location:index.php');
    }
}
ob_end_flush();
?>

Other Problems

You should be using an IDE like PHPStorm, which would catch these things automatically.

Your variable names are extremely confusing and don't seem to match the fields from your form data. It looks like you are hacking together pieces of two or more scripts that you found somewhere. That's a recipe for disaster.

You are wide open to SQL injection. And please don't use mysql_*; the mysql_* functions are outdated, deprecated, and insecure. Use MySQLi or PDO instead.

elixenide
  • 1
    Wrong identifiers qualifiers in values and op is mixing apis – Funk Forty Niner Apr 24 '16 at 03:52
  • @Fred-ii- Added those points. Thanks for pointing them out. This is what I get for trying to fix utterly busted PHP/MySQL scripts tonight... – elixenide Apr 24 '16 at 04:03
  • `$conn->query()` makes it look like mysqli. But I'm suspicious. Without looking at db.php (which could be one of those clever wrappers that newbies hide mysql_ functions in. +10. Prepared statements with bind placeholders. I'm confused why the contents of a variable named $username would be inserted into column named "Team #". Same for the values assigned to other columns... $usermobile into "High Goals Missed". What the plastic? It's like two different scripts were jumbled together. I have to stop trying to figure it out, it's making my head hurt. – spencer7593 Apr 24 '16 at 04:17
  • @spencer7593 Yeah, it's not entirely clear that it's MySQLi. I've added some clarification. Re the field and variable names: I'm with you. I have no idea what's going on there. It's beyond confusing. – elixenide Apr 24 '16 at 04:21
  • 1
    I think `$username` (in the bind_param) should be replaced by `$_POST['Team #']`. That's what OP assigned to $username after the INSERT statement was executed. And it looks like `$update` is the return from query execution, evaluates to FALSE if there was an error in the SQL execution. (I'm cautiously optimistic that OP has created a table, and isn't expecting the INSERT to create a table.) – spencer7593 Apr 24 '16 at 04:26
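
A hardened version of the insert handler discussed in this thread, added here as an example and not code from the question, the answer, or any commenter. It assumes db.php creates a MySQLi connection in `$conn`, that the three columns hold whole numbers, and that the form posts hypothetical fields named `team`, `high_made` and `high_missed`; the range limits are constructed values.

```php
<?php
// Added example. Assumptions: db.php sets $conn = new mysqli(...); the form
// fields are named team, high_made, high_missed (hypothetical names).
// PHP rewrites spaces and dots in incoming field names to underscores, so a
// field called "High Goal Made" would not arrive under that key anyway.

// Make MySQLi throw exceptions instead of returning false silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
require 'db.php';

// Return the field as an int in [0, $max], or null if missing or malformed.
function scouting_int(array $src, string $key, int $max): ?int
{
    $v = filter_var($src[$key] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => $max]]);
    return $v === false ? null : $v;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['send'])) {
    $team   = scouting_int($_POST, 'team', 99999);       // constructed limit
    $made   = scouting_int($_POST, 'high_made', 1000);   // constructed limit
    $missed = scouting_int($_POST, 'high_missed', 1000); // constructed limit

    $status = 'invalid';
    if ($team !== null && $made !== null && $missed !== null) {
        try {
            // Backticks quote identifiers; values travel only as bound parameters.
            $stmt = $conn->prepare(
                'INSERT INTO `Scouting` (`Team #`, `High Goal Made`, `High Goal Missed`)
                 VALUES (?, ?, ?)'
            );
            $stmt->bind_param('iii', $team, $made, $missed);
            $stmt->execute();
            $status = 'ok';
        } catch (mysqli_sql_exception $e) {
            // Log the detail server-side; never echo SQL or driver errors to the client.
            error_log('Scouting insert failed: ' . $e->getMessage());
            $status = 'error';
        }
    }

    // Post/Redirect/Get: $status is one of three fixed strings, so the
    // Location header never contains user-controlled text.
    header('Location: index.php?status=' . $status, true, 303);
    exit;
}
```

index.php can map the `status` value to a fixed message of its own, which avoids interpolating any request data into an inline `<script>` block.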