
I've created the very simple script below, which is supposed to take information and insert it into a database; however, nothing happens when I do. What could trigger this? I've tried running the following in the URL:

http://localhost/insert.php?title=test&body=lol&longitude=12&latitude=53&status=0

<?php

  $db = new mysqli("localhost","test","test", "test");

  // Check connection
  if (mysqli_connect_errno())
  {
    echo "Failed to connect to MySQL: " . mysqli_connect_error();
  }

  if (isset($_GET['title']) && isset($_GET['body']) && isset($_GET['longitude']) && isset($_GET['latitude'])) {
    $title = $_GET['title'];
    $body = $_GET['body'];
    $longitude = (float)$_GET['latitude'];
    $latitude = (float)$_GET['latitude'];


    $strSQL = $db->query("INSERT INTO camps (title, body, longitude, latitude, status) VALUES (`$title`,  `$body`, `$longitude`,`$latitude`, 0)");



  }



?>
Peter Pik
  • Is your localhost running? Do you get php output if you navigate to something that you know works? – Richard May 10 '16 at 18:21
  • 1
    Check for errors after running a database query. I'm sure MySQL is telling you all sorts of problems there. For starters, you're using back-ticks where you shouldn't be. You're also not quoting string values. Aside from that, you're wide open to SQL injection and could be trying to execute *anything* in that query really. – David May 10 '16 at 18:22
  • $strSQL is true or false? Also, you could check if autocommit is enabled, by trying to add a "commit" after. – Felippe Duarte May 10 '16 at 18:22
  • 2
    **WARNING**: When using `mysqli` you should be using [parameterized queries](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and [`bind_param`](http://php.net/manual/en/mysqli-stmt.bind-param.php) to add user data to your query. **DO NOT** use string interpolation or concatenation to accomplish this because you have created a severe [SQL injection bug](http://bobby-tables.com/). **NEVER** put `$_POST` or `$_GET` data directly into a query, it can be very harmful if someone seeks to exploit your mistake. – tadman May 10 '16 at 18:23

1 Answer

You should check for errors after executing a query.

Remove the backticks around the values in your query, because these are for escaping column names. You should use single quotes instead:

 $strSQL = $db->query("INSERT INTO camps (title, body, longitude, latitude, status) VALUES ('$title',  '$body', '$longitude','$latitude', 0)");

But the best solution is to learn about prepared statements.

Jay Blanchard
Jens
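As an added example (not code from the question or the answer above), here is the same insert written the way the answer recommends: a mysqli prepared statement with `bind_param`, error reporting switched to exceptions so a failing query is no longer silent, and the coordinates validated before they reach the database. The table `camps` and its columns are taken from the question; the connection credentials are the placeholders from the question and are assumed, not real.

```php
<?php
declare(strict_types=1);

// Make mysqli throw mysqli_sql_exception on connection and query errors
// instead of returning false, which is what hid the problem in the question.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Insert one row into `camps` using a prepared statement.
 * Returns the AUTO_INCREMENT id of the new row.
 */
function insert_camp(mysqli $db, string $title, string $body, float $longitude, float $latitude, int $status = 0): int
{
    // Reject coordinates that cannot exist before touching the database.
    if ($longitude < -180.0 || $longitude > 180.0 || $latitude < -90.0 || $latitude > 90.0) {
        throw new InvalidArgumentException('longitude/latitude out of range');
    }

    // The ? placeholders keep user data out of the SQL text entirely, so a
    // title such as  x'), ('a','b',0,0,0); --  is stored as a plain string
    // rather than parsed as SQL.
    $stmt = $db->prepare(
        'INSERT INTO camps (title, body, longitude, latitude, status) VALUES (?, ?, ?, ?, ?)'
    );
    // Type string: one character per placeholder; s = string, d = double, i = integer.
    $stmt->bind_param('ssddi', $title, $body, $longitude, $latitude, $status);
    $stmt->execute();
    $id = (int) $db->insert_id;
    $stmt->close();
    return $id;
}

// Require every parameter instead of silently doing nothing when one is missing.
foreach (['title', 'body', 'longitude', 'latitude'] as $key) {
    if (!isset($_GET[$key])) {
        http_response_code(400);
        exit("missing parameter: $key");
    }
}

// filter_var returns false for non-numeric input instead of casting it to 0.0
// the way a bare (float) cast does. Note each value reads its own parameter.
$longitude = filter_var($_GET['longitude'], FILTER_VALIDATE_FLOAT);
$latitude  = filter_var($_GET['latitude'], FILTER_VALIDATE_FLOAT);
if ($longitude === false || $latitude === false) {
    http_response_code(400);
    exit('longitude and latitude must be numeric');
}

try {
    // Placeholder credentials taken from the question; replace with your own.
    $db = new mysqli('localhost', 'test', 'test', 'test');
    $db->set_charset('utf8mb4');
    $id = insert_camp($db, $_GET['title'], $_GET['body'], $longitude, $latitude);
    echo "inserted row $id\n";
} catch (mysqli_sql_exception $e) {
    // Log the real error server-side; do not echo SQL error text to the client.
    error_log('camps insert failed: ' . $e->getMessage());
    http_response_code(500);
    exit('database error');
}
```

Requesting `insert.php?title=test&body=lol&longitude=12&latitude=53` with this version either prints the new row id or returns a 400/500 with the cause logged, so a broken query can no longer look like "nothing happens". Inserting rows in response to a GET request is still a design weakness (any page that can make the browser fetch that URL can create rows); a POST endpoint with a CSRF token is the usual fix, but that is separate from the injection problem the answer addresses.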