Here is mySQL view:

[phpMyAdmin view of the table] And then here is my code:

<html>
    <head>
    </head>
    <body>
        <form action="formwrite.php" method="post">

            Description:<input type="text" name="description"><br/>
            Material:<input type="text" name="material"><br/>
            Type:<input type="text" name="type"><br/>
            Condition:<input type="text" name="condition"><br/>
            Price:<input type="text" name="price"><br/>

            <input type="submit" name="submit">

        </form>

        <?php

            if(isset($_POST['submit'])){

                $con=mysql_connect("localhost", "mysql", "test1");
                if (!$con) {
                    die ("Can not connect:". mysql_error() );
                }

                mysql_select_db("owenp",$con);

                $sql="INSERT INTO items(material,type,date,condition,price,description) VALUES('$_POST[material]','$_POST[type]',now(),'$_POST[condition]','$_POST[price]','$_POST[description]')";

                mysql_query($sql,$con);
                mysql_close($con);
            }
        ?>
    </body>
</html>

The problem that I'm experiencing is that the PHP runs without any errors but a record will not be created in my database. I have checked many times and everything points to the right place i.e. username and database/table names.

Thanks in advance for any help.

Gustavo Morales
  • [Little Bobby](http://bobby-tables.com/) says [your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard May 27 '16 at 13:23
  • Please [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard May 27 '16 at 13:23
  • Among other issues, `type` is a [MySQL Reserved Word](https://dev.mysql.com/doc/refman/5.5/en/keywords.html); so if you want to use it as a column or table name you must enclose it in backticks (`\``) – Mark Baker May 27 '16 at 13:24
  • What does `mysql_error()` tell you? I bet the database is trying to tell you what's wrong. – David May 27 '16 at 13:24
  • Sorry guys, my college uses an outdated version of PHP and I have to use mysql_* functions and the code itself can be whatever it can be as long as it works; I don't need to implement any additional measures such as protection against SQL injection attacks. Thanks for the help so far. – Owen Prescot May 27 '16 at 13:25
  • mysql_error() doesn't come up with anything, it just runs normally without actually making a record. – Owen Prescot May 27 '16 at 13:26
  • @MarkBaker *"Among other issues, type is a MySQL Reserved Word"* - I'm quite surprised you said that is a reserved word; keyword yes, reserved no. There is no `(R)` next to it. ;-) – Funk Forty Niner May 27 '16 at 13:31
  • `condition` is a reserved keyword, and has to be wrapped in backticks. https://dev.mysql.com/doc/refman/5.5/en/keywords.html (`type`, `date` and `date` are also keywords (not reserved), but don't strictly have to be escaped - it should be done nonetheless). – Qirel May 27 '16 at 13:33
  • @Qirel now that is reserved ;-) not `type` - closing it as such. – Funk Forty Niner May 27 '16 at 13:34
  • @Qirel Good spot on that. I had a funny feeling there was something in those columns, but just couldn't spot it. – Funk Forty Niner May 27 '16 at 13:36
  • Thanks, I'll test it when I get the chance. – Owen Prescot May 27 '16 at 13:37
  • Thank you very much to Qirel! – Owen Prescot May 27 '16 at 13:40
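Two things the comment thread establishes are worth seeing together in code. First, the INSERT in the question fails because `condition` is a MySQL reserved word and the column list does not backtick it; the failure goes unnoticed because the original script checks `mysql_error()` only after `mysql_connect()`, never after `mysql_query()`, so the query's error message is never read. Second, the values are interpolated straight from `$_POST` into the SQL string, which is the injection risk Jay Blanchard points at. The following is an added example, not code from the asker or from any answer: the same insert rewritten with PDO prepared statements, backtick-quoted column names, and an error mode that makes a failed INSERT visible. The DSN and credentials are placeholders; the table and column names are the ones from the question; the `connect`, `insertItem` and `INSERT_SQL` names are my own.

```php
<?php
// Added example (not the asker's or answerers' code): the question's INSERT
// rewritten with PDO prepared statements. Host, database name and credentials
// below are placeholders; `items` and its columns come from the question.
declare(strict_types=1);

// `condition` is a MySQL reserved word and must be backtick-quoted; `type` and
// `date` are keywords but not reserved, and quoting them as well is harmless.
// Values are supplied as named parameters, never spliced into the string.
const INSERT_SQL = 'INSERT INTO `items` (`material`, `type`, `date`, `condition`, `price`, `description`)
                    VALUES (:material, :type, NOW(), :condition, :price, :description)';

function connect(): PDO
{
    // Placeholder DSN and credentials (assumption); replace with your own.
    // ERRMODE_EXCEPTION makes a failing INSERT throw instead of silently
    // returning, which is what hid the reserved-word error in the question.
    return new PDO(
        'mysql:host=localhost;dbname=owenp;charset=utf8mb4',
        'db_user',      // placeholder
        'db_password',  // placeholder
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepares
        ]
    );
}

/**
 * Insert one item. Each value is bound as a parameter, so input containing
 * quotes (e.g. "O'Brien") is stored literally rather than being parsed as SQL.
 * Returns the number of rows inserted (1 on success).
 */
function insertItem(PDO $pdo, array $fields): int
{
    $required = ['material', 'type', 'condition', 'price', 'description'];
    foreach ($required as $name) {
        if (!isset($fields[$name]) || $fields[$name] === '') {
            throw new InvalidArgumentException("Missing field: $name");
        }
    }

    $stmt = $pdo->prepare(INSERT_SQL);
    $stmt->execute([
        ':material'    => $fields['material'],
        ':type'        => $fields['type'],
        ':condition'   => $fields['condition'],
        ':price'       => $fields['price'],
        ':description' => $fields['description'],
    ]);
    return $stmt->rowCount();
}

// Same trigger as the original form: the submit button named "submit".
if (isset($_POST['submit'])) {
    try {
        $rows = insertItem(connect(), $_POST);
        echo $rows === 1 ? 'Record created.' : 'No record created.';
    } catch (PDOException $e) {
        // Keep the driver's message (table, column, syntax details) in the
        // server log; show the user only a generic notice.
        error_log('INSERT failed: ' . $e->getMessage());
        echo 'Database error; see server log.';
    } catch (InvalidArgumentException $e) {
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

With `ERRMODE_EXCEPTION` set, the unquoted-`condition` mistake from the question would surface immediately as a `PDOException` carrying MySQL's syntax error, rather than as a script that "runs normally" and inserts nothing. If you are stuck on the old `mysql_*` extension as the asker is, the equivalent minimum is to check the return value of `mysql_query()` and print `mysql_error()` when it is `false`, and to backtick the column names in the query.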

2 Answers

 .....$_POST[material]....   <-- material should be between quotes

As should all the other parameters.

Johan
  • Yes - and no. If PHP sees these it will try to use them as constants, if not it will automatically convert them and add the quotes. – Jay Blanchard May 27 '16 at 13:25
  • After changing '$_POST[material]' to "$_POST[material]" and the other parameters in the same way it caused my webpage to produce a HTTP 500 error code. – Owen Prescot May 27 '16 at 13:35
  • @JayBlanchard Exactly. The *real* problem here is not that, it's something else and the question has been closed based on it. – Funk Forty Niner May 27 '16 at 13:35

You need to replace $_POST[type] and the other values with $_POST["type"].
As you are accessing array values you need to provide a proper index; you can either store your values in variables and then pass them to the query string, or you can use . to build the query string like this...

$sql="INSERT INTO items(material,type,date,condition,price,description) VALUES('".$_POST["material"]."','".$_POST["type"]."',NOW(),'".$_POST["condition"]."','".$_POST["price"]."','".$_POST["description"]."')";
mahethekiller
  • Why do you "hope this works"? A ***good answer*** will always have an explanation of what was done and why it was done in such a manner, not only for the OP but for future visitors to SO. – Jay Blanchard May 27 '16 at 13:35
  • You *do* know the variables will be interpolated properly without concatenation, right? – Jay Blanchard May 27 '16 at 13:56