
It seems like a proper method. It shows all the messages and displays. But it doesn't show up in the actual mysqli database. Can someone help me find out where it is going wrong? HTML input is getting read into the PHP part and everything is going well except the part where it does not show up in the database.

Thanks in advance!

<!DOCTYPE html>
<html>
<?php
    $con = mysqli_connect("localhost","root","","bookstore"); // Establishing Connection with Server
    echo 'Connected to database...';


    $Title = $_POST['Title'];
    $Author = $_POST['Author'];
    $Price = $_POST['Price'];
    $StateOfCopy = $_POST['StateOfCopy'];
    echo 'Data posted...';

    //Insert Query of SQL
    $sql = "INSERT INTO bookstore.booklist (`Title`, `Author`, `Price`, `StateOfCopy`)
             VALUES ('B10037', 'Children', $Title, $Author, $Price, 'Faerie Publishers','P10012', $StateOfCopy)";
    echo $Title;
    echo $Author;
    echo $Price;
    echo $StateOfCopy;

    // mysql_close($connection); // Closing Connection with Server
    /*
    INSERT INTO bookstore.booklist (`BookID`, `Category`, `Title`, `Author`, `Price`, `Publisher`, `PublisherID`, `StateOfCopy`) 
 VALUES ('B10036', 'Children', 'The Snow Queen', 'Hans Christian Anderson', 23.84, 'Faerie Publishers', 'P10012', '1st edition, Binded')
    */
    if($con->query($sql) === TRUE)
    {
        echo "<br/><br/><span>Data Inserted successfully...!!</span>";
    }
    else
    {
        echo "Error: ".$sql."<br>".$con->error;
    }
    $query = "SELECT * FROM bookstore.booklist";
    $result = mysqli_query($con,$query);

    $num = mysqli_num_rows($result);
    echo $num;
?>

<head>
    <title>PHP insertion</title>
</head>
<body>
    <div>
    <!--HTML Form -->
        <div>
            <div>
                <h2>Insert Data In Database Using PHP.</h2>
            </div>
            <form action="insert.php" method="post">
                <!-- Method can be set as POST for hiding values in URL-->
                <h2>Form</h2>
                <label>Title:</label>
                <input class="input" name="Title" type="text" value="">
                
                <label>Author:</label>
                <input class="input" name="Author" type="text" value="">
                
                <label>Price:</label>
                <input class="input" name="Price" type="text" value="">
                
                <label>State of Copy:</label>
                <input class="input" name="StateOfCopy" type="text" value="">
                <br>
                <input name="submit" type="submit" value="Insert">
            </form>
        </div>
    </div>
</body>
</html>
  • if you were checking for mysql errors, you would get some –  Aug 15 '16 at 02:07
  • Also note `mysqli` is not a database, it is a driver that connects to a `mysql` database. It doesn't do anything to prevent SQL injections on its own, you need to parameterize your queries. http://php.net/manual/en/mysqli.quickstart.prepared-statements.php – chris85 Aug 15 '16 at 02:12
  • This is the error I am getting once I run the program: Connected to database...Data posted...Beautiful CreaturesYasmin45.99Hardcover, 1st editionError: INSERT INTO bookstore.booklist (`Title`, `Author`, `Price`, `StateOfCopy`) VALUES (Beautiful Creatures, Yasmin, 45.99, Hardcover, 1st edition) You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'Creatures, Yasmin, 45.99, Hardcover, 1st edition)' at line 219 –  Aug 15 '16 at 02:19
  • see the dupe, strings should be quoted. and you're open to be hacked (http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1) –  Aug 15 '16 at 02:26
  • The issue would be solved by using parameterized queries. The SQL in your question has 4 columns but is trying to assign 8 values, that's a different issue. – chris85 Aug 15 '16 at 02:34
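The following is an added example, not the original poster's code and not an answer posted in the thread. It rewrites the insert from the question as a mysqli prepared statement, as chris85's comment suggests, which fixes both problems the comments point at: the string values are no longer pasted into the SQL text (so they need no quoting and cannot inject SQL), and the column list and the value list both have eight entries. The connection details, table name, column names, form field names and the four fixed values ('B10037', 'Children', 'Faerie Publishers', 'P10012') are taken from the question; the server-side validation, the error-reporting mode and the use of the object-oriented mysqli API are this example's own choices.

```php
<?php
// Added example (not the original poster's code): insert.php rewritten with a
// prepared statement. Make mysqli throw mysqli_sql_exception on any error so a
// failed INSERT can never be silently ignored again.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$con = new mysqli("localhost", "root", "", "bookstore");
$con->set_charset("utf8mb4");

// Only read form data on an actual POST; a bare GET of insert.php has no $_POST.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $title       = $_POST['Title']       ?? '';
    $author      = $_POST['Author']      ?? '';
    $price       = $_POST['Price']       ?? '';
    $stateOfCopy = $_POST['StateOfCopy'] ?? '';

    // Server-side validation (this example's own rule): Price must be numeric.
    // Validation does not replace parameter binding; it only rejects garbage early.
    if ($title === '' || $author === '' || !is_numeric($price)) {
        http_response_code(400);
        exit('Title, Author and a numeric Price are required.');
    }
    $price = (float) $price; // bind_param takes variables by reference, so cast first

    // Fixed values from the question's VALUES clause, supplied as bound parameters too.
    $bookId      = 'B10037';
    $category    = 'Children';
    $publisher   = 'Faerie Publishers';
    $publisherId = 'P10012';

    // Vulnerable pattern from the question (shown for contrast only, never executed):
    //   "INSERT ... VALUES ('$title', '$author', $price, '$stateOfCopy')"
    // A Title such as  x', 'y', 0, 'z'); DROP TABLE booklist; --  would run as SQL.

    // Safe pattern: the SQL text contains only placeholders. The values are sent
    // to the server separately and are never parsed as SQL, so quoting and
    // escaping stop being the application's job. Eight columns, eight placeholders.
    $stmt = $con->prepare(
        "INSERT INTO booklist
             (`BookID`, `Category`, `Title`, `Author`, `Price`, `Publisher`, `PublisherID`, `StateOfCopy`)
         VALUES (?, ?, ?, ?, ?, ?, ?, ?)"
    );
    // Type string: one letter per placeholder, s = string, d = double.
    $stmt->bind_param(
        "ssssdsss",
        $bookId, $category, $title, $author, $price, $publisher, $publisherId, $stateOfCopy
    );
    $stmt->execute();
    echo "Rows inserted: " . $stmt->affected_rows . "<br>";
    $stmt->close();

    // Echo user input back only after HTML-escaping it; the original echoed it raw,
    // which is a cross-site scripting hole independent of the SQL problem.
    echo htmlspecialchars($title, ENT_QUOTES, 'UTF-8'), " by ",
         htmlspecialchars($author, ENT_QUOTES, 'UTF-8'), "<br>";
}

// Row count for the page, replacing the SELECT * / mysqli_num_rows pair.
$row = $con->query("SELECT COUNT(*) AS n FROM booklist")->fetch_assoc();
echo "Rows in booklist: " . (int) $row['n'];
```

Note that `bind_param` cannot bind column or table names, only values; the column list stays a fixed string. If the form later gains a field that chooses a column, map it to an allow-list of known column names rather than interpolating it.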

0 Answers