
I'm trying to insert some data into my database, but it will only insert a unique id and userid. The rest of the attributes won't follow. Any suggestions?

Image of insert: (screenshot)

<?php

if(isset($_POST['project']))
{
    // Escape user inputs for security
    $stripped = mysql_real_escape_string($_GET['id']);
    $title = mysqli_real_escape_string($_POST['title']);
    $about = mysqli_real_escape_string($_POST['about']);
    $code = mysqli_real_escape_string($_POST['code']);

    mysql_query("INSERT INTO cms_prosjekt (userid, title, about, code) VALUES 
        ('".$_SESSION['user']['id']."', '".$title."', '".$about."', '".$code."')") or die(mysql_error());

}
?>

HTML

<form action="" method="post">

    <input type="text" class="form-control" name="title" id="title" placeholder="Full name" style="margin-bottom:10px">
    <input type="text" class="form-control" name="about" id="about" placeholder="Company code" style="margin-bottom:10px">
    <input type="text" class="form-control" name="code" id="code" placeholder="Password" style="margin-bottom:10px">

    <button type="submit" name="project" class="button btn btn-success" style="margin-bottom:10px;">Register project now</button>

</form>
Al Foиce ѫ
  • if it only works for unique entries, then this tells me you've some type of constraint. – Funk Forty Niner Sep 27 '16 at 13:11
  • Say hello to your new debugging friend: `var_dump`. Right AFTER you get the variables, put `var_dump($title)`. What do you see? Is there anything in it? Even better would be to build your query in a string (as in `$query = "INSERT INTO....`), then `var_dump($query)`. What does it output? Lastly, it might be useful to understand your data structure (what type of column is `title`, for example)? – random_user_name Sep 27 '16 at 13:12
  • btw, you're mixing APIs here with `mysql_real_escape_string` and `mysqli_real_escape_string()`, and that one needs a connection for it. We don't know what API you're using to connect with either. `die(mysql_error())` won't work if your connection is MySQLi_. So your question is way too unclear. – Funk Forty Niner Sep 27 '16 at 13:13
  • @cale_b It returns NULL hm – Vegard Berg Sep 27 '16 at 13:14
  • Check the answer below, and @Fred-ii- comment. They've got it - the mysqli_real_escape_string needs the `$link` passed in (your mysqli connection) – random_user_name Sep 27 '16 at 13:15
  • The problem was mysql_real_escape_string and mysqli_real_escape_string(). Thank you! – Vegard Berg Sep 27 '16 at 13:15
  • @VegardBerg I noticed you accepted my answer, then unaccepted it and accepted the other one, which is just a "try this" type of answer. You can do what you want, but that one is just a "spoonfeed" answer with no explanation given. This is all in the name of "learning" and not making the same mistake again. – Funk Forty Niner Sep 27 '16 at 13:33

3 Answers


You need to provide the $link argument, which is your connection, to properly escape your values.

mysqli_real_escape_string ( mysqli $link , string $escapestr )

R. Chappell
  • I changed mysqli_real_escape_string to mysql_real_escape_string. That solved my problem – Vegard Berg Sep 27 '16 at 13:17
  • @VegardBerg Please be aware that `mysql_real_escape_string` has been deprecated since PHP 5.5.0 and is no longer in PHP 7.0.0; this may cause issues if you publish your code to a server with these versions. – R. Chappell Sep 27 '16 at 13:24

Seeing your code and that it only enters one value, this tells me you are using the mysql_ API to connect with, and you're mixing it with mysqli_real_escape_string(), which requires a db connection as its first argument.

Judging by your screenshot, $stripped = mysql_real_escape_string($_GET['id']); is all that is getting entered in the db.

Those different APIs do not intermix. You need to use the same one from connecting to querying.

  • In your case, that would be mysql_* - mysql_real_escape_string().

I suggest you start using a prepared statement right away.

Note: Using mysql_real_escape_string() doesn't fully protect against SQL injection. Read the following Q&A on the subject:


Footnotes:

The MySQL_ API has been removed as of PHP 7.0. Should your server eventually get upgraded to it, you will no longer be able to use your present code.

It's time to switch over to either using the MySQLi_ or PDO API and with a prepared statement.

References:

You should also check for any empty fields. Just an isset() against your submit button isn't enough.

If your site is live or will be live soon, someone may enter empty values and could trigger errors or insert empty values in your database, which I'm sure you're not going to appreciate.

Reference:

Funk Forty Niner
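The two fixes discussed on this page, passing the connection to mysqli_real_escape_string() as R. Chappell's answer says and moving to a prepared statement as the answer above recommends, worked through in PHP as an added example (this is not code from the question or from either answer). It keeps the question's table and column names (cms_prosjekt; userid, title, about, code) and the $_SESSION['user']['id'] lookup; the host, credentials, database name and the 255-character field limit are placeholder assumptions. The escaped variant only builds the query string, to show the required $link argument; the prepared statement is what actually executes.

```php
<?php
// Added example, not from the original question or answers. Uses the MySQLi
// API consistently from connect to query. Host, credentials, database name
// and the 255-char limit are assumptions; table/column names are from the page.

session_start();

$link = mysqli_connect('localhost', 'db_user', 'db_password', 'db_name');
if ($link === false) {
    // Log connection details server-side; do not echo them to the browser.
    error_log('DB connection failed: ' . mysqli_connect_error());
    exit('Database unavailable');
}
// Escaping is charset-aware, so tell the driver which charset is in use.
mysqli_set_charset($link, 'utf8mb4');

if (isset($_POST['project']) && isset($_SESSION['user']['id'])) {
    // Validate presence and length first: isset() on the submit button alone
    // lets empty strings through (the point made under "Footnotes" above).
    $fields = ['title', 'about', 'code'];
    $values = [];
    foreach ($fields as $f) {
        $v = isset($_POST[$f]) ? trim($_POST[$f]) : '';
        if ($v === '' || strlen($v) > 255) { // 255 = assumed VARCHAR width
            exit('Missing or too long field: ' . htmlspecialchars($f));
        }
        $values[$f] = $v;
    }
    $userid = (int) $_SESSION['user']['id']; // numeric column: cast, don't quote

    // Variant 1: escaping done right. The connection is the FIRST argument;
    // without it mysqli_real_escape_string() returns NULL, which is exactly
    // why the question's INSERT stored only the id and userid.
    $title = mysqli_real_escape_string($link, $values['title']);
    $about = mysqli_real_escape_string($link, $values['about']);
    $code  = mysqli_real_escape_string($link, $values['code']);
    $escapedSql = "INSERT INTO cms_prosjekt (userid, title, about, code) "
                . "VALUES ($userid, '$title', '$about', '$code')";
    // $escapedSql is built only for comparison; the prepared statement below
    // is what runs, because values bound as parameters never become SQL text.

    // Variant 2: prepared statement with bound parameters.
    $stmt = mysqli_prepare(
        $link,
        'INSERT INTO cms_prosjekt (userid, title, about, code) VALUES (?, ?, ?, ?)'
    );
    if ($stmt === false) {
        error_log('prepare failed: ' . mysqli_error($link));
        exit('Database error');
    }
    // 'i' = integer, 's' = string; types are enforced by the driver.
    mysqli_stmt_bind_param(
        $stmt, 'isss',
        $userid, $values['title'], $values['about'], $values['code']
    );
    if (!mysqli_stmt_execute($stmt)) {
        error_log('execute failed: ' . mysqli_stmt_error($stmt));
        exit('Database error');
    }
    mysqli_stmt_close($stmt);
    echo 'Project registered.';
}

mysqli_close($link);
```

Two points worth noticing when comparing the variants: escaping only helps for values that end up inside quotes in the SQL, so the integer userid is cast rather than quoted, and mysqli_set_charset() matters because escaping is done relative to the connection charset. The bound-parameter version has neither of these footguns, which is why it is the safer default.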

You have used both mysqli and mysql; it should be one of them.

if (isset($_POST['project'])) {
    $stripped = mysql_real_escape_string($_GET['id']);
    $title = mysql_real_escape_string($_POST['title']);
    $about = mysql_real_escape_string($_POST['about']);
    $code = mysql_real_escape_string($_POST['code']);

    mysql_query("INSERT INTO cms_prosjekt (userid, title, about, code) VALUES ('" . $_SESSION['user']['id'] . "', '" . $title . "', '" . $about . "', '" . $code . "')") or die(mysql_error());
}
Kamran Khatti