I have yet to find the mistake I make in my coding. I try inserting data and the code shows no error, and when I want to view the data it displays blank data like this, for example. How do I fix this?

```php
<?php
// Connect with the legacy mysql_* extension (deprecated, removed in PHP 7)
$connect = mysql_connect('localhost', 'root', '');
$database = mysql_select_db('songdb');

$title = $_POST['title'];
$artist = $_POST['artist'];
$genre = $_POST['genre'];
$language = $_POST['language'];
$lyrics = $_POST['lyrics'];

// User input is interpolated straight into the SQL string: this is SQL injection,
// and a value containing a quote character also breaks the statement itself
$insert = "INSERT INTO `songs`(`title`,`artist`,`genre`,`language`,`lyrics`) VALUES('$title','$artist','$genre','$language','$lyrics')";

if (!mysql_query($insert)) {
    echo "Error." . mysql_error();
} else {
    header("Location: insert.php?msg=1");
    exit; // stop here after sending the redirect header
}
?>
```
Manoj Sharma
Zirah
    Please [don't use `mysql_*`](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php?rq=1); the `mysql_*` functions are outdated, [deprecated](http://us3.php.net/manual/en/intro.mysql.php), and insecure - they have been removed entirely from modern versions of PHP (version 7.0 and higher). Use [`MySQLi`](http://us3.php.net/manual/en/book.mysqli.php) or [`PDO`](http://us3.php.net/manual/en/intro.pdo.php) instead. – elixenide Jan 09 '17 at 06:27
    Also, you are wide open to [**SQL injection**](https://www.owasp.org/index.php/SQL_Injection). You need to use prepared statements, rather than concatenating variables into your query. See [How can I prevent SQL injection in PHP?](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1). – elixenide Jan 09 '17 at 06:27
    Where is your listing code? – Rohit Bhalani Jan 09 '17 at 06:28
  • Are you getting values in the $_POST array? Please confirm it with print_r($_POST). – dhi_m Jan 09 '17 at 06:30

1 Answer


First of all, you have to use the mysqli extension, because the mysql extension is deprecated, and then you have to use prepared statements to prevent SQL injection.

```php
<?php
$connect = mysqli_connect('localhost', 'root', '');
mysqli_select_db($connect, 'songdb');

$title = $_POST['title'];
$artist = $_POST['artist'];
$genre = $_POST['genre'];
$language = $_POST['language'];
$lyrics = $_POST['lyrics'];

// Prepared statement for inserting: the connection is the first argument of
// mysqli_prepare(), and the values are bound separately, never interpolated
$insert = mysqli_prepare($connect, "INSERT INTO songs(title,artist,genre,language,lyrics) VALUES(?,?,?,?,?)");
if ($insert === false) {
    die("Error." . mysqli_error($connect));
}
mysqli_stmt_bind_param($insert, 'sssss', $title, $artist, $genre, $language, $lyrics);

if (!mysqli_stmt_execute($insert)) {
    echo "Error." . mysqli_stmt_error($insert);
} else {
    header("Location: insert.php?msg=1");
    exit;
}
?>
```

For more, see http://php.net/manual/en/mysqli.prepare.php

Hikmat Sijapati
    **WARNING**: When using `mysqli` you should be using [parameterized queries](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and [`bind_param`](http://php.net/manual/en/mysqli-stmt.bind-param.php) to add user data to your query. **DO NOT** use manual escaping and string interpolation or concatenation to accomplish this because you will create severe [SQL injection bugs](http://bobby-tables.com/) if you ever forget to properly escape something. Using parameterized queries is *less code* than this answer. – tadman Jan 09 '17 at 06:38
    You don't need to use `*_real_escape_string()` when using prepared statement. You also need to `execute()` your query in order for it to run – Logan Wayne Jan 09 '17 at 06:48
    You're half-way there. When using prepared statements it's important to *not* escape the values on the way in, supply them raw. In its current form this double-escapes things which is bad. Since you're using `mysqli`, it's probably a good habit to get into using the object-oriented interface, it's less verbose and harder to mess up: `$conn->prepare(...)` and `$insert ->bind_param(...)`. Right now the `prepare` statement is missing an argument. – tadman Jan 09 '17 at 06:48
  • @Logan Wayne and tadman, thanks a lot. I hope now it is perfect. – Hikmat Sijapati Jan 09 '17 at 06:52
    I'm not sure if using `mysqli_query()` is feasible to execute a query, but in your case, it is usually used with `mysqli_stmt_execute($insert);` – Logan Wayne Jan 09 '17 at 06:53
    You are still missing an argument (**TIP:** *First argument for your INSERT query*) – Logan Wayne Jan 09 '17 at 07:03
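The same insert written with mysqli's object-oriented interface, as tadman's comment suggests, with the error reporting the original code lacks. This is an added example, not the asker's or answerer's code; it assumes the question's `songdb` database and `songs` table, and the credentials and the `insertSong` helper name are placeholders.

```php
<?php
// Throw mysqli_sql_exception on any failure instead of silently returning false,
// so a failed connect/prepare/execute can never pass unnoticed as "blank data".
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function insertSong(mysqli $db, array $song): int
{
    // Only the expected fields are read; anything else in the request is ignored.
    foreach (['title', 'artist', 'genre', 'language', 'lyrics'] as $field) {
        if (!isset($song[$field]) || $song[$field] === '') {
            throw new InvalidArgumentException("missing field: $field");
        }
    }

    // Placeholders, never interpolation: the values travel separately from the
    // SQL text, so a title containing a quote character (or anything else a
    // client sends) is stored as plain data and cannot change the statement.
    $stmt = $db->prepare(
        'INSERT INTO songs (title, artist, genre, language, lyrics) VALUES (?, ?, ?, ?, ?)'
    );
    $stmt->bind_param(
        'sssss',
        $song['title'], $song['artist'], $song['genre'], $song['language'], $song['lyrics']
    );
    $stmt->execute();
    $stmt->close();

    return (int) $db->insert_id; // auto-increment id of the new row
}

try {
    // Placeholder credentials; the question's root with an empty password is
    // only acceptable on a throwaway local setup.
    $db = new mysqli('localhost', 'songdb_user', 'change-me', 'songdb');
    $db->set_charset('utf8mb4');

    insertSong($db, $_POST);
    header('Location: insert.php?msg=1');
    exit; // stop here; code after header() would otherwise keep running
} catch (mysqli_sql_exception $e) {
    http_response_code(500);
    error_log('songs insert failed: ' . $e->getMessage()); // log detail, do not echo it
    echo 'Could not save the song.';
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
}
```

The database error text goes to the server log rather than the response, so a failed insert is visible to the developer without leaking table or query details to the browser.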