Really simple code

```php
$device = $_GET['device'];
$voltage = $_GET['voltage'];
$current = $_GET['current'];
$power = $current * $voltage;

mysqli_query($connect, "insert into device$device (time, voltage, current, power)
    values (curtime(), $voltage, $current, $power);");
```

The problem is, it used to work whatever device number I put. It only works with device 1. I didn't change anything in the MySQL database or the PHP code; it just suddenly didn't work anymore, except if $device=1.

No errors are reported either.

soundslikeodd
mage
  • Are you merging device with device name? – msk Jan 19 '17 at 05:45
  • What are the `$device` values that are not working? You could try wrapping the table name in backticks -> ``insert into `device$device` ...`` – Sean Jan 19 '17 at 05:47
  • How does your table name become: device1, device2??? – Niklesh Raut Jan 19 '17 at 05:47
  • DB Scheme? Are you checking for errors with the error function? – chris85 Jan 19 '17 at 05:48
  • Might be a good time to read up on [How can I prevent SQL injection in PHP?](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Never use user data, `$_GET`, directly in your query. Sanitize, sanitize, sanitize! – Sean Jan 19 '17 at 05:49
  • Tried the backticks, still didn't work. Yes, table names are device1, device2, device3, and so on. – mage Jan 19 '17 at 05:59
  • **WARNING**: When using `mysqli` you should be using [parameterized queries](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and [`bind_param`](http://php.net/manual/en/mysqli-stmt.bind-param.php) to add user data to your query. **DO NOT** use string interpolation or concatenation to accomplish this because you have created a severe [SQL injection bug](http://bobby-tables.com/). **NEVER** put `$_POST` or `$_GET` data directly into a query; it can be very harmful if someone seeks to exploit your mistake. – tadman Jan 19 '17 at 06:10
  • Table names like that are a sign you're probably violating the [Zero, One or Infinity Rule](http://en.wikipedia.org/wiki/Zero_one_infinity_rule) of [database normalization](http://en.wikipedia.org/wiki/Database_normalization). Why are you splitting up data like this? Use partitions if you need to. – tadman Jan 19 '17 at 06:11
  • It's working now, thank you guys! Saw the problem was not in that code, but on the number tables themselves. – mage Jan 19 '17 at 06:40
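
A hardened form of the question's insert, added here as an example and not code from the original thread: the table name is picked from a fixed allowlist (assumed to be device1 to device3) and the readings are bound as parameters. The function names and the `DEVICE_TABLES` constant are hypothetical.

```php
<?php
declare(strict_types=1);

// Assumption: the per-device tables are a fixed, known set.
const DEVICE_TABLES = [1 => 'device1', 2 => 'device2', 3 => 'device3'];

// Table names cannot be bound as parameters, so the untrusted value only
// selects an entry from the allowlist and never reaches the SQL text itself.
function resolveDeviceTable(string $raw): string
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false || !isset(DEVICE_TABLES[$id])) {
        throw new InvalidArgumentException('unknown device');
    }
    return DEVICE_TABLES[$id];
}

function parseReading(string $raw, string $name): float
{
    $value = filter_var($raw, FILTER_VALIDATE_FLOAT);
    if ($value === false || !is_finite($value)) {
        throw new InvalidArgumentException("invalid $name");
    }
    return $value;
}

function insertReading(mysqli $connect, array $query): void
{
    // Reject missing keys and array-valued parameters such as ?device[]=1.
    $param = fn(string $key): string => is_string($query[$key] ?? null) ? $query[$key] : '';

    $table   = resolveDeviceTable($param('device'));
    $voltage = parseReading($param('voltage'), 'voltage');
    $current = parseReading($param('current'), 'current');
    $power   = $current * $voltage;

    // Values travel as bound parameters ('d' = double), not as interpolated text.
    $stmt = $connect->prepare(
        "INSERT INTO `$table` (time, voltage, current, power) VALUES (CURTIME(), ?, ?, ?)"
    );
    $stmt->bind_param('ddd', $voltage, $current, $power);
    $stmt->execute();
    $stmt->close();
}

// Make mysqli throw on failure, so a missing or broken table is reported
// instead of the insert failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
// insertReading($connect, $_GET);   // $connect: the page's existing mysqli link
```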

2 Answers

```php
$device1 = $_GET['device'];
$device = "device" . $device1;
mysqli_query($connect, "insert into " . $device . " (time, voltage, current, power)
values (curtime(), '$voltage', '$current', '$power')");
```

Change Query

Meena patel
```php
mysqli_query($connect, "insert into device'".$device."' (time, voltage, current, power)
values (curtime(), $voltage, $current, $power);");
```

or

```php
mysqli_query($connect, "insert into device".$device." (time, voltage, current, power) values (curtime(), $voltage, $current, $power);");
```

since $device is an int number.

chris85