-2

EDIT TO CORRECT THE LINE echo "Error: " + $e->getMessage;.

I am trying to make a simple example just to add data from a form and with PHP upload the data to the database.

HTML code:

<!DOCTYPE html>
<html>
<head>
    <meta charset="utf-8">
    <title>Rich Text</title>
    <script src="//cdn.tinymce.com/4/tinymce.min.js"></script>
    <script>tinymce.init({
        selector:'textarea',
        plugins: "link"
    });</script>
</head>
<body>
    <form class="formulario" action="index.php" method="post">
        <p>Inserta título</p>
        <textarea name="texto" rows="8" cols="80"></textarea>
        <input type="submit" name="enviar" value="enviar">
    </form>
</body>
</html>

And PHP code:

<?php

try {
    $conexion = new PDO('mysql:host;localhost=Blog', 'root', '');
} catch (Exception $e) {
    echo "Error: " . $e->getMessage();
}

if (isset($_POST['enviar']) and $conexion) {
    $texto = $_POST['texto'];
    echo $texto;

    $statement = $conexion->prepare("INSERT INTO art (ID, articulo) VALUES (NULL, $texto)");
    $statement->execute();
}

require 'index.view.php';

?>

Is it necessary to specify the ID column as it is autoincrement?

JetLagFox

  • No, you only insert the columns necessary. You may want to turn on error reporting in your page to see what the issue is if that doesn't work. http://php.net/manual/en/function.error-reporting.php – Paul Jan 25 '17 at 16:16
  • You are wide open to [SQL Injections](http://php.net/manual/en/security.database.sql-injection.php) and should really use [Prepared Statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) instead of concatenating your queries. Especially since you're not escaping the data at all. – M. Eriksson Jan 25 '17 at 16:23
  • This is **NOT** how you are meant to use prepared statements. Your script is set out using prepared statements but your line involving the SQL and the `$texto` var is undoing all that good promise. [Learn how to use prepared statements properly](http://prash.me/php-pdo-and-prepared-statements). – Martin Jan 25 '17 at 16:23
  • Your variable `$texto` is unquoted in the query. That is a syntax error. See [When to use single quotes, double quotes, backticks in MySQL](http://stackoverflow.com/questions/11321491/when-to-use-single-quotes-double-quotes-and-backticks-in-mysql) to correct it as is. But more importantly, you should be using a named parameter. See [How can I prevent SQL injection in PHP](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php#60496) for examples on how to do it correctly, which will solve this issue. – Michael Berkowski Jan 25 '17 at 16:24
  • All of the above. But the very first problem is probably the DSN, that looks really off as well. The `mysql:host;localhost=Blog` part, that is. – jeroen Jan 25 '17 at 16:26
  • Thanks to all. Finally I solved the problem, thanks especially to @MichaelBerkowski's answer. The other two problems in the code were my fault. – JetLagFox Jan 25 '17 at 17:02

2 Answers

4

Change this:

$statement = $conexion->prepare("INSERT INTO art (ID, articulo) VALUES (NULL, $texto)");

To this:

$statement = $conexion->prepare("INSERT INTO art (articulo) VALUES (:texto)"); 
$statement->bindParam(':texto', $texto, PDO::PARAM_STR);

You do not need to specify columns you don't change, such as your auto-increment column (ID). This column will look after itself.

Using BindParam is one of the correct ways of inserting data safely into your database.

Martin
Diego Luiz

  • Should note that `BindParam` is not the *only* correct way ;) – Terry Jan 25 '17 at 16:28
  • If you have further issues you should use [PHP Error logging](http://stackoverflow.com/questions/3531703/how-to-log-errors-and-warnings-into-a-file) to find and identify your problems – Martin Jan 25 '17 at 16:28
  • @JetLagFox Why did you use "$_POST['enviar']"? I think that "$_POST['texto']" is the right way here... – Diego Luiz Jan 25 '17 at 16:44
  • @DiegoMedeiros It is to check whether something has been sent (the submit button). – JetLagFox Jan 25 '17 at 16:53
0

See How do I get PHP errors to display?

You can't concatenate strings in PHP with the + symbol; use . to concatenate:

echo "Error: " . $e->getMessage();

To connect to a database you should use

$conexion = new PDO("mysql:host=localhost;dbname=Blog", 'root', '');

You don't need to insert ID if you configured your table to autoincrement.

Otto

  • Er, you're incorrect here. You can happily pass `NULL` to an auto-increment field in MySQL – Martin Jan 25 '17 at 16:31
  • You are right, I have edited the code because that was a mistake, as I am studying Java... my fault. I have changed the connection code, but it still doesn't work. – JetLagFox Jan 25 '17 at 16:40
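Putting the two answers together (the corrected DSN from the second answer, the named parameter and bindParam from the first), here is the question's handler rewritten as an added example. It is not code from the question or from either answer; it assumes the same `Blog` database and `art` table (auto-increment `ID`, text column `articulo`), and the credentials are placeholders.

```php
<?php
// Added example, not the asker's or the answerers' code: the form handler
// with the fixes both answers describe. Assumes database `Blog` and table
// `art` (ID auto-increment, articulo text) as in the question.

// DSN is key=value pairs separated by ';'. The question's
// 'mysql:host;localhost=Blog' had the separators in the wrong place.
$dsn  = 'mysql:host=localhost;dbname=Blog;charset=utf8mb4';
$user = 'root';   // placeholder credential
$pass = '';       // placeholder credential

try {
    $conexion = new PDO($dsn, $user, $pass, [
        // Throw on failure instead of returning false, so a failed
        // prepare()/execute() is reported rather than silently skipped.
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        // Ask the driver for real server-side prepared statements.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
} catch (PDOException $e) {
    // getMessage() is a method call: the parentheses are required.
    exit('Error: ' . $e->getMessage());
}

if (isset($_POST['enviar'], $_POST['texto'])) {
    $texto = $_POST['texto'];

    // ':texto' is a placeholder in the SQL text; the value is sent to the
    // server separately, so quotes or SQL keywords inside $texto are stored
    // as data and never parsed as part of the statement. ID is omitted and
    // the auto-increment column fills itself in.
    $statement = $conexion->prepare(
        'INSERT INTO art (articulo) VALUES (:texto)'
    );
    $statement->bindParam(':texto', $texto, PDO::PARAM_STR);
    $statement->execute();

    // Row id assigned by the auto-increment column for this insert.
    $newId = (int) $conexion->lastInsertId();
    echo 'Saved article ' . $newId;
}

require 'index.view.php';
```

With `ERRMODE_EXCEPTION` set, a mistake in the SQL surfaces as a `PDOException` with the server's message, which is what the comments asking for error reporting were after.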