-2

Okay, so this allows me to create projects and add them to the database, but for some reason, it's not adding anything. I know there's a typo or something in the code, but I can't find it for the life of me. It's been racking my brain for a while.

if(isset($_POST['project_name'])&&isset($_POST['project_lead'])&&isset($_POST['project_type'])&&isset($_POST['project_start'])&&isset($_POST['project_due'])&&isset($_POST['project_link'])&&isset($_POST['project_desc'])) {

    $project_name = $_POST['project_name'];
    $project_lead = $_POST['project_lead'];
    $project_type = $_POST['project_type'];
    $project_start = $_POST['project_start'];
    $project_due = $_POST['project_due'];
    $project_link = $_POST['project_link'];
    $project_desc = $_POST['project_desc'];

    $esc_project_link = mysql_real_escape_string($project_link);
    $esc_project_desc = mysql_real_escape_string($project_desc);

    if(!empty($project_lead)&&!empty($project_name)&&!empty($project_type)&&!empty($project_start)&&!empty($project_due)&&!empty($project_link)&&!empty($project_desc)) {

        $insert_new_project = "INSERT INTO projects VALUES ('','$project_name','$project_lead','$project_type','$project_start','$project_due','$esc_project_link','$esc_project_desc')";

        if($insert_success = mysql_query($insert_new_project)) {
            header('Location: projects.php?new=true');
        } else {
            header('Location: projects.php?new=fail');
        }
    }
}

Thanks in advance!

  • Where are the column names in the insertion query??? – Soniya Basireddy Jan 30 '17 at 12:45
  • What do you mean? Sorry confused, been looking at this too long – IceCreative Jan 30 '17 at 12:46
  • $insert_new_project = "INSERT INTO projects VALUES ('','$project_name','$project_lead','$project_type','$project_start','$project_due','$esc_project_link','$esc_project_desc')"; this is your insert query, right? For what columns are you adding these values?? – Soniya Basireddy Jan 30 '17 at 12:47
  • The columns are in a table named 'projects' in my database – IceCreative Jan 30 '17 at 12:48
  • can you please provide the database screenshot once – Soniya Basireddy Jan 30 '17 at 12:49
  • project is a database table name, and we need to give column names before inserting into the database, for example: $sql = "INSERT INTO persons (person_id, first_name, last_name, email_address) VALUES (1, 'Peter', 'Parker', 'peterparker@mail.com')"; like this – Soniya Basireddy Jan 30 '17 at 12:50
  • I've always done my queries without doing that and they've always worked, unless there's a typo. – IceCreative Jan 30 '17 at 12:52
  • What happens on execution? Error? Use 1 isset. Why aren't you escaping the other inputs? You should update to `mysqli` or `pdo` and use parameterized queries. – chris85 Jan 30 '17 at 12:57
  • ***Please [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php).*** [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Jan 30 '17 at 13:25
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Jan 30 '17 at 13:26

1 Answer

0

You should declare the columns into which you are inserting your data:

$insert = "INSERT INTO table_name
           (column1, column2, column3,...)
           VALUES (value1, value2, value3,...)";

This is an insert with correct syntax from w3schools.com.

For more information check out w3schools.com

SacrumDeus
  • No, you don't have to. Refer to primary sources. https://dev.mysql.com/doc/refman/5.7/en/insert.html `If you do not specify a list of column names for INSERT ... VALUES or INSERT ... SELECT, values for every column in the table must be provided by the VALUES list` – chris85 Jan 30 '17 at 13:04
  • Although this is possible, I never would use this syntax. In my opinion your example is less readable and could cause errors, if you are adding a field to your table. However it's a good hint :D – SacrumDeus Jan 30 '17 at 13:33
  • I agree, less readable but still valid. Also that's not my example, that is `mysql`'s. So `You have to declare your columns` is not a true statement. Also don't refer to `w3schools`, the mysql docs are much more thorough. – chris85 Jan 30 '17 at 13:39
  • I edited my little fault `"have to" -> "should"`. You are correct. I should use mysql.dev for reference. W3SCHOOLS doesn't refer to W3C. – SacrumDeus Jan 30 '17 at 13:52
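
The parameterized-query advice in the comments on the question and the explicit column list from the answer, combined as an added example (not code from any poster in this thread). The column names are assumed to match the form field names because the page never shows the `projects` schema, and an in-memory SQLite database stands in for MySQL so the script runs offline.

```php
<?php
// Added example. Column names are assumed: the page never shows the schema.
const PROJECT_FIELDS = ['project_name', 'project_lead', 'project_type',
    'project_start', 'project_due', 'project_link', 'project_desc'];

function insertProject(PDO $pdo, array $post): int
{
    $params = [];
    foreach (PROJECT_FIELDS as $field) {
        $value = $post[$field] ?? '';
        if (!is_string($value) || trim($value) === '') {
            throw new InvalidArgumentException("Missing field: $field");
        }
        $params[":$field"] = $value;
    }
    // Explicit column list: the auto-increment id is left out instead of
    // being sent as '', and a column added later does not shift the values.
    $stmt = $pdo->prepare(
        'INSERT INTO projects
            (project_name, project_lead, project_type, project_start,
             project_due, project_link, project_desc)
         VALUES
            (:project_name, :project_lead, :project_type, :project_start,
             :project_due, :project_link, :project_desc)'
    );
    $stmt->execute($params); // every value is bound, none is spliced into SQL
    return (int) $pdo->lastInsertId();
}

// Constructed demo: in-memory SQLite stands in for MySQL so this runs offline.
$pdo = new PDO('sqlite::memory:', null, null,
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE projects (id INTEGER PRIMARY KEY AUTOINCREMENT,
    project_name TEXT, project_lead TEXT, project_type TEXT, project_start TEXT,
    project_due TEXT, project_link TEXT, project_desc TEXT)');
// Constructed form input; the apostrophes are stored as ordinary data.
$post = [
    'project_name' => "Client's intranet", 'project_lead' => "O'Neil",
    'project_type' => 'web', 'project_start' => '2017-02-01',
    'project_due' => '2017-03-01', 'project_link' => 'https://example.com/p?id=1',
    'project_desc' => 'Redesign of the intranet landing page',
];
try {
    echo 'Inserted project #' . insertProject($pdo, $post) . "\n";
} catch (PDOException | InvalidArgumentException $e) {
    error_log('Project insert failed: ' . $e->getMessage()); // real cause, logged
}
```

With exception mode on, a failed insert reports the database's own error message to the log rather than only redirecting to `projects.php?new=fail`.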