-2

I'm trying to add data to my database, but this code seems to just add blank data. Any solutions would be much appreciated. Thanks in advance.

```php
<?php
session_start();
include 'dbh.php';

$start = $_POST['starttime'];
$finish = $_POST['finishtime'];
$dat = $_POST['date'];
$id = $_POST['userid'];

$sql = "INSERT INTO shift (shiftStart, shiftFinish, shiftDate) 
VALUES ('$start', '$finish', '$dat')";
$result = mysqli_query($conn, $sql);

if ($result->affected_rows){
    $row=$result->fetch_assoc();
    echo'<pre>',print_r($row),'</pre>';
}else{
    echo"didnt work";
}

//header("Location: index.php");
?>
```
Darren
  • print your sql query like `echo $sql` and check what it returns? – Mayank Pandeyz Mar 06 '17 at 14:45
  • I will try this, however the code works when I GET instead of POST the data from the form?... This is what I get when I echo "connected INSERT INTO shift (shiftStart, shiftFinish, shiftDate) VALUES ('', '', '')didnt work" – Darren Mar 06 '17 at 14:47
  • 1
    `For successful SELECT, SHOW, DESCRIBE or EXPLAIN queries mysqli_query() will return a mysqli_result object. For other successful queries mysqli_query() will return TRUE.` So why do you expect to be able to fetch a row from `$result` after an INSERT query? – Mark Baker Mar 06 '17 at 14:48
  • Ignore the query below that was me experimenting with other results before this. – Darren Mar 06 '17 at 14:49
  • 5
    ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** – hassan Mar 06 '17 at 14:52
  • Maybe a silly question, but does your form (HTML) have type="POST"? – Marvinoo_ Mar 06 '17 at 14:59
  • Following @Marvinoo_'s comment, you should check that your parameters are set. – NaeiKinDus Mar 06 '17 at 15:00
  • **The mysqli_affected_rows() function returns the number of affected rows in the previous SELECT, INSERT, UPDATE, REPLACE, or DELETE query.** – Masivuye Cokile Mar 06 '17 at 15:24
  • *however the code works when i GET instead of POST the data from the form?* If it's working when you have used $_GET, that means your form method is get. If you want to use post, change the method to post. – Masivuye Cokile Mar 06 '17 at 15:25
  • If an answer solved your problem, consider accepting the answer. Here's how http://meta.stackexchange.com/questions/5234/how-does-accepting-an-answer-work then return here and do the same with the tick/checkmark till it turns green. This informs the community, a solution was found. Otherwise, others may think the question is still open and may want to post (more) answers. You'll earn points and others will be encouraged to help you. *Welcome to Stack!* – Jay Blanchard Apr 03 '17 at 14:27

2 Answers

0
```php
$sql = "INSERT INTO shift (shiftStart, shiftFinish, shiftDate) 
VALUES (".$start.", ".$finish.", ".$dat.")";
$result = mysqli_query($conn, $sql);
```

Try the above. If any are string values, you will need to add single quotation marks around them ('".$start."').

Toxide82
0

First of all, use var_dump() to check all $_POST variables - do they have values? If the method of your form is "get" you should use $_GET.

Step 2. After finding the (probably missing) variables, please change your SQL query, otherwise you will have a big risk of injection. You should use prepared statements everywhere when dealing with a database. Check the manual - http://php.net/manual/ru/mysqli.quickstart.prepared-statements.php . And, by the way, you are missing the execute() function in your code.

labris
  • *And, by the way, you missing execute () function in your code.* what is he going to execute? – Masivuye Cokile Mar 06 '17 at 15:27
  • How it should be: `code /* Prepared statement, stage 1: prepare */ if (!($stmt = $mysqli->prepare("INSERT INTO test(id) VALUES (?)"))) { echo "Prepare failed: (" . $mysqli->errno . ") " . $mysqli->error; } /* Prepared statement, stage 2: bind and execute */ $id = 1; if (!$stmt->bind_param("i", $id)) { echo "Binding parameters failed: (" . $stmt->errno . ") " . $stmt->error; } if (!$stmt->execute()) { echo "Execute failed: (" . $stmt->errno . ") " . $stmt->error; }` – labris Mar 07 '17 at 13:11
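
The points raised in the comments and answers (check that the POST fields actually arrived, bind them in a prepared statement, and read `affected_rows` instead of fetching a row from an INSERT) combined in one script, as an added example that is not code from the question or either answer. It assumes `dbh.php` defines `$conn` as in the question; the time and date formats and the helper names `readShiftInput` and `insertShift` are assumptions.

```php
<?php
// Added example; assumes dbh.php defines $conn (a mysqli connection) as in the question.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

/** Return the validated fields, or throw if the form did not POST them. */
function readShiftInput(array $post): array
{
    $patterns = [ // assumed formats: HH:MM[:SS] and YYYY-MM-DD
        'starttime'  => '/^\d{2}:\d{2}(:\d{2})?\z/',
        'finishtime' => '/^\d{2}:\d{2}(:\d{2})?\z/',
        'date'       => '/^\d{4}-\d{2}-\d{2}\z/',
    ];
    $clean = [];
    foreach ($patterns as $field => $pattern) {
        $value = $post[$field] ?? null;
        // Missing here usually means method="get" on the form or a different name=""
        if (!is_string($value) || !preg_match($pattern, trim($value))) {
            throw new InvalidArgumentException("Missing or malformed field: $field");
        }
        $clean[$field] = trim($value);
    }
    return $clean;
}

/** Insert one shift with bound parameters; returns the number of rows inserted. */
function insertShift(mysqli $conn, array $in): int
{
    $stmt = $conn->prepare(
        'INSERT INTO shift (shiftStart, shiftFinish, shiftDate) VALUES (?, ?, ?)'
    );
    $stmt->bind_param('sss', $in['starttime'], $in['finishtime'], $in['date']);
    $stmt->execute();
    $rows = $stmt->affected_rows; // read from the statement; an INSERT has no result set
    $stmt->close();
    return $rows;
}

try {
    include 'dbh.php';
    $rows = insertShift($conn, readShiftInput($_POST));
    echo "Inserted $rows row(s)";
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo htmlspecialchars($e->getMessage());
} catch (mysqli_sql_exception $e) {
    http_response_code(500);
    error_log($e->getMessage()); // keep database details out of the response
    echo 'Database error';
}
```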