2

I am trying to insert a row into my database, but whatever I seem to do I am always getting an error.

Sometimes I get parse errors and sometimes I get column errors.

Here is my code.

Thanks in advance.

<?php
include_once('config.php');



$asin = $_POST['asin'];
// $title = "<script>document.write(title)</script>";
// $mpn =  "<script>document.write(mpn)</script>";
// $price = "<script>document.write(price)</script>";

$sql = "INSERT INTO `amazon`.`amazon` (`asin`, `title`, `mpn`, `price`) VALUES ($asin, "test", 1, 2)";


  // $sql = 'INSERT INTO amazon'.
  //     '(asin, title, mpn,price) '.
  //     'VALUES ('{$asin},' "test", 1, 2)';

   mysql_select_db('amazon');
   $retval = mysql_query( $sql, $conn );
   if(! $retval ) {
        die('Could not enter data: ' . mysql_error());
     }

     echo "Entered data successfully\n";


     ?>
Edon Freiner
  • Please [don't use `mysql_*`](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php?rq=1); the `mysql_*` functions are outdated, [deprecated](http://us3.php.net/manual/en/intro.mysql.php), and insecure - they have been removed entirely from modern versions of PHP (version 7.0 and higher). Use [`MySQLi`](http://us3.php.net/manual/en/book.mysqli.php) or [`PDO`](http://us3.php.net/manual/en/intro.pdo.php) instead. – elixenide Mar 14 '17 at 05:19
  • 1
    Also, you are wide open to [**SQL injection**](https://www.owasp.org/index.php/SQL_Injection). You need to use prepared statements, rather than concatenating variables into your query. See [How can I prevent SQL injection in PHP?](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1). – elixenide Mar 14 '17 at 05:20
  • 1
    You have the answer, but Ed Cottrell's comment is more important than the answer – arif_suhail_123 Mar 14 '17 at 05:22

3 Answers

2

You need to use single quotes ('') around your variable $asin, as:

$sql = "INSERT INTO `amazon`.`amazon` (`asin`, `title`, `mpn`, `price`) VALUES ('".$asin."', 'test', 1, 2)";
Vikas Umrao
1

Note:

  • You can't use double quotes inside double quotes. Replace the double quotes (") with single quotes (') around the test value.

  • Use variables in single quotes (example: $asin to '$asin').

Replace your query with this:

$sql = "INSERT INTO `amazon`.`amazon` (`asin`, `title`, `mpn`, `price`) VALUES ('$asin', 'test', 1, 2)";
shubham715
1

You have made two mistakes in

$sql = "INSERT INTO `amazon`.`amazon` (`asin`, `title`, `mpn`, `price`) VALUES ($asin, "test", 1, 2)";

$asin and "test".

If $asin is always an integer value then it's okay; otherwise you have to write it as '".$asin."'.

And for "test", the error is the comma you use here (") because your query starts with the same (") comma, so when you put the same comma before test the query ends there and gives you an error. So replace this comma with (').

Replace "test" with 'test'.

Now the correct query is:

$sql = "INSERT INTO `amazon`.`amazon` (`asin`, `title`, `mpn`, `price`) VALUES ('".$asin."', 'test', 1, 2)";
GYaN
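The answers above fix the quoting, but the comments make the more important point: concatenating `$_POST['asin']` into the SQL string leaves the query open to SQL injection, and quoting does not change that. The following is an added example, not code from the question or any answer, showing the same INSERT done with a PDO prepared statement: the statement text is fixed and the values are bound separately, so no quoting is needed at all and the input cannot alter the query. The DSN, user, password and the ASIN validation regex are assumptions standing in for whatever `config.php` provides.

```php
<?php
// Added example (not from the question or answers): the same INSERT using a
// PDO prepared statement instead of the removed mysql_* functions.
declare(strict_types=1);

function connect(): PDO {
    // Assumed connection details; in the original setup these live in config.php.
    $dsn = 'mysql:host=localhost;dbname=amazon;charset=utf8mb4';
    return new PDO($dsn, 'DB_USER_PLACEHOLDER', 'DB_PASSWORD_PLACEHOLDER', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // throw instead of returning false
        PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares
    ]);
}

/**
 * Insert one row. The SQL text never contains user data; the values travel
 * separately as bound parameters, so input such as  x'), ('y  is stored as a
 * literal string and cannot change the statement's meaning.
 */
function insertProduct(PDO $pdo, string $asin, string $title, int $mpn, float $price): int {
    $sql = 'INSERT INTO `amazon`.`amazon` (`asin`, `title`, `mpn`, `price`)'
         . ' VALUES (:asin, :title, :mpn, :price)';
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':asin',  $asin,  PDO::PARAM_STR);
    $stmt->bindValue(':title', $title, PDO::PARAM_STR);
    $stmt->bindValue(':mpn',   $mpn,   PDO::PARAM_INT);
    $stmt->bindValue(':price', $price);   // PDO has no float type; sent as a string, MySQL converts
    $stmt->execute();
    return $stmt->rowCount();
}

// Validate the untrusted input before it reaches the database. The pattern is an
// assumption about the data (ten upper-case alphanumerics); adjust it to what the
// column really stores. Validation is defence in depth, not a substitute for binding.
$asin = $_POST['asin'] ?? '';
if (!preg_match('/^[A-Z0-9]{10}$/', $asin)) {
    http_response_code(400);
    exit('Invalid asin');
}

try {
    $pdo  = connect();
    $rows = insertProduct($pdo, $asin, 'test', 1, 2.0);
    echo "Entered data successfully ({$rows} row)\n";
} catch (PDOException $e) {
    // Log the detail server-side; unlike the original die(mysql_error()), do not
    // echo the database error text to the browser.
    error_log($e->getMessage());
    http_response_code(500);
    exit('Could not enter data');
}
```

With placeholders there is nothing to quote by hand, which is why the `"test"` versus `'test'` problem from the question disappears as well. The same shape works with `mysqli` (`prepare`, `bind_param('ssid', ...)`, `execute`); PDO is used here only because named placeholders read more clearly.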