I'm trying to insert into a table video_advert, but it's failing:

    $result=mysqli_query($db_handle,"INSERT INTO video_advert(title,video,date_out,gender,quantity,room,description) VALUES('".$_POST['adtitle']."','".$imagename."','".$_POST['addate']."','".$_POST['adgender']."','".$_POST['adquantity']."','".$_POST['adroom']."','".$_POST['addescription']."',)");
    if($result){
        $message1="you are now SignUp";
        header("Location:index.php?msid=$message1");
    }
    else{
        echo "not done!";
    }

All my field names are correct, but it's returning "not done!". Please help.

benyusouf

  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! [Don't believe it?](http://stackoverflow.com/q/38297105/1011527) – Jay Blanchard Mar 15 '17 at 13:04
  • You have a syntax error - a typo, matter o' fact. – Funk Forty Niner Mar 15 '17 at 13:04
  • `echo "not done!";` did not help you, `mysqli_error($db_handle)` will. – Funk Forty Niner Mar 15 '17 at 13:05
  • You should take a look at http://bobby-tables.com ... your code is very vulnerable to SQL injections... your database can be hacked in a few seconds. Learn about prepared statements and use them. NEVER, really NEVER put `$_POST` variables into a SQL statement. NEVER let user input parameters directly. – Twinfriends Mar 15 '17 at 13:06
  • The extra comma. – Masivuye Cokile Mar 15 '17 at 13:07
  • Please help me identify it @Fred – benyusouf Mar 15 '17 at 13:07

1 Answer

You have an extra comma after description. Remove it and it will be fine.

Alex

  • Yes, that's really the case, thanks, my eyes never saw that. – benyusouf Mar 15 '17 at 13:10
  • Love how @AbdullahiYusuf just looks for answers and completely ignores our recommendations of prepared statements. As we said... your application is really really unsafe. – Twinfriends Mar 15 '17 at 13:13
  • I understand that @twinfriends, actually I'm just testing something, but what I usually do is assign the post data to PHP variables and then use the variables as VALUES in the MySQL insert. Thanks a lot. – benyusouf Mar 15 '17 at 13:33
  • 1. You should always code the proper way, even if you're just testing. 2: That won't help anything!!!! You really have to use prepared statements. Assigning post data to variables and using them in the statement won't change anything. The SQL injection still works the exact same way. – Twinfriends Mar 15 '17 at 13:37
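The comments above make two points that the accepted fix (removing the comma) does not address: the query should be a prepared statement with bound parameters, and the failure should be reported through mysqli's own error mechanism rather than a bare "not done!". The block below is an added example, not the asker's or the answerer's code. It rewrites the INSERT from the question using mysqli prepared statements. The table and column names are taken from the question; `$db_handle` and `$imagename` are assumed to be set up earlier in the script as in the original, and the column types behind the `bind_param` type string (strings everywhere except an integer `quantity`) are assumptions.

```php
<?php
// Added example, not the page's own code. It assumes $db_handle is an open
// mysqli connection and $imagename holds the uploaded file name, exactly as in
// the question. Column types for the bind_param type string are assumptions.

// Make mysqli throw an exception on any error instead of returning false, so a
// stray comma in the SQL produces a readable message rather than "not done!".
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function insertVideoAdvert(mysqli $db_handle, array $post, string $imagename): int
{
    // The SQL text contains only placeholders. It is sent to the server and
    // parsed before any value is attached, so nothing in $post can alter the
    // structure of the statement. This is what makes it injection-safe.
    $sql = "INSERT INTO video_advert
                (title, video, date_out, gender, quantity, room, description)
            VALUES (?, ?, ?, ?, ?, ?, ?)";

    $stmt = mysqli_prepare($db_handle, $sql);

    // Copying $_POST entries into local variables, as the asker describes, adds
    // no protection by itself; binding them as parameters below is what matters.
    $title       = $post['adtitle']       ?? '';
    $date_out    = $post['addate']        ?? '';
    $gender      = $post['adgender']      ?? '';
    $quantity    = (int) ($post['adquantity'] ?? 0);
    $room        = $post['adroom']        ?? '';
    $description = $post['addescription'] ?? '';

    // Type string: one character per placeholder, s = string, i = integer.
    // Order matches the column list: title, video, date_out, gender, quantity,
    // room, description.
    mysqli_stmt_bind_param(
        $stmt, 'ssssiss',
        $title, $imagename, $date_out, $gender, $quantity, $room, $description
    );

    mysqli_stmt_execute($stmt);
    $inserted = mysqli_stmt_affected_rows($stmt);
    mysqli_stmt_close($stmt);

    return $inserted;
}

// Usage, mirroring the control flow of the original script.
try {
    if (insertVideoAdvert($db_handle, $_POST, $imagename) === 1) {
        header('Location: index.php?msid=' . urlencode('you are now SignUp'));
        exit;
    }
    echo 'not done!';
} catch (mysqli_sql_exception $e) {
    // Log the real MySQL error for the developer; do not echo it to the browser,
    // since it may reveal table structure to whoever submitted the form.
    error_log('video_advert insert failed: ' . $e->getMessage());
    echo 'not done!';
}
```

With `MYSQLI_REPORT_STRICT` enabled, the original bug (the trailing comma before the closing parenthesis) would have surfaced as a `mysqli_sql_exception` carrying MySQL's syntax error text at the `mysqli_prepare` call, which is the diagnostic the comment about `mysqli_error($db_handle)` was pointing at.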