PHP, query failed

Question

I have this code and variable "p1" is an int. Debugger shows it takes values properly. But I get "query failed". Database values are set to int. Any help?

<?php
    session_start();
    include 'connect_db.php'; 
    $con = $_SESSION['connection'];

        $query = "SELECT * FROM class WHERE id_class ='".$_GET['p1']."'";
        $result=@mysql_query($con,$query) or die('Error, query1 failed');
        $num_result=mysqli_num_rows($result);


        if($num_result>0){

                $insert_query= " INSERT INTO user_program SET 
                                            id_class='".$_POST['id_class']."'
                                            WHERE id_user='".$_SESSION['id_user']."'";

        $insert=mysqli_query($con,$insert_query) or die('Error,query2 failed');


            if ($insert) {
                echo '<html><meta charset="UTF-8"><script language="javascript">alert("ok!"); document.location="add_classes_form.php";</script></html>';
            }
            else {
                echo '<html><meta charset="UTF-8"><script language="javascript">alert("not ok.")</script></html>';
                echo '<script language="javascript"> document.location="add_classes_form.php";</script>';
                exit();
            }   
        }

?>

Answer 1

First of all, u can't mix mysql with mysqli as u can see in your example.

Mysql is deprecated but i will give u example just to see how it works in mysql and mysqli and what is diference between those two approach.

Avoid to use @ in query because u can't see if real error appear, this is a bad practice.

First of all this is a bad practice in both ways because its not secure even if u escape variables with mysql_real_escape_string() or mysqli_real_escape_string(). Instead of using this use PDO with prepared statements.

Use of mysqli

// mysqli connection
$con = mysqli_connect('host', 'username', 'password', 'database_name');

Code

<?php

session_start();
include 'connect_db.php';
$con = $_SESSION['connection'];

$p1 = mysqli_real_escape_string($con, $_GET['p1']);

$query = "SELECT * FROM class WHERE id_class = '$p1'";
$result = mysqli_query($con, $query) or die('Error, query failed');
$num_result = mysqli_num_rows($result);

$id_class = mysqli_real_escape_string($con, $_POST['id_class']);
$id_user = mysqli_real_escape_string($con, $_SESSION['id_user']);

if ($num_result > 0)
{
    $insert_query = "UPDATE user_program SET id_class = '$id_class' WHERE id_user = '$id_user'";

    $insert = mysqli_query($con, $insert_query) or die('Error,query failed');


    if ($insert)
    {
        echo '<html><meta charset="UTF-8"><script language="javascript">alert("OK!"); document.location="add_classes_form.php";</script></html>';
    }
    else
    {
        echo '<html><meta charset="UTF-8"><script language="javascript">alert("Not OK.")</script></html>';
        echo '<script language="javascript"> document.location="add_classes_form.php";</script>';
        exit();
    }   
}
?>