-4

So I'm trying to get my data from my form submission to be put into a MySQL database, but whenever I submit a form it gives me this error: Error: INSERT INTO form_submissions(ID, first, last, phone, class) VALUES ([value-1],[value-2],[value-3],[value-4],[value-5])

Now here is my PHP code:

<?php
$servername = "localhost";
$username = "root";
$password = "";
$dbname = "form_database";

$value = $_POST['first'];
$value1 = $_POST['last'];
$value2 = $_POST['phone'];
$value3 = $_POST['class'];

$conn = new mysqli($servername, $username, $password, $dbname);

if ($conn->connect_error) {
    die("connection failed: " . $conn->connect_error);
}

$sql = "INSERT INTO `form_submissions`(`ID`, `first`, `last`, `phone`,
`class`) VALUES ([value-1],[value-2],[value-3],[value-4],[value-5])";

if ($conn->query($sql) === TRUE) {
    echo "Submitted Successfully";
} else {
    echo "Error: " . $sql . "<br>" . $conn->error;
}

$conn->close();
?>
  • Use quotes, not brackets, as your string delimiters – John Conde Mar 22 '17 at 19:46
  • Your script is at risk of [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) Have a look at what happened to [Little Bobby Tables](http://bobby-tables.com/) Even [if you are escaping inputs, its not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). – John Conde Mar 22 '17 at 19:46
  • what you have there `[value-x]` is mssql/oracle syntax, not mysql – Funk Forty Niner Mar 22 '17 at 20:26
  • and make sure that you have the right privileges to do that operation, after seeing this comment from you [*"Table 'form_submissions' is read only"*](http://stackoverflow.com/questions/42961285/php-wont-input-data-into-database#comment73017240_42961366) - You are reading comments here, right? – Funk Forty Niner Mar 22 '17 at 20:30
  • I guess you're not. – Funk Forty Niner Mar 22 '17 at 20:35

4 Answers

0

Assuming that ID is auto-incrementing and that the others are text:

$sql = "INSERT INTO `form_submissions`(`first`, `last`, `phone`,
`class`) VALUES ('$value','$value1','$value2','$value3')";
  • ID is auto-incrementing and the others are text, yes. Changed to that but it still prompts me with an error: Error: INSERT INTO `form_submissions`(`first`, `last`, `phone`,`class`) VALUES ('Anna','brown','07666435756','Big band sound') Table 'form_submissions' is read only – Brogan Shead Mar 22 '17 at 19:59
0

Your query should look like:

INSERT INTO `form_submissions`(`first`, `last`, `phone`, `class`)
VALUES ('John','doe', '98564', 'SOMECLASS');

To check: echo the $sql query and debug it in phpMyAdmin.
Note: If you enabled AUTO_INCREMENT, you can leave that column out of the insert. It will do its job automatically.

Security tip: to prevent SQL injection, check out this post.

Anbuselvan Rocky
  • [Escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Apr 10 '17 at 13:18
-2

There are two things wrong.

The first thing is you give 5 fields (ID, first, last, phone, class) and you only have 4 variables in your post. I think you don't need to send the ID on an insert if the column is set to auto increment in the database, so don't send a value for the ID field.

Your variables are not correctly inserted in the query. The [value-1] does not mean the $value1 variable will automatically be injected there. This can be done in a lot of ways; I will give you a simple solution (but it will be a bad one for real websites). The simple solution is:

$sql = "INSERT INTO `form_submissions`(`first`, `last`, `phone`,`class`) VALUES ('$value','$value1','$value2','$value3')";

The reason this is bad is: you are directly entering POST data inside your query and are now vulnerable to SQL injection. You need to escape your POST data before inserting it in a query. Or better yet, don't use mysqli but PDO. A good PDO example can be found here: https://www.w3schools.com/php/php_mysql_insert.asp

I hope this helps.

Jos Luijten
  • Done this and prompted with error: Error: INSERT INTO form_submissions(first, last, phone, class) VALUES (‘”.Anna.”’,‘”.brown.”’,‘”.07666435756.”’, ‘”.Big band sound.”’) You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '��”.Anna.”’,‘”.brown.”’,‘�' at line 1 – Brogan Shead Mar 22 '17 at 20:05
  • Something is going wrong with the quotes. So I will try to fix that; you will see an edit shortly – Jos Luijten Mar 22 '17 at 20:15
  • Because my spelling is so bad, I use Word to correct my spelling before I paste it here. But Word changes the single quotes to other symbols. I removed the double quotes and changed the single quotes to the correct ones – Jos Luijten Mar 22 '17 at 20:24
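The prepared-statement fix that the comment on the question, the security tip in the answer above, and the PDO suggestion in this answer all point to, written out as an added example. This is not code from the question or from any of the answers. It assumes the question's `form_submissions` table (auto-incrementing `ID`, text columns `first`, `last`, `phone`, `class`) and the same `localhost`/`root` connection details; the function names, the `utf8mb4` charset choice and the hostile sample value are constructed for the illustration.

```php
<?php
// Added example, not the question's or the answers' code.
// Assumes the question's form_submissions table (auto-increment ID,
// text columns first/last/phone/class) on localhost, user root, no password.

// 1. What string interpolation (the answers' "simple solution") actually
//    sends to the server. This only builds the SQL text, it never runs it.
function buildUnsafeInsert(array $row): string
{
    return "INSERT INTO `form_submissions`(`first`, `last`, `phone`, `class`) "
         . "VALUES ('{$row['first']}','{$row['last']}','{$row['phone']}','{$row['class']}')";
}

// 2. mysqli prepared statement: the SQL goes to the server with placeholders,
//    the values travel separately, so no value can change what the statement does.
function insertSubmissionMysqli(mysqli $conn, array $row): int
{
    $stmt = $conn->prepare(
        "INSERT INTO `form_submissions`(`first`, `last`, `phone`, `class`) VALUES (?, ?, ?, ?)"
    );
    if ($stmt === false) {
        throw new RuntimeException("prepare failed: " . $conn->error);
    }
    $stmt->bind_param('ssss', $row['first'], $row['last'], $row['phone'], $row['class']);
    if (!$stmt->execute()) {
        throw new RuntimeException("execute failed: " . $stmt->error);
    }
    $id = (int) $conn->insert_id; // the auto-increment ID the server assigned
    $stmt->close();
    return $id;
}

// 3. The same insert with PDO, as this answer recommends. Emulated prepares are
//    switched off so the MySQL server, not the PHP driver, binds the values.
function insertSubmissionPdo(PDO $pdo, array $row): int
{
    $stmt = $pdo->prepare(
        "INSERT INTO `form_submissions`(`first`, `last`, `phone`, `class`) "
        . "VALUES (:first, :last, :phone, :class)"
    );
    $stmt->execute([
        ':first' => $row['first'],
        ':last'  => $row['last'],
        ':phone' => $row['phone'],
        ':class' => $row['class'],
    ]);
    return (int) $pdo->lastInsertId();
}

if (PHP_SAPI === 'cli') {
    // Constructed sample input: the submission from the question's comments,
    // and a copy where "first" closes the quote and appends a second statement.
    $normal  = ['first' => 'Anna', 'last' => 'brown', 'phone' => '07666435756', 'class' => 'Big band sound'];
    $hostile = $normal;
    $hostile['first'] = "Anna','x','x','x'); DROP TABLE form_submissions; -- ";

    echo buildUnsafeInsert($normal), "\n";
    echo buildUnsafeInsert($hostile), "\n";
    // The second line is two statements with the rest of the form commented out.
    // mysqli::query() refuses to run more than one statement, but a single
    // statement is enough for UNION or boolean-based extraction, so the fix is
    // to keep data out of the query text entirely, not to add escaping.
} else {
    // Form handler. Reject missing fields instead of letting them become notices
    // and empty strings.
    $row = [];
    foreach (['first', 'last', 'phone', 'class'] as $field) {
        if (!isset($_POST[$field]) || !is_string($_POST[$field])) {
            http_response_code(400);
            exit("missing field: $field");
        }
        $row[$field] = $_POST[$field];
    }

    // Make mysqli throw on errors (including "Table ... is read only")
    // instead of silently returning false.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    $conn = new mysqli('localhost', 'root', '', 'form_database');
    $conn->set_charset('utf8mb4');
    $id = insertSubmissionMysqli($conn, $row);
    $conn->close();

    // Equivalent PDO connection for insertSubmissionPdo():
    // $pdo = new PDO('mysql:host=localhost;dbname=form_database;charset=utf8mb4', 'root', '', [
    //     PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    //     PDO::ATTR_EMULATE_PREPARES => false,
    // ]);

    echo "Submitted Successfully (row $id)";
}
```

Run it from the command line (`php insert.php`) to see the two query strings that interpolation would produce; served from a web server it handles the form POST with the mysqli prepared statement. With strict error reporting on, a failed insert surfaces as an exception with the server's message rather than a silent `false`, which is also what makes the "read only" error visible without echoing the query back to the browser.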
-3

Your SQL is apparently wrong. It should look something like this:

$sql = "INSERT INTO `form_submissions`(`ID`, `first`, `last`, `phone`,
`class`) VALUES ('$value1','$value2','$value3','$value4','$value5')";

The field ID should be auto_increment. If it is, you don't need to pass value to it.