-1

I am having an issue inserting into a table. The connection file is correct and is coming from header.php. There are no errors, but when I go into the table no records are being inserted.

```php
<?php

include('header2.php');

if(isset($_POST['done'])) {
    $title = $_POST['title'];
    $description = $_POST['description'];
    $link = $_POST['link'];
    $company = $_POST['company'];

    $sql = "INSERT INTO placements (title, description, link, company)
    VALUES ('$title', '$description', '$link','$company')";
    // use exec() because no results are returned
    echo "New record created successfully";
}

?>

<html>
<head>
    <title> Add a Placement </title>
</head>
<body>

<form method="post">
    <input type="text" name="title" placeholder="title">
    <input type="text" name="description" placeholder="description">
    <input type="text" name="company" placeholder="company">
    <input type="text" name="link" placeholder="link">
    <input type="submit" name="done">

</form>

</body>
</html>
```
aynber
minal.m
  • 1
    You only have a comment where you should have code to exec the query. – Sloan Thrasher Apr 14 '17 at 15:33
  • 2
    Your code is vulnerable to [**SQL injection attacks**](https://en.wikipedia.org/wiki/SQL_injection). You should use [**mysqli**](https://secure.php.net/manual/en/mysqli.prepare.php) or [**PDO**](https://secure.php.net/manual/en/pdo.prepared-statements.php) prepared statements with bound parameters as described in [**this post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). – Alex Howansky Apr 14 '17 at 15:33
  • (1) Print out `$sql` after variable substitution and the answer will probably be obvious. (2) Learn to use parameters. Munging variables into a query string is just asking for trouble and for unexpected syntax errors in queries. – Gordon Linoff Apr 14 '17 at 15:33
  • 2
    You never execute the query – John Conde Apr 14 '17 at 15:34
  • 1
    And at no point do you actually *run* your insert query. – aynber Apr 14 '17 at 15:35
  • How do I run it? Thanks – minal.m Apr 14 '17 at 15:38
  • and Lord only knows which API is used to connect with, so it's anyone's guess really. – Funk Forty Niner Apr 14 '17 at 15:38

1 Answer

0

You are not executing the query at all. I assume your database connection is as below; run your query. It should work.

Tested.

```php
<?php
$servername = "localhost";
$username = "username";
$password = "password";
$dbname = "myDB";

// Create connection
$conn = mysqli_connect($servername, $username, $password, $dbname);
// Check connection
if (!$conn) {
    die("Connection failed: " . mysqli_connect_error());
}

if(isset($_POST['done'])) {
    $title = $_POST['title'];
    $description = $_POST['description'];
    $link = $_POST['link'];
    $company = $_POST['company'];

    $sql = "INSERT INTO placements (title, description, link, company)
    VALUES ('$title', '$description', '$link','$company')";

    // Execute the query and report the outcome
    if (mysqli_query($conn, $sql)) {
        echo "New record created successfully";
    } else {
        echo "Error: " . $sql . "<br>" . mysqli_error($conn);
    }

}
```
Fahad Almehaini
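The comments above recommend prepared statements with bound parameters. The following is an added example, not code from the question or the answer, showing the same `INSERT` executed that way with mysqli. It assumes the placeholder credentials and database name from the answer and that the connection uses mysqli; the function name `insert_placement` is hypothetical.

```php
<?php
// Added example: the page's INSERT rewritten with bound parameters.
// Credentials below are the placeholders used in the answer (assumed).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

// Hypothetical helper: validates the form fields and inserts one row.
function insert_placement(mysqli $conn, array $post): bool
{
    // Every field the form sends must be present and a plain string
    // (a request such as title[]=x would otherwise arrive as an array).
    foreach (['title', 'description', 'link', 'company'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            return false;
        }
    }
    $title       = trim($post['title']);
    $description = trim($post['description']);
    $link        = trim($post['link']);
    $company     = trim($post['company']);

    // The SQL text is constant; user input travels only as bound values,
    // so quotes in a field cannot change the statement's structure.
    $stmt = $conn->prepare(
        'INSERT INTO placements (title, description, link, company)
         VALUES (?, ?, ?, ?)'
    );
    $stmt->bind_param('ssss', $title, $description, $link, $company);
    $stmt->execute();   // this is the step missing from the question
    $stmt->close();
    return true;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_POST['done'])) {
    try {
        $conn = new mysqli('localhost', 'username', 'password', 'myDB');
        $conn->set_charset('utf8mb4');
        echo insert_placement($conn, $_POST)
            ? 'New record created successfully'
            : 'Missing or invalid form field';
    } catch (mysqli_sql_exception $e) {
        // Log details server-side; do not echo the SQL or driver error.
        error_log('placements insert failed: ' . $e->getMessage());
        http_response_code(500);
        echo 'Could not save the record';
    }
}
```

When the stored values are later rendered in a page, escape them on output with `htmlspecialchars()`; bound parameters protect the query, not the HTML.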