
I've got a problem in my code. The insert is not working. The code is below.

HTML:

<form action="staff.php" method="post" class="center" enctype="multipart/form-data" autocomplete="off">
    <input type="hidden" name="size" value="1000000">
    <input type="text" placeholder="headline of the news" name="title">
    <input type="file" accept="image/*" name="image">
    <select name="side">
        <option>Left</option>
        <option>Header</option>
        <option>Main</option>
        <option>Ending</option>
    </select>
    <textarea name="desc" id="description" cols="30" rows="10" placeholder="full news"></textarea>
    <input type="submit" name="go" value="Post">
</form>

PHP:

<?php
$db = mysqli_connect("DB SERVER", "DB USER", "DB PASS", "DataBase");
$charset = mysqli_set_charset($db,"utf8");
$msg = "";
if (isset($_POST['go'])) {
    $target = "images/".basename($_FILES['image']['name']);
    // raw request values, used below without escaping or parameter binding
    $title = $_POST['title'];
    $image = $_FILES['image']['name'];
    $side = $_POST['side'];
    $desc = $_POST['desc'];
    // user input is interpolated straight into the SQL text
    $sql = "INSERT INTO contents (title, image, side, description) 
    VALUES ('$title', '$image', '$side', '$desc')";
    // the return value is never checked, so a failed INSERT is silent
    $result = mysqli_query($db, $sql);
    if (move_uploaded_file($_FILES['image']['tmp_name'], $target)) {
        $msg = "<p class='success'>Image uploaded successfully</p>";
    } else {
        $msg = "<p class='error'>There was a problem uploading the image</p>";
    }
}
?>

Everything is fine except the insert into the database.

Soumya
  • Have you tried printing the query and manually pasting it into the database to see whether it inserts or not? – Ajay Korat Jul 05 '17 at 10:26
  • Nope not working. – Soumya Jul 05 '17 at 10:28
  • This code is wide open to SQL injection, you could be executing *anything* in that SQL code. What is the actual runtime value of `$sql`? If `mysqli_query()` is returning `false`, what does `mysqli_error($db)` tell you? Chances are if you fix the SQL injection problem, the current problem becomes moot. – David Jul 05 '17 at 10:29
  • `print_r($sql);` execute this line and update the question – Bilal Ahmed Jul 05 '17 at 10:29
  • See [How to get mysql errors in different environments](https://stackoverflow.com/questions/22662488/how-to-get-mysqli-error-in-different-environments) – Masivuye Cokile Jul 05 '17 at 10:31
  • Could you please update the code to show what kind of error there is in the mysql command? if(!$result){ printf("Errormessage: %s\n", $mysqli->error); } – mighTY Jul 05 '17 at 10:33

5 Answers


add concatenation in the query like this

$sql = "INSERT INTO contents (title, image, side, description) 
        VALUES ('".$title."', '".$image."', '".$side."', '".$desc."')";
Bilal Ahmed
  • This is not the issue since double quoting accepts variables inside, so echo "I am $var" will print out whatever is in var. – mighTY Jul 05 '17 at 10:30
  • `print_r($sql);` execute this line and update the question – Bilal Ahmed Jul 05 '17 at 10:30
  • Anyone looking at this answer should note that it is open to SQL Injection attacks, and should really be using [prepared statements](http://php.net/manual/en/mysqli.prepare.php) instead! – crazyloonybin Jul 05 '17 at 10:33
  • @Soumya: Note that it's likely to be by coincidence alone that this is "working", because this is functionally no different from what you have. The code presented in this answer is still fundamentally "broken" in the same way your original code is, in that you blindly execute any SQL code your users send you. – David Jul 05 '17 at 11:32

Your query is fine, it should work.

But you're allowing SQL injections, so if you send single quotes within a parameter your query will not work as expected and will throw an error...

You should first:

Ultrazz008

Use as:

<?php
// mysqli_error() needs a live link; on a failed connect use mysqli_connect_error()
$db = mysqli_connect("DB SERVER", "DB USER", "DB PASS", "DataBase")
    or die("Could not connect to Database: " . mysqli_connect_error());
// mysqli_set_charset() tells the client library the connection charset, which
// mysqli_real_escape_string() relies on; a plain SET NAMES query does not
mysqli_set_charset($db, "utf8");
$msg = "";
if (isset($_POST['go'])) {
    $target = "images/".basename($_FILES['image']['name']);

    // escape every value before it is placed inside the quoted SQL literals
    $title = mysqli_real_escape_string($db,$_POST['title']);
    $image = mysqli_real_escape_string($db,$_FILES['image']['name']);
    $side = mysqli_real_escape_string($db,$_POST['side']);
    $desc = mysqli_real_escape_string($db,$_POST['desc']);
    $sql = "INSERT INTO contents (title, image, side, description) 
    VALUES ('$title', '$image', '$side', '$desc')";
    // shows the real MySQL error while debugging; do not leave this in production
    $result = mysqli_query($db,$sql) or die(mysqli_error($db));
    if (move_uploaded_file($_FILES['image']['tmp_name'], $target)) {
       $msg = "<p class='success'>Image uploaded successfully</p>";
    }else{
       $msg = "<p class='error'>There was a problem uploading the image</p>";
    }
}
?>
Gyan

$sql = "INSERT INTO contents VALUES ('".$title."', '".$image."', '".$side."', '".$desc."')";

This could be a shorter way.

Nica
$sql = "INSERT INTO contents (title, image, side, description) VALUES ('".$title."', '".$image."', '".$side."', '".$desc."')";

The problem is here; use this.

Kunal Awasthi