
<form method='post' action=''>
    Category name: <input type='text' name='cat_name' />
    Category description: <textarea name='cat_desc'></textarea>
    <input type='submit' value='Add category' />
</form>

<?php

if($_SERVER['REQUEST_METHOD'] != 'POST')
{
    $catname=mysql_real_escape_string('cat_name');
    $catdesc=mysql_real_escape_string('cat_desc');

    $sql = mysql_query("INSERT INTO fcategories (cat_name, cat_desc) 
    VALUES('','$catname','$catdesc')");

    $result = mysql_query($sql);
    if(!$result)
    {
        //something went wrong, display the error
        echo 'Error' . mysql_error();
    }
    else
    {
        echo 'New category successfully added.';
    }
}

?>

I have included the connection to the database. When I run the code, there is an error at the bottom of my form.

Jay Blanchard
ANF
  • Your code is vulnerable to [**SQL injection**](https://en.wikipedia.org/wiki/SQL_injection) attacks. You should use prepared statements with bound parameters, via either the [**mysqli**](https://secure.php.net/manual/en/mysqli.prepare.php) or [**PDO**](https://secure.php.net/manual/en/pdo.prepared-statements.php) drivers. [**This post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) has some good examples. – Alex Howansky Jul 10 '17 at 16:19
  • Don't use the `mysql_*` functions. They have been deprecated since v5.5 (Jun 2013) and removed since v7.0 (Dec 2015). Instead use the [**mysqli_***](https://secure.php.net/manual/en/book.mysqli.php) or [**PDO**](https://secure.php.net/manual/en/book.pdo.php) functions with [**prepared statements**](https://secure.php.net/manual/en/pdo.prepare.php) and [**bound parameters**](https://secure.php.net/manual/en/pdostatement.bindparam.php). – Alex Howansky Jul 10 '17 at 16:20
  • You declare two fields, but provide three values. – u_mulder Jul 10 '17 at 16:20
  • You have specified 2 field names and are passing 3 values. – Jigar Shah Jul 10 '17 at 16:20
  • You're running the query twice, so it fails on the second query. `$sql` is either going to be the mysql_results or it's going to be null. – aynber Jul 10 '17 at 16:20
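The comments above recommend replacing the `mysql_*` string-building with a prepared statement. The block below is an added example, not code from the question or the answer: the same form handler written against PDO. Besides using bound parameters it corrects the defects visible in the posted code: three values for two columns, the query executed twice (`mysql_query` inside `mysql_query`), `mysql_real_escape_string('cat_name')` escaping the literal string instead of `$_POST['cat_name']`, the handler running when the method is *not* POST, and the raw database error being echoed to the visitor. The table name `fcategories` and its two columns come from the question; the DSN, credentials, the function names `connect()` and `add_category()`, and the SQLite-backed self-check at the bottom are assumptions made for this example.

```php
<?php
// Added example (not the OP's or the answer's code): the category form handler
// using a PDO prepared statement, as the comments recommend.
// Assumed: table fcategories(cat_name, cat_desc) from the question; the DSN,
// credentials and function names below are placeholders for this example.

declare(strict_types=1);

function connect(): PDO
{
    // Assumed connection details; replace with your own. ERRMODE_EXCEPTION makes
    // a failed query throw instead of returning false, so there is no stale
    // $result to test after the fact.
    return new PDO('mysql:host=localhost;dbname=forum;charset=utf8mb4', 'user', 'secret', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // server-side prepares on MySQL
    ]);
}

function add_category(PDO $db, string $name, string $desc): void
{
    // Two columns, two placeholders, two bound values. The SQL text is fixed at
    // prepare() time and the values travel separately, so a quote character in
    // $name or $desc is stored as data and cannot alter the statement.
    $stmt = $db->prepare('INSERT INTO fcategories (cat_name, cat_desc) VALUES (:name, :desc)');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->bindValue(':desc', $desc, PDO::PARAM_STR);
    $stmt->execute(); // run exactly once
}

// Web request: act only on POST, and read the submitted fields from $_POST
// rather than escaping the literal strings 'cat_name' / 'cat_desc'.
if (PHP_SAPI !== 'cli' && $_SERVER['REQUEST_METHOD'] === 'POST') {
    $name = trim((string)($_POST['cat_name'] ?? ''));
    $desc = trim((string)($_POST['cat_desc'] ?? ''));
    if ($name === '') {
        echo 'Category name is required.';
    } else {
        try {
            add_category(connect(), $name, $desc);
            echo 'New category successfully added.';
        } catch (PDOException $e) {
            error_log($e->getMessage());           // driver details go to the server log
            echo 'Error: could not add category.';  // and not to the visitor
        }
    }
}

// Offline self-check (assumes the bundled pdo_sqlite extension): run the same
// function against an in-memory SQLite table with a constructed value that
// would terminate a concatenated query. Run with: php thisfile.php
if (PHP_SAPI === 'cli') {
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE fcategories (cat_name TEXT, cat_desc TEXT)');
    $hostile = "x'); DROP TABLE fcategories; --";  // constructed sample input
    add_category($db, $hostile, 'description');
    $row = $db->query('SELECT cat_name, cat_desc FROM fcategories')->fetch(PDO::FETCH_ASSOC);
    if ($row['cat_name'] !== $hostile) {
        throw new RuntimeException('value was not stored verbatim');
    }
    echo "ok: hostile input stored as data, table intact\n";
}
```

The same `INSERT ... VALUES (:name, :desc)` text works unchanged on MySQL and SQLite, which is why one function serves both the web path and the self-check; the check is deliberately a throw rather than a printed value so it fails loudly if the binding were ever replaced by string concatenation.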

1 Answer

$sql = "INSERT INTO fcategories (cat_name, cat_desc) 
        VALUES('$catname','$catdesc')";

$result = mysql_query($sql, $dbconnection);
Kalaivani M
  • These queries (in the question and in your answer) are **exactly** the same, and you have two syntax errors in your answer too. (edit: you fixed those) - What exactly are you trying to improve with the OP's code? – Qirel Jul 10 '17 at 16:29
  • Turn the tide against teaching/propagating sloppy and dangerous coding practices. If you post an answer without prepared statements [you may want to consider this before posting](http://meta.stackoverflow.com/q/344703/). Additionally [a more valuable answer comes from showing the OP the right method](https://meta.stackoverflow.com/a/290789/1011527). – Jay Blanchard Jul 10 '17 at 16:30
  • Please stop encouraging the use of mysql – Saad Suri Jul 10 '17 at 16:31
  • While this code snippet may solve the question, [including an explanation](//meta.stackexchange.com/questions/114762/explaining-entirely-code-based-answers) really helps to improve the quality of your post. Remember that you are answering the question for readers in the future, and those people might not know the reasons for your code suggestion. Please also try not to crowd your code with explanatory comments, as this reduces the readability of both the code and the explanations! – Blue Jul 10 '17 at 20:54