query is not getting updated

Question

I am trying to insert the input received from a text box in a table. The result I am getting in php page are below: Before entering the input, on page load i get Connected successfullyError: INSERT INTO tested (itemno, item, quantity) VALUES ('1', , )

On entering the input and submitting, I get the result , connected successfully and item is not empty msg but the query is not executed and a row is not getting inserted. Can someone help me?

<!DOCTYPE html>
<html>
<body>
<?php
$servername = "localhost";
$username = "learnphp@localhost";
$password = "password";
$dbname = "my_learnphp";
$result="";
$result1="";
$item = $_POST["item"];
$quantity = $_POST["quantity"];

?>
<form action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>" method = "POST">
 Item name: <input type="text" name="item"><br>
 Quantity : <input type="number" name="quantity"><br>
<input type="submit" name="upd" value="Insert"/>
<input type="submit" name="item_update" value="Update"/>
</form>
<?php
// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
 if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);} 
echo "Connected successfully";
$sql = "INSERT INTO tested (itemno, item, quantity) VALUES ('1', $item, $quantity)";
  if (!empty($item)) {
 echo "item is not empty";
 $result = $conn->query($sql);
 if($result){
 echo $_POST["item"];
echo $_POST["quantity"];
    echo "New record created successfully";
    }
} else {
    echo "Error: " . $sql . "<br>" . $conn->error;
}

$conn->close();
?> 
</body>
</html>

Answer 1

Change your syntax from

$sql = "INSERT INTO tested (itemno, item, quantity) VALUES ('1', $item, $quantity)";

to

$sql = "INSERT INTO tested (itemno, item, quantity) VALUES ('1', '$item', '$quantity')";

Answer 2

If user input is inserted without modification into an SQL query, then the application becomes vulnerable to Sql Injection.

$someVariable = $_POST['user_input'];     
mysql_query("INSERT INTO `table` (`column`) VALUES ('$someVariable')");

user can input something like value'); DROP TABLE table;--, and the query becomes:

INSERT INTO `table` (`column`) VALUES('value'); DROP TABLE table;--')

So this is not Secure Way.

and in this example your mistake is you miss single quote in variable that you pass in values of query.

Your Query

  $sql = "INSERT INTO tested (itemno, item, quantity) VALUES ('1', $item, $quantity)";

New Query

$sql = "INSERT INTO tested (itemno, item, quantity) VALUES ('1', '$item', '$quantity')";

double quotes are for delimited identifiers.and single quotes are for literals.

for more you can see this stack overflow answer

Answer 3

You should put values under single quotes. This will work for you but this will not prevent your code from sql injection:

$sql = "INSERT INTO tested (itemno, item, quantity) VALUES ('1', '$item', '$quantity')";

So the above method is correct but not secure.

When creating a prepared statement, you create a query in which you add placeholders instead of the raw values:

$stmt = $conn->prepare("INSERT INTO Users (email, pw) VALUES (?, ?)");

The question marks are the placeholders and are later replaced by using the bind_param method:

$stmt->bind_param('ss', $email, $pw);

The ss part of the bind call tells the mysql db that its two strings that are passed to the database.

(s for string, i for int etc).

Answer 4

Use prepared statements. It'll prevent sql injection

$sql = "INSERT INTO tested (itemno, item, quantity) VALUES (?,?,?)";//3placeholders for three variables 

$statement = $conn->prepare($sql); 
$statement->bind_param('iss',1,$item, $quantity);//the letter i denotes an integer, while s is a string 
if(statement->execute() === true) {//did it save successfully?
//everything went fine
echo 'saved'; 
} else {
echo $conn->error; 
}