
I have this PHP code. I am connected successfully to an Access database, and I can retrieve data just fine. However, when I want to add a row I'm getting an error. If I enter all integer values, the SQL works properly, but when one input is a string the statement fails. I need to know the error I'm getting so I can tell what to fix.

This is my PHP function to add the row:

```php
$sql = "INSERT INTO Connections (ServerName, DatabaseName, UID,PWD, Type,Port)
VALUES (".$_POST['serverip'].", ".$_POST['dbname'].", ".$_POST['dbuid'].",".$_POST['dbpwd'].",".$_POST['dbtype'].",".$_POST['dbport'].")";

$rs = $GLOBALS['dbNew']->query($sql);
if($rs){echo"<br/>Connection Submitted Successfully";}
 else {echo "<br/>Connection Submittion Failed";}
```
Gordon Linoff
Eddy
  • Your script is wide open to [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Even [if you are escaping inputs, it's not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) in either the `MYSQLI_` or `PDO` APIs – RiggsFolly Jul 26 '18 at 09:24
  • The [PHP Manual is always a good place to start](http://php.net/manual/en/pdo.errorinfo.php) – RiggsFolly Jul 26 '18 at 09:26
  • SQL Injection is not really an issue for this case. This website will be used internally and by professional users only – Eddy Jul 26 '18 at 09:28
  • And of course none of them could ever get upset by the company? Most hacks in fact originate from or are at least linkable to a complicit person inside the company. – RiggsFolly Jul 26 '18 at 09:31
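
The two points raised in the comments (surfacing the real database error, and binding values instead of concatenating them) can be seen together in the following added example, which is not code from the question or from any commenter. It assumes `$GLOBALS['dbNew']` is a PDO handle; an in-memory SQLite database stands in for the Access database, and `addConnection()` and the sample input are constructed for illustration.

```php
<?php
// Added example. Assumptions: $db stands in for the page's $GLOBALS['dbNew'] (PDO);
// in-memory SQLite replaces the Access database so the script runs offline.
$db = new PDO('sqlite::memory:');
// Make every failed statement throw instead of silently returning false.
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Connections (ServerName TEXT, DatabaseName TEXT,
           UID TEXT, PWD TEXT, Type TEXT, Port INTEGER)');
// Constructed sample input in place of $_POST.
$input = ['serverip' => 'db01.internal', 'dbname' => 'sales', 'dbuid' => 'report',
          'dbpwd' => 'example-only', 'dbtype' => 'mssql', 'dbport' => '1433'];

// Hypothetical helper: insert one row with bound parameters.
function addConnection(PDO $db, array $in): bool
{
    // Port is the only numeric column; reject anything that is not a valid port.
    $port = filter_var($in['dbport'] ?? null, FILTER_VALIDATE_INT,
                       ['options' => ['min_range' => 1, 'max_range' => 65535]]);
    if ($port === false) {
        throw new InvalidArgumentException('dbport must be an integer 1-65535');
    }
    $stmt = $db->prepare('INSERT INTO Connections
        (ServerName, DatabaseName, UID, PWD, Type, Port)
        VALUES (:server, :dbname, :uid, :pwd, :type, :port)');
    $stmt->bindValue(':port', $port, PDO::PARAM_INT);
    foreach (['server' => 'serverip', 'dbname' => 'dbname', 'uid' => 'dbuid',
              'pwd' => 'dbpwd', 'type' => 'dbtype'] as $param => $field) {
        $stmt->bindValue(":$param", (string)($in[$field] ?? ''), PDO::PARAM_STR);
    }
    return $stmt->execute();
}

// 1) Concatenated form, as in the question: the string lands in the SQL unquoted.
try {
    $db->query('INSERT INTO Connections (ServerName, Port) VALUES ('
        . $input['serverip'] . ', ' . $input['dbport'] . ')');
} catch (PDOException $e) {
    // Log the driver detail server-side; show the user only a generic message.
    error_log('Insert failed: ' . $e->getMessage());
    echo "Concatenated insert failed: SQLSTATE {$e->getCode()}\n";
}
// 2) Parameterized form: same input, values travel separately from the SQL text.
try {
    addConnection($db, $input);
    echo "Rows stored: " . $db->query('SELECT COUNT(*) FROM Connections')->fetchColumn() . "\n";
} catch (PDOException | InvalidArgumentException $e) {
    error_log('Insert failed: ' . $e->getMessage());
}
```

With exception mode enabled, the failing statement reports why it failed rather than only returning false, and the bound version accepts string values without any manual quoting.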
