SQL is not reading symbols in PHP

Question

Good day to all! While Im tring to insert ', ), (, and other smybols, sql is not working. I cannot insert the sybols. I made my db utf8-general-ci but it does not help me. How can I fix it?

My Query is :

<?php
$con = mysqli_connect("localhost", "root", "", "db");
if(isset($_POST['submit'])){
    $name = $_FILES['file']['name'];
    $temp = $_FILES['file']['tmp_name'];
    $depart=$_POST['depart']; 
    $boshqarma=$_POST['boshqarma'];
    $mavzu=$_POST['mavzu'];
    $qisqacha=$_POST['qisqacha'];
    $hodim=$_POST['hodim'];
    $tel=$_POST['tel'];
    move_uploaded_file($temp, "upload/".$name);
    $sql = "INSERT INTO video (id, name, depart, boshqarma, mavzu, hodim, tel, qisqacha ) 
    VALUES
     ('', '$name','$depart', '$boshqarma', '$mavzu', '$hodim', '$tel', '$qisqacha')";
    if(mysqli_query($con,$sql)){    
    }       
}
?>

$sql = "INSERT INTO video (id, name, depart, boshqarma, mavzu, hodim, tel, qisqacha ) VALUES ('', '$name','$depart', '$boshqarma', '$mavzu', '$hodim', '$tel', '$qisqacha')"; — Akmaljon_Usmonov, Aug 09 '18 at 06:21
Please use prepared statements and bind variables, this should solve this and a lot of other problems. — Nigel Ren, Aug 09 '18 at 06:24
just the data cannot be inserted when I try to write < bo'lim > ]things like that. no error. — Akmaljon_Usmonov, Aug 09 '18 at 06:24
https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php — Nikita U., Aug 09 '18 at 06:25
Here is a nice explanation on how to use php variables in normal mySql https://stackoverflow.com/a/7537500/4244684 — Stender, Aug 09 '18 at 06:26

score 0 · Answer 1 · answered Aug 09 '18 at 06:26

0

[...] VALUES ('' [...]

Field id is often a primary key so '' would not fit with the column description (usually non-negative integer).

By the way you should be using PDO and prepared statements for a safer use of your database. Good luck!

answered Aug 09 '18 at 06:26

Chocorean

807
1
8
25

If the field `id` is defined to be an auto-increment-field, that is perfectly fine – Nico Haase Aug 09 '18 at 06:31
Good to know. Just hope he did ! – Chocorean Aug 09 '18 at 06:34

score 0 · Accepted Answer · answered Aug 09 '18 at 07:28

Try like this

<?php
$con = mysqli_connect("localhost", "root", "", "db");
if(isset($_POST['submit'])){
    $name = $_FILES['file']['name'];
    $temp = $_FILES['file']['tmp_name'];
    $depart= mysqli_real_escape_string ($con,$_POST['depart']); 
    $boshqarma= mysqli_real_escape_string($con,$_POST['boshqarma']);
    $mavzu= mysqli_real_escape_string($con,$_POST['mavzu']);
    $qisqacha= mysqli_real_escape_string($con,$_POST['qisqacha']);
    $hodim= mysqli_real_escape_string($con,$_POST['hodim']);
    $tel= mysqli_real_escape_string($con,$_POST['tel']);
    move_uploaded_file($temp, "upload/".$name);
    $sql = "INSERT INTO video (id, name, depart, boshqarma, mavzu, hodim, tel, qisqacha ) 
    VALUES
     ('', '$name','$depart', '$boshqarma', '$mavzu', '$hodim', '$tel', '$qisqacha')";
    if(mysqli_query($con,$sql)){    
    }       
}
?>

One more thing you are inserting id hope you doing correctly in most of the cases, id is auto increment so we don't have to insert in query.

SQL is not reading symbols in PHP

2 Answers2