0

I have a form that submits user inputs to the following PHP script (I've excluded the lines which define the MySQL info):

```php
if (isset($_POST['ttname'])); {

$dbc = @mysql_connect(DB_HOST, DB_USER, DB_PASS, DB_NAME) OR die('No DB connection');

$ttarray = array(1=> $_POST['mon1'], $_POST['mon2'], $_POST['mon3'], $_POST['mon4'], $_POST['mon5'], $_POST['tue1'], $_POST['tue2'], $_POST['tue3'], $_POST['tue4'],
 $_POST['tue5'], $_POST['wed1'], $_POST['wed2'], $_POST['wed3'], $_POST['wed4'], $_POST['wed5'], $_POST['thu1'], $_POST['thu2'], $_POST['thu3'], $_POST['thu4'],
 $_POST['thu5'], $_POST['fri1'], $_POST['fri2'], $_POST['fri3'], $_POST['fri4'], $_POST['fri5']);

$name = $_POST['ttname'];

$tt = implode(',', $ttarray);

$query = "INSERT INTO Timetable ('NAME','TIMETABLE')
VALUES ($name,$tt)";

$result = mysql_query($query,$dbc) or die('Query Failed');
}
```

However, whenever I try to submit data to the form, the query fails to execute.

I would be grateful to anybody who could help explain to me why this is happening.

Haim Evgi
Stevan

2 Answers

1

At least something like that:

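```php
$name = mysql_real_escape_string($_POST['ttname']);
$tt = mysql_real_escape_string(implode(',', $ttarray));
// Column names take backticks (or no quotes); single quotes would make them string literals
$query = "INSERT INTO Timetable (`NAME`,`TIMETABLE`) VALUES ('$name','$tt')";
```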

1) $tt was not escaped at all

2) You've tried to insert more values than fields available. By changing $tt to '$tt' you will make the number of fields the same.

LazyOne
1

You're passing 4 params to mysql_connect, AFAIK the DB must not be one of them.

```
resource mysql_connect ([ string $server = ini_get("mysql.default_host") [, string $username = ini_get("mysql.default_user") [, string $password = ini_get("mysql.default_password") [, bool $new_link = false [, int $client_flags = 0 ]]]]] )
```

At the VERY LEAST rewrite your code like this (quite verbose):

```php
if (isset($_POST['ttname']))   // no semicolon here, otherwise the block below always runs
{
    // mysql_connect() takes no database name; select the database separately
    $dbc = mysql_connect(DB_HOST, DB_USER, DB_PASS) OR die('No DB connection');
    mysql_select_db(DB_NAME, $dbc);

    $ttarray = array($_POST['mon1'], $_POST['mon2'], $_POST['mon3'], $_POST['mon4'], $_POST['mon5'], $_POST['tue1'], $_POST['tue2'], $_POST['tue3'], $_POST['tue4'],
    $_POST['tue5'], $_POST['wed1'], $_POST['wed2'], $_POST['wed3'], $_POST['wed4'], $_POST['wed5'], $_POST['thu1'], $_POST['thu2'], $_POST['thu3'], $_POST['thu4'],
    $_POST['thu5'], $_POST['fri1'], $_POST['fri2'], $_POST['fri3'], $_POST['fri4'], $_POST['fri5']);

    $sanitized = array();

    // Escape every field before it goes into the SQL string
    foreach ($ttarray as $value)
    {
        $sanitized[] = mysql_real_escape_string($value, $dbc);
    }

    $name = mysql_real_escape_string($_POST['ttname'], $dbc);
    $tt = implode(',', $sanitized);

    // Column names take backticks (or no quotes); single quotes would make them string literals
    $query = "INSERT INTO Timetable (`name`,`timetable`) VALUES ('".$name."', '".$tt."')";
    $result = mysql_query($query, $dbc) or die('Query Failed');
}
```

But I strongly suggest you use PDO and prepared statements in the future to prevent highly flawed queries like that. mysql_real_escape_string is a great function but it's not 100% accurate and doesn't make your queries injection-proof.

Damien Pirsy
  • If properly used, `mysql_real_escape_string()` **does** make your queries every bit as injection-proof as PDO. Please list evidence to the contrary. – Johan Jun 12 '11 at 20:57
  • @Johan when encoding is not utf-8, for example. Read this [mysql_real_escape_string vs pdo](http://ilia.ws/archives/103-mysql_real_escape_string-versus-Prepared-Statements.html) or [this question on SO](http://stackoverflow.com/questions/2353666/php-is-mysql-real-escape-string-sufficient-for-cleaning-user-input) for indications – Damien Pirsy Jun 12 '11 at 21:05
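
The PDO and prepared-statement approach recommended in the second answer, applied to this form, as an added example that is not part of the original thread. The helpers `timetableSlots()` and `saveTimetable()`, the `id` column and the in-memory SQLite demo are assumptions made so the script runs offline; the commented DSN shows the MySQL connection with the charset set explicitly, which is the encoding issue raised in the comments.

```php
<?php
declare(strict_types=1);

// Added example; the helper names and the SQLite table layout are assumptions.

// Collect mon1..fri5 in a fixed order; absent or non-string fields become ''.
function timetableSlots(array $post): array
{
    $slots = [];
    foreach (['mon', 'tue', 'wed', 'thu', 'fri'] as $day) {
        for ($i = 1; $i <= 5; $i++) {
            $value = $post[$day . $i] ?? '';
            $slots[] = is_string($value) ? $value : '';
        }
    }
    return $slots;
}

function saveTimetable(PDO $pdo, array $post): int
{
    $name = $post['ttname'] ?? null;
    if (!is_string($name) || $name === '') {
        throw new InvalidArgumentException('ttname is required');
    }
    // Placeholders: the values travel as data and never become part of the SQL text.
    $stmt = $pdo->prepare('INSERT INTO Timetable (NAME, TIMETABLE) VALUES (:name, :tt)');
    $stmt->execute([':name' => $name, ':tt' => implode(',', timetableSlots($post))]);
    return (int) $pdo->lastInsertId();
}

// Against MySQL, connect with an explicit charset and native prepares:
// $pdo = new PDO('mysql:host=' . DB_HOST . ';dbname=' . DB_NAME . ';charset=utf8mb4',
//     DB_USER, DB_PASS,
//     [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);

// Offline demo on in-memory SQLite (needs the pdo_sqlite extension).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE Timetable (id INTEGER PRIMARY KEY, NAME TEXT, TIMETABLE TEXT)');

// Constructed form input; the quotes would break a string-built query.
$post = ['ttname' => "O'Brien's week", 'mon1' => 'Maths', 'fri5' => "Art 'studio'"];
$id = saveTimetable($pdo, $post);

$check = $pdo->prepare('SELECT NAME, TIMETABLE FROM Timetable WHERE id = ?');
$check->execute([$id]);
$row = $check->fetch(PDO::FETCH_ASSOC);
var_dump($row['NAME'] === $post['ttname'], substr_count($row['TIMETABLE'], ',') === 24);
```

Because the slots are still stored comma-joined as in the question, a slot value that itself contains a comma would shift the positions when the string is split again.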