I'm trying to post the date and time at the time I create a new record. The record is created but the 'add_time' column is blank in mySQL.

What's wrong with it?

$date = date("Y-m-d G:i:s");

$order = "INSERT INTO cartons_added (add_time, type, part_no, add_type, add_qty,
add_ref, add_by, add_notes)

VALUES
('$_POST[date]',
 '$_POST[type]',
 '$_POST[part_no]',
 '$_POST[add_type]',
 '$_POST[add_qty]',
 '$_POST[add_ref]',
 '$_POST[add_by]',
 '$_POST[add_notes]')";

$result = mysql_query($order);
Erik
    Depends on what type the `add_time` column is and what `$_POST[date]` contains. Also, your script is vulnerable to [SQL injection](http://php.net/manual/en/security.database.sql-injection.php) – Pekka Sep 25 '11 at 21:05
  • It's a very bad idea to simply use `$_POST` data inside a query. Consider using [PDO](http://php.net/pdo) or at least [`mysql_real_escape_string()`](http://php.net/mysql_real_escape_string). – rid Sep 25 '11 at 21:06

4 Answers

2

You're never using the $date variable you created. You probably meant to use that instead of $_POST[date].

rid
1

I believe instead of:

VALUES
('$_POST[date]',
 '$_POST[type]', 
 '$_POST[part_no]', 
 '$_POST[add_type]', 
 '$_POST[add_qty]', 
 '$_POST[add_ref]', 
 '$_POST[add_by]', 
 '$_POST[add_notes]')";

You mean to use

// Use your $date variable

VALUES
('$date',
 '$_POST[type]', 
 '$_POST[part_no]', 
 '$_POST[add_type]', 
 '$_POST[add_qty]', 
 '$_POST[add_ref]', 
 '$_POST[add_by]', 
 '$_POST[add_notes]')";

All of this needs a great deal of treatment for protection against SQL injection. The easiest path to take is to surround all $_POST vars in mysql_real_escape_string():

"...
VALUES
('$date',
 '" . mysql_real_escape_string($_POST['type']) ."', 
 '" . mysql_real_escape_string($_POST['part_no']) ."', 
 '" . mysql_real_escape_string($_POST['add_type']) ."', 
 '" . mysql_real_escape_string($_POST['add_qty']) ."', 
 '" . mysql_real_escape_string($_POST['add_ref']) ."', 
 '" . mysql_real_escape_string($_POST['add_by']) ."', 
 '" . mysql_real_escape_string($_POST['add_notes']) ."')";
Michael Berkowski
    -1, with 23k rep you cannot leave that big SQL-injection hole open. That's just negligent. Also, you have a syntax error in your code, so it will not even work. – Johan Sep 25 '11 at 21:06
  • @Micheal, I suggest you keep editing, because the syntax errors are still there. – Johan Sep 25 '11 at 21:13
  • @Johan, where are the syntax errors please? And I hope you are not calling `$_POST[param]` vs. `$_POST['param']` a *syntax error*. – Majid Fouladpour Sep 25 '11 at 21:27
  • @MajidFouladpour, that is the issue I'm referring to. What would you call it then? – Johan Sep 25 '11 at 21:33
  • To be really strict, that could be described as a bad practice (yet syntactically 100% correct). – Majid Fouladpour Sep 25 '11 at 21:37
  • @MajidFouladpour, I just tested it and it works, `'$_POST[name]'` seems to be equivalent to `$_POST['name']`. Thanks for enlightening me there. – Johan Sep 25 '11 at 21:42
  • @Johan Actually pretty surprised that notation doesn't throw strict warnings. – Michael Berkowski Sep 25 '11 at 21:44
  • The worst scenario is when you have a constant named `param` with the value of `foo`, then `$_POST[param]` would effectively be `$_POST['foo']`; but if you don't (which will be 99.99% of cases), PHP decides you meant `'param'` as there is no `param` constant, and would issue an `E_NOTICE`. – Majid Fouladpour Sep 25 '11 at 21:52
0

Try this:

date('Y-m-d H:i:s');
Chaney Blu
0

You have to fix that SQL-injection hole.
There's also a syntax error: it's not `$_POST[add_ref]`, but `$_POST['add_ref']`.
You can write `'$_POST[name]'` (bad) instead of `$_POST['name']` (good), but don't; it's bad practice.

Change the code to:

// Escape every user-supplied value first; a function call cannot be interpolated
// inside a double-quoted string, so the escaped values go into plain variables.
$type      = mysql_real_escape_string($_POST['type']);
$part_no   = mysql_real_escape_string($_POST['part_no']);
$add_type  = mysql_real_escape_string($_POST['add_type']);
$add_qty   = mysql_real_escape_string($_POST['add_qty']);
$add_ref   = mysql_real_escape_string($_POST['add_ref']);
$add_by    = mysql_real_escape_string($_POST['add_by']);
$add_notes = mysql_real_escape_string($_POST['add_notes']);

$query = "INSERT INTO cartons_added (add_time, type, part_no, add_type, add_qty,
                                     add_ref, add_by, add_notes)
    VALUES
    ('$date', '$type', '$part_no', '$add_type', '$add_qty',
     '$add_ref', '$add_by', '$add_notes')";

Never ever ever insert a $_POST, $_GET, $_SESSION and alike stuff directly into a query.
See: How does the SQL injection from the "Bobby Tables" XKCD comic work?

Johan
  • It's sort of implied that SQL injection protection is used. Please don't -1 everyone for not having the correct answer - a simple comment is enough, unless you're disturbingly elitist. – Bojangles Sep 25 '11 at 21:13
  • SQL-injection protection is not elitist, it's essential, and if people post answers with `$_POST['injectmehere']` directly into a query then that doesn't imply anything other than complete disregard for basic protection. – Johan Sep 25 '11 at 21:19
  • And besides, the downvotes were for SQL-injection **and** syntax errors. The two answers involved (one of which you rightfully deleted) will not even run! – Johan Sep 25 '11 at 21:20
  • I never said SQL injection protection is elitist, only your downvoting of everything unnecessarily in my opinion. – Bojangles Sep 25 '11 at 21:21
  • @JamWaffles I gave a -1 for an answer that has syntax errors and will not work for that reason. Please explain how an answer that does not work, will never work and has SQL-injection issues as a cherry on top does not deserve a downvote. – Johan Sep 25 '11 at 21:25
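Putting the two fixes from the answers above together (use the server-generated timestamp instead of `$_POST[date]`, and keep form values out of the SQL text entirely), here is an added example written for this page; it is not code from the question or from any of the answers. It uses the PDO prepared statements rid's comment suggests instead of `mysql_real_escape_string()`; the table and column names are the ones from the question, and the connection parameters are placeholders.

```php
<?php
// Added example, not code from the question or any answer. Same INSERT as the
// question, but as a PDO prepared statement: form values are sent to MySQL
// separately from the SQL text and cannot change the query's structure.
// Assumptions: table/column names as in the question; connection details below
// are placeholders.

function insertCartonsAdded(PDO $pdo, array $post): int
{
    // Whitelist of form fields we accept; anything else in $post is ignored.
    $fields = ['type', 'part_no', 'add_type', 'add_qty', 'add_ref', 'add_by', 'add_notes'];
    foreach ($fields as $f) {
        if (!isset($post[$f])) {
            throw new InvalidArgumentException("missing form field: $f");
        }
    }
    // add_qty must be a whole number; reject anything else before it reaches the DB.
    $qty = filter_var($post['add_qty'], FILTER_VALIDATE_INT);
    if ($qty === false) {
        throw new InvalidArgumentException('add_qty must be an integer');
    }

    $sql = 'INSERT INTO cartons_added
                (add_time, type, part_no, add_type, add_qty, add_ref, add_by, add_notes)
            VALUES
                (:add_time, :type, :part_no, :add_type, :add_qty, :add_ref, :add_by, :add_notes)';
    $stmt = $pdo->prepare($sql);

    // Timestamp is generated here, not read from the form. The question built
    // $date and then inserted $_POST[date] instead, which is why add_time was blank.
    $stmt->bindValue(':add_time', date('Y-m-d H:i:s'));
    $stmt->bindValue(':add_qty', $qty, PDO::PARAM_INT);
    foreach (['type', 'part_no', 'add_type', 'add_ref', 'add_by', 'add_notes'] as $f) {
        $stmt->bindValue(":$f", $post[$f]); // bound as strings; no escaping needed
    }
    $stmt->execute();

    return (int) $pdo->lastInsertId();
}

// Usage. Connection parameters are placeholders; replace them with your own.
$pdo = new PDO('mysql:host=localhost;dbname=YOUR_DB;charset=utf8mb4', 'YOUR_USER', 'YOUR_PASS', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);
$id = insertCartonsAdded($pdo, $_POST);
echo "inserted cartons_added row $id\n";
```

With `ATTR_EMULATE_PREPARES` off, the driver sends the statement and the bound values in separate protocol messages, so a value such as `'); DROP TABLE cartons_added; --` is stored verbatim as a string rather than parsed as SQL.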