
I am trying to put a single article to the database, but fail:

```php
$con = mysql_connect("localhost","root","") or die(mysql_error());
mysql_select_db("easy_db",$con);
mysql_query("INSERT INTO easy_db.article (Title, Article, Topics, author) VALUES($title, $data, $topic, $author)");

mysql_close();
```

I checked the spelling and printed all the variables ($title, $data, $topic, $author) that I got from the HTTP POST.

Nothing is being inserted to the database with that statement. Why?

UPDATED

I have got an error in this one too:

```php
= mysql_query("SELECT page FROM `easy_db`.`article` ORDER BY article_id DESC LIMIT 1")  or die(mysql_error());
```
Dmitry Makovetskiyd
  • You do no error checking (and no `mysql_real_string_escape()` as well), nor do you put quotes around the strings that are intended to be put into the database. – glglgl Oct 12 '11 at 14:32
  • possible duplicate of [How to include a PHP variable inside a mysql insert statement](http://stackoverflow.com/questions/7537377/how-to-include-a-php-variable-inside-a-mysql-insert-statement) – Your Common Sense Oct 12 '11 at 14:50
  • **what** error you've got, silly? It should be plain English describing what's wrong with your query. Care to read it? – Your Common Sense Oct 12 '11 at 15:11
  • What error did you get in your update? – Michael Berkowski Oct 12 '11 at 15:13

5 Answers

Use an error checking statement after your query, so you know what's going wrong. Also, beware of SQL INJECTION, and put single quotes around your values:

```php
$con = mysql_connect("localhost","root","") or trigger_error(mysql_error());
mysql_select_db("easy_db",$con);
// escape every value first, then put single quotes around each one in the query
$title  = mysql_real_escape_string($title);
$data   = mysql_real_escape_string($data);   // the query inserts $data, so $data is what gets escaped
$topic  = mysql_real_escape_string($topic);
$author = mysql_real_escape_string($author);
mysql_query("INSERT INTO easy_db.article (Title, Article, Topics, author)
             VALUES('".$title."', '".$data."', '".$topic."', '".$author."')")
             or die ('Error: '.mysql_error());

// mysql_close();  this is not necessary, though
```
Damien Pirsy

Please replace

```php
mysql_query("INSERT INTO easy_db.article (Title, Article, Topics, author) VALUES($title, $data, $topic, $author)");
```

with

```php
mysql_query("INSERT INTO easy_db.article (Title, Article, Topics, author) VALUES($title, $data, $topic, $author)") or die(mysql_error());
```

And try again. If there is an error, tell us. Be sure that you of your variable where you got it.

You should use the global variables $_POST and $_GET.

Passer By

As this question is an exact duplicate of thousands of others already answered (but never closed, though), I am going to point out one somewhat different thing.

It seems everyone in the world is writing SQL errors into the browser and even killing their scripts in the middle of execution, leaving the user with a ciphered message and no controls, yet providing a potential attacker with quite useful information, and at the same time leaving the programmer totally ignorant of the errors that occurred on the site. Funny, eh?

That's the dark side of the PHP language in general, which suffers from terrible code examples spread over the world, and is a bad side of this site, Stack Overflow, as well, as it takes a huge part in spreading these bad practices, wrong code, ridiculous habits and weird superstitions.

Because answer quality will never affect its rep points. So, one can write any nonsense and it will be upvoted, accepted, and copied further.

So, if you want to make your code a little better - never use die(). In case of running queries use trigger_error() instead; it will populate the error information according to current PHP settings: on a test server it will go onto the screen, but on a live server it will be logged for the site programmer. And it won't kill your script.

Your Common Sense
  • +1 Nice point you have Col., honestly I'm accustomed to using frameworks now so I quite lost the habit of writing queries with mysql_* and how to handle that. And, I must admit, I don't have years and years of experience, so I'm well aware of the quality of my code. I just read about trigger_error() after you mentioned it and I see how useful it could be, and how right you are in criticizing the use of die(). You never stop learning, as they say, thanks! – Damien Pirsy Oct 12 '11 at 15:22
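The two points made in the answers above, escaping plus quoting (Damien Pirsy's answer) and trigger_error() in place of die() (this answer), together in one added example that is not from the question or any answer. It uses mysqli, which replaced the mysql_* functions removed in PHP 7, keeps the question's table and columns, and assumes the connection credentials and the $_POST field names.

```php
<?php
// Added example, not from the question or the answers. mysqli stands in for the
// mysql_* functions (removed in PHP 7); table and columns are the question's.
mysqli_report(MYSQLI_REPORT_OFF); // return false on failure instead of throwing (PHP 8.1+ default)
$con = mysqli_connect("localhost", "root", "", "easy_db");   // assumed credentials
if ($con === false) {
    // trigger_error() instead of die(): shown on screen or logged, per display_errors/log_errors
    trigger_error("Connect failed: " . mysqli_connect_error(), E_USER_ERROR); // nothing can run without a connection
}

// Escape + quote, the fix the answers describe. Escaping alone does not add the
// single quotes, and the missing quotes are what made the original query fail.
function insert_article_escaped(mysqli $con, string $title, string $data, string $topic, string $author): bool
{
    $sql = sprintf(
        "INSERT INTO easy_db.article (Title, Article, Topics, author) VALUES ('%s', '%s', '%s', '%s')",
        mysqli_real_escape_string($con, $title),
        mysqli_real_escape_string($con, $data),
        mysqli_real_escape_string($con, $topic),
        mysqli_real_escape_string($con, $author)
    );
    if (!mysqli_query($con, $sql)) {
        trigger_error("Insert failed: " . mysqli_error($con), E_USER_WARNING);
        return false;
    }
    return true;
}

// Prepared statement: the values never become part of the SQL text, so no quoting
// or escaping is needed and a quote inside the input cannot change the query.
function insert_article_prepared(mysqli $con, string $title, string $data, string $topic, string $author): bool
{
    $stmt = mysqli_prepare($con, "INSERT INTO easy_db.article (Title, Article, Topics, author) VALUES (?, ?, ?, ?)");
    if ($stmt === false) {
        trigger_error("Prepare failed: " . mysqli_error($con), E_USER_WARNING);
        return false;
    }
    mysqli_stmt_bind_param($stmt, "ssss", $title, $data, $topic, $author);
    $ok = mysqli_stmt_execute($stmt);
    if (!$ok) {
        trigger_error("Execute failed: " . mysqli_stmt_error($stmt), E_USER_WARNING);
    }
    mysqli_stmt_close($stmt);
    return $ok;
}

// Form fields as in the question (assumed names); a missing field becomes '' rather than a notice.
$ok = insert_article_prepared($con, $_POST['title'] ?? '', $_POST['data'] ?? '',
                              $_POST['topic'] ?? '', $_POST['author'] ?? '');
mysqli_close($con);
```

Either function reports the real MySQL error through PHP's error handling and returns false, so the caller can show the user a proper page instead of a dead script.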
You have no single-quotes around your VALUES('val1', 'val2'...) variables:

```php
mysql_query("INSERT INTO easy_db.article (Title, Article, Topics, author) VALUES('$title', '$data', '$topic', '$author')");
```

You should check the success of the query like:

```php
$result = mysql_query("INSERT INTO easy_db.article (Title, Article, Topics, author) VALUES('$title', '$data', '$topic', '$author')");
if (!$result) {
  echo mysql_error(); // find out what went wrong...
}
```

We don't see the rest of your code, but please be sure you have also sanitized all your input variables from $_POST using mysql_real_escape_string():

```php
$title = mysql_real_escape_string($_POST['title']);
// etc...
```
Michael Berkowski

Most likely you've forgotten to quote your inserted data. The query should look more like:

```sql
INSERT ... VALUES ('$title', '$data', '$topic', '$author')
```

and your code should be:

```php
$result = mysql_query(...) or die(mysql_error());
```

Had you had the 'or die()' portion included, you'd get a syntax error from MySQL telling you why the query failed. It is almost never a good idea to NOT check for error conditions after running a query. Even if the SQL is syntactically perfect, there are far too many other reasons for a query to fail to NOT check.

Marc B
  • weird, when I was building a site for asp.net, the syntax that I wrote was enough, I didn't have to put any quote marks around any variables.. Thanks for the help – Dmitry Makovetskiyd Oct 12 '11 at 14:36
  • Any string data must be quoted. Only numbers don't have to be. Perhaps something in ASP was adding them for you automatically, but PHP (and things like mysql_real_escape_string()) won't. – Marc B Oct 12 '11 at 14:38