Unable to post text to MySQL using "Insert Into"

Question

I am using this query to input info for front end editing. 2 problems. First, input works fine as number, but will not post text. Second, new_type1 and new_type2 are checkboxes and do not post correctly.

$query = "DELETE p.* FROM #__bl_press as p WHERE p.match_id = ".$row->id;
$db->setQuery($query);
$db->query();

if(isset($_POST['new_source']) && count($_POST['new_source'])){
   for ($i=0; $i< count($_POST['new_source']); $i++){
      $new_event1 = $_POST['new_source'][$i];
      $query = "INSERT INTO #__bl_press(n_source, n_title, n_link, match_id, type1, type2) VALUES(".$new_event1.",".$_POST['new_title'][$i].",".$_POST['new_link'][$i].",".$row->id.",".intval($_POST['new_type1'][$i]).",".intval($_POST['new_type2'][$i]).")";
      $db->setQuery($query);
      $db->query();
   }
}

Answer 1

You need quotes round the string values:

$query = "INSERT INTO #__bl_press(n_source,n_title,n_link,match_id,type1,type2)".
         "VALUES('".$new_event1."','".$_POST['new_title'][$i]."','" . // etc
//               ^               ^ ^                           ^ ^

Also you should use mysql_real_escape_string or parameterized queries to avoid SQL injection vulnerabilities and runtime errors when the posted data contains characters such as quotes or backslashes. See also this question for more information:

• Best way to stop SQL Injection in PHP

Answer 2

You're not adding quotes (') around them. A number is just a number but a string has to be written as "string" instead of string.

Also, to avoid SQL injections, always use mysql_real_escape_string or other escaping features.

Answer 3

May be you forgot to use single quote (') for string. Just a silly mistake:

$query = "INSERT INTO #__bl_press(n_source,n_title,n_link,match_id,type1,type2) VALUES('".$new_event1."','".$_POST['new_title'][$i]."','".$_POST['new_link'][$i]."',".$row->id.",'".intval($_POST['new_type1'][$i])."','".intval($_POST['new_type2'][$i])."')";