I have a problem with an INSERT SQL sentence. It just does nothing (and doesn't show any error)! When I print $qry, it looks just fine. What can be the problem? This is the code:

<?php 
include('conn.php');
$result=mysql_query("SET NAMES utf8 COLLATE utf8_general_ci",$mysql_link);
$result=mysql_query("SELECT * FROM users where userID=".$_SESSION['IDENT'],$mysql_link);
if (!$result)
{

    echo "ERROR: error occured in MySQL query.";

}
else 
{

    if(mysql_num_rows($result)==1)
    {

    //This will be shown only to registered users.
    while ($row=mysql_fetch_array($result))
        {
            if (($row['userRank']==100)||($row['userRank']==10))
                {
                    $qry="INSERT INTO users (NickName, username, userpass, userEmail, userRank, userOOlamR, userPhone, userPhone2, userStr, userCity, userMikud, userOOlamID) VALUES ('" . $_POST['nname'] . "', '" . $_POST['username'] . "', '" . md5($_POST['userpass']) . "', '" . $_POST['email'] . "', 2, 1, '" . $_POST['cellphone1'] . "', '" . $_POST['cellphone2'] . "', '" . $_POST['street'] . "', '" . $_POST['city'] . "', " . $_POST['mikud'] . ", " . $_POST['oolam'] . ")";
                    $res=mysql_query($qry ,$mysql_link);
                    ?><div align="center">
                    <table width="50%" height="20%" style="Border-Style:dotted;Border-Width:1px;Border-Color:a01220;background-color: rgba(190, 200, 230, 0.5);">
                    <td><div align="Center"><font face="Arial" size="2" color="Black"> SUCCESS!<br></div></td>
                    </table>
                    </div><div align="left">
                    <?php
                    echo $qry; ?>
                    </div><?php
                }
            Else
                {
                    //SECURITY
                }



        }
    }
}
include('cconn.php');
?>

The problem was I had another field in the table that I didn't treat in my INSERT statement at all.

Tzahi Serruya
  • 3
    Your indentation style is horrible. Put your curly brackets on the same indentation level as the control statement they belong to. Besides that, your large if..else blocks can be optimized and you need to fix the SQL injection issues in your code. And you might want to consider not using HTML elements that are deprecated for years now (``). – ThiefMaster Jan 05 '12 at 01:25
  • As for the indentation style, sorry, I'm a newbie to PHP. I just want it to work and then continue with the SQL injection issues... it's just adding nothing to the DB... – Tzahi Serruya Jan 05 '12 at 01:28
  • Are you sure your input isn't terminating the query? You'll likely be lectured on security for blindly accepting session and post data in your query. look into mysql_real_escape_string – Kai Qing Jan 05 '12 at 01:29
  • 1
    @Tzahi: I don't understand what you expect to happen in this code that is not happening. You mentioned "update SQL" but I don't see any updates. Is it failing to insert a record into the users table? Did I understand correctly that it is echoing out the insert statement to the screen, or is it not getting to that point in the code? – ryanlahue Jan 05 '12 at 01:30
  • where is the update statement – Manigandan Arjunan Jan 05 '12 at 01:30
  • You can see that I wrote echo $qry in my code to check if the input is OK, IT IS! And as I said: after it works and updates the DB I'll add input validation. Please focus on the main question: why isn't the DB being updated by this sentence? – Tzahi Serruya Jan 05 '12 at 01:34
  • @rla: It's echoing the insert statement and it looks just fine. SORRY, I WAS MISTAKEN: THE INSERT STATEMENT (not update...) – Tzahi Serruya Jan 05 '12 at 01:37
  • What is the return value of `mysql_query`? Are there any errors in the logs? If you take the raw query and manually execute it against the database, what is the result? – David Jan 05 '12 at 01:47
  • There are no errors in the logs. How can I know the return value of mysql_query?(I'm a newbie..) also didn't understand at your last question what should I try to do – Tzahi Serruya Jan 05 '12 at 01:52
  • @Tzahi: Check out the first example in the documentation for mysql_query. http://php.net/manual/en/function.mysql-query.php Do what that example does, checking the value of your $res variable and if it evaluates to false, print the value of mysql_error() – ryanlahue Jan 05 '12 at 02:10
  • @rla Thanks a lot! Just did it and saw the silly mistake! It was a problem with one of the table columns, which didn't have a default value and I didn't want to insert any data into it... so the mistake was: Invalid query: Field 'userLLTimeStamp' doesn't have a default value. Now it works!! Thanks! – Tzahi Serruya Jan 05 '12 at 02:19

1 Answer

In your query the mistake lies here:

$qry="INSERT INTO users (NickName, username, userpass, userEmail, userRank, userOOlamR, userPhone, userPhone2, userStr, userCity, userMikud, userOOlamID) VALUES ('" . $_POST['nname'] . "', '" . $_POST['username'] . "', '" . md5($_POST['userpass']) . "', '" . $_POST['email'] . "', 2, 1, '" . $_POST['cellphone1'] . "', '" . $_POST['cellphone2'] . "', '" . $_POST['street'] . "', '" . $_POST['city'] . "', " . $_POST['mikud'] . ", " . $_POST['oolam'] . ")";

Use this:

    // Escape every string value before it goes between quotes in the query.
    $nickname=mysql_real_escape_string($_POST['nname']);
    $username=mysql_real_escape_string($_POST['username']);
    // Hash the raw password; the hex digest needs no escaping.
    $userpass=md5($_POST['userpass']);
    $useremail=mysql_real_escape_string($_POST['email']);
    $userrank=2;
    $useroolamR=1;
    $userphone=mysql_real_escape_string($_POST['cellphone1']);
    $userphone2=mysql_real_escape_string($_POST['cellphone2']);
    $userstr=mysql_real_escape_string($_POST['street']);
    $usercity=mysql_real_escape_string($_POST['city']);
    // These two go into the query unquoted, so force them to integers.
    $usermikud=(int)$_POST['mikud'];
    $useroolamid=(int)$_POST['oolam'];

    $qry="INSERT INTO users (NickName, username, userpass, userEmail, userRank, userOOlamR, userPhone, userPhone2, userStr, userCity, userMikud, userOOlamID) VALUES ('$nickname','$username','$userpass','$useremail', $userrank, $useroolamR,'$userphone','$userphone2','$userstr','$usercity',$usermikud,$useroolamid)";
Manigandan Arjunan
  • Well, thank you for your answer, it is more arranged this way, but still it isn't working, and echoing it OK, just as it was before... – Tzahi Serruya Jan 05 '12 at 01:44
  • That wasn't a mistake because "userMikud" and "userOOlamID" are set to be an int in the MySQL DB. – Tzahi Serruya Jan 05 '12 at 01:50
  • now it says: Parse error: syntax error, unexpected '=' [on the line $qry="INSERT INTO users...] – Tzahi Serruya Jan 05 '12 at 02:08
  • if you can let us know the table structure so it will be easy to solve the issue – Manigandan Arjunan Jan 05 '12 at 02:11
  • OOPS, I pasted it without the "$" sign, so that was why the error appeared. Now I've fixed it and it's still the same... :( – Tzahi Serruya Jan 05 '12 at 02:12
  • userID- int A_I::NickName- text::username- text:: userpass- text:: userEmail-text::userRank-int::userOOlamR-int::userPhone-text::userPhone2-text::userStr-text::userCity-text::userMikud-int::userOOlamID-int:: [That's all...] – Tzahi Serruya Jan 05 '12 at 02:15
  • just update your question with the new answer.. it seems to be the error is not in the query – Manigandan Arjunan Jan 05 '12 at 02:22
  • @Ampere Don't you think your example should demonstrate protection from sql injection? – Rob Apodaca Jan 05 '12 at 02:42
  • I feel compelled to mention that both the question and the answer are suspect to a SQL Injection attack. Give this question a look: http://stackoverflow.com/questions/60174/best-way-to-stop-sql-injection-in-php – Aaron Jan 05 '12 at 02:42
  • -1 example does not demonstrate protection from sql injection – Rob Apodaca Jan 06 '12 at 17:31
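
The two points raised in this thread (the INSERT that failed without any message, and the injectable query) can be seen together in the following added example, which is not code from the question or the answer. It assumes PDO with an in-memory SQLite database standing in for MySQL so that it runs offline, a cut-down constructed copy of the users table, a constructed $post array in place of $_POST, and a hypothetical helper named insertUser.

```php
<?php
// Added example, not the asker's code. SQLite in memory stands in for MySQL
// so the script runs offline; the table is a cut-down, constructed copy.
$pdo = new PDO('sqlite::memory:');
// Throw on every failed statement instead of returning false silently.
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// userLLTimeStamp is NOT NULL with no default, like the column in the thread.
$pdo->exec('CREATE TABLE users (
    userID INTEGER PRIMARY KEY AUTOINCREMENT,
    NickName TEXT, username TEXT, userpass TEXT,
    userRank INTEGER, userMikud INTEGER,
    userLLTimeStamp INTEGER NOT NULL
)');

// Constructed stand-in for $_POST; the nickname contains a quote on purpose.
$post = ['nname' => "O'Neil", 'username' => 'oneil',
         'userpass' => 'correct horse', 'mikud' => '12345'];

// Hypothetical helper: validates the integer field and binds every value.
function insertUser(PDO $pdo, array $post, bool $withTimestamp): int
{
    $mikud = filter_var($post['mikud'], FILTER_VALIDATE_INT);
    if ($mikud === false) {
        throw new InvalidArgumentException('mikud must be an integer');
    }
    // Column names are fixed literals; only values come from the request.
    $cols = ['NickName', 'username', 'userpass', 'userRank', 'userMikud'];
    $vals = [$post['nname'], $post['username'],
             password_hash($post['userpass'], PASSWORD_DEFAULT), 2, $mikud];
    if ($withTimestamp) {
        $cols[] = 'userLLTimeStamp';
        $vals[] = time();
    }
    $marks = implode(', ', array_fill(0, count($cols), '?'));
    $stmt = $pdo->prepare('INSERT INTO users (' . implode(', ', $cols) . ") VALUES ($marks)");
    $stmt->execute($vals);   // values are bound, never concatenated into SQL
    return (int) $pdo->lastInsertId();
}

try {
    insertUser($pdo, $post, false);   // the asker's mistake: column left out
} catch (PDOException $e) {
    echo 'INSERT failed: ', $e->getMessage(), "\n";   // the reason is now visible
}
$id = insertUser($pdo, $post, true);
echo "Inserted row $id\n";
echo $pdo->query('SELECT NickName FROM users')->fetchColumn(), "\n";
```

With exceptions enabled, the missing-column mistake is reported at the point of failure rather than after a "SUCCESS!" banner, and the quote in the nickname is stored as data because it never becomes part of the SQL text.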