Adding to database from PHP inserts NULL

Question

THE MISSING _ WAS A TYPO ON STACKOVERFLOW, I WAS TESTING.

I'm trying to insert a value to my database using the following two files:

Add Record:

 <form action="AddVenue.php" method="post" />
<p>Venue Name: <input type="text" name="venue_name" /></p>
<p>Venue Capacity: <input type="text" name="venue_capacity" /></p>
<input type="submit" value="Submit" />
</form>

AddVenue.php

<?php
require("dbconnection.php"); // Connect to Database

// Select Database

$db= 'database';  
mysql_select_db($db) or die("Could not select database");


$venue_name = $_POST['venue_name'];
$venue_capacity = $_POST['venue_capacity'];

$sql = "INSERT INTO Venues (venue_name) VALUES ('$venue_name')";
$sql = "INSERT INTO Venues (venue_capacity) VALUES ('$venue_capacity')";

if (!mysql_query($sql))
{
       die('Error: ' . mysql_error());
}



mysql_close();
?>

At the moment, it adds the to the field venue_capacity without fault, however it always adds NULL to the venue_name field. The capacity field is an INT, and the name field is VARCHAR.

I have no idea why it's doing it, they are the same a pat from the names, which I have double and triple checked. Does anyone have any ideas?

You should escape your input: $venue_name = mysql_real_escape_string($_POST['venue_name']); — Martin, Mar 09 '12 at 20:31

score 4 · Answer 1 · edited Mar 09 '12 at 20:30

4

You've missed a _ in name="venuename"

edited Mar 09 '12 at 20:30

Martin.

10,494
3
42
68

answered Mar 09 '12 at 20:29

joakimdahlstrom

1,575
1
11
23

1

that's not the only problem. He isn't performing the first query. – Jon Egeland Mar 09 '12 at 20:33

score 4 · Accepted Answer · answered Mar 09 '12 at 20:32

You are resetting $sql with a new query without performing it first.

You should combine the two queries into one:

INSERT INTO Venues (venue_name, venue_capacity) VALUES ('$venue_name', '$venue_capacity');

Your form also needs to have the field named venue_name instead of venuename.

score 2 · Answer 3 · answered Mar 09 '12 at 20:30

2

You mean on the same record?

You have to insert them in the same statement like this:

$sql = "INSERT INTO Venues (venue_name, venue_capacity) VALUES ('$venue_name', '$venue_capacity')";

And please use prepared statements. At the moment your code is extremly vunerable to SQL Injections, because your just reading the values from the POST-Variables without any checks.

answered Mar 09 '12 at 20:30

kufi

2,418
19
14

Thanks. This won't be live at any point, i'm just trying to learn. Could you possibly direct me to any information regarding the prevention of the attacks you mentioned? – Alex Mar 10 '12 at 20:29
You'll find plenty of information on the web for it. php.net offers a good starting point for prepared statements: [php.net](http://php.net/manual/de/pdo.prepared-statements.php) or here on [stackoverflow](http://stackoverflow.com/questions/1457131/php-pdo-prepared-statements) – kufi Mar 11 '12 at 16:42

mason81 · Answer 4 · 2012-03-09T21:31:28.107

Try this:

Add Record:

<form action="AddVenue.php" method="post" />
  <p>Venue Name: <input type="text" name="venue_name" /></p>
  <p>Venue Capacity: <input type="text" name="venue_capacity" /></p>
  <input type="submit" value="Submit" />
</form>

AddVenue.php

<?php

$venue_name = mysql_real_escape_string($_POST['venue_name']);
$venue_capacity = mysql_real_escape_string($_POST['venue_capacity']);

$sql = "INSERT INTO Venues (venue_name,venue_capacity) VALUES ('$venue_name','$venue_capacity')";

if (!mysql_query($sql))
{
       die('Error: ' . mysql_error());
}

?>

EDIT (to explain above changes) You had a typo in your input for the "venu_name" and also were using 2 different SQL strings (which if they actually executed would have inserted the data in 2 different fields, depending on your table's configuration). The 2nd query string overwrote the first so it was never executed.

Also, one very important thing is that you were not sanitizing your data in any way! Perhaps you intended to use JavaScript for that? If you don't check your input you will be vulnerable to a lot of nasty attacks.

ChapMic · Answer 5 · 2012-03-09T20:37:01.770

First thing :

How can you do this : $venue_name = $_POST['venue_name']; ?

When you use do this before: <input type="text" name="venuename" /></p>

-> You forgot the small _ in your input name code.

Second thing :

You will put a new value for $sql without executing the first one if you do it like that.

Try it instead:

$sql = "INSERT INTO Venues (venue_name, venue_capacity) VALUES ('$venue_name', '$venue_capacity')";

Adding to database from PHP inserts NULL

5 Answers5