
I am having some difficulties using the PHP insert into statement to add a new row to a MySQL table. I have granted all privileges to the remote user and I have been able to view the table fine. However, when I try to insert into the table I also get a NULL return. Any suggestions?

Here is the code:

<?php
$ID1=$_REQUEST["ID1"];
$ID2=$_REQUEST["ID2"];
$ID3=$_REQUEST["ID3"];
$ID4=$_REQUEST["ID4"];
$ID5=$_REQUEST["ID5"];
$return = "0";

$link = mysql_connect('my-remote-server', 'root', 'pwd');
if (!$link) {echo $return; $end ="1";}

$db_selected = mysql_select_db($ID3, $link);
if (!$db_selected) {echo $return; $end ="1";}

if ($end != "1") 
{
    if (($ID5 == "1") && ($ID4 == "%%%"))
    {
        $check = mysqli_query($link,"INSERT INTO Students (NetID, GroupID)
        VALUES ('%s', '%s')",
        mysql_real_escape_string($ID1),
        mysql_real_escape_string($ID2));
        echo var_dump($check);
        echo "1";   

    }
}
    you're mixing mysql and mysqli. Stick to a single module. Then try again. (In this case, stick to MySQLi since mysql is deprecated and should NOT be used anymore) Commented Feb 3, 2014 at 21:04
  • Did you forget a sprintf somewhere? (Go for real prepared statements though). Commented Feb 3, 2014 at 21:04
  • @Wrikken that too, but he uses a mysql-resource $link and a mysqli_query (MySQLi function) which obviously returns an error, since they don't work together. Commented Feb 3, 2014 at 21:05
  • Yeah, saw that later, multiple issues it seems ;) Commented Feb 3, 2014 at 21:05
  • You do not use mysql_real_escape_string() when you are using prepared statements. Commented Feb 3, 2014 at 21:08

1 Answer

Like we said in the initial comments, stick to a single extension: mysql or MySQLi. In this case, I would strongly advise MySQLi due to the deprecation of the mysql extension in PHP 5.3+.

Your code can be changed (and made more secure) by modifying it to:

<?php
$ID1=$_REQUEST["ID1"];
$ID2=$_REQUEST["ID2"];
$ID3=$_REQUEST["ID3"]; // database name apparently ?
$ID4=$_REQUEST["ID4"];
$ID5=$_REQUEST["ID5"];
$return = "0";

$db = new mysqli('my-remote-server', 'root', 'pwd', $ID3);

// new mysqli() always returns an object, so "if($db)" is always true; check connect_error instead
if ($db->connect_error) {
    echo $return;
    exit;
}

if (($ID5 == "1") && ($ID4 == "%%%")) {
    $statement = $db->prepare("INSERT INTO Students (NetID, GroupID) VALUES (?, ?)"); // prepare the query, this prevents SQL injection
    if ($statement === false) { // prepare() returns false on a bad query or a missing table
        echo $return;
        exit;
    }
    $statement->bind_param('ss', $ID1, $ID2); // this tells MySQLi that the 2 variables are strings; they are sent separately from the SQL text, so they cannot alter the query
    $statement->execute(); // run the actual query
    $statement->close();
}
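As an added example, not code from the question or the answer: a version of the same insert that makes failures visible (the asker's NULL came from a call that failed silently) and that does not let the request choose the database. It assumes PHP 7+, a Students(NetID, GroupID) table, and placeholder credentials, database names and form field names.

```php
<?php
// Added example, not the asker's or the answerer's code.
// Assumptions: PHP 7+, a table Students(NetID, GroupID), placeholder credentials.

// Make MySQLi throw mysqli_sql_exception instead of returning false/NULL, so a failed
// connect, prepare or execute shows up as an error rather than an empty result.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Never let the client name the database: map a request value onto an allowlist.
const ALLOWED_DATABASES = ['courses' => 'courses_db']; // constructed sample mapping

function insertStudent(mysqli $db, string $netId, string $groupId): int
{
    $stmt = $db->prepare('INSERT INTO Students (NetID, GroupID) VALUES (?, ?)');
    $stmt->bind_param('ss', $netId, $groupId); // values travel separately from the SQL text
    $stmt->execute();
    $rows = $stmt->affected_rows;               // 1 when the row was inserted
    $stmt->close();
    return $rows;
}

$netId   = $_POST['netid']   ?? '';   // descriptive names instead of ID1..ID5
$groupId = $_POST['groupid'] ?? '';
$dbKey   = $_POST['db']      ?? '';

if ($netId === '' || $groupId === '' || !isset(ALLOWED_DATABASES[$dbKey])) {
    http_response_code(400);
    echo "0";
    exit;
}

try {
    // 'app_user' is a placeholder for an account with only the privileges this script needs
    $db = new mysqli('my-remote-server', 'app_user', 'pwd', ALLOWED_DATABASES[$dbKey]);
    echo insertStudent($db, $netId, $groupId) === 1 ? "1" : "0";
} catch (mysqli_sql_exception $e) {
    // Log the real error server-side; do not echo SQL errors back to the client.
    error_log('Students insert failed: ' . $e->getMessage());
    http_response_code(500);
    echo "0";
}
```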

2 Comments

I'd still change your code though. ID1-5 are very bad names for variables since they don't actually mean anything. Use descriptive names, like $db_name, $netID, $groupID, etc. Now I have to mentally make a note of the fact that $ID1 is a NetID, $ID2 is a GroupID, $ID3 is a database name, and I have no idea what $ID4 or $ID5 even stand for.
Yeah I agree, I was just using them as placeholders for a test, which is probably bad practice as well. For future projects I will utilize your advice.
