0

So I'm using a little PHP script for a webpage administration, and I have to do an item registration, so I get all my params and send them to the script to build an INSERT for the database (MySQL). Here's my piece of code:

    //Getting the params
    $title = $_POST["title"];
    $date = $_POST["date"];
    $hour = $_POST["hour"];
    $description = $_POST["description"];
    $link = $_POST["link"];
    $speaker = $_POST["speaker"];
    $site = $_POST["site"];
    $file = $_POST["file"];
    //Link and File are optional, so I'll be using NULL instead if they're empty
    $link = !empty($link) ? ("'".$link."'") : ("'". NULL ."'");
    $file = !empty($file) ? ("'".$file."'") : ("'". NULL ."'");
    //Now I'm ready to build the query
    $query = "INSERT INTO ".$type;
    $query = $query . "(title,data,hour,description,link,speaker,site,file)";
    $query = $query . "VALUES (";
    $query = $query . "'" .$title."'";
    $query = $query . ",'".$date."'";
    $query = $query . ",'".$hour."'";
    $query = $query . ",'".$description."'";
    $query = $query . ",".$link;
    $query = $query . ",'".$speaker."'";
    $query = $query . ",'".$site."'";
    $query = $query . ",".$file.")";
    //Finally, I'll be sending the INSERT as a query using:
    $result = mysql_query($query);
    if(!$result)
        echo "SQL Error";

And so, I'm always getting inside the error statement. I have other INSERTs in other scripts on the same webpage, and they work well; this one mimics them. I've checked:

  1. mysql_connect() and mysql_select_db() are ok
  2. Database user I use has GRANTS to do the INSERT
  3. Database connectivity (checked using a SELECT query)

Any hint will be appreciated.

[SOLVED] Strings were not escaped, so the quotes were breaking the query. So if you're still having this kind of trouble and using the deprecated mysql_ API, you may well need the mysql_escape_string method (check Escaping single quote in PHP when inserting into MySQL).

Comments

  • Enter your table structure as well as the coding of the form. Commented May 31, 2016 at 7:31
  • Stop using the deprecated mysql_ API. Use mysqli_ or PDO instead with prepared statements. Commented May 31, 2016 at 7:32
  • Call the mysql_error() function to find out what the error is. Commented May 31, 2016 at 7:32
  • Where is the $type variable coming from? Also, your code is open to SQL injection. Commented May 31, 2016 at 8:21
  • @ytturi, have you checked my answer below and tried it? Commented May 31, 2016 at 8:55

2 Answers

0

Use these lines.

    $link = !empty($link) ? $link : NULL;
    $file = !empty($file) ? $file : NULL;

In PHP, null is NULL without quotes; also, don't use extra "" in $link and $file.

Before running the query, try to print it and run it in phpMyAdmin.


1 Comment

Hey, thank you for answering. As answered to @Ms.Nehal, I made a mistake when transcribing from my original code: I'm using no quotes for the NULL value, but I'm adding the quotes for the concatenation string. Sorry about that, I'm editing it now.
0

You have issues with concatenation. Try replacing your code lines with this:

    //Link and File are optional, so I'll be using NULL instead if they're empty
    $link = !empty($link) ? ($link) : (NULL);
    $file = !empty($file) ? ($file) : (NULL);
    //Now I'm ready to build the query
    $query = "INSERT INTO $type (title,data,hour,description,link,speaker,site,file) VALUES ('" .$title."','".$date."'
           ,'".$hour."','".$description."','".$link."','".$speaker."','".$site."','".$file."')";

Also, NULL is never passed as a string. Otherwise, it'll be treated as a string instead.

4 Comments

Yup, thank you for that. I saw that same mistake in other instances in this page. I think I made some transcription errors when erasing sensitive data from the comments; my lines for empty link/files are: $link = !empty($link) ? ("'".$link."'") : ("'". NULL ."'"); $file = !empty($file) ? ("'".$file."'") : ("'". NULL ."'"); So in the query sent, if you print the string, the result looks like '' when the value is NULL.
@ytturi, I'm sorry, what you're trying to say is not clear. Can you please specify more briefly?
I made an error when I wrote the post. The concatenation is working well and the NULL value is sent properly.
@ytturi, so you have solved your issue. So you should post your answer and accept it as well, which shows the solution to the problem.
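
The prepared-statement approach suggested in the comments, applied to the question's INSERT, as an added example that is not part of the original thread. The function name `insertItem`, the `ALLOWED_TABLES` list, the `talks` table and the sample values are hypothetical, and an in-memory SQLite database stands in for MySQL so the script runs offline; with MySQL only the DSN passed to `PDO` changes.

```php
<?php
// Added example (not the asker's code). Table names and sample values are constructed.
// SQLite in memory stands in for MySQL so this runs offline.
const ALLOWED_TABLES = ['talks', 'workshops']; // hypothetical values for $type

function insertItem(PDO $pdo, string $type, array $post): int
{
    // Identifiers cannot be bound as parameters, so $type is checked
    // against a fixed allowlist before it is placed in the SQL text.
    if (!in_array($type, ALLOWED_TABLES, true)) {
        throw new InvalidArgumentException("unknown table: $type");
    }
    $cols = ['title', 'data', 'hour', 'description', 'link', 'speaker', 'site', 'file'];
    $sql = sprintf('INSERT INTO %s (%s) VALUES (%s)', $type, implode(',', $cols),
        implode(',', array_map(fn($c) => ":$c", $cols)));
    $stmt = $pdo->prepare($sql);
    foreach ($cols as $c) {
        $v = $post[$c] ?? '';
        // Optional fields become a real SQL NULL, not the string '' or 'NULL'.
        $isNull = ($v === '' && ($c === 'link' || $c === 'file'));
        $stmt->bindValue(":$c", $isNull ? null : $v, $isNull ? PDO::PARAM_NULL : PDO::PARAM_STR);
    }
    $stmt->execute();
    return (int) $pdo->lastInsertId();
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // report the real SQL error
$pdo->exec('CREATE TABLE talks (id INTEGER PRIMARY KEY, title TEXT, data TEXT, hour TEXT,
            description TEXT, link TEXT, speaker TEXT, site TEXT, file TEXT)');

// Constructed input: the apostrophes are what broke the concatenated query.
$post = ['title' => "What's new in PHP", 'data' => '2016-05-31', 'hour' => '10:00',
         'description' => "O'Brien's intro", 'link' => '', 'speaker' => "D'Arcy",
         'site' => 'Room 1', 'file' => ''];

$id = insertItem($pdo, 'talks', $post);
$row = $pdo->query("SELECT title, link FROM talks WHERE id = $id")->fetch(PDO::FETCH_ASSOC);
var_dump($row['title'] === "What's new in PHP", $row['link'] === null);
try {
    insertItem($pdo, 'not_a_table', $post); // table name outside the allowlist
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```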
