
THE MISSING _ WAS A TYPO ON STACKOVERFLOW, I WAS TESTING.

I'm trying to insert a value to my database using the following two files:

Add Record:

<form action="AddVenue.php" method="post">
  <p>Venue Name: <input type="text" name="venue_name" /></p>
  <p>Venue Capacity: <input type="text" name="venue_capacity" /></p>
  <input type="submit" value="Submit" />
</form>

AddVenue.php

<?php
require("dbconnection.php"); // Connect to Database

// Select Database

$db= 'database';  
mysql_select_db($db) or die("Could not select database");


$venue_name = $_POST['venue_name'];
$venue_capacity = $_POST['venue_capacity'];

$sql = "INSERT INTO Venues (venue_name) VALUES ('$venue_name')";
$sql = "INSERT INTO Venues (venue_capacity) VALUES ('$venue_capacity')";

if (!mysql_query($sql))
{
       die('Error: ' . mysql_error());
}



mysql_close();
?>

At the moment, it adds the value to the field venue_capacity without fault; however, it always adds NULL to the venue_name field. The capacity field is an INT, and the name field is VARCHAR.

I have no idea why it's doing it; they are the same apart from the names, which I have double and triple checked. Does anyone have any ideas?

Comment: You should escape your input: $venue_name = mysql_real_escape_string($_POST['venue_name']); Commented Mar 9, 2012 at 20:31

5 Answers

4

You are resetting $sql with a new query without performing it first.

You should combine the two queries into one:

INSERT INTO Venues (venue_name, venue_capacity) VALUES ('$venue_name', '$venue_capacity');

Your form also needs to have the field named venue_name instead of venuename.


4

You've missed a _ in name="venuename"

1 Comment

That's not the only problem. He isn't performing the first query.

2

You mean on the same record?

You have to insert them in the same statement like this:

$sql = "INSERT INTO Venues (venue_name, venue_capacity) VALUES ('$venue_name', '$venue_capacity')";

And please use prepared statements. At the moment your code is extremely vulnerable to SQL injection, because you're just reading the values from the POST variables without any checks.

2 Comments

Thanks. This won't be live at any point, i'm just trying to learn. Could you possibly direct me to any information regarding the prevention of the attacks you mentioned?
You'll find plenty of information on the web for it. php.net offers a good starting point for prepared statements: php.net or here on stackoverflow

1
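As an added example that is not part of the original question or answers, here is AddVenue.php rewritten with PDO prepared statements, the approach the answer above recommends. The original page never shows dbconnection.php and uses the legacy mysql_ extension, so the PDO instance name $pdo, the DSN and the 255-character name limit below are assumptions. Escaping, as suggested in the comment on the question, only protects a value that is correctly quoted inside the SQL string; binding parameters keeps the data separate from the SQL text no matter what the client sends, and also fixes the overwritten $sql variable from the question by inserting both columns in one statement.

```php
<?php
// Added example: AddVenue.php using PDO prepared statements.
// Assumption: dbconnection.php creates $pdo, e.g.
//   $pdo = new PDO('mysql:host=localhost;dbname=database;charset=utf8mb4', $user, $pass);
// That variable name and DSN are not from the original page.
declare(strict_types=1);

require 'dbconnection.php';

// Fail loudly on SQL errors instead of silently returning false.
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Use real server-side prepared statements rather than client-side emulation,
// so the query text is sent to MySQL once and the values are sent separately.
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

// Validate before touching the database. venue_capacity is an INT column, so
// reject anything that is not a non-negative integer; venue_name is VARCHAR
// (255 characters assumed here, adjust to the real column width).
$venue_name     = trim((string) ($_POST['venue_name'] ?? ''));
$venue_capacity = filter_var(
    $_POST['venue_capacity'] ?? null,
    FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 0]]
);

if ($venue_name === '' || mb_strlen($venue_name) > 255) {
    http_response_code(400);
    exit('venue_name is required and must be at most 255 characters');
}
if ($venue_capacity === false) {
    http_response_code(400);
    exit('venue_capacity must be a non-negative integer');
}

// One INSERT for both columns. In the question, the second assignment to $sql
// replaced the first query before it ran, which is why venue_name stayed NULL.
// The placeholders are bound, so a name such as O'Brien, or one containing a
// closing quote and further SQL, is stored literally and cannot alter the query.
$stmt = $pdo->prepare(
    'INSERT INTO Venues (venue_name, venue_capacity) VALUES (:name, :capacity)'
);
$stmt->bindValue(':name', $venue_name, PDO::PARAM_STR);
$stmt->bindValue(':capacity', $venue_capacity, PDO::PARAM_INT);
$stmt->execute();

echo 'Inserted venue #' . $pdo->lastInsertId();
```

With the string-concatenated query from the question, submitting a venue name containing a single quote already produces a MySQL syntax error, and anything after that quote is interpreted as SQL; with the bound parameters above the same input is simply stored as the venue name.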

Try this:

Add Record:

<form action="AddVenue.php" method="post">
  <p>Venue Name: <input type="text" name="venue_name" /></p>
  <p>Venue Capacity: <input type="text" name="venue_capacity" /></p>
  <input type="submit" value="Submit" />
</form>

AddVenue.php

<?php
require("dbconnection.php"); // Connect to the database; mysql_real_escape_string() needs an open connection
mysql_select_db('database') or die("Could not select database");

// Escape both values before interpolating them into the query string
$venue_name = mysql_real_escape_string($_POST['venue_name']);
$venue_capacity = mysql_real_escape_string($_POST['venue_capacity']);

// Insert both columns with a single statement
$sql = "INSERT INTO Venues (venue_name,venue_capacity) VALUES ('$venue_name','$venue_capacity')";

if (!mysql_query($sql))
{
       die('Error: ' . mysql_error());
}

mysql_close();
?>

EDIT (to explain above changes) You had a typo in your input for the "venu_name" and also were using 2 different SQL strings (which if they actually executed would have inserted the data in 2 different fields, depending on your table's configuration). The 2nd query string overwrote the first so it was never executed.

Also, one very important thing is that you were not sanitizing your data in any way! Perhaps you intended to use JavaScript for that? If you don't check your input you will be vulnerable to a lot of nasty attacks.


0

First thing:

How can you do this: $venue_name = $_POST['venue_name']; ?

When you do this before: <input type="text" name="venuename" /></p>

-> You forgot the small _ in your input name code.

Second thing:

You will put a new value for $sql without executing the first one if you do it like that.

Try it instead:

$sql = "INSERT INTO Venues (venue_name, venue_capacity) VALUES ('$venue_name', '$venue_capacity')";
