
PHP mysqli_query problem

Hello! I've got a problem with my php. Connection with the database is fine, POST collects the data fine, SQL request is perfectly fine too, $con is global with the database credentials, the only thing that I can see is that mysqli_query responds false. Does anyone know why?

```php
<?php
require('connect.php');

if ($_SERVER["REQUEST_METHOD"] == "POST") {
    $name = $_POST["name"];
    $quantity = $_POST['quantity'];
    // $name is interpolated straight into the statement without quotes
    $sqladd = "INSERT INTO ingredients VALUES(null, $name, $quantity, null)";
    if (mysqli_query($con, $sqladd)) {
        echo "Success!";
    } else {
        echo "Sheep, here we go again...";
    }
} else {
    echo "Go away";
}
?>
```

28th Aug 2020, 6:36 PM
Michał Cukrowski
11 answers
+ 1
This should be your query:

```php
// mysqli_real_escape_string needs the connection as its first argument
$name = mysqli_real_escape_string($con, $_POST['name']);
$quantity = mysqli_real_escape_string($con, $_POST['quantity']);
// the string value must also be wrapped in single quotes inside the SQL
$sqladd = "INSERT INTO ingredients VALUES(null, '$name', $quantity, null)";
```
28th Aug 2020, 7:19 PM
Мг. Кнап🌠
+ 2
You are not getting rid of anything, you are just escaping the string. A string can have characters which could be part of the string but could damage the query; for example, a name can be O'Brien, and here the single quote will break the query. So you need to make sure that the data is passed along with the single quotes, because that's also part of your data. So you need to escape the string type values.
28th Aug 2020, 7:05 PM
Мг. Кнап🌠
+ 1
The reason why we escape straightforwardly is to avoid SQL injection attacks. If you are building something you should be concerned about security as well, and there are some other methods which we use along with it...
28th Aug 2020, 7:21 PM
Мг. Кнап🌠
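Both of the answers above (the O'Brien quoting problem and the SQL injection concern) are addressed by letting the driver carry the values separately from the SQL text. The following is an added example, not code from the thread or from the original poster: it rewrites the INSERT as a mysqli prepared statement and keeps an escaping version beside it for comparison. It assumes that connect.php creates a mysqli connection in $con and that the ingredients table has four columns in the order used in the thread (id, name, quantity, image path); the function names and the O'Brien sample value are constructed for illustration.

```php
<?php
// Added example, not from the thread. Assumes connect.php defines $con (mysqli)
// and that ingredients has columns (id, name, quantity, image_path).
require('connect.php');

// Make mysqli throw mysqli_sql_exception on errors instead of returning false,
// so a failed INSERT cannot be silently mistaken for "query went through".
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Preferred: prepared statement. The SQL text never contains user data, so a
// name like O'Brien (or a crafted input) cannot change the statement's shape.
function add_ingredient(mysqli $con, string $name, int $quantity): bool
{
    $stmt = $con->prepare('INSERT INTO ingredients VALUES (NULL, ?, ?, NULL)');
    $stmt->bind_param('si', $name, $quantity); // s = string, i = integer
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// For comparison: the escaping approach from the answers above, done fully.
// The escaped string must still be wrapped in single quotes, and the integer
// is type-checked before it is interpolated.
function add_ingredient_escaped(mysqli $con, string $name, int $quantity): bool
{
    $safeName = mysqli_real_escape_string($con, $name); // O'Brien -> O\'Brien
    $sql = "INSERT INTO ingredients VALUES (NULL, '$safeName', $quantity, NULL)";
    return mysqli_query($con, $sql);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $name = $_POST['name'] ?? '';
    // Reject anything that is not an integer before it gets near the query.
    $quantity = filter_var($_POST['quantity'] ?? '', FILTER_VALIDATE_INT);
    if ($name === '' || $quantity === false) {
        http_response_code(400);
        echo 'name must be non-empty and quantity must be an integer';
        exit;
    }
    try {
        add_ingredient($con, $name, $quantity); // e.g. name "O'Brien", quantity 3
        echo 'Success!';
    } catch (mysqli_sql_exception $e) {
        http_response_code(500);
        // Log the driver error server-side; do not echo it to the client.
        error_log('ingredient insert failed: ' . $e->getMessage());
        echo 'Insert failed';
    }
} else {
    echo 'Go away';
}
```

With mysqli_report in strict mode the original symptom (mysqli_query quietly returning false) becomes an exception whose message names the actual syntax or type problem, which is the same information mysqli_error($con) would give, but without the risk of forgetting to check it.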
+ 1
You're a magician man, thank you a lot!
28th Aug 2020, 7:24 PM
Michał Cukrowski
+ 1
Nah, that's just the practice of doing it, you will be well versed.
28th Aug 2020, 7:25 PM
Мг. Кнап🌠
0
What values are you setting null? Is name a string? If so, enclose it in single quotes or escape the variable using $name = mysqli_real_escape_string($con, $_POST['name']); And to check if your query is right or wrong, print mysqli_error($con); in the inner else block.
28th Aug 2020, 6:48 PM
Мг. Кнап🌠
0
Null is the ID of the element so an integer and the other one is the path to an image, I wanted to skip that. The only thing that worked here was getting rid of the variables and inserting a string into the SQL request. But why?
28th Aug 2020, 7:01 PM
Michał Cukrowski
0
Well the data I'm writing in is some simple asd so I don't get how it could damage the query and putting mysqli_real_escape_string didn't work, but the data type of name is char - maybe that has something to do with that? What should I do?
28th Aug 2020, 7:12 PM
Michał Cukrowski
0
What about quantity? What type of value does it have?
28th Aug 2020, 7:15 PM
Мг. Кнап🌠
0
Integer
28th Aug 2020, 7:15 PM
Michał Cukrowski
0
Interestingly, if I set the query as (null, null, $quantity, null) it returns success, so something is definitely wrong with the data type.
28th Aug 2020, 7:18 PM
Michał Cukrowski