0
PHP mysqli_query problem
Hello! I've got a problem with my PHP. Connection with the database is fine, POST collects the data fine, SQL request is perfectly fine too, $con is global with the database credentials, the only thing that I can see is that mysqli_query responds false. Does anyone know why?
<?php
require('connect.php');
if ($_SERVER["REQUEST_METHOD"] == "POST") {
    $name = $_POST["name"];
    $quantity = $_POST['quantity'];
    $sqladd = "INSERT INTO ingredients VALUES(null, $name, $quantity, null)";
    if(mysqli_query($con, $sqladd)){
        echo "Success!";
    } else {
        echo "Sheep, here we go again...";
    }
} else {
    echo "Go away";
}
?>
11 Answers
+ 1
This should be your query
// mysqli_real_escape_string() takes the connection as its first argument
$name = mysqli_real_escape_string($con, $_POST['name']);
$quantity = mysqli_real_escape_string($con, $_POST['quantity']);
$sqladd = "INSERT INTO ingredients VALUES(null, '$name', $quantity, null)";
+ 2
You are not getting rid of anything, you are just escaping the string. A string can have characters which could be part of the string, but they could damage the query.
Like name can be O'Brien, here the single quotes will break the query.
So you need to make sure that the data is passed along with the single quotes, because that's also part of your data.
So you need to escape the string type values.
+ 1
The reason why we are escaping straight forward is to avoid SQL injection attacks, if you are building something you should be concerned about security as well, and some other methods are also there which we use along with it...
+ 1
You're a magician man, thank you a lot!
+ 1
Nah, that's just the practice of doing it, you will be well versed
0
What values are you setting null?
Is name a string? If so, enclose it in single quotes or escape the variable using $name = mysqli_real_escape_string($con,$_POST['name']);
And to check if your query is right or wrong, print the mysqli_error($con); in the inner else block
0
Null is the ID of the element so an integer and the other one is the path to an image, I wanted to skip that. The only thing that worked here was getting rid of the variables and inserting a string into the SQL request. But why?
0
Well the data I'm writing in is some simple asd so I don't get how it could damage the query and putting mysqli_real_escape_string didn't work, but the data type of name is char - maybe that has something to do with that? What should I do?
0
What about quantity? What type of value does it have?
0
Integer
0
Interestingly if I set the query as (null, null, $quantity, null) it returns success so something is definitely wrong with the data type
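
Added example, not part of any post in this thread: the same insert written as a mysqli prepared statement, so the name never needs quoting or escaping and the quantity is bound as an integer, with the database error logged when the statement fails. It assumes, as in the question, that connect.php defines $con as a mysqli link and that the four-column ingredients table takes NULL for the first and last columns.

```php
<?php
// Added example. Assumes connect.php defines $con (a mysqli link), as in the question.
require('connect.php');

// PHP 8.1+ makes mysqli throw exceptions by default; turn that off here so
// failures return false and the error branches below run as in the thread.
mysqli_report(MYSQLI_REPORT_OFF);

if ($_SERVER["REQUEST_METHOD"] !== "POST") {
    http_response_code(405);
    exit("Go away");
}

// Validate the input before touching the database.
$name = trim($_POST["name"] ?? "");
$quantity = filter_var($_POST["quantity"] ?? null, FILTER_VALIDATE_INT);
if ($name === "" || $quantity === false) {
    http_response_code(400);
    exit("name must be non-empty and quantity must be an integer");
}

// The ? placeholders keep user data out of the SQL text entirely, so a name
// such as O'Brien cannot break the statement or change what it does.
$stmt = mysqli_prepare($con, "INSERT INTO ingredients VALUES (NULL, ?, ?, NULL)");
if ($stmt === false) {
    // Log the real reason server-side; do not echo it to the client.
    error_log("prepare failed: " . mysqli_error($con));
    exit("Sheep, here we go again...");
}

// "si" = first parameter is a string, second is an integer.
mysqli_stmt_bind_param($stmt, "si", $name, $quantity);

if (mysqli_stmt_execute($stmt)) {
    echo "Success!";
} else {
    error_log("execute failed: " . mysqli_stmt_error($stmt));
    echo "Sheep, here we go again...";
}
mysqli_stmt_close($stmt);
```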