1

So, I'm not exactly sure what the problem is, but when I try to INSERT into a table, it doesn't work.

All the variables are working. I've echoed and tested them, they are working.

$username = $_SESSION['username'];
$update = $_GET['update'];
mysql_query("INSERT INTO updates (username, update) VALUES ('$username', '$update')");

So it must be a problem with my mySQL query. This mySQL query is one of two in the .php folder, if that makes any difference.

asked Mar 1, 2012 at 20:27
  • 1. mysql_error() 2. google for "sql injections" Commented Mar 1, 2012 at 20:28
  • What do the variables contain? Could it be that you have unescaped apostrophes in there? Commented Mar 1, 2012 at 20:29
  • There is no error, it does not update the database. The database has id, username, update that's it. Commented Mar 1, 2012 at 20:32
  • maybe columns properties are wrong. Commented Mar 1, 2012 at 20:34
  • I've proof read them many times over, they are correct. Commented Mar 1, 2012 at 20:38

4 Answers

4

Error in SQL

There is an error in your SQL. You cannot use MySQL keywords in column names without quoting them.

In this case update needs to be enclosed in backticks:

$query = "INSERT INTO updates (`username`, `update`) 
 VALUES ('$username', '$update')";

SQL injection

Your code is susceptible to SQL injection attacks. You should escape quoted strings that are placed into an SQL statement with mysql_real_escape_string() or bind your data using PHP PDO prepared statements.

$username = mysql_real_escape_string($_SESSION['username']);
$update = mysql_real_escape_string($_GET['update']);

Putting it together

$username = mysql_real_escape_string($_SESSION['username']);
$update = mysql_real_escape_string($_GET['update']);
$query = "INSERT INTO updates (`username`, `update`) 
 VALUES ('$username', '$update')";

I have written a little SQLFiddle for you so you can see this in action: http://sqlfiddle.com/#!2/c25b1/1

answered Mar 1, 2012 at 20:35

3 Comments

Thanks Treffy, it worked. Surprisingly the first INSERT statement works, but, not the second without the back ticks. Any reason as to why?
I am not sure what you mean exactly, but you cannot have column names that are MySQL keywords like SELECT, UPDATE, INSERT, etc.
OHH everything makes sense now.
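The same INSERT written the way the accepted answer recommends for the second fix (PDO prepared statements), as an added example that is not code from the question or from any answer on this page. It assumes the table layout the asker describes (columns id, username, update) and uses placeholder DSN, user and password values; the column name `update` is backtick-quoted because it is a MySQL reserved word, and the two values are bound as parameters instead of being interpolated into the SQL string.

```php
<?php
// Added example (not from the question or any answer): the asker's INSERT done
// with a PDO prepared statement. Assumptions: the `updates` table has columns
// id, username, update (as described in the question); DSN, user and password
// below are placeholders.

function connect(): PDO
{
    $dsn = 'mysql:host=localhost;dbname=YOUR_DB;charset=utf8mb4'; // placeholder
    $pdo = new PDO($dsn, 'YOUR_USER', 'YOUR_PASSWORD');           // placeholders
    // Raise on SQL errors instead of failing silently: the asker saw no error
    // because mysql_query() just returns false and nobody checked it.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Use real server-side prepared statements rather than client-side emulation.
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    return $pdo;
}

function insertUpdate(PDO $pdo, string $username, string $update): int
{
    // `update` is a MySQL reserved word, so the column name must be backtick-quoted.
    // The values never touch the SQL text; they are sent separately as parameters,
    // so an apostrophe in $update is stored as data rather than ending the string.
    $stmt = $pdo->prepare(
        'INSERT INTO `updates` (`username`, `update`) VALUES (:username, :update)'
    );
    $stmt->execute([':username' => $username, ':update' => $update]);
    return (int) $pdo->lastInsertId();
}

// Same inputs the question reads: the session username and the GET parameter.
session_start();
$username = $_SESSION['username'] ?? '';
$update   = $_GET['update'] ?? '';

if ($username === '' || $update === '') {
    http_response_code(400);
    exit('username and update are required');
}

try {
    $id = insertUpdate(connect(), $username, $update);
    echo "Inserted row $id";
} catch (PDOException $e) {
    // Log the real error server-side; do not echo SQL details back to the client.
    error_log($e->getMessage());
    http_response_code(500);
    echo 'Insert failed';
}
```

With the original string-interpolated query, a value such as `It's done` in the update parameter (the unescaped-apostrophe case raised in the comments) breaks the statement at the stray quote; with the prepared statement above the same value is inserted intact, and because `ATTR_ERRMODE` is set to throw, any remaining SQL problem (such as the unquoted reserved word) surfaces as an exception instead of a silently missing row.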
1

You need to escape the data you are about to insert. You also want to separate the string from the variables. Try something like this:

$username = mysql_real_escape_string($_SESSION['username']);
$update = mysql_real_escape_string($_GET['update']);
mysql_query("INSERT INTO `updates` (username, update) VALUES ('" . $username . "', '" . $update . "')") or die(mysql_error());

That's untested but should work.

answered Mar 1, 2012 at 20:32

5 Comments

This should work so long as you first mysql_select_db so that you have an active database selected and updates is a valid table in said database.
Your mysql_real_escape_string did nothing; the database is not updating. The correct database is selected, and one table works, but the other doesn't. I checked for spelling mistakes, anything, and no dice.
Have you made sure you have connected and selected the database successfully, as Mike said. Could you show us more of the file?
As I've said before, one table works in the exact same .php file, and updates the database, the other one doesn't.
Treffynnon has made a useful answer here, go check that out.
0

mysql_error() is the best way, but you can also echo your query and run it directly against the database to see what the problem is.

$username = $_SESSION['username'];
$update = $_GET['update'];
$query = "INSERT INTO updates (username, update) VALUES ('$username', '$update')";
mysql_query($query);
echo "My Query : $query";
answered Mar 1, 2012 at 20:33

Comments

0

try this:

$username = $_SESSION['username'];
$update = $_GET['update'];
mysql_query("INSERT INTO updates (username, update) VALUES ('+$username', '+$update')");

Also, it is better to create a variable to hold the query string and then run the query with it.

answered Mar 1, 2012 at 20:36

Comments
