1

I am trying to insert values in database and values are not being inserted, here is the code i have:

    $user_name = "username";
    $password = "password";
    $database = "database";
    $server = "localhost";
    $db_handle = mysql_connect($server, $user_name, $password);
    $db_found = mysql_select_db($database, $db_handle);

    if ($db_found) {

    $SQL = 'INSERT INTO table (anInt, DomainName, URL, Rank, PageRank, Google, Bing, Boss, IndexedPage, Backlinks) VALUES ($anInt, $Domain, $URL, $Rank, $Pagerank, $Google, $Bing, $Yahoo, $Pages, $backlinks)';
    $result = mysql_query($SQL);
    mysql_close($db_handle);

    print "Records added to the database";

it is printing that records added to the database but when looking at the database nothing is being added. some of the values are doubles, text, and ints. Is there anyway to debug this? I will be adding more information to the post if someone asks me to.

and of course I have an else statement i just thought it is not relevant since it is telling me that records are added.

Improve this question
4
  • 3
    Run away - we're under SQL injection attack! en.wikipedia.org/wiki/SQL_injection Commented Feb 23, 2010 at 11:42
  • 1
    read the wikipedia article and contemplate. Commented Feb 23, 2010 at 11:45
  • I think we need a bit more code: how are you declaring the variables that are being inserted? Also, your if block is incomplete—is this because you have missed out some code when pasting or is it like that in the actual code? Commented Feb 23, 2010 at 11:47
  • 1
    Sorry, ignore the bit about the 'if' block—I just read the end sentence of your answer again. Commented Feb 23, 2010 at 11:48

7 Answers 7

Reset to default
4

First of all, you should escape the string values you are passing into the SQL query, using mysql_real_escape_string.

Then, you should add quotes, in your SQL query, arround the fields that are meant to contain strings.


I don't really know which fields are integers and which fields are strings, but you should be using something like this to build your SQL query :

// Escape the string data, and make sure integer really contain integers
$anInt = intval($anInt);
$Domain = mysql_real_escape_string($Domain);
$URL = mysql_real_escape_string($URL);
$Rank = intval($Rank);
$Pagerank =  = intval($Pagerank);
$Google = intval($Google);
$Bing = intval($Bing);
$Yahoo = intval($Yahoo);
$Pages = intval($Pages);
$backlinks = intval($backlinks );

// Build the SQL query, using the "safe" variables
$SQL = 'INSERT INTO table (anInt, DomainName, URL, Rank, PageRank, Google, Bing, Boss, IndexedPage, Backlinks) 
        VALUES ($anInt, '$Domain', '$URL', $Rank, $Pagerank, $Google, $Bing, $Yahoo, $Pages, $backlinks)';

This is supposing that only DomainName and URL are meant to contain strings -- you might have to use mysql_real_escape_string and add quotes arround the values for some other fields too, if needed.


Then, you should take a look at the return value of mysql_query : for an insert query, in case of an error, it'll return false.

Here, if your $result variable is false, you should use mysql_error and mysql_errno : they'll allow you to know what error happened -- it will help detecting errors in your SQL query, for instance.


If this doesn't solve the problem, you should try outputting the SQL query, and run it using something like phpMyAdmin, to make sure it's OK.

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

what do we use for doubles? (i mean instead of intval) ? thanks!
For doubles, I suppose floatval (see php.net/floatval ) would do the trick -- the idea, again, being to be sure that the variable contains what you expect it to contain.
2

I am no PHP expert, but I have 2 remarks.

  1. You don't check the error (perhaps with mysql_errno()) so you don't know whether the records were added

  2. I think the values, if they are strings, should be given like

    '$Domain'

that is, escaped with ' characters.

better would be, of course, using something like

$sql = sprintf("INSERT ... VALUES(%d, '%s', '%s',...)", 
               $anInt, mysql_real_escape_string($Domain), ...);

if you insert user-supplied input.

Improve this answer

Comments

2

You could examine the $result:

$result = mysql_query($query);
if (!$result) {
    print "An error occured: " . mysql_error() . "\n";
}

My guess is that you're passing a string without quotes, like:

VALUES (Hello)

where you should pass it like:

VALUES ('Hello')

Like the commenter said, if the user can control these strings, you are open to an SQL Injection attack. You can prevent that attack by escaping the strings, for example:

$query = sprintf("INSERT INTO table (DomainName) VALUES ('%s')",
        mysql_real_escape_string($domain_name));
Improve this answer

Comments

2

In SQL queries, you need to enquote strings correctly, or it will produce an error. So all your variables that are used to store non-int or non-boolean values in the database need quotes around the values.

Additionally you should make sure that SQL injections are not a problem by escaping all values with mysql_real_escape_string first.

Improve this answer

Comments

2

Apart from sql injections your error handling is not complete...

if (!$db_found) {
  echo "datbase not found.";
}
else {
  $SQL = 'INSERT INTO
      table
      (...)
    VALUES
      (...)
  ';
  $result = mysql_query($SQL, $db_handle);
  if ( !$result ) {
    echo "error: ", mysql_error($db_handle);
  }
  else {
    print "Records added to the database";
  }
}
mysql_close($db_handle);

In case a query causes an error mysql_query() return FALSE and mysql_error() will tell you more about the error.

Improve this answer

Comments

1

Well there are security issues with the code but to address one problem

you are not enclosing your string values in quotes in the SQL statement.

Improve this answer

Comments

0

First of all, please regard everybody else's advice on safe database handling and avoiding injection.

The reason your query isn't doing anything is probably that you enclosed the string in single quotes. In PHP single quotes enforce the string to be literal. Unlike when using double quotes, variables will NOT be substituted. So '$foo' represents the sequence of characters '$'.'f'.'o'.'o'. "$foo" on the other hand represents the sequence of characters of whatever the variable $foo contains at the time of the string's definition.

You can use mysql_error() to catch most problems with MySQL. Even if the message isn't helping you, you at least know whether the query was parsed properly, i.e. on which end of the connection the problem lies.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.