
insert.php

<?php
mysql_connect("localhost","root",""); mysql_select_db("basic");
$name=$_POST['fname'];
$twait=$_POST['twait'];
$cprice=$_POST['cprice'];
$dprice=$_POST['dprice'];
$order= "INSERT INTO calculator
        (name,total_wt,crt_price,dollar_rate) VALUES
        ('$name','$twait','$cprice','$dprice')";

$result = mysql_query('$order');
echo "Done";
?>

HTML page:

<!DOCTYPE html>
<html>
<head>
<title>JN DIAMONDS</title>
</head>
<body>
<form align="center" method="POST" action="insert.php">
    <fieldset>
        <legend>Info</legend><br>
        <input type="text" name="fname" placeholder="Name"><br><br>
        <input type="text" name="twait" placeholder="Total Rough Weight"><br><br>
        <input type="text" name="cprice" placeholder="1 Carat Price"><br><br>
        <input type="text" name="dprice" placeholder="Dollar Rate"><br><br>
        <input type="submit" name="submit" value="Submit"><br>
    </fieldset>
</form>
</body>
</html>
Comments on the question:

  • Hi John and welcome to SO (StackOverflow). I see you have just joined us. We strive to be a wonderful community and provide people with solutions to their coding problems as best we can. There are some basic fundamentals to asking a good question and consequently getting more experienced users to help you. In addition, most of us would like to see that you have put some effort into solving your problem. Show us what you've tried and what the results were. Again, welcome to SO! Commented Oct 14, 2015 at 6:55
  • Remove quotes from $result = mysql_query($order); And stop using mysql, it is deprecated; instead use mysqli or PDO. Commented Oct 14, 2015 at 6:59
  • If you are not going to use mysqli or PDO with bound parameters, which is a bad idea, at least don't put unsanitized variables directly into the SQL. Commented Oct 14, 2015 at 7:03
  • Do yourself a favor - stop using mysql_. mysql_ has been deprecated since PHP 5.5 and removed in PHP 7. Using mysql_ leaves you wide open to SQL injection attacks. Soon your code will stop functioning completely and you'll be back asking a question like this. Start learning pdo_mysql. When your host upgrades to PHP 7, you will be so happy you did. Commented Oct 14, 2015 at 7:04

4 Answers


$order is a variable containing your mysql string. When you put $order in quotes, then you are not sending $order into the mysql string, you are actually trying to execute the query '$order' which is not a valid mysql query.

Simply remove the quotes.

$result = mysql_query($order);


1 Comment

No problem. Please however take note of various comments suggesting that you move away from using mysql directly and using pdo. Mysql extension is deprecated. I recommend you also take a look at @VolkerK answer.

The actual error in your code has already been pointed out.
The mysql_* extension is deprecated and will be removed in the upcoming version 7 of php; choose another api to connect to your MySQL server, e.g. PDO. Using prepared statements will take care of the worst sql injections as well.

<?php
if ( !isset($_POST['fname'], $_POST['twait'], $_POST['cprice'], $_POST['dprice']) ) {
    trigger_error('missing POST parameter in '.var_export($_POST, true), E_USER_WARNING);
    echo '<html><head><title>...</title><body><h1>missing POST parameter</h1></body></html>';
}
else {
    $pdo = new PDO('mysql:host=localhost;dbname=basic;charset=utf8', 'root', '', array(
        PDO::ATTR_EMULATE_PREPARES=>false,
        PDO::MYSQL_ATTR_DIRECT_QUERY=>false,
        PDO::ATTR_ERRMODE=>PDO::ERRMODE_EXCEPTION
    ));
    $stmt = $pdo->prepare('
        INSERT INTO
            calculator
            (name,total_wt,crt_price,dollar_rate)
        VALUES
            (:fname,:twait,:cprice,:dprice)
    ');
    $stmt->execute(array(
        'fname'=>$_POST['fname'],
        'twait'=>$_POST['twait'],
        'cprice'=>$_POST['cprice'],
        'dprice'=>$_POST['dprice']
    ));
    echo "Done";
}

Comments

Please try this code


<?php
mysql_connect("localhost","root",""); mysql_select_db("basic");
$name=$_POST['fname'];
$twait=$_POST['twait'];
$cprice=$_POST['cprice'];
$dprice=$_POST['dprice'];
$order= "INSERT INTO calculator
        (name,total_wt,crt_price,dollar_rate) VALUES
        ('$name','$twait','$cprice','$dprice')";
$result = mysql_query($order);
echo "Done";
?>

Comments


Use mysqli instead of mysql.

$con = mysqli_connect('localhost', 'root', '', 'basic');
$name=$_POST['fname'];
$twait=$_POST['twait'];
$cprice=$_POST['cprice'];
$dprice=$_POST['dprice'];
$order= "INSERT INTO `calculator` (name,total_wt,crt_price,dollar_rate) 
VALUES ('".$name."','".$twait."','".$cprice."','".$dprice."')";

$result = mysqli_query($con,$order);
echo "Done";

3 Comments

Solving an unrelated problem. Also, bug still in your code. Thumbs down.
You fixed it yourself. $result = mysqli_query($order); was $result = mysqli_query('$order');
Using mysqli just to ignore prepared statements is not an improvement
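The PDO answer above and the comments on this mysqli answer make the same point: the quoting bug is incidental, the real defect is building the INSERT from raw form values. Below is an added example (not code from the question or any of the answers) of the same insert.php written with a mysqli prepared statement, plus a check that the three numeric fields really are numbers. It keeps the question's database, table and column names and its "root" credentials as assumptions; the sample submission is constructed, and the interpolatedSql() helper exists only to show how an ordinary apostrophe in the name changes the statement the question's code would have sent.

```php
<?php
// Added example, not from the original question or answers.
// Assumes database "basic", table "calculator" and the column names from the question.
declare(strict_types=1);

// Builds the statement the way the question's code does, purely to display it.
// It is never executed: an apostrophe in $name terminates the quoted value early,
// which is exactly how untrusted input gets to rewrite the SQL.
function interpolatedSql(string $name, string $twait, string $cprice, string $dprice): string
{
    return "INSERT INTO calculator (name,total_wt,crt_price,dollar_rate) VALUES "
         . "('$name','$twait','$cprice','$dprice')";
}

// Validate the numeric fields before they go anywhere near the database.
// Returns null if any of them is missing or not a number.
function numericFields(array $post): ?array
{
    $out = [];
    foreach (['twait', 'cprice', 'dprice'] as $key) {
        if (!isset($post[$key]) || filter_var($post[$key], FILTER_VALIDATE_FLOAT) === false) {
            return null;
        }
        $out[$key] = (float) $post[$key];
    }
    return $out;
}

// Prepared statement: the SQL text is fixed, the values travel separately,
// so whatever characters the name contains are stored as data, not parsed as SQL.
function insertCalculatorRow(mysqli $con, string $name, array $numbers): bool
{
    $stmt = $con->prepare(
        'INSERT INTO calculator (name,total_wt,crt_price,dollar_rate) VALUES (?,?,?,?)'
    );
    if ($stmt === false) {
        return false;
    }
    // 's' = string, 'd' = double; the types come from the code, not from the request.
    $stmt->bind_param('sddd', $name, $numbers['twait'], $numbers['cprice'], $numbers['dprice']);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Constructed submission (not real data): a perfectly legitimate name with an apostrophe.
$sample = ['fname' => "O'Neil", 'twait' => '12.5', 'cprice' => '800', 'dprice' => '66.2'];
echo "Statement the question's code would build:\n";
echo interpolatedSql($sample['fname'], $sample['twait'], $sample['cprice'], $sample['dprice']), "\n";

// Use the real form data when reached via POST, the constructed sample otherwise (CLI run).
$post = (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') ? $_POST : $sample;
$numbers = numericFields($post);
if ($numbers === null || !isset($post['fname']) || $post['fname'] === '') {
    http_response_code(400);
    exit("missing or non-numeric form field\n");
}

$con = new mysqli('localhost', 'root', '', 'basic');  // credentials as in the question
if ($con->connect_error) {
    exit('connection failed: ' . $con->connect_error . "\n");
}
echo insertCalculatorRow($con, $post['fname'], $numbers) ? "Done\n" : "Insert failed\n";
```

Run it from the command line to see the interpolated statement with the broken quoting; served behind the question's HTML form it performs the insert with bound parameters. The numeric check is separate from the prepared statement on purpose: binding stops the value from being parsed as SQL, but it does not stop "abc" from being silently stored as 0 in a DECIMAL column, so validate the shape of the input as well.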
