Inserting data into mySQL withPHP

Question

spyros.lois 0 Newbie Poster

11 Years Ago

hello
i try this form and script
_____________________________________________________

<form action="insert.php" method="REQUEST">backend - insert new record<br>
id: <input type="number" name="id"><br>
manufacturer: <input type="text" name="manufacturer"><br>
transferrate: <input type="text" name="transferrate"><br>
cache: <input type="text" name="cache"><br>
size: <input type="text" name="size"><br>
RPM: <input type="text" name="RPM"><br>
use: <input type="text" name="use"><br>
price: <input type="text" name="price"><br>
seller: <input type="text" name="seller"><br>
detail: <input type="text" name="detail"><br>
<input type="submit">
</form>

insert.php:
_______________________________________

$sql="INSERT INTO hdd(id, manufacturer,transferrate,cache,size,RPM,use,price,seller,detail)
VALUES
($_REQUEST[id],'$_REQUEST[manufacturer]','$_REQUEST[transferrate]','$_REQUEST[cache]','$_REQUEST[size]','$_REQUEST[RPM]','$_REQUEST[use]','$_REQUEST[price]','$_REQUEST[seller]','$_REQUEST[detail]')";

if (!mysqli_query($con,$sql))
  {
  die('Error: ' . mysqli_error($con));
  }
echo "1 record added";

mysqli_close($con);
?>

To pass values in the database but i get errors like:

Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'use,price,seller,detail) VALUES (7,'SamsungSpinpoint','7MB','8 MB','160GB','5400' at line 1................what can be goin wrong?

id is int ,all others are varchar.

mysql php

5 Contributors
5 Replies
274 Views
3 Hours Discussion Span
Latest Post 11 Years Ago Latest Post by diafol

cereal 1,524 Nearly a Senior Poster

11 Years Ago

use is a reserved word so, or you use backticks around the word or you alter the table.

In addition: the methods available for the form are POST, GET, PUT and other methods. REQUEST is a generic method used to retrieve data in PHP, don't use it in the method attribute, and avoid $_REQUEST if you can, because it allows a client to submit data also through a cookie.

Edited 11 Years Ago by cereal

mmcdonald 28 Posting Pro

11 Years Ago

@KingGold

You've ignored the two posts above yours - the reserved keyword use was entered into his SQL query; you've also done the same thing in your response therefore it still wouldn't work..?

KingGold171 commented: The 2 above comments weren't there when I orignally posted. +0

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

mmcdonald 28 Posting Pro · Answer 1 · 2013-07-19T17:40:49+00:00

Cereal is spot on - use is a reserved keyword for PHP. For all reserved keywords check here: http://www.php.net/manual/en/reserved.keywords.php

KingGold171 0 Newbie Poster · Answer 2 · 2013-07-19T17:48:01+00:00

Hiya spyros.lois, Try ....

insert.php
_______________________________________

    <?php
    $id = $_POST['id'];
    $manufacturer = $_POST['manufacturer'];
    $transferrate = $_POST['transferrate'];
    $cache = $_POST['cache'];
    $size = $_POST['size'];
    $RPM = $_POST['RPM'];
    $use = $_POST['use'];
    $price = $_POST['price'];
    $seller = $_POST['seller'];
    $detail = $_POST['detail'];




$sql="INSERT INTO hdd(id, manufacturer,transferrate,cache,size,RPM,use,price,seller,detail)
VALUES
($id,'$manufacturer','$transferrate','$cache','$size','$RPM','$use','$price','$seller','$detail')";

    if (!mysqli_query($con,$sql))
    {
    die('Error: ' . mysqli_error($con));
    }
    echo $sql; /*DEBUG the insert string */
    echo "1 record added";
    mysqli_close($con);
?>

diafol · Answer 3 · 2013-07-19T20:25:40+00:00

@KIngGold - you should never do this. All the input data is unsanitized, leaving the OP open to sql injection. As you're using mysqli, you should use parameterized queries. Check out the php.net manual on this.