Jim R Posted March 26, 2020

I'm wanting to insert the following when someone submits a form. I know I have a connection to the database, and I know grade and position are coming from the form.

    $grade = $_POST['grade'];
    $position = $_POST['position'];
    $query = "INSERT INTO a_rankings_select (grade,position) VALUES ('" .$grade. "', '" .$position. "')";
    echo mysqli_error($con);
Barand Posted March 26, 2020

To insert a record you need to execute the SQL, not just define a string.
Jim R (Author) Posted March 26, 2020

Got it...thank you! I did forget that line. I'll likely come up with another hitch. 😐
gizmola Posted March 26, 2020

Use parameters in your mysqli code. DO NOT interpolate or you will be creating code that is open to SQL injection.

    $query = "INSERT INTO a_rankings_select (grade, position) VALUES (?, ?)";
    // $con would be the mysqli connection resource
    $stmt = mysqli_prepare($con, $query);
    // 2nd param is a string of character(s) describing the type of each param. In your case these are strings, so 'ss'
    mysqli_stmt_bind_param($stmt, 'ss', $grade, $position);
    if (mysqli_stmt_execute($stmt)) {
        // Insert succeeded
    } else {
        echo 'Error: Grade ranking insert failed. Check input/or database status';
    }

If you spit out the contents of mysql_error, just be aware you could be leaking database connection information which attackers would love to have. Better to log that data, and provide your own customized error message as I illustrated here.
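The following is an added, complete form handler written for this thread; it is not gizmola's or Jim R's code. It carries the two points above through end to end: the insert into a_rankings_select goes through a prepared statement with bound parameters, and every mysqli error is written to the server log with error_log() while the browser only ever sees a generic message. The connection credentials are placeholders, and insert_ranking() is a helper name invented for this example.

```php
<?php
// Added example (not from the thread): prepared-statement insert with
// server-side error logging and a generic user-facing message.

// PHP 8.1+ throws mysqli_sql_exception by default; this example checks
// return values instead, so turn that reporting mode off explicitly.
mysqli_report(MYSQLI_REPORT_OFF);

// Placeholder credentials; replace with your own.
$con = mysqli_connect('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
if ($con === false) {
    // mysqli_connect_error() can reveal host/user details: log it, never echo it
    error_log('DB connect failed: ' . mysqli_connect_error());
    exit('Error: the ranking could not be saved right now.');
}

// Hypothetical helper (name and signature are this example's own).
// Returns true on success, false on failure; details go to the log only.
function insert_ranking(mysqli $con, string $grade, string $position): bool
{
    $sql  = "INSERT INTO a_rankings_select (grade, position) VALUES (?, ?)";
    $stmt = mysqli_prepare($con, $sql);
    if ($stmt === false) {
        error_log('prepare failed: ' . mysqli_error($con));
        return false;
    }
    // 'ss' = two string parameters. The values travel separately from the SQL
    // text, so quotes or comment sequences typed into the form cannot change
    // the statement the server runs.
    mysqli_stmt_bind_param($stmt, 'ss', $grade, $position);
    $ok = mysqli_stmt_execute($stmt);
    if (!$ok) {
        error_log('execute failed: ' . mysqli_stmt_error($stmt));
    }
    mysqli_stmt_close($stmt);
    return $ok;
}

// Only handle a POST that actually carries both fields
if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !isset($_POST['grade'], $_POST['position'])) {
    http_response_code(400);
    exit('Error: grade and position are required.');
}

$grade    = trim($_POST['grade']);
$position = trim($_POST['position']);

if (insert_ranking($con, $grade, $position)) {
    echo 'Ranking saved.';
} else {
    // Generic message for the user; the real cause is in the server log
    echo 'Error: Grade ranking insert failed.';
}
mysqli_close($con);
```

Note the split between what is logged and what is echoed: mysqli_error(), mysqli_stmt_error() and mysqli_connect_error() can include table names, SQL fragments or connection details, which is exactly the information the thread warns against showing to a visitor, so they only ever reach error_log().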