
Not sure why this INSERT isn't working...



I'm wanting to insert the following when someone submits a form.  

I know I have a connection to the database, and I know grade and position are coming from the form.  

 

$grade = $_POST['grade'];
$position = $_POST['position'];



$query = "INSERT INTO a_rankings_select (grade,position)
VALUES ('" .$grade. "', '" .$position. "')";
	
echo mysqli_error($con);

 


Use parameters in your mysqli code.  DO NOT interpolate or you will be creating code that is open to SQL injection.

$query = "INSERT INTO a_rankings_select (grade ,position) VALUES (?, ?)";
// $con would be the mysqli connection resource
$stmt = mysqli_prepare($con, $query);
//2nd param is a string of character(s) describing type of param.  In your case these are strings, so 'ss'
mysqli_stmt_bind_param($stmt, 'ss', $grade, $position);

if (mysqli_stmt_execute($stmt)) {
  // Insert succeeded
} else {
  echo 'Error:  Grade ranking insert failed. Check input/or database status';
}

If you spit out the contents of mysql_error, just be aware you could be leaking database connection information which attackers would love to have.  Better to log that data, and provide your own customized error message as I illustrated here.
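A fuller handler for the form in this thread, as an added example that is not part of the original posts: it binds both values as parameters and sends database error detail to the server log instead of the page. The `insert_ranking` function name, the connection credentials, and the empty-value check are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. Credentials below are placeholders.
// Make mysqli throw exceptions instead of failing silently (the default since PHP 8.1).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Insert one ranking row using bound parameters (hypothetical helper).
 * A value such as O'Brien is stored as data; it cannot change the SQL text.
 * Returns true on success; on failure logs the detail server-side and returns false.
 */
function insert_ranking(mysqli $con, string $grade, string $position): bool
{
    try {
        $stmt = mysqli_prepare(
            $con,
            'INSERT INTO a_rankings_select (grade, position) VALUES (?, ?)'
        );
        mysqli_stmt_bind_param($stmt, 'ss', $grade, $position);
        mysqli_stmt_execute($stmt);   // the step missing from the original question
        mysqli_stmt_close($stmt);
        return true;
    } catch (mysqli_sql_exception $e) {
        // Full detail goes to the server error log, never to the browser.
        error_log('ranking insert failed: ' . $e->getMessage());
        return false;
    }
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    // Accept only scalar strings; an array-valued field is treated as missing.
    $grade    = is_string($_POST['grade'] ?? null) ? trim($_POST['grade']) : '';
    $position = is_string($_POST['position'] ?? null) ? trim($_POST['position']) : '';

    if ($grade === '' || $position === '') {
        http_response_code(400);
        exit('Grade and position are required.');
    }

    try {
        // Placeholder host, user, password and schema name.
        $con = mysqli_connect('localhost', 'app_user', 'app_password', 'app_db');
    } catch (mysqli_sql_exception $e) {
        error_log('database connection failed: ' . $e->getMessage());
        http_response_code(500);
        exit('Error: the service is temporarily unavailable.');
    }

    echo insert_ranking($con, $grade, $position)
        ? 'Ranking saved.'
        : 'Error: Grade ranking insert failed.';
}
```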
