Jax2 Posted February 12, 2008

I am using a form to pass the following variables to a script that will enter the info into my database:

    $img
    $link
    $category
    $desc

I have checked with an echo $query and it is passing the data just fine from the form. The problem is, it will NOT enter the data into my database. Here is the code I am using. Note, I have a lot of // <description>'s to show what's doing what, mostly for my own use.

    <?php
    $host="FOOOO"; // Host name
    $username="FOOO"; // Mysql username
    $password="FOOO"; // Mysql password
    $db_name="FOOO"; // Database name
    $tbl_name="games"; // Table name

    // Connect to server and select database.
    mysql_connect("$host", "$username", "$password")or die("cannot connect");
    mysql_select_db("$db_name")or die("cannot select DB");

    // Get values from form
    $img=$_POST['img'];
    $link=$_POST['link'];
    $category=$_POST['category'];
    $desc=$_POST['desc'];

    // Insert data into mysql
    $sql="INSERT INTO $tbl_name(img, link, category, desc)VALUES('$img', '$link', '$category', '$desc')";
    $result=mysql_query($sql);

    // if successfully insert data into database, displays message "Successful".
    if($result){
        echo "Successful";
        echo "<BR>";
        echo "<a href='addgame.php'>Back to main page</a>";
    }
    else {
        echo "ERROR";
    }

    // close connection
    mysql_close();
    ?>

When I run this, it just comes back with the "Error" echo, and the data is not placed into the DB. I have double checked all my connection info, and it is correct. I have tried several different code snippets I have found that are almost exactly like this, and none of them will work.

Question: One of the fields I am passing is a link to open the game, it pretty much consists of:

    <FORM>
    <INPUT type="button" value="Play Now!" onClick="window.open ''http://www.****.com/action/tacofu.html'',''mywindow'',''width=600,height=500'')">
    </FORM>

Could this be messing up the insert? Or should it just insert it like it does if I add it manually through phpMyAdmin?

I could really use some help as this would save me a ton of time having to do it all manually. Thank you in advance!

Jax2 Posted February 12, 2008

Also, forgot to mention, my table is set up like this:

    field:
    id (int, auto-increment) (I don't need to put anything into this field?)
    name (varchar, 225)
    img (varchar, 225)
    link (text)
    category (varchar, 225)
    desc (varchar, 225)

So, when I am passing variables, as shown above, as long as I used INSERT INTO (name, img, link, category, desc) VALUES (...etc, it shouldn't need anything else, it will skip the ID field and just add the next number automatically like it does when I leave the ID field blank in phpMyAdmin, right? Or could this be part of the problem why it's not sending the data through into the db?

mem0ri Posted February 12, 2008

You want to sanitize all of your strings for the database so that the information you attempt to INSERT doesn't cut off or error due to ' or other symbols. Remember also that SQL-injection hacks can occur when you don't sanitize your strings. Try passing all of your $_POST variables through:

    mysql_escape_string()

Jax2 Posted February 12, 2008

Ok, a lot of the variables I am passing contain " 's and such, but unfortunately, I'm not sure exactly what you're talking about, could you please "dumb it down" a bit for me? I am rather new to all this. How do I post them through mysql_escape_string()? Thank you!

Jax2 Posted February 12, 2008

Ok.. I read up on the topic a bit and changed my code to include the mysql_escape_string. My code now looks like this:

    <?php
    $host="FOOO"; // Host name
    $username="FOOO"; // Mysql username
    $password="FOOO"; // Mysql password
    $db_name="FOOO"; // Database name
    $tbl_name="games"; // Table name

    // Connect to server and select database.
    mysql_connect("$host", "$username", "$password")or die("cannot connect");
    mysql_select_db("$db_name")or die("cannot select DB");

    // Get values from form
    $name = mysql_escape_string($_POST['name']);
    $img = mysql_escape_string($_POST['img']);
    $link = mysql_escape_string($_POST['link']);
    $category = mysql_escape_string($_POST['category']);
    $desc = mysql_escape_string($_POST['desc']);

    // Insert data into mysql
    $sql="INSERT INTO $tbl_name(name, img, link, category, desc)VALUES( '$name', '$img', '$link', '$category', '$desc')";
    $result=mysql_query($sql);

    // if successfully insert data into database, displays message "Successful".
    if($result){
        echo "Successful";
        echo "<BR>";
        echo "<a href='addgame.php'>Back to main page</a>";
    }
    else {
        echo "ERROR";
    }

    // close connection
    mysql_close();
    ?>

and it is still giving me an error. I even tried simply inserting data like TEST for all the fields, to make sure there were no invalid chars, and it still won't even take that.

trq Posted February 12, 2008

Replace...

    $result=mysql_query($sql);

with

    $result=mysql_query($sql) || die(mysql_error() . "<br />$sql");

What do you get?

Illusion Posted February 12, 2008

It seems $tbl_name is not interpreted in the INSERT query.

Jax2 Posted February 12, 2008

Thorpe, when I run it after putting that code in, I get the following:

    You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 'desc)VALUES( 'Test', 'Test', 'Test', 'action', 'Test')' at lineINSERT INTO games(name, img, link, category, desc)VALUES( 'Test', 'Test', 'Test', 'action', 'Test')

(test's are just because I used those in the form)

Illusion: $tbl_name is set right at the top there...

    $host="FOOO"; // Host name
    $username="FOOO"; // Mysql username
    $password="FOOO"; // Mysql password
    $db_name="FOOO"; // Database name
    $tbl_name="games"; // Table name <-------

Shouldn't that be ok?

revraz Posted February 12, 2008

DESC is a MySQL reserved word, you should change it. It means descending for an ORDER BY sort.

Illusion Posted February 12, 2008

Even if you declare it, it doesn't matter; you need to explicitly tell in the INSERT query that $tbl_name is a variable, otherwise the parser doesn't interpret it.

Jax2 Posted February 12, 2008

Illusion, ok, I understand what you mean, and I have replaced $tbl_name with the name of the table (games) and tried running it, but I am still getting the following error:

    You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 'desc)VALUES( 'TEST', 'TEST', 'TEST', 'action', 'TEST')' at lineINSERT INTO games (name, img, link, category, desc)VALUES( 'TEST', 'TEST', 'TEST', 'action', 'TEST')

Which I REALLY don't understand, because I have looked up even more tutorials and examples of this and it is written the exact same way every one of them suggested. This seems to be the line it is having trouble with, and it's not the desc, because it is handling that just fine and returning the result I type in for desc (Test)

    $sql="INSERT INTO games (name, img, link, category, desc)VALUES( '$name', '$img', '$link', '$category', '$desc')";
    $result=mysql_query($sql) || die(mysql_error() . $sql);

This is really getting frustrating...

Jax2 Posted February 12, 2008

You know what, I got it to work, and it's all thanks to revraz. The problem, indeed, was that I was using desc, I tried taking it out, and boom, worked fine, so now I just need to change all my pages to descript instead of desc. (OH JOY!) Thanks all for the help!

revraz Posted February 12, 2008

`backticks` would work too, but since it's something used often, it would be less confusing if you just changed it.
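
Added example, not part of the original thread or any poster's code: the same insert written with mysqli prepared statements and a backtick-quoted `desc` column, for PHP versions where the mysql_* functions used in the posts no longer exist (they were removed in PHP 7). Connection values are placeholders as in the posts, quote_identifier() and build_insert() are hypothetical helper names, and the arrow functions assume PHP 7.4 or later.

```php
<?php
// Added example. Table and column names follow the posts; helper names are hypothetical.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on connect/SQL errors

/**
 * Backtick-quote an identifier so reserved words such as desc parse as names.
 * Only allowlisted names are accepted, so request data never reaches the SQL text.
 */
function quote_identifier(string $name, array $allowed): string
{
    if (!in_array($name, $allowed, true)) {
        throw new InvalidArgumentException("Unknown column: $name");
    }
    return '`' . str_replace('`', '``', $name) . '`';
}

/** Build "INSERT INTO `games` (`name`, ..., `desc`) VALUES (?, ..., ?)". */
function build_insert(array $columns, array $allowed): string
{
    $cols  = array_map(fn($c) => quote_identifier($c, $allowed), $columns);
    $marks = implode(', ', array_fill(0, count($columns), '?'));
    return 'INSERT INTO `games` (' . implode(', ', $cols) . ") VALUES ($marks)";
}

$columns = ['name', 'img', 'link', 'category', 'desc'];
$sql = build_insert($columns, $columns);

try {
    $db = new mysqli('FOOO', 'FOOO', 'FOOO', 'FOOO'); // host, user, password, database
    $db->set_charset('utf8mb4');

    // Values are bound separately from the SQL text, so the quotes in the
    // HTML snippet stored in `link` need no manual escaping.
    $values = array_map(fn($c) => (string)($_POST[$c] ?? ''), $columns);
    $stmt = $db->prepare($sql);
    $stmt->bind_param(str_repeat('s', count($values)), ...$values);
    $stmt->execute();

    echo 'Successful<br><a href="addgame.php">Back to main page</a>';
} catch (mysqli_sql_exception $e) {
    // Full error and statement go to the server log, not to the browser.
    error_log($e->getMessage() . ' | ' . $sql);
    http_response_code(500);
    echo 'ERROR';
}
```

Logging the MySQL error server-side keeps the diagnostic that located the `desc` problem in this thread without echoing the statement to visitors.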