Hello,
I tried this form and script:
_____________________________________________________

<form action="insert.php" method="REQUEST">backend - insert new record<br>
id: <input type="number" name="id"><br>
manufacturer: <input type="text" name="manufacturer"><br>
transferrate: <input type="text" name="transferrate"><br>
cache: <input type="text" name="cache"><br>
size: <input type="text" name="size"><br>
RPM: <input type="text" name="RPM"><br>
use: <input type="text" name="use"><br>
price: <input type="text" name="price"><br>
seller: <input type="text" name="seller"><br>
detail: <input type="text" name="detail"><br>
<input type="submit">
</form>

insert.php:
_______________________________________

$sql="INSERT INTO hdd(id, manufacturer,transferrate,cache,size,RPM,use,price,seller,detail)
VALUES
($_REQUEST[id],'$_REQUEST[manufacturer]','$_REQUEST[transferrate]','$_REQUEST[cache]','$_REQUEST[size]','$_REQUEST[RPM]','$_REQUEST[use]','$_REQUEST[price]','$_REQUEST[seller]','$_REQUEST[detail]')";

if (!mysqli_query($con,$sql))
  {
  die('Error: ' . mysqli_error($con));
  }
echo "1 record added";

mysqli_close($con);
?>

To pass values into the database, but I get errors like:

Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'use,price,seller,detail) VALUES (7,'SamsungSpinpoint','7MB','8 MB','160GB','5400' at line 1

What can be going wrong?

id is int, all others are varchar.

use is a reserved word, so either you use backticks around the word or you alter the table.

In addition: the methods available for the form are POST, GET, PUT and other methods. REQUEST is a generic method used to retrieve data in PHP; don't use it in the method attribute, and avoid $_REQUEST if you can, because it allows a client to also submit data through a cookie.

Hiya spyros.lois, Try ....

insert.php
_______________________________________

    <?php
    $id = $_POST['id'];
    $manufacturer = $_POST['manufacturer'];
    $transferrate = $_POST['transferrate'];
    $cache = $_POST['cache'];
    $size = $_POST['size'];
    $RPM = $_POST['RPM'];
    $use = $_POST['use'];
    $price = $_POST['price'];
    $seller = $_POST['seller'];
    $detail = $_POST['detail'];

    $sql="INSERT INTO hdd(id, manufacturer,transferrate,cache,size,RPM,use,price,seller,detail)
    VALUES
    ($id,'$manufacturer','$transferrate','$cache','$size','$RPM','$use','$price','$seller','$detail')";

    if (!mysqli_query($con,$sql))
    {
    die('Error: ' . mysqli_error($con));
    }
    echo $sql; /*DEBUG the insert string */
    echo "1 record added";
    mysqli_close($con);
    ?>

@KingGold

You've ignored the two posts above yours - the reserved keyword use was entered into his SQL query; you've also done the same thing in your response therefore it still wouldn't work..?

commented: The 2 above comments weren't there when I originally posted. +0
Member Avatar for diafol

@KingGold - you should never do this. All the input data is unsanitized, leaving the OP open to SQL injection. As you're using mysqli, you should use parameterized queries. Check out the php.net manual on this.
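
The points raised in the replies (backticks around the reserved word use, POST instead of $_REQUEST, and a parameterized mysqli query), combined in one insert.php. This is an added example, not code posted by anyone in the thread; it assumes the form is changed to method="post", and the connection values are placeholders.

```php
<?php
// Added example, not code from the thread. Connection values are placeholders.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw exceptions on errors

// The varchar columns, in the same order as in the INSERT below.
$fields = ['manufacturer', 'transferrate', 'cache', 'size', 'RPM',
           'use', 'price', 'seller', 'detail'];

// id is an int column: validate it and reject the request otherwise.
$id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('id must be an integer');
}

// Read the remaining fields from POST only ($_REQUEST can also carry cookie data).
$values = [];
foreach ($fields as $f) {
    $v = $_POST[$f] ?? null;
    if (!is_string($v)) {
        http_response_code(400);
        exit("missing or invalid field: $f");
    }
    $values[] = $v;
}

try {
    $con = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME'); // placeholders
    $con->set_charset('utf8mb4');

    // `use` is a reserved word in MySQL, so it is quoted with backticks.
    // Every value is a ? placeholder: user input never becomes part of the SQL text.
    $stmt = $con->prepare(
        'INSERT INTO hdd (id, manufacturer, transferrate, cache, size, RPM, `use`, price, seller, detail)
         VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)'
    );
    $stmt->bind_param('isssssssss', $id, ...$values); // i = int, s = string
    $stmt->execute();
    echo '1 record added';
} catch (mysqli_sql_exception $e) {
    error_log($e->getMessage()); // keep database error details in the server log
    http_response_code(500);
    echo 'Insert failed';
}
```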
