Hello,
I try this form and script
_____________________________________________________

<form action="insert.php" method="REQUEST">backend - insert new record<br>
id: <input type="number" name="id"><br>
manufacturer: <input type="text" name="manufacturer"><br>
transferrate: <input type="text" name="transferrate"><br>
cache: <input type="text" name="cache"><br>
size: <input type="text" name="size"><br>
RPM: <input type="text" name="RPM"><br>
use: <input type="text" name="use"><br>
price: <input type="text" name="price"><br>
seller: <input type="text" name="seller"><br>
detail: <input type="text" name="detail"><br>
<input type="submit">
</form>

insert.php:
_______________________________________

<?php
// $con is the mysqli connection opened earlier (not shown in the post)
$sql="INSERT INTO hdd(id, manufacturer,transferrate,cache,size,RPM,use,price,seller,detail)
VALUES
($_REQUEST[id],'$_REQUEST[manufacturer]','$_REQUEST[transferrate]','$_REQUEST[cache]','$_REQUEST[size]','$_REQUEST[RPM]','$_REQUEST[use]','$_REQUEST[price]','$_REQUEST[seller]','$_REQUEST[detail]')";

if (!mysqli_query($con,$sql))
  {
  die('Error: ' . mysqli_error($con));
  }
echo "1 record added";

mysqli_close($con);
?>

To pass values in the database but I get errors like:

Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'use,price,seller,detail) VALUES (7,'SamsungSpinpoint','7MB','8 MB','160GB','5400' at line 1

What can be going wrong?

id is int, all others are varchar.

1

use is a reserved word, so either you use backticks around the word or you alter the table.

In addition: the methods available for the form are POST, GET, PUT and other methods. REQUEST is a generic method used to retrieve data in PHP, don't use it in the method attribute, and avoid $_REQUEST if you can, because it allows a client to submit data also through a cookie.

Edited by cereal

-1

Hiya spyros.lois, Try ....

insert.php
_______________________________________

    <?php
    $id = $_POST['id'];
    $manufacturer = $_POST['manufacturer'];
    $transferrate = $_POST['transferrate'];
    $cache = $_POST['cache'];
    $size = $_POST['size'];
    $RPM = $_POST['RPM'];
    $use = $_POST['use'];
    $price = $_POST['price'];
    $seller = $_POST['seller'];
    $detail = $_POST['detail'];

    $sql="INSERT INTO hdd(id, manufacturer,transferrate,cache,size,RPM,use,price,seller,detail)
    VALUES
    ($id,'$manufacturer','$transferrate','$cache','$size','$RPM','$use','$price','$seller','$detail')";

    if (!mysqli_query($con,$sql))
    {
        die('Error: ' . mysqli_error($con));
    }
    echo $sql; /* DEBUG the insert string */
    echo "1 record added";
    mysqli_close($con);
    ?>

1

@KingGold

You've ignored the two posts above yours - the reserved keyword use was entered into his SQL query; you've also done the same thing in your response therefore it still wouldn't work..?

Votes + Comments
The 2 above comments weren't there when I originally posted.
0

@KingGold - you should never do this. All the input data is unsanitized, leaving the OP open to SQL injection. As you're using mysqli, you should use parameterized queries. Check out the php.net manual on this.
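
A sketch of the insert with both points from the replies applied: the reserved column name use in backticks and a mysqli parameterized query. This is an added example, not code from any poster in this thread. It assumes the form is changed to method="POST"; the function name insert_hdd, the constant HDD_TEXT_COLUMNS and the connection credentials are placeholders introduced for illustration.

```php
<?php
// Added example, not from the thread. Credentials further down are placeholders.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

// Columns from the original post; id is int, every other column is varchar.
const HDD_TEXT_COLUMNS = ['manufacturer', 'transferrate', 'cache', 'size',
                          'RPM', 'use', 'price', 'seller', 'detail'];

function insert_hdd(mysqli $con, array $input): void
{
    // Validate id as an integer instead of interpolating it into the SQL text.
    $id = filter_var($input['id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false) {
        throw new InvalidArgumentException('id must be an integer');
    }
    $values = [];
    foreach (HDD_TEXT_COLUMNS as $col) {
        if (!isset($input[$col]) || !is_string($input[$col])) {
            throw new InvalidArgumentException("missing field: $col");
        }
        $values[] = $input[$col];
    }
    // Column names are fixed literals; `use` is backticked because it is reserved.
    // User data travels only through the ? placeholders, never the SQL string.
    $stmt = $con->prepare(
        'INSERT INTO hdd (id, manufacturer, transferrate, cache, size, RPM, `use`, price, seller, detail)
         VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)'
    );
    $stmt->bind_param('i' . str_repeat('s', count($values)), $id, ...$values);
    $stmt->execute();
    $stmt->close();
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    try {
        $con = new mysqli('localhost', 'db_user', 'db_password', 'db_name'); // placeholders
        $con->set_charset('utf8mb4');
        insert_hdd($con, $_POST);
        echo '1 record added';
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        echo 'Invalid input';
    } catch (mysqli_sql_exception $e) {
        error_log($e->getMessage()); // keep SQL details out of the response
        http_response_code(500);
        echo 'Database error';
    }
}
```

Reading from $_POST rather than $_REQUEST means a cookie cannot supply any of the fields, and logging the mysqli error instead of echoing it keeps schema details out of the response.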
