
The PHP script does not execute the MySQL statements. Why is that? When testing the MySQL script on the backend it works.

Thanks for any advice! I considered the integer fact. Anyhow, my query looks like the following and does not work or create any error: INSERT INTO tags (id, tags, giveTake, onOff, tagNumber) VALUES ('1234','jjjjjjjj','0','0','1')

When copying it to the DB backend it works perfectly...

<?php

    require_once('XXXX.php');
    //Variables for Authentication.
    $server_key = md5("XXXXX");
    $server_auth = $_POST["XXXXX"];

    if($server_auth == $server_key)
    {

        //Established the connection to the mySQL server.
        $connection = new mysqli($server_name, $database_user, $database_password, $database_name);

        // new mysqli() always returns an object, so a failed connection has to be
        // detected through connect_error rather than by testing the object itself.
        if(!$connection->connect_error)
        {
            //Variables for userdatabase.
            //$firstName = $_POST["userFirstName"];
            //$lastName = $_POST["userLastName"];
            //$email = $_POST["userEmail"];
            //$password = $_POST["userPassword"];

            $id = $_POST["id"];
            $tags = $_POST["tags"];
            $giveTake= $_POST["giveTake"];
            $onOff = $_POST["onOff"];
            $tagNumber = $_POST["tagNumber"];

            // echo $firstName . ' ' . $lastName;
            //Getting data from the database.

            echo("vor SQL insert");
            $sql = "INSERT INTO tags (id, tags, giveTake, onOff, tagNumber) VALUES ('".$id."','".$tags."','".$giveTake."','".$onOff."','".$tagNumber."')";
            echo $sql;
            $result = mysqli_query($connection, $sql);
            echo $result;

            if($result)
            {
                echo ("Success.");
            }
            else
            {
                // mysqli_error() reports why the statement failed. The original
                // called mysql_connect_error(), which is not a defined function.
                die("Query failed: ".mysqli_error($connection));
            }
        }
        else
        {
            die("Connection failed: ".mysqli_connect_error());
        }
    }
    else
    {
        echo("Error.");
    }
?>
Lutzel
    Learn to use prepared statements in PHP to prevent SQL injections. ( https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1 ) You are mixing the mysqli procedural API ( mysqli_query ) with the OOP API ( `new mysqli(...)` ); it should work according to the mysqli PHP documentation, but it's a sloppy programming style... You need to debug with the `mysqli_error()` function to see why it's not working. – Raymond Nijland May 24 '18 at 15:43
  • Possible duplicate of [How can I prevent SQL injection in PHP?](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Progman May 24 '18 at 18:18
  • I took a look, but with the existing content, verified by the echo right before sending the query, it all looks fine. – Lutzel May 28 '18 at 18:35
  • Please check for errors - https://stackoverflow.com/a/17053489/296555 – waterloomatt May 28 '18 at 19:16
  • No errors :( It seems to be executing without problems, but the result stays false. – Lutzel May 29 '18 at 05:26

1 Answer

Remove the quotes from id if it is an int in the db. Ints don't need quotes; this will cause the query to fail, and if $tagNumber is an int, remove the single quotes as well. Hope it helps.

$sql = "INSERT INTO tags (id, tags, giveTake, onOff, tagNumber) VALUES (".$id.",'".$tags."','".$giveTake."','".$onOff."','".$tagNumber."')";
Jonny
  • "Ints dont need quotes this will cause query fail," wrong MySQL autocasts and the query will not fail.. SQL injection still exists it this answer.. – Raymond Nijland May 24 '18 at 15:48
  • Check this https://www.db-fiddle.com/f/3udvnfti7GHhmAUuGUB1W3/0 i don't see MySQL failing right there. – Raymond Nijland May 24 '18 at 15:52
  • You should never put quotes around numbers. There is a valid reason for this. inconsistent results. Learn more about type casting here. MySQL explains this https://stackoverflow.com/questions/6781976/mysql-quote-numbers-or-not. – Jonny May 24 '18 at 15:55
  • I do support your "ints don't need quotes" (if the column datatype also is an int) part, so you don't have to defend that statement... That's why you should use prepared statements and let the driver do the quotes for you. – Raymond Nijland May 24 '18 at 15:58
  • The query without quotes did not get the query to work. I agree that it is correct to remove the brackets from all the ints. But when I did so I got the same result. Still good advice! As it was definitely a mistake. – Lutzel May 25 '18 at 04:22
  • This answer promotes SQL injection. – waterloomatt May 28 '18 at 19:12
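The comments on the question and on the answer both point the same way: turn on mysqli error reporting so a failing statement is not a silent `false`, and use a prepared statement so the quoting question disappears and the values never become part of the SQL text. The script below is an added example written for this page, not code from the asker or the answerer. It keeps the question's `XXXX.php` include, `$server_name`, `$database_user`, `$database_password` and `$database_name` variables, the `$_POST["XXXXX"]` key check and the `tags` table with its five columns; the assumption that `id`, `giveTake`, `onOff` and `tagNumber` are integer columns (as the answer discussion suggests) is mine, since the page shows no schema.

```php
<?php
// Added example (not the asker's or the answerer's code): the same insert as in
// the question, done with a mysqli prepared statement and with driver errors
// turned into exceptions. Assumes XXXX.php defines $server_name, $database_user,
// $database_password and $database_name, and that id, giveTake, onOff and
// tagNumber are integer columns (assumption; the page shows no schema).
declare(strict_types=1);

require_once('XXXX.php');

// Make every mysqli failure throw mysqli_sql_exception instead of returning
// false. This is what would have shown the real reason the INSERT did nothing.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$server_key  = md5("XXXXX");
$server_auth = (string) ($_POST["XXXXX"] ?? '');

// hash_equals() is a strict, constant-time string comparison; it avoids the
// numeric-string coercion that a loose == comparison of two strings can perform.
if (!hash_equals($server_key, $server_auth)) {
    http_response_code(403);
    exit("Error.");
}

try {
    $connection = new mysqli($server_name, $database_user, $database_password, $database_name);
    $connection->set_charset('utf8mb4');

    // Placeholders instead of string concatenation: the statement text is fixed,
    // and the values travel separately, so quotes or semicolons in $_POST cannot
    // alter the query. The driver also handles the int-vs-string typing that the
    // answer's "remove the quotes" advice was trying to get right by hand.
    $stmt = $connection->prepare(
        'INSERT INTO tags (id, tags, giveTake, onOff, tagNumber) VALUES (?, ?, ?, ?, ?)'
    );

    // Cast the numeric fields explicitly so bad input becomes 0 rather than a
    // driver error; bind_param types: i = integer, s = string.
    $id        = (int) ($_POST["id"] ?? 0);
    $tags      = (string) ($_POST["tags"] ?? '');
    $giveTake  = (int) ($_POST["giveTake"] ?? 0);
    $onOff     = (int) ($_POST["onOff"] ?? 0);
    $tagNumber = (int) ($_POST["tagNumber"] ?? 0);

    $stmt->bind_param('isiii', $id, $tags, $giveTake, $onOff, $tagNumber);
    $stmt->execute();

    echo "Success. Rows inserted: " . $stmt->affected_rows;
} catch (mysqli_sql_exception $e) {
    // Keep the driver message server-side; the client only needs to know it failed.
    error_log('tags insert failed: ' . $e->getMessage());
    http_response_code(500);
    echo "Database error.";
}
```

With `MYSQLI_REPORT_STRICT` set, a wrong column name, a type mismatch or a duplicate primary key surfaces as an exception whose message names the problem, which replaces the `echo $result` / `die(...)` guesswork in the original script. Echoing `$sql` or the raw driver error to the browser, as the original does, should stay out of production code because it leaks table and column names to whoever is submitting the form.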