Problem with MYSQL database, values are not inserted

Question

Hi,

I am trying to insert values in database and values are not being inserted, here is the code i have:

    $user_name = "username";
    $password = "password";
    $database = "database";
    $server = "localhost";
    $db_handle = mysql_connect($server, $user_name, $password);
    $db_found = mysql_select_db($database, $db_handle);

    if ($db_found) {

    $SQL = 'INSERT INTO table (anInt, DomainName, URL, Rank, PageRank, Google, Bing, Boss, IndexedPage, Backlinks) VALUES ($anInt, $Domain, $URL, $Rank, $Pagerank, $Google, $Bing, $Yahoo, $Pages, $backlinks)';
    $result = mysql_query($SQL);
    mysql_close($db_handle);

    print "Records added to the database";

it is printing that records added to the database but when looking at the database nothing is being added. some of the values are doubles, text, and ints. Is there anyway to debug this? I will be adding more information to the post if someone asks me to.

and of course I have an else statement i just thought it is not relevant since it is telling me that records are added.

Answer 1

Well there are security issues with the code but to address one problem

you are not enclosing your string values in quotes in the SQL statement.

Answer 2

I am no PHP expert, but I have 2 remarks.

1. You don't check the error (perhaps with mysql_errno()) so you don't know whether the records were added

2. I think the values, if they are strings, should be given like

   '$Domain'

that is, escaped with ' characters.

better would be, of course, using something like

$sql = sprintf("INSERT ... VALUES(%d, '%s', '%s',...)", 
               $anInt, mysql_real_escape_string($Domain), ...);

if you insert user-supplied input.

Answer 3

First of all, you should escape the string values you are passing into the SQL query, using mysql_real_escape_string.

Then, you should add quotes, in your SQL query, arround the fields that are meant to contain strings.

I don't really know which fields are integers and which fields are strings, but you should be using something like this to build your SQL query :

// Escape the string data, and make sure integer really contain integers
$anInt = intval($anInt);
$Domain = mysql_real_escape_string($Domain);
$URL = mysql_real_escape_string($URL);
$Rank = intval($Rank);
$Pagerank =  = intval($Pagerank);
$Google = intval($Google);
$Bing = intval($Bing);
$Yahoo = intval($Yahoo);
$Pages = intval($Pages);
$backlinks = intval($backlinks );

// Build the SQL query, using the "safe" variables
$SQL = 'INSERT INTO table (anInt, DomainName, URL, Rank, PageRank, Google, Bing, Boss, IndexedPage, Backlinks) 
        VALUES ($anInt, '$Domain', '$URL', $Rank, $Pagerank, $Google, $Bing, $Yahoo, $Pages, $backlinks)';

This is supposing that only DomainName and URL are meant to contain strings -- you might have to use mysql_real_escape_string and add quotes arround the values for some other fields too, if needed.

Then, you should take a look at the return value of mysql_query : for an insert query, in case of an error, it'll return false.

Here, if your $result variable is false, you should use mysql_error and mysql_errno : they'll allow you to know what error happened -- it will help detecting errors in your SQL query, for instance.

If this doesn't solve the problem, you should try outputting the SQL query, and run it using something like phpMyAdmin, to make sure it's OK.

Answer 4

You could examine the $result:

$result = mysql_query($query);
if (!$result) {
    print "An error occured: " . mysql_error() . "\n";
}

My guess is that you're passing a string without quotes, like:

VALUES (Hello)

where you should pass it like:

VALUES ('Hello')

Like the commenter said, if the user can control these strings, you are open to an SQL Injection attack. You can prevent that attack by escaping the strings, for example:

$query = sprintf("INSERT INTO table (DomainName) VALUES ('%s')",
        mysql_real_escape_string($domain_name));

Answer 5

In SQL queries, you need to enquote strings correctly, or it will produce an error. So all your variables that are used to store non-int or non-boolean values in the database need quotes around the values.

Additionally you should make sure that SQL injections are not a problem by escaping all values with mysql_real_escape_string first.

Answer 6

Apart from sql injections your error handling is not complete...

if (!$db_found) {
  echo "datbase not found.";
}
else {
  $SQL = 'INSERT INTO
      table
      (...)
    VALUES
      (...)
  ';
  $result = mysql_query($SQL, $db_handle);
  if ( !$result ) {
    echo "error: ", mysql_error($db_handle);
  }
  else {
    print "Records added to the database";
  }
}
mysql_close($db_handle);

In case a query causes an error mysql_query() return FALSE and mysql_error() will tell you more about the error.

Answer 7

First of all, please regard everybody else's advice on safe database handling and avoiding injection.

The reason your query isn't doing anything is probably that you enclosed the string in single quotes. In PHP single quotes enforce the string to be literal. Unlike when using double quotes, variables will NOT be substituted. So '$foo' represents the sequence of characters '$'.'f'.'o'.'o'. "$foo" on the other hand represents the sequence of characters of whatever the variable $foo contains at the time of the string's definition.

You can use mysql_error() to catch most problems with MySQL. Even if the message isn't helping you, you at least know whether the query was parsed properly, i.e. on which end of the connection the problem lies.