ORIGINAL TEXT REMOVED

OK, so I found the original problem thanks to a helpful answer. It lists "Invalid query: No database selected" as the error.

require_once ('../dir_connect.php');

$dbc = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);
if (!$dbc) {
    die('Could not connect: ' . mysql_error());
}

If I have this, and I have this in the dir_connect.php file:

/** The name of the database */
define('DB_NAME', 'unlisted_employees');

/** MySQL database username */
define('DB_USER', 'unlisted_qpass');

/** MySQL database password */
define('DB_PASSWORD', 'testpass');

/** MySQL hostname */
define('DB_HOST', 'localhost');

Is there something I need to add to make an actual database connection?

A: 

You should be using something like mysql_real_escape_string (or whatever is appropriate for your DB engine) to escape the parameters in your query. Check out the documentation that I linked to. It's been a while since I've used PHP, but someone may chime in with a better parametrized escaping method.

But your main problem seems to be that you're inserting strings into integer fields. Check the values of your zip, birthmonth, birthday, birthyear, etc. fields... they probably don't need to be escaped with single quotes.

Good luck!

Mike Cialowicz
Thanks! I'll look into this for sure. I'm not certain that I understand exactly how it works. I'm new to this escape_string, but I am using it above like this: $birthday = mysql_real_escape_string(trim($_POST['birthday'])); Is there a better way to do it?
gamerzfuse
+3  A: 

You need to check the return value of the mysql_query() call.

http://php.net/manual/en/function.mysql-query.php

$result = mysql_query($query);
if (!$result) {
    die('Invalid query: ' . mysql_error());
}

Right now, you'll never actually hit the error condition and won't actually see what error (if any) MySQL is sending back to you.

Also, you probably want to escape the values you are plugging into the query instead of just doing normal string concatenation. If you don't, your app could be vulnerable to a SQL injection attack. Here is how to generate the query safely:

$query = sprintf("INSERT INTO staff (name, lastname, username, password, position, department, birthmonth, birthday, birthyear, location, phone, email, street, city, state, country, zip, tags, photo) VALUES ('%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s')",
                mysql_real_escape_string($name),
                mysql_real_escape_string($lastname),
                mysql_real_escape_string($username),
                mysql_real_escape_string($password),
                mysql_real_escape_string($position),
                mysql_real_escape_string($department),
                mysql_real_escape_string($birthmonth),
                mysql_real_escape_string($birthday),
                mysql_real_escape_string($birthyear),
                mysql_real_escape_string($location),
                mysql_real_escape_string($phone),
                mysql_real_escape_string($email),
                mysql_real_escape_string($street),
                mysql_real_escape_string($city),
                mysql_real_escape_string($state),
                mysql_real_escape_string($country),
                mysql_real_escape_string($zip),
                mysql_real_escape_string($tags),
                mysql_real_escape_string($photo));

EDIT: Just saw your comment to another answer. If you are already doing the escaping like:

$birthday = mysql_real_escape_string(trim($_POST['birthday']));

then you don't need to escape it when generating the query. It's probably better practice to do the escaping at the time you generate the query so it is clear that you aren't missing anything.

EDIT2: According to the docs, mysql_connect() should take the host, user, and password and then you need to do a mysql_select_db() call afterwards to pick the correct database.

http://www.php.net/manual/en/function.mysql-select-db.php

$dbc = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD);
if (!$dbc) {
    die('Could not connect: ' . mysql_error());
}

// make DB_NAME the current db
$db_selected = mysql_select_db(DB_NAME, $dbc);
if (!$db_selected) {
    die ('Could not select database: ' . mysql_error());
}

(BTW, you should edit your question and put back the original text so it might be useful to others finding this topic later!)

David Archer
"Invalid query: No database selected" Oops? I'll double check how that happened.
gamerzfuse
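
Added example (not part of the thread or any poster's code): the mysql_* functions used on this page were deprecated in PHP 5.5 and removed in PHP 7.0, so the same insert is shown here with mysqli prepared statements, which replace manual escaping and let the integer fields be bound as integers. It assumes the DB_* constants from dir_connect.php, a subset of the staff columns, and integer birth-date columns; post_int is a hypothetical helper.

```php
<?php
// Added example. Assumes DB_HOST, DB_USER, DB_PASSWORD and DB_NAME are
// defined in dir_connect.php, as in the question.
require_once '../dir_connect.php';

// Make mysqli throw mysqli_sql_exception on failure instead of returning
// false, so a failed connect, prepare or execute cannot go unnoticed.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Hypothetical helper: read a POST field as an integer in [$min, $max],
// or null when it is missing or not a valid integer.
function post_int(string $key, int $min, int $max): ?int
{
    $v = filter_input(INPUT_POST, $key, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min, 'max_range' => $max]]);
    return ($v === false || $v === null) ? null : $v;
}

try {
    // Unlike mysql_connect(), the fourth argument here is the database
    // name, so no separate select-database call is needed.
    $dbc = new mysqli(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);
    $dbc->set_charset('utf8mb4');

    $birthmonth = post_int('birthmonth', 1, 12);
    $birthday   = post_int('birthday', 1, 31);
    $birthyear  = post_int('birthyear', 1900, (int) date('Y'));
    if ($birthmonth === null || $birthday === null || $birthyear === null) {
        http_response_code(400);
        exit('Invalid birth date.');
    }
    $name     = trim($_POST['name'] ?? '');
    $lastname = trim($_POST['lastname'] ?? '');
    $username = trim($_POST['username'] ?? '');

    // Placeholders keep user input out of the SQL text entirely.
    $stmt = $dbc->prepare(
        'INSERT INTO staff (name, lastname, username, birthmonth, birthday, birthyear)
         VALUES (?, ?, ?, ?, ?, ?)'
    );
    // Type string: s = string, i = integer (one letter per placeholder).
    $stmt->bind_param('sssiii', $name, $lastname, $username,
        $birthmonth, $birthday, $birthyear);
    $stmt->execute();
} catch (mysqli_sql_exception $e) {
    // Keep driver error text in the server log, not in the response.
    error_log('staff insert failed: ' . $e->getMessage());
    http_response_code(500);
    exit('Could not save the record.');
}
```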
A: 

No connection to the database?

mysql_query() returns false on failure and generates a warning, not an error.

By the way, !$query does not tell you anything as far as mysql is concerned as it is just a text string.

jeroen
A: 

The problem is here:

if (!$query) {
    die('Invalid query: ' . mysql_error());
}

You are checking the $query variable to decide if the query ran or not, which makes no sense. Instead you need to collect the return value of the mysql_query and then make use of it instead.

$res = mysql_query($query);
if (!$res) {
    die('Invalid query: ' . mysql_error());
}
codaddict