index.php

<html>
  <head>
    <title>Josh's Online Playground</title>
  </head>
  <body>

    <form method="POST" action="action.php">
      <table>
        <tr>
      <td>"data for stuff"</td>
      <td><input type="text" ?></td>
    </tr>

        <tr>
          <td><input type="submit"></td>
        </tr>
      </table>
    </form>

  </body>
</html>

action.php

<?php
  error_reporting(E_ALL);
  ini_sit("display_errors", 1);

  $mysqli = new mysqli('localhost', 'root', 'password', 'website');

  $result = $mysqli->query("insert into stuff (data) values ('
        .$_POST['data']
        ."');

  echo $mysqli->error();

  if($result = $mysqli->query("select data from stuff")){
    echo 'There are '.$result->num_rows.' results.';
  }

  while ($row = $result->fetch_object()){
    echo 'stuff' . $row->data;
  }
?>

Despite the first two lines in action.php, I get no error or warning messages. Instead I get a blank page after clicking the submit button.

Do I have to do something differently to insert data?

A: 

You have inverted single quotes and double quotes somewhere in your code (at the end of your request). Make sure the display_error PHP setting is on.

greg0ire
+1  A: 

You have a fatal error, so the script simply cannot run, and therefore cannot report any errors. Look at this line:

$result = $mysqli->query("insert into stuff (data) values ('
        .$_POST['data']
        ."');

Should read:

$result = $mysqli->query("insert into stuff (data) values ('".$_POST['data']."')");

And escape your $_POST['data'] value before using it in the SQL statement.

Mark Baker
I fixed that. But still no results. The line now reads: $result = $mysqli->query("insert into stuff (data) values ('" . $_POST['data'] . "')";
Joshua Moore
Get into the habit of using an editor with syntax highlighting, and it becomes much easier to see errors such as this... if you look at your original posting, it's obvious even there.
Mark Baker
+3  A: 

You have a syntax error in action.php:

ini_set not ini_sit in line 2 !

Haim Evgi
+1  A: 

ini_sit

has to be

ini_set

;)

oezi
A: 

Ok, first off, you have a massive SQL Injection vulnerability in there. Second, you have no error checking. Third, your quotes are incorrectly nested (which will cause a fatal error, which is why you're not seeing anything).

Modify it to something like this:

$mysqli = new mysqli('localhost', 'root', 'password', 'website');
if ($mysqli->connect_error) {
    //There was an error connecting, handle it
}

// Escape the user-supplied value before placing it inside the quoted SQL literal
$result = $mysqli->query("insert into stuff (data) values ".
    " ('".$mysqli->real_escape_string($_POST['data'])."')");

if ($result === false) {
    //Query error, handle it
}

Also, you're looping through the data without checking if the result is valid:

if($result = $mysqli->query("select data from stuff")){
    echo 'There are '.$result->num_rows.' results.';
    while ($row = $result->fetch_object()){
        echo 'stuff' . $row->data;
    }
}
ircmaxell
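
The insert discussed in the answers above can also be written with a bound parameter instead of string escaping, which removes the quote-nesting problem and the injection risk together. This is an added example, not code posted by anyone in the thread; it assumes the form's text input carries name="data" and that the `website` database has a `stuff` table with a `data` column.

```php
<?php
// Added example: action.php using a prepared statement (not code from the thread).
// Assumption: the form field is named "data" and the table stuff(data) exists.

// Make mysqli throw exceptions instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

try {
    $mysqli = new mysqli('localhost', 'root', 'password', 'website');
    $mysqli->set_charset('utf8mb4');

    // Reject a missing field or a non-string value (e.g. data[]=x).
    $data = $_POST['data'] ?? null;
    if (!is_string($data) || $data === '') {
        http_response_code(400);
        exit('Missing "data" field.');
    }

    // The value travels separately from the SQL text, so quotes in it
    // cannot change the statement.
    $stmt = $mysqli->prepare('INSERT INTO stuff (data) VALUES (?)');
    $stmt->bind_param('s', $data);
    $stmt->execute();
    $stmt->close();

    $result = $mysqli->query('SELECT data FROM stuff');
    echo 'There are ' . $result->num_rows . ' results.<br>';
    while ($row = $result->fetch_object()) {
        // Stored values are untrusted on output as well: encode for HTML.
        echo 'stuff ' . htmlspecialchars($row->data, ENT_QUOTES, 'UTF-8') . '<br>';
    }
    $result->free();
} catch (mysqli_sql_exception $e) {
    // Log the detail server-side; do not echo database errors to the client.
    error_log('action.php database error: ' . $e->getMessage());
    http_response_code(500);
    echo 'Database error.';
}
```

A parse error in this file would still produce a blank page when display_errors is off, so check the web server's error log or run `php -l action.php` first.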