tags:

views:

82

answers:

3

So this might be dumb, but I can't get anything to insert into a MySQL on a certain account, and I've been staring at this for two hours. I'm a newbie to PHP, so I could very well be doing something dumb. I attached a screenshot of the DB I am trying to INSERT INTO.

Find an image of what I'm talking about at http://dillondoyle.com/files/dbsetup.jpg (imgur seems to be down for me)

Here's the code I have, and PhpMyAdmin told me GRANT ALL PRIVILEGES ON . TO ...

$fbFirstName = $me['first_name'];
$fbLastName = $me['last_name'];
$fbEmail = $me['email'];
mysql_real_escape_string($fbFirstName,$fbLastName,$fbEmail);

$getuserresult = mysql_query("SELECT * FROM newusers WHERE fbUID=$uid");
$userrowsreturned=mysql_num_rows($getuserresult);
if ($userrowsreturned=0)
  { 
        echo '<br />user already exists, will update something here eventually<br />';
  }
else {
        $sql = mysql_query("INSERT INTO newusers (fbUID,callsAttempted,callsMade,fbEmail,fbFirstName,fbLastName) VALUES ($uid,'1','0',$fbEmail,$fbFirstName,$fbLastName)"); 
        if(!$sql) {
            die("Nope");
        } else {
            echo "1 record added";
        }
        echo '<br />created user<br />';
}
+3  A: 

Two things go wrong here. Escaping goes like:

$fbFirstName = mysql_real_escape_string($fbFirstName);
// for all variables

// or, just in one go:
$fbFirstName = mysql_real_escape_string($me['first_name']);

// and for integers, make sure they are actually integers (and prevent mayhem)
$some_id = (int)$me['some_id'];
$uid = (int)$uid;

And when inserting you must quote non-integer values:

$sql = mysql_query("INSERT INTO `newusers`
     (`fbUID`,`callsAttempted`,`callsMade`,`fbEmail`,`fbFirstName`,`fbLastName`)
     VALUES
     ('$uid',1,0,'$fbEmail','$fbFirstName','$fbLastName')"); 

(but you may quote integers as well - you never know if some external id is, or may become, alphanumeric.)

mvds
It is amazing that feeding `mysql_real_escape_string` incorrect parameter data types as well as one more parameter than it's documented as accepting isn't fatal.
BipedalShark
Brilliant! Thanks for the help. Gradually learning. I will mark this as correct when it allows me to in 3 minutes! THANKS!
Dillon Doyle
Great. I gave some more background you should know about, such as casting of integer values (forcing them to be numbers only) and quoting field/table names in MySQL (so that if you have a field named `order` or `table` you will not run into hard-to-find bugs).
mvds
this function simplifies things: http://programanddesign.com/php/sql-injection-safe-queries-redux/
Mark
A: 

First of all, you must change

$getuserresult = mysql_query("SELECT * FROM newusers WHERE fbUID=$uid");

to

$getuserresult = mysql_query("SELECT * FROM newusers WHERE fbUID='$uid'");

after that change your insert to:

$sql = mysql_query("INSERT INTO newusers (fbUID,callsAttempted,callsMade,fbEmail,fbFirstName,fbLastName) VALUES
     ('$uid','1','0','$fbEmail','$fbFirstName','$fbLastName')"); 
Am1rr3zA
+2  A: 

You have an error

if ($userrowsreturned=0)

should be (use double equals to test equivalence, single equals for assignment)

if ($userrowsreturned==0)

I also think you actually mean the following since you're checking if a user already exists

if ($userrowsreturned==1) 
acqu13sce
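The fixes from the answers above combined (cast the id to an integer, keep string values out of the SQL text, compare with == rather than assign with =), as an added example that is not code from the question or from any answer. It swaps the ext/mysql calls for PDO prepared statements (ext/mysql was removed in PHP 7), which removes the quoting and escaping problem entirely. The DSN, the credentials, the function name upsertNewUser and the $me / $uid inputs are assumptions.

```php
<?php
// Added example, not from the question or answers: the same "look up, then
// insert" flow rewritten with PDO prepared statements. Placeholders send the
// values separately from the SQL, so no manual quoting or escaping is needed.

function upsertNewUser(PDO $db, $uid, array $me): string
{
    // Force the id to an integer, as the accepted answer recommends, so a
    // non-numeric value can never end up inside the query text.
    $uid = (int) $uid;

    $check = $db->prepare('SELECT COUNT(*) FROM `newusers` WHERE `fbUID` = :uid');
    $check->execute([':uid' => $uid]);
    $existing = (int) $check->fetchColumn();

    if ($existing > 0) {                 // comparison, not the "=" assignment bug
        return 'user already exists';
    }

    // Column and table names are backtick-quoted, values are bound by name.
    $insert = $db->prepare(
        'INSERT INTO `newusers`
            (`fbUID`, `callsAttempted`, `callsMade`, `fbEmail`, `fbFirstName`, `fbLastName`)
         VALUES
            (:uid, 1, 0, :email, :first, :last)'
    );
    $insert->bindValue(':uid', $uid, PDO::PARAM_INT);
    $insert->bindValue(':email', $me['email']);
    $insert->bindValue(':first', $me['first_name']);
    $insert->bindValue(':last', $me['last_name']);
    $insert->execute();                  // throws PDOException on failure (see ERRMODE below)

    return '1 record added';
}

// Assumed DSN and credentials. ERRMODE_EXCEPTION turns silent failures into
// exceptions; EMULATE_PREPARES=false makes MySQL itself do the parameter binding.
$db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false,
]);

try {
    echo upsertNewUser($db, $uid, $me), '<br />';
} catch (PDOException $e) {
    // Log the driver error server-side; do not echo it to the browser.
    error_log('newusers query failed: ' . $e->getMessage());
    echo 'Nope';
}
```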