Simple mysql insert gone wrong...

[hespy]

Basically trying to get my script to insert into a database table, it might have to insert either a topic or an article depending on the options the user chose.. been staring at it for ages and just can't figure out why it won't work, ends up with the die message couldn't execute query.. have the same trouble inserting userse into a users table. Is it something stupid im doing? tried different ways of having the variable statements in the insert query and still nothing. Cheers

<?php
$conn = mysql_connect("localhost", "root", "")
or die("Could Not Connect to the database, please try again later");

mysql_select_db("blog", $conn)
or die("Could select the database, please try again later");

if(@$_GET['topictitle'] != null)
{
$query = "INSERT INTO blg_topics VALUES (, {$_POST['topictitle']},{$_POST['topicdesc']})";
}

if(@$_GET['articletitle'] != null)
{
$topicid = $_POST['topicid'];
$articletitle = $_POST['articletitle'];
$article = $_POST['article'];
$username = $_SESSION['username'];

$query = "INSERT INTO blg_article VALUES (,{$topicid},{$articletitle},{$article},NOW(),{$username})";
}

$result = mysql_query($query)
or die("Couldn't execute query");

echo "<span class=text>Your additions have been made succsesfully<br>";
echo "<a href='index.php'>Home</a></span>";
mysql_close($conn);
?>


<?php
$conn = mysql_connect("localhost", "root", "")
or die("Could Not Connect to the database, please try again later");

mysql_select_db("blog", $conn)
or die("Could select the database, please try again later");

/*The order that the POST variables are in depends on the table
in the database and must correspond*/
$username = $_POST['username'];
$surname = $_POST['surname'];
$firtname = $_POST['firstName'];
$password = $_POST['password'];
$email = $_POST['email'];

$sql = "INSERT INTO `blg_users` (`username`, `surname`, `firstName`, `password`, `email`, `status`) VALUES (\'$username\', \'$surname\', \'$firstname\', \'$password\', \'$email\', \'user\')";

$result=mysql_query($sql)
or die("Error in sql");

$email = $_POST['email'];
$emess="Thank you for registering with us, your username is: {$_POST['username']} and you password is: {$_POST['password']}";
$ehead="From: email@email.com";
$subj ="Your new blog Member Account";
$mailsend=mail('$email','$subj','$emess','$ehead');

echo "Your account has been created successfully";
echo "You will need to use your username, which you supplied when registering, and your password to log in";
echo "You have been emailed a copy of your details for reference";
echo "You can <a href=login.php>Log in</a> here";
echo "Or return <a href=index.html>home</a> here";

mysql_close($conn);
?>

 

[cLFlaVA]

1) try supplying '' as the first field, instead of nothing at all.

2) do this: or die( mysql_error() ); for debugging purposes.

*cLFlaVA
----------------------------
[tt]your mom goes to college[/tt]
[URL unfurl="true"]http://www.coryarthus.com/[/url]

 

[hespy]

Right that works better, now the error message is that my query is empty, is this an issue with the post variables?

 

[kenrbnsn]

On first glance, I see a few things wrong with your queries:
Here's your code:

 $query = "INSERT INTO blg_topics VALUES ([COLOR=red],[/color] {$_POST['topictitle']},{$_POST['topicdesc']})";

Notice you have a comma "," before the first value. Here's my version...

 $query = "INSERT INTO blg_topics VALUES ('" .$_POST['topictitle']."','" .$_POST['topicdesc']. "')";

You have the same problem on the other query in the first segment.

In the second segment, why do you escape the single quotes in your query? Remove the backslashes.

Another problem that I noticed, Your use of the mail() function is incorrect. You have:

$mailsend=mail('$email','$subj','$emess','$ehead');

You should get rid of the single quotes here also.

Also, I see no validation of values in your code. Before executing any MySQL queries, make sure that the input is not something unexpected. Also, what happens to your code if someone includes a quote in their input?

When you use the die() function, include the current contents of your query. That makes debugging much easier.

Note: when you post code, please surround the code with the tags [ignore]

[/ignore].

 

[hespy]

ah right sorry, the reason the first comma was there was too insert no value into the topic id which would is an auto number, i assummed not having it would try put the next value into this. The escapes were generated by phpmyadmin, i tried using that code to see if it made a difference, I will alter those now though, remove the slashes and quotes, ta

 

[hespy]

Right sorted it. I used this below to get it working

$query = "INSERT INTO blg_topics (topic_title,topic_desc) VALUES ('".$_POST['topictitle']."','" . $_POST['topicdesc'] ."')";

If i had just specified not to insert into the first column it works fine

Thanks for the expert advice on all fronts!