用PHP / MySQL INSERT INTO清空值

Question

I need to do an school assigment and I have run into quite few problems, but I don't understand why the code below gives empty values to the table. Only NOW() gets inserted into the table, otherwise it says Query Empty or something like that. I had the same code on different page and with different table and it worked like a charm.

Regards, Werner.

<?php
$dbhost = 'localhost';
$dbuser = '';
$dbpass = '';
$pnimi =$_REQUEST['pitsa_nimi'];
$id =$_REQUEST['pitsatyybinimi'];
$conn = mysql_connect($dbhost, $dbuser, $dbpass);
if(! $conn )
{
   die('Could not connect: ' . mysql_error());
}
$sql = 'INSERT INTO tellimused_pitsad '.
       '(pitsa_nimi,aeg,toidutyybi_id)'.
        "VALUES ( '$pnimi', NOW(), '$id' )";

mysql_select_db('carl.reinomagi');
$retval = mysql_query( $sql, $conn );
if(! $retval )
{
   die('Could not enter data: ' . mysql_error());
}
echo mysql_error();
echo "Entered data successfully\n";
mysql_close($conn);
header("location:tellimine.php");

?>

This is the previous page ( ordering ) code :

<?php
$tulemus = mysql_query("SELECT * FROM pitsad, pitsatyybid WHERE pitsad.toidutyybi_id =           pitsatyybid.id", $dbhandle);
while ($row = mysql_fetch_assoc($tulemus))
{
?>
<tr><form action="telli.php">
    <td><? echo $row['pitsa_nimi']; ?></td>
    <td><? echo $row['hind']; ?></td>
    <td><? echo $row['valmimisaeg']; ?> Minutit</td>
    <td><? echo $row['pitsatyybinimi']; ?></td>
    <td>
    <input type="submit" value="TELLI"/>
    </form></td>
</tr>
<?php
}
?>
</table>

Answer 1

Please, don't use mysql_* functions in new code . They are no longer maintained and are officially deprecated . See the red box ? Learn about prepared statements instead, and use PDO or MySQLi - this article will help you decide which. If you choose PDO, here is a good tutorial .

Here's a better example using PDO. This code is completely safe against SQL Injection, and is better than using mysql_* functions.

Make sure to read the comments and understand the code.

This is not copy/paste ready code!!

<?php

# Database Connection #
try {
    $conn = new PDO("mysql:host=localhost;dbname=carl.reinomagi", "root", ""); //Please consider having different credentials.
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); //Throw Exceptions on errors - This disables the need to check for errors, see the catch block below.
    $conn->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); //True prepared statements.

    ## Prepreations ##

    $pnimi = $_POST["pitsa_nimi"];
    $id = $_POST["pitsatyybinimi"]; //Please use $_POST or $_GET rather than $_REQUEST

    ## Data validation ##
    if (empty($pnimi) || empty($id)) {
        //One of the variables is empty, return an error to the user.
    }

    //Few things about this:
      //Note the `backticks` around table and column names. This helps readability.
      //Also note the placeholders :pnimi and :id, those placeholders for the prepared statement.
    $query = "INSERT INTO `tellimused_pitsad` (`pitsa_nimi`, `aeg`, `toibutyybi_id`) VALUES (:pnimi, NOW(), :id);";

    $statement = $stmt->prepare($query);

    $statement->bindValue(":pnimi", $pnimi); //Bind the values to the placeholders
    $statement->bindValue("id", $id);

    $statement->execute();
    header("Location: tellimine.php");
}
catch (PDOException $e) {
    echo "An error has occured! " . $e->getMessage(); //Echo a generic error to all mysql error messages.
}