问题使mysqli_query执行

Question

I have written the following function in PHP that has a mysqli_query in it that runs without any errors or exceptions. However, the INSERT INTO statement or $insert variable doesn't seem to be working as expected and I can't figure it out. I realize that posting only a portion of the code might make it difficult to ascertain why it is not working, but I am really looking for confirmation that there are no errors in this function.

Do I need to utilize mysqli_real_escape_string for every url provided? I tried altering $website to $_website to account for this, but it returned nothing.

Just really trying to figure out if there's anything I'm doing wrong here that's prevent the SQL query to work. It returns no error which is making it hard to debug. Thanks in advance!

$jp = mysqli_connect("localhost", "myuser", "password", "mydatabase");

if (!$jp) {
    echo "Error: Unable to connect to MySQL." . PHP_EOL;
    echo "Debugging errno: " . mysqli_connect_errno() . PHP_EOL;
    echo "Debugging error: " . mysqli_connect_error() . PHP_EOL;
    exit;
}



function create_distributor( $new_user_id ) {
  $errors = new WP_Error();
  $error=false;
  $errorMsg='';
  $logo=true;
  $name=addslashes(htmlentities($_REQUEST['name']));
  $contact=addslashes(htmlentities($_REQUEST['contact_info']));
  $user_info = get_userdata( $new_user_id );

  $website = $_POST['website'];
  if (stripos($website, "http://") !== 0)   //doesn't start with http:// ? , then add it
      $website = "http://" . $website; 
  // $_website = mysqli_real_escape_string($jp, $website); // THIS DOESNT RETURN ANYTHING
  $subdir = $user_info->user_nicename; // use nicename because user_login is obfuscated as unverified
  $distribpath = 'http://ghq.com/dhdq/'.$subdir;
  $ga_code = 'UA-15331916-1'; //default GA code
  $logo = 'http://ghq.com/wp-content/themes/CAG/img/ghlogo.jpg'; //default png logo

  if(!isset($_REQUEST['name']) || $_REQUEST['name']=='')
  {
    $error=true;
    $errors->add('Distributor Name is required', __('<strong>ERROR</strong>:Distrubutor\'s name was not provided.'));
  }
  if($error)
  {
    return($errorMsg);
  }


  $insert="INSERT INTO distributor (id, name, contact, logo, path, subdir, website, ga_code) VALUES ('".$new_user_id."','".$name."','".$contact."','".$logo."','".$distribpath."','".$subdir."','".$website."','".$ga_code."')";
//   var_dump($insert); 

        // The var_dump print out above is the following SQL Command which if copied and pasted 
    in phpmyadmin works fine: string(252) "INSERT INTO distributor (id, name, contact, 
logo, path, subdir, website, ga_code) VALUES ('1748','test24','','http://ghq.com/wp-content/themes/CAG/img/ghlogo.jpg',
                'http://ghq.com/dhdq/test24','test24','','UA-15331916-1')"




  mysqli_query($jp, $insert);
  if ( false===$insert ) {
  printf("error: %s\n", mysqli_error($jp));
}
  else {
    echo 'done.';
  }
  if($error)
  {
    return $errors;
  }
  else
  {
    return($id);
  }
}

Answer 1

The problem I can see straight off is you are checking your sql variable instead of the query result.

mysqli_query($jp, $insert);
if ( false===$insert ) {
  printf("error: %s\n", mysqli_error($jp));
}
  else {
    echo 'done.';
}

Try changing it to:

$result = mysqli_query($jp, $insert);
if (!$result) {
  printf("error: %s\n", mysqli_error($jp));
}else {
    echo 'done.';
}

Also whats $jp? it doesn't look like you have assigned it anything. Make sure this is the variable that has your mysqli_connect on it. With your question regarding mysqli_real_escape_string, you should really be utilizing mysqli prepared statements as well. All user input should be sanitized.