Insert MYSQL PHP into database

Question

I'm trying to insert some data to my database, but it will only insert an unique id and userid. Rest of the attributes wont follow. Any suggestions?

Image of insert:

<?php

if(isset($_POST['project']))
{
    // Escape user inputs for security
    $stripped = mysql_real_escape_string($_GET['id']);
    $title = mysqli_real_escape_string($_POST['title']);
    $about = mysqli_real_escape_string($_POST['about']);
    $code = mysqli_real_escape_string($_POST['code']);

    mysql_query("INSERT INTO cms_prosjekt (userid, title, about, code) VALUES 
        ('".$_SESSION['user']['id']."', '".$title."', '".$about."', '".$code."')") or die(mysql_error());

}
?>

HTML

<form action="" method="post">

    <input type="text" class="form-control" type="text" name="title" id="title" placeholder="Fullt navn" style="margin-bottom:10px">
    <input type="text" class="form-control" type="text" name="about" id="about" placeholder="Kode bedrift" style="margin-bottom:10px">
    <input type="text" class="form-control" type="text" name="code" id="code" placeholder="Passord" style="margin-bottom:10px">

    <button type="submit" name="project" class="button" class="btn btn-success" style="margin-bottom:10px;">Register prosjekt nå</button>

</form>

Answer 1

您需要提供 $link 参数，这是您正确转义您的值的连接。

mysqli_real_escape_string ( mysqli $link , string $escapestr )

Answer 2

Seeing your code and that it only enters one value, this tells me you are using the mysql_ API to connect with , and you're mixing those with mysqli_real_escape_string() , and requires a db connection for it and as the first argument.

Since $stripped = mysql_real_escape_string($_GET['id']); is all that is getting entered in db, after seeing your screenshot.

Those different APIs do not intermix. You need to use the same one from connecting to querying.

• In your case, that would be mysql_* - mysql_real_escape_string() .

I suggest you start using a prepared statement right away.

• https://en.wikipedia.org/wiki/Prepared_statement

Note: Using mysql_real_escape_string() doesn't fully protect against an SQL injection. Read the following Q&A on the subject;

• SQL injection that gets around mysql_real_escape_string()

---

Footnotes:

The MySQL_ API has been removed as of PHP 7.0. Should your server eventually get upgraded to it, you will no longer be able to use your present code.

It's time to switch over to either using the MySQLi_ or PDO API and with a prepared statement.

References:

• http://php.net/manual/en/book.mysqli.php

• http://php.net/manual/en/mysqli.prepare.php

• http://php.net/manual/en/book.pdo.php

• http://php.net/manual/en/pdo.prepared-statements.php

You should also check for any empty fields. Just an isset() against your submit button isn't enough.

If your site is live or will be live soon, someone may enter empty values and could trigger errors or insert empty values in your database, which I'm sure you're not going to appreciate.

Reference:

• http://php.net/manual/en/function.empty.php

Answer 3

You have used both mysqli and mysql it should be anyone of them.

if (isset($_POST['project'])) {
        $stripped = mysql_real_escape_string($_GET['id']);
        $title = mysql_real_escape_string($_POST['title']);
        $about = mysql_real_escape_string($_POST['about']);
        $code = mysql_real_escape_string($_POST['code']);

        mysql_query("INSERT INTO cms_prosjekt (userid, title, about, code) VALUES ('" . $_SESSION['user']['id'] . "', '" . $title . "', '" . $about . "', '" . $code . "')") or die(mysql_error());
    }