
mysql query works sometimes but not always

I'm building a simple "little" movie cataloging database system for my own use. The problem right now is that I've got a MySQL query that works MOST of the time but not all. Basically it works by using a 3rd party IMDB API. I use that to search and pull the values I need which works just fine. It displays on my preview screen and everything. The problem I'm running into is that while most movies work, a few do not and I can't figure out the reason.

For example, The Fellowship of the Ring stores just fine while The Return of the King simply won't pass the query. I can't find any differences.

Here's my query:

    $query = "INSERT INTO movies
        (title, year, releaseDate, actors, image, runtime, genre, director, rating, watchedDate, category, series, comments, owned, ownedFormat, seen, plot, favorite, uploadDate)
        VALUES ('$title', '$year', '$releaseDate', '$actors', '$newImg', '$runtime', '$genre', '$director', '$rating', '$watchedDate', '$category', '$series', '$comments', '$owned', '$ownedFormat', '$seen', '$plot', '$favorite', '$curDate')";

    mysql_query($query) or die ('Error');

I'm not sure what else I need to provide. It seems like some kind of difference in the movies is causing the error but I don't know.

Thanks!

**EDIT**

So I tried switching over to mysqli. Here's my new code:

    /* Create the prepared statement */
    if ($stmt = $mysqli->prepare("INSERT INTO movies (title, year, releaseDate, actors, image, runtime, genre, director, rating, watchedDate, category, series, comments, owned, ownedFormat, seen, plot, favorite, uploadDate) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)")) {

        /* Bind our params */
        $stmt->bind_param('sssssssssssssssssis', $title, $year, $releaseDate, $actors, $newImg, $runtime, $genre, $director, $rating, $watchedDate, $category, $series, $comments, $owned, $ownedFormat, $seen, $plot, $favorite, $curDate);

        /* Execute the prepared Statement */
        $stmt->execute();

        /* Echo results */
        echo "Inserted {$title} into database\n";
    }

However, now I'm getting an error that reads: Fatal error: Call to a member function prepare() on a non-object on the line where the if statement starts.

I'm assuming this is because something in my query isn't an object?

Thanks

The most likely reason for this is that you are putting the raw values between single quotes. If one of the values has a single quote in it, then you will get a syntax error.

A better way to do what you want is by binding parameters. You can read more about that here.

Without more information about the actual returned value it is hard to say. It is possible that the returned value contains a character that breaks your code, such as a semicolon or quote. Try stripping all non-alphanumeric characters away using regex.

    $result = preg_replace("/[^a-zA-Z0-9]+/", "", $s);

And you have a SQL injection vulnerability. Consider using PDO instead of the deprecated mysql functions.

http://php.net/manual/en/book.pdo.php
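The quoting failure and the bound-parameter fix described in the answers above, as an added example that is not part of the original posts. It assumes the `pdo_sqlite` extension so it runs without a MySQL server, uses a reduced three-column `movies` table, and the sample rows and the function names `insertInterpolated` and `insertBound` are constructed for illustration.

```php
<?php
// Added example: constructed data, reduced three-column version of the movies table.
// Assumption: pdo_sqlite is available, so no MySQL server is needed to run this.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE movies (title TEXT, year TEXT, plot TEXT)');

// Constructed sample rows: only the second one has an apostrophe in a field.
$movies = [
    ['Sample Movie One', '2001', 'A quiet journey begins.'],
    ['Sample Movie Two', '2003', "The hero's final stand."],
];

// Interpolated version, same shape as the query in the question.
function insertInterpolated(PDO $pdo, array $m): string
{
    [$title, $year, $plot] = $m;
    $sql = "INSERT INTO movies (title, year, plot) VALUES ('$title', '$year', '$plot')";
    try {
        $pdo->exec($sql);
        return 'ok';
    } catch (PDOException $e) {
        // Surface the driver's message instead of die('Error').
        return 'failed: ' . $e->getMessage();
    }
}

// Bound-parameter version: the values never become part of the SQL text.
function insertBound(PDO $pdo, array $m): string
{
    $stmt = $pdo->prepare('INSERT INTO movies (title, year, plot) VALUES (?, ?, ?)');
    $stmt->execute($m);
    return 'ok';
}

foreach ($movies as $m) {
    echo $m[0], ' interpolated: ', insertInterpolated($pdo, $m), "\n";
    echo $m[0], ' bound:        ', insertBound($pdo, $m), "\n";
}

// Look up the row stored through the bound statement, apostrophe included.
$check = $pdo->prepare('SELECT COUNT(*) FROM movies WHERE plot = ?');
$check->execute([$movies[1][2]]);
echo 'rows with the apostrophe plot: ', $check->fetchColumn(), "\n";
```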
