Insert into MySQL Table PHP

2019-02-18 07:42发布

站内问答 / PHP
681 5 6

I am having some trouble making a simple form to insert data into a MySQL table. I keep getting this SQL error:

"Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'stock ('ItemNumber', 'Stock') VALUES ('#4','3'')' at line 1"

My HTML for the form is:

    <form action="database.php" method="post">
    Item Number: <input type="text" name="ItemNumber">
    Stock: <input type="text" name="Stock">
    <input type="submit">
    </form>

And the PHP is:

    <?php
    $con=mysqli_connect("localhost","root","root","inventory");
    if (mysqli_connect_errno($con))
      {
      echo "Failed to connect to MySQL: " . mysqli_connect_error();
      }
     $sql = "INSERT INTO current stock ('ItemNumber', 'Stock')
    VALUES
    ('$_POST[ItemNumber]','$_POST[Stock]'')";
    if (!mysqli_query($con,$sql))
      {
      die('Error: ' . mysqli_error($con));
      }
    echo "1 record added";
    mysqli_close($con);
    ?>

5条回答
贪生不怕死
2楼-- · 2019-02-18 08:12

try this

you should not use quotes of parameter around POST . and you should use them inside POST

       $sql = "INSERT INTO `current stock` (ItemNumber, Stock)
           VALUES
         ('".$_POST['ItemNumber']."', '".$_POST['Stock']."' )";

you should escape your variables before you insert them to mysql like that

  • Note that the example does not call mysqli_real_escape_string. You would only need to use mysqli_real_escape_string if you were embedding the string directly in the query, but I would advise you to never do this. Always use parameters whenever possible.
查看更多
0人赞 添加讨论(0) 举报
甜甜的少女心
3楼-- · 2019-02-18 08:16

You have an extra quote and you need ticks around your table name as it contains a space.

INSERT INTO current stock ('ItemNumber', 'Stock')
VALUES
('$_POST[ItemNumber]','$_POST[Stock]'')";

should be:

INSERT INTO `current stock` (`ItemNumber`, `Stock`)
VALUES
('$_POST[ItemNumber]','$_POST[Stock]')";

FYI, you also wide open to SQL injections

查看更多
0人赞 添加讨论(0) 举报
Ridiculous、
4楼-- · 2019-02-18 08:16

Please learn to use parameter binding. You are creating code with security vulnerabilities.

Here's how to do your code in mysqli:

$sql = "INSERT INTO current stock (ItemNumber, Stock) VALUES (?, ?)";

if (!($stmt = mysqli_prepare($con, $sql))) {
    die('Error: ' . mysqli_error($con));
}

if (!mysqli_stmt_bind_param($stmt, "ii", $_POST[ItemNumber], $_POST[Stock])) {
    die('Error: ' . mysqli_stmt_error($stmt));
}

if (!mysqli_stmt_execute($stmt)) {
    die('Error: ' . mysqli_stmt_error($stmt));
}

It's easier to use bound parameters than to get all confused with quotes-within-quotes.

查看更多
0人赞 添加讨论(0) 举报
够拽才男人
5楼-- · 2019-02-18 08:18 
?php
  $conn=new mysqli("localhost","root","","inventory")
  or die("not connected".mysqli_connect_error());
  if(isset($_POST['submit']{
    $ItemNumber=$_POST['ItemNumber'];
    $Stock=$_POST['Stock'];
    $sql="insert into current stock(ItemNumber,Stock) values('$ItemNumber','$Stock')";
    $query=mysqli_query($conn,$sql);
    if($query){
      echo"1 row inserted";
    }else{
      echo mysqli_error($conn);
    }
  }
?>
查看更多
0人赞 添加讨论(0) 举报
对你真心纯属浪费
6楼-- · 2019-02-18 08:26 
<form action="database.php" method="post">
   Item Number: <input type="text" name="ItemNumber">
   Stock: <input type="text" name="Stock">
   <input type="submit" name="submit">
</form>`
查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(6)