I have the following code, but it reports an error for the mysqli_query($conndb, $sql); statement.

 
<?php

// Connect to the database; mysqli_connect() returns false on failure.
$conndb = mysqli_connect('localhost', 'root', '', 'mydatabase');

// A single "=" here would assign rather than compare (so the test always
// passed); test the connection handle itself and report the connect error.
if ($conndb) {
    echo "Connection Successful!";
} else {
    die(mysqli_connect_error());
}

$author = "Temtim";                     // $_POST["name"];
$title = "kjkdfdf";                     // $_POST["title"];
$year = 2343;                           // $_POST["year"];
$abstract = "This is a data science ";  // $_POST["abstract"];

// This is the statement the answers below discuss: it lacks INTO, quotes the
// identifiers with single quotes, and concatenates the values into the SQL text.
$sql = "insert 'article' ('author', 'title', 'year', 'abstract') values('$author','$title','$year','$abstract');";
//$sql = "INSERT INTO `tbl_contact` (`Id`, `fldName`, `fldEmail`, `fldPhone`, `fldMessage`) VALUES ('0', '$txtName', '$txtEmail', '$txtPhone', '$txtMessage')";

mysqli_query($conndb, $sql);

mysqli_close($conndb);

?>


What I have tried:

I tried different options, but this statement mysqli_query($conndb, $sql); cannot be executed.

Firstly, the SQL INSERT statement doesn't look like that; it requires the INTO keyword as well: SQL INSERT INTO Statement
SQL
INSERT INTO MyTable (Column1, Column2) VALUES (...)


Secondly, and much more important - never concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Always use Parameterized queries instead.

When you concatenate strings, you cause problems because SQL receives commands like:
SQL
SELECT * FROM MyTable WHERE StreetAddress = 'Baker's Wood'
The quote the user added terminates the string as far as SQL is concerned and you get problems. But it could be worse. If I come along and type this instead: "x';DROP TABLE MyTable;--" Then SQL receives a very different command:
SQL
SELECT * FROM MyTable WHERE StreetAddress = 'x';DROP TABLE MyTable;--'
Which SQL sees as three separate commands:
SQL
SELECT * FROM MyTable WHERE StreetAddress = 'x';
A perfectly valid SELECT
SQL
DROP TABLE MyTable;
A perfectly valid "delete the table" command
SQL
--'
And everything else is a comment.
So it does: selects any matching rows, deletes the table from the DB, and ignores anything else.

So ALWAYS use parameterized queries! Or be prepared to restore your DB from backup frequently. You do take backups regularly, don't you?

PHP has built-in parameterised query passing: PHP: Prepared Statements - Manual

Comments
Temtim Assefa 1-Sep-24 6:16am    
Thank you for your immediate feedback. I have corrected the missing word INTO in the insert statement. However, the error for mysqli_query($conn, $sql) is not solved; it reports the same error.
OriginalGriff 1-Sep-24 6:59am    
Did you convert it to a parameterised query?
Temtim Assefa 1-Sep-24 6:17am    
I am working in a WordPress environment; does it have any effect?
Dave Kreskowiak 1-Sep-24 13:20pm    
No, that has nothing to do with this.
insert 'article' ('author', 'title', 'year', 'abstract')
You have used single quotes around your table and column names. That is not valid. You need to use back-ticks around object identifiers, as shown in your commented-out code:
insert into `article` (`author`, `title`, `year`, `abstract`)
But as Griff said, fix the critical SQL Injection vulnerability before you do anything else!
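The two answers above recommend the same fix: INSERT INTO, back-ticks around identifiers, and a prepared statement with bound parameters instead of values concatenated into the SQL text. The script below is an added example showing that rewrite of the poster's insert; it is not code from the question or from either answer. It assumes a table `article` with columns author (VARCHAR), title (VARCHAR), year (INT) and abstract (TEXT) in `mydatabase`, reachable with the credentials from the question; the fallback input values are constructed here so the script can be run from the command line without a form.

```php
<?php
// Added example, not code from the original question or either answer: the
// poster's INSERT rewritten the way both answers recommend, with INSERT INTO,
// back-ticks around identifiers, and bound parameters instead of values
// concatenated into the SQL text.
//
// Assumptions (not stated on the page): a table `article` with columns
// author VARCHAR, title VARCHAR, year INT, abstract TEXT in `mydatabase`,
// reachable with the credentials used in the question.

// Make every mysqli failure an exception carrying the server's message, instead
// of a silent "false" return that leaves you guessing which call went wrong.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

try {
    $conndb = mysqli_connect('localhost', 'root', '', 'mydatabase');
    mysqli_set_charset($conndb, 'utf8mb4');

    // Untrusted form input. The fallbacks (constructed for this example) let the
    // script run from the CLI and are deliberately the two inputs the first
    // answer discusses: a value containing an apostrophe, and the DROP TABLE payload.
    $author   = $_POST['name']     ?? "Baker's Wood";
    $title    = $_POST['title']    ?? "x';DROP TABLE article;--";
    $year     = $_POST['year']     ?? '2024';
    $abstract = $_POST['abstract'] ?? 'This is a data science article';

    // Validate shape before the value reaches the database: binding protects the
    // SQL, it does not turn "abc" into a sensible year.
    if (!ctype_digit((string) $year) || strlen((string) $year) !== 4) {
        exit('year must be a four-digit number');
    }
    $year = (int) $year;

    // Only placeholders appear in the SQL text. The values travel separately, so
    // the apostrophe and the ";DROP TABLE" fragment are stored as plain data and
    // the statement never becomes three commands.
    $sql = 'INSERT INTO `article` (`author`, `title`, `year`, `abstract`)'
         . ' VALUES (?, ?, ?, ?)';

    $stmt = mysqli_prepare($conndb, $sql);
    // Type string: one letter per placeholder, in order (s = string, i = integer).
    mysqli_stmt_bind_param($stmt, 'ssis', $author, $title, $year, $abstract);
    mysqli_stmt_execute($stmt);

    echo 'Rows inserted: ' . mysqli_stmt_affected_rows($stmt) . PHP_EOL;

    mysqli_stmt_close($stmt);
    mysqli_close($conndb);
} catch (mysqli_sql_exception $e) {
    // The message names the failing statement and table; keep it in the server
    // log rather than echoing it to the browser.
    error_log('Database error: ' . $e->getMessage());
    exit('Database error, see server log.');
}
```

After running it, `SELECT title FROM article` returns the literal text x';DROP TABLE article;-- as a stored value and the table is still there, which is the whole point of the parameterised form. The mysqli_report() call is also what answers the original question: with MYSQLI_REPORT_STRICT a failing mysqli_query() or mysqli_prepare() throws with MySQL's own syntax message instead of returning false.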

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)