
Why isn't my script inserting info into my mysql database?

P: 161
Ok, when I was new to this I had this problem, and I bet a lot of other people did when they were new to PHP and MySQL. So this might be your question:
"Ok, no errors or warnings in mysql and php so why isn't the script entering info into my row?".

Well, to answer your question, most servers that you pay for monthly or own will have an anti MySQL injection attack. So it will not allow the injection to enter in your database, for your protection and theirs.

"What's a MySQL injection attack and how does it happen?"

Let's say you made an emailer for your first project, or a comments area, and you wanted the user to enter anything he or she wants on your comments area. But if they enter single quotes into your textarea/input field, that means they can do anything they want to your database! Using simple MySQL commands, if they wanted. So that means big trouble for you when you do this kind of stuff, so before you jump off your seat and start publishing stuff like a comments system, it is best to protect it.

"Ok, so what's best to protect this ordeal?"

Well, there are two ways that will work or not. One way is the mysql_escape_string function, which works perfectly for me, that is...

"This function will escape the unescaped_string, so that it is safe to place it in a mysql_query(). This function is deprecated.

This function is identical to mysql_real_escape_string() except that mysql_real_escape_string() takes a connection handler and escapes the string according to the current character set. mysql_escape_string() does not take a connection argument and does not respect the current charset setting."

As you can see, it is similar to the real_escape function.

The real_escape string works great, but sometimes servers aren't configured for this function, so if you get errors that you think are unfixable that involve this function, then go with mysql_escape_string. It will usually be something like "Cannot connect to nobody@localhost on mysql-real-escape-string." Something like that; I forgot how it said it, but it is something like that.

It is also best and wise, since HTML can sometimes convert spaces or single quotes into slashes or browser-friendly text like a URL, you might want to use the stripslashes

Example of inserting data into a database the good way:


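require('connect.php'); // use the mysql_connect function in this file

// Undo magic-quote slashes and HTML-encode first; escape for MySQL last,
// because stripslashes() applied after escaping would remove the escaping again.
$text = mysql_escape_string(htmlentities(stripslashes($_POST['text'])));

// `table` is a reserved word in MySQL, so it must be quoted with backticks.
mysql_query("INSERT INTO `table` (stories) VALUES ('$text')");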


Sorry if I forgot something, but this is what I know and do with all my scripts.
Jun 7 '07 #1
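
Added example, not part of the original post and not the poster's code: the same comment insert done with a PDO prepared statement, next to what happens when escaping is undone or the query is built by concatenation. Assumptions: an in-memory SQLite database stands in for MySQL so the script runs offline, the `comments` table and the sample inputs are constructed, and addslashes() stands in for the legacy escape function.

```php
<?php
// Added example. SQLite in memory stands in for MySQL so this runs offline;
// the comments table and the sample inputs are constructed for illustration.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, stories TEXT)');

$samples = array("It's a nice story", '<b>bold</b> & "quoted"');

// 1) Call order matters: stripslashes() applied after escaping removes the
//    backslashes again. addslashes() is only a stand-in here for the legacy
//    escape function, which was removed together with the mysql extension.
foreach ($samples as $text) {
    $roundTrip = stripslashes(addslashes($text));
    echo ($roundTrip === $text ? 'escaping undone: ' : 'still escaped: '), $roundTrip, "\n";
}

// 2) Query built by concatenation: the quote in the first sample ends the
//    string literal early, so the statement no longer parses as intended.
try {
    $pdo->exec("INSERT INTO comments (stories) VALUES ('" . $samples[0] . "')");
} catch (PDOException $e) {
    echo "concatenated query rejected\n";
}

// 3) Prepared statement: the value is bound as data and never parsed as SQL.
$insert = $pdo->prepare('INSERT INTO comments (stories) VALUES (:text)');
foreach ($samples as $text) {
    $insert->execute(array(':text' => $text));
}

// Store the raw text; HTML-encode only when writing it into a page.
foreach ($pdo->query('SELECT id, stories FROM comments') as $row) {
    echo $row['id'], ': ', htmlspecialchars($row['stories'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

Against a real MySQL server only the DSN changes (a `mysql:` DSN with host, database name and credentials); the prepare/execute calls stay the same.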
1 Reply

P: 79
Wrong session to post,:)
Jun 7 '07 #2
