My PHP script won't insert data into SQL database


RedAndBlack

Hi, I seem to have encountered an issue inserting data into a database. I have done this so many times before and for some reason I can't work out why it isn't working this time around. My assumption is that I'm using words I can't use as row names perhaps; I'm not sure, that's why I'm here.

 

EDIT: here is the full list of row names for this table as not all are included in the insert command

timestamp watchid username symbol timeframe orderid price qty maxbid stoploss buyamount  
<?php session_start();

include('con.php');

$conn = mysqli_connect("localhost", "root", "", "tradl");

$amount= $_POST['amount']; // amount to buy in currency buying with.. if btcusdt the amount is of usdt spent on position
$maxbid= $_POST['maxbid'];
$stoploss= $_POST['stoploss'];
$user= $_SESSION['username'];
$watchid= $_SESSION['id'];
$timeframe= $_SESSION['timeframe'];
$symbol= $_POST['symbol'];

//insert details into database ........ this isnt inserting for some reason
$insert = "INSERT INTO orderbook (watchid, username, symbol, timeframe, maxbid, stoploss, buyamount) VALUES ('$watchid', '$user', '$symbol', '$timeframe', '$maxbid', '$stoploss', '$amount')";
mysqli_query($conn, $insert);

//echo "$user <br /> $symbol <br /> timeframe $timeframe <br /> amount $amount <br /> max bid $maxbid <br />stop loss $stoploss <br /> id $watchid";

?>

 

Edited by RedAndBlack

The first step is to check for errors:

//insert details into database ........ this isnt inserting for some reason
$insert = "INSERT INTO orderbook (watchid, username, symbol, timeframe, maxbid, stoploss, buyamount) VALUES ('$watchid', '$user', '$symbol', '$timeframe', '$maxbid', '$stoploss', '$amount')";
$result = mysqli_query($conn, $insert);

// CHECK FOR ERRORS
if (!$result) {
  echo "Error: " . $insert . "<br>" . mysqli_error($conn);
}

 

Aside from that, you need to read about and use prepared statements: https://www.w3schools.com/php/php_mysql_prepared_statements.asp

Your PHP code is vulnerable to SQL injection. If you put this on a live site it's only a matter of time before a malicious crawler arrives and starts testing your forms for vulnerabilities. They're very common; I get them on my websites all the time.

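The prepared-statement approach recommended in the reply above, applied to the thread's own INSERT. This is an added example, not code posted by either participant. It assumes watchid is an integer column, maxbid, stoploss and buyamount are numeric, and symbols are short alphanumeric strings such as btcusdt; the validation rules and the post_number helper are hypothetical.

```php
<?php
// Added example: the thread's orderbook INSERT as a mysqli prepared statement.
// Assumed (not in the thread): watchid is an integer, the three amounts are numeric.
session_start();
// Throw exceptions on mysqli errors so a failed INSERT cannot pass silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Hypothetical helper: a POST field as float, or null if missing or not numeric.
function post_number(string $key): ?float
{
    $value = filter_input(INPUT_POST, $key, FILTER_VALIDATE_FLOAT);
    return is_float($value) ? $value : null;
}

$amount   = post_number('amount');
$maxbid   = post_number('maxbid');
$stoploss = post_number('stoploss');
$symbol   = $_POST['symbol'] ?? '';

// Reject bad input before it reaches the database (symbol pattern is an assumption).
$valid = $amount !== null && $maxbid !== null && $stoploss !== null
    && is_string($symbol) && preg_match('/^[A-Za-z0-9]{2,20}$/', $symbol) === 1
    && isset($_SESSION['username'], $_SESSION['id'], $_SESSION['timeframe']);
if (!$valid) {
    http_response_code(400);
    exit('Invalid order data.');
}

$watchid   = (int) $_SESSION['id'];
$user      = (string) $_SESSION['username'];
$timeframe = (string) $_SESSION['timeframe'];

try {
    $conn = mysqli_connect("localhost", "root", "", "tradl"); // values as posted in the thread
    // Placeholders keep values out of the SQL text, so a quote in a value cannot alter it.
    $stmt = mysqli_prepare($conn, "INSERT INTO orderbook
        (watchid, username, symbol, timeframe, maxbid, stoploss, buyamount)
        VALUES (?, ?, ?, ?, ?, ?, ?)");
    // One type letter per placeholder: i = integer, s = string, d = double.
    mysqli_stmt_bind_param($stmt, "isssddd",
        $watchid, $user, $symbol, $timeframe, $maxbid, $stoploss, $amount);
    mysqli_stmt_execute($stmt);
    echo "Order saved.";
} catch (mysqli_sql_exception $e) {
    // Log the detail server-side; on a live site do not echo SQL or driver errors.
    error_log("orderbook insert failed: " . $e->getMessage());
    http_response_code(500);
    echo "Could not save the order.";
}
```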

Thank you, I managed to get it working. It's been almost a decade since I wrote any PHP and boy am I rusty, hehe. Thanks for the tips. At the moment it's just something I'm running at home, but if I do choose to go live with it I'll definitely be protecting all of the forms from SQL injection. Thanks again.
