Values not going to db

[krishnakhanna]

I have made a simple form with validation. when i press the submit button then if validation is ok the content of $sql; becomes

INSERT INTO phpnews_news (mood,tags,time,month,year,subject,titletext,maintext,views,break,catid,trusted) VALUES ('1','tags','1187884757','8','2007','krishna','khanna','erts','0','0','1','0')

But NO values are not available in the db

PHP Code:

<?php
session_start();

if (!isset($_SESSION['token']))
  {
    session_regenerate_id();
    $_SESSION['token'] = true;
  }//check for token

if (isset($_POST['token']) && isset($_SESSION['token']) && $_POST['token'] == $_SESSION['token'])
  {//token is correct
    $token_age = time() - $_SESSION['token_time'];
    if ($token_age >= 600)
       {//token correct but timeout
    echo "Timeout!";
    exit;
        }
            if(isset($_POST['secCode']) && isset($_SESSION['secCode']) && $_POST['secCode'] == $_SESSION['secCode'] ) 
              {
              // correct security code, now validate name and other field


// Strip slashes from all GPC data
include("$_SERVER[DOCUMENT_ROOT]/includes/stripgpcslash.inc.php");
//gpc slashes stripped

//connect to db
    // Do includes
include("$_SERVER[DOCUMENT_ROOT]/includes/connect.inc.php");
    // end includes
//connect to db
            $fault=0;
              if(strlen($_POST["subject"]) > 0)//name field is set
              {
               $n = $_POST['subject'];
               if (strlen($n) > 0 && strlen($n) < 31) //valid and sql friendly name now in $name
                 {
                 $subject = trim(mysql_real_escape_string($_POST['subject']));
                 }
               else {
                 // $n is not valid
                     echo "you to fill your subject properly.";
               $fault++;
               exit;
                    }
                   }     
            else {
                //name not set
               echo "you left the subject blank.";
               $fault++;
               exit;
                 }     

//validation for next field
          if(strlen($_POST["titletext"]) > 0)//titletext field is set
              {
               $titletext = trim(mysql_real_escape_string($_POST['titletext']));
                    }     
            else {
            echo "you left the titletext blank.";
            $fault++;
            exit;
                 }     

//validation for next field
          if(strlen($_POST["maintext"]) > 0)//content  field is set
              {
               $maintext = trim(mysql_real_escape_string($_POST['maintext']));
                    }     
            else {
            echo "you left the content field blank.";
            $fault++;
            exit;
                 }     

//validating next field

          if(strlen($_POST["mood"]) > 0)
              {
               $n = $_POST['mood'];
               if ($n > 0 && $n < 10) 
                 {
                  $mood = trim(mysql_real_escape_string($_POST['mood']));
                       }
               else {
               echo "you to select the mood properly.";
               $fault++;
               exit;
                    }
                   }     
            else {
            echo "you left the mood field blank.";
            $fault++;    
            exit;
                 }     

//validating next field

          if(strlen($_POST["catid"]) > 0)
              {
               $n = $_POST['catid'];
               if ($n > 0 && $n < 9) 
                 {
                  $catid = trim(mysql_real_escape_string($_POST['catid']));
                       }
               else {
               echo "you to select the category properly.";
               $fault++;
               exit;
                    }
                   }     
            else {
            echo "you left the category blank.";
            $fault++;    
            exit;
                 }     

//validating next field

          if(strlen($_POST["tags"]) > 0)
              {
               $tags = trim(mysql_real_escape_string($_POST['tags']));
                    }     
            else {
                  echo "you left the tags field blank.";
            $fault++;    
            exit;
                 }     
//validating next field

$date = mktime(date("G"), date("i"), date("s"), date("n"), date("d"), date("Y"));

$month=date("n", $date);
$year=date("Y", $date);
$time = strtotime("now");
$ip = $_SERVER['REMOTE_ADDR'];

$sql="INSERT INTO phpnews_news (mood,tags,time,month,year,subject,titletext,maintext,views,break,catid,trusted)
VALUES ('$mood','tags','$time','$month','$year','$subject','$titletext','$maintext','0','0','$catid','0')";
mysql_close($con);

if(! $fault)
{
echo $sql;
exit;
}
              }
                else {
              // security code is invalid
            echo " invalid code.";
            exit;    }
  }
else    
    {
echo "invalid referrer!";
exit;
    }
?>

[chris_fuel]

It could be that nowhere in your code are you running mysql_query?

[mysql_beginner]

Use mysql_query($sql); instead of mysql_close($con);

[filth]

As has already been pointed out you are not using mysql_query() so the sql is never being executed.

As well as this you should also enclose table names and gield names in backticks so your sql would be:-

INSERT INTO `phpnews_news` (`mood`,`tags`,`time`,`month`,`year`,`subject`,`titletext`,`maintext`,`views`,`break`,`catid`,`trusted`) VALUES ('$mood','tags','$time','$month','$year','$subject','$titletext','$maintext','0','0','$catid','0')

[r937]

As well as this you should also enclose table names and field names in backticks...

actually, no, you shouldn't

you should never name a table or column with a name that requires backticks

also, you shouldn't use quotes around numeric literals

change this --

INSERT INTO `tablename` ( ... `catid` ... ) VALUES ( ... '0' ... )

to this --

INSERT INTO tablename ( ... catid ... ) VALUES ( ... 0 ... )

[Kailash Badu]

I think backticks are necessary only when you are using reserved keywords as table or column name.

For example, this won't work:
create database CURRENT_TIME

but this would work:
create database `CURRENT_TIME`.

[Jake Arkinstall]

Not really...

I have come across some mysql versions which completely mess up when you don't enclose the names in backticks when using a certain non-alphanumeric character.

[r937]

don't do that then

never name a table or column with a name that requires backticks

[Hammer65]

Yes like when using "password" for a field name (which I usually avoid by calling the field pass instead).

Also you have some error handling in most of your script but then you don't for the database part. You shouldn't echo the results of mysql_error in production, but having it there for debugging is pretty useful.