Code for Book record management

<?php

$con = mysqli_connect('localhost', 'root');
if ($con === false) {
    die("error : could not connect ." . mysqli_connect_error());
}
mysqli_select_db($con, 'BRM_DB');

// escape the submitted values before interpolating them into the query
$Title  = mysqli_real_escape_string($con, $_REQUEST['title']);
$Price  = mysqli_real_escape_string($con, $_REQUEST['price']);
$Author = mysqli_real_escape_string($con, $_REQUEST['author']);

$query = "INSERT INTO book(title,Price,Author) VALUES('$Title',$Price,'$Author')";
if (mysqli_query($con, $query)) {
    echo("Record inserted");
} else {
    echo("insertion failed");
}
mysqli_close($con);
?>
<!DOCTYPE html>
<html>
<head>
<title>Insertion</title>
</head>
<body>
<h1>Book Record Management</h1>
<a href="insertform.php">click here</a>
</body>
</html>

What am I doing wrong here? I don’t know why it gives “insertion failed”. Please, can someone solve this problem? I’m naive at it.

'Tis probably this, but you should really be using prepared statements rather than inserting variables into your SQL.

Can you show the form code? All we can see here is a link to (presumably) your form, not the form itself.

Your query is failing with an error for some reason, but you don’t have useful error handling for all the database statements that can fail. Add the following line of code before the point where you make the database connection, then ensure that php’s error_reporting is set to E_ALL and display_errors is set to ON -

// set the mysqli error mode to exceptions, then let php catch the exception, where it will use its error related settings to control what happens with the actual error information (database statement errors will 'automatically' get displayed/logged the same as php errors.)
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

Why are we escape-stringing a numeric value?

If it works locally and not online I would check caSeSenSitivity.

First of all, check your database column names for capital letters to be sure they are the same in the query and in the database.

Second, you should run all those checks and insert into the database only if the form is submitted.

Here is code I tested on my PC and online, and it all works.

<?php
error_reporting(E_ALL);

if (isset($_POST['submit'])) { // when form is submitted

    $con = mysqli_connect('localhost', 'root', '', 'BRM_DB');

    if (!$con) die("error : could not connect ." . mysqli_connect_error());

    $Title  = mysqli_real_escape_string($con, $_POST['title']);
    $Price  = mysqli_real_escape_string($con, $_POST['price']);
    $Author = mysqli_real_escape_string($con, $_POST['author']);

    // title, Price, Author: check that these names match the database columns
    $query = "INSERT INTO book(title, Price, Author) VALUES ('$Title', $Price, '$Author')";

    if (mysqli_query($con, $query)) {
        echo("Record inserted");
    } else {
        echo("insertion failed");
    }
    mysqli_close($con);
}
?>


<!DOCTYPE html>
<html>
	<head>
		<title>Insertion</title>
	</head>
<body>
	<form method="post" action="">
		<input type="text" name="title"><br>
		<input type="text" name="price"><br>
		<input type="text" name="author"><br>
		<input type="submit" name="submit" value="Add">
	</form>
</body>
</html>

Does it work if I put the price of my book to be “banana”?

Well, that is something he must handle in the database and in the form validation itself; on form submit he should check whether the input is a double.

price should be a double in the database, so it will accept only numbers and not strings like “banana” or anything else.

In that case you don’t need to escape price since it is a double; you can remove mysqli_real_escape_string from $Price.

wooooah there skippy. Not the correct answer.

Never, ever, trust user input. Ever.

$Price should be a float you say? There’s a function for that. $Price = floatval($_POST['price']);

Now we KNOW $Price is a double, and not some cleverly crafted string to break our database, and also not the word “banana”.

Use the right tool for the job, and it’ll get you a lot further.
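Putting the thread’s advice together (mysqli exceptions, validating price as a number, and prepared statements instead of interpolating variables into the SQL), as an added example that is none of the posters’ code; it assumes the thread’s `book(title, Price, Author)` table in `BRM_DB`, a POST form with fields `title`, `price` and `author`, and placeholder credentials:

```php
<?php
// Added example, not code from the thread. Assumes table book(title, Price, Author)
// in BRM_DB and POST fields title/price/author; credentials are placeholders.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // SQL errors become exceptions

function insert_book(mysqli $con, string $title, string $price, ?string $author): int
{
    // Validate the raw price before converting: is_numeric() rejects "banana"
    // but accepts "18.87"; a bare (float) cast would silently turn "banana" into 0.0.
    if (!is_numeric($price) || (float) $price < 0) {
        throw new InvalidArgumentException('price must be a non-negative number');
    }
    $title = trim($title);
    if ($title === '' || mb_strlen($title) > 20) {   // title is varchar(20) NOT NULL
        throw new InvalidArgumentException('title must be 1-20 characters');
    }
    $priceVal = (float) $price;

    // Placeholders keep the values out of the SQL text, so no escaping is needed
    // and no crafted input can change the statement's structure.
    $stmt = $con->prepare('INSERT INTO book (title, Price, Author) VALUES (?, ?, ?)');
    $stmt->bind_param('sds', $title, $priceVal, $author); // a null $author inserts NULL
    $stmt->execute();
    return $stmt->affected_rows; // 1 on success
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    try {
        $con = new mysqli('localhost', 'root', '', 'BRM_DB'); // placeholder credentials
        $con->set_charset('utf8mb4');                          // binding needs the right charset
        $rows = insert_book(
            $con,
            $_POST['title'] ?? '',
            $_POST['price'] ?? '',
            isset($_POST['author']) ? trim($_POST['author']) : null  // Author column is nullable
        );
        echo $rows === 1 ? 'Record inserted' : 'insertion failed';
    } catch (mysqli_sql_exception $e) {
        error_log($e->getMessage());   // log the real SQL error; do not show it to the user
        echo 'insertion failed';
    } catch (InvalidArgumentException $e) {
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    } finally {
        if (isset($con)) { $con->close(); }
    }
}
```

With MYSQLI_REPORT_STRICT enabled, the exact failing statement and its message end up in the PHP error log, which is where the “insertion failed” cause from the original post would become visible.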

Would it not be better as a decimal?

He can use any type that accepts numbers with decimals; I am sure he won’t have a price with more than 2 decimal places like 18.87654.

As I said, he must check the input before he inserts data into the database or he will get an error on insert.

// validate the raw input before converting: is_numeric() rejects "banana"
// (checking is_float() after floatval() would always be true, so it proves nothing)
if (!is_numeric($_POST['price'])) {
    // price is not a valid number, return error
}
$Price = floatval($_POST['price']); // convert price input to float

Would casting be quicker and less code?

$Price = (float) $_POST['price'];

https://www.php.net/manual/en/language.types.type-juggling.php


Thanks!! But I tried your code also and it gives the same result.

Here is the database and insertform code; please tell me what I am doing wrong.

Try this:

echo $query;
die; // display value and halt browser script

Compare the case sensitivity values with the field names from your image.

Could you post that as text please, it’s almost unreadable in that image format.

Also, what happens when you

var_dump($_REQUEST);

Can you show us the html form that you are calling the PHP from, and the current version of the code?

Eh, readable enough for me.

Table book contains 4 fields:
Bookid int(5) NOT NULL PRIMARY KEY AUTO INCREMENT
title varchar(20) NOT NULL
price float(7,2) NOT NULL
Author varchar(20)

(oddly, the database reports that the default for title and price are NULL, which would violate their NOT NULL designators. Presumably the database is coercing NULL to “” and 0.00 respectively.)

<!DOCTYPE html>
<html>
<head>
<title>Insertion Form</title>
</head>
<body>
<h1>Book Record Management</h1>
<form action="insertion.php" method="post">
<table>
<tr>
<th>Title</th>
<td><input type="text" name="title" required/></td>
</tr>
<tr>
<th>Price</th>
<td><input type="text" name="price" required/></td>
</tr>
<tr>
<th>Author</th>
<td><input type="text" name="Author" /></td>
</tr>
<tr>
<th></th>
<td><input type="submit" Value="Insert" /></td>
</tr>
</table>
</body>
</html>

This is the insert form.

Table book contains 4 fields:
Bookid int(5) NOT NULL PRIMARY KEY AUTO INCREMENT
title varchar(20) NOT NULL
price float(7,2) NOT NULL
Author varchar(20)

This one is the database report. I have no idea where to use var_dump; I’m naive at it.
Please check it and tell me what I am doing wrong.

[off-topic]
@nidhisingh4115 when you post code in the forum, you need to format it. To do so you can either select all the code and click the </> button, or type 3 backticks ``` on a separate line both before and after the code block.

I have done it for you this time.
[/off-topic]

thank you…