Is this valid code?

I am trying to trouble shoot a(n) issue. I am trying to pull 5 variables from a form, Number, Name, Title, Date & Id. To this point only the Id seems to working, the date is being set to 0000-00-00, and name, number, and title are not passing into the db. Here is the code that I am passing(?) to my form

if (isset($_POST['ComicNumber']))
{
	$ComicNumber = mysqli_real_escape_string($link, $_POST['ComicNumber']);
	$sql = 'INSERT INTO Comics SET
			ComicNumber="' .$ComicNumber. '"';
	$ComicName = mysqli_real_escape_string($link, $_POST['ComicName']);
	$sql = 'INSERT INTO Comics SET
			ComicName="' .$ComicName. '"';
	$ComicTitle = mysqli_real_escape_string($link, $_POST['ComicTitle']);
	$sql = 'INSERT INTO Comics SET
			ComicTitle="' .$ComicTitle. '"';
	$ComicDate = mysqli_real_escape_string($link, $_POST['ComicDate']);
	$sql = 'INSERT INTO Comics SET
			ComicDate="' .$ComicDate. '"';
	$AuthorId = mysqli_real_escape_string($link, $_POST['AuthorId']);
	$sql = 'INSERT INTO Comics SET
			AuthorId="' .$AuthorId. '"';
	if (!mysqli_query($link, $sql))
	{
		$error = 'Error adding submitted Comic: ' . mysqli_error($link);
		include 'error.html.php';
		exit();
	}

	header('Location: .');
	exit();
}

My form

<form action="?" method="post">
<div>
<label for="ComicNumber">Comic Number:</label>
<textarea id="ComicNumber" name="ComicNumber" rows="1" cols="10"></textarea>
<label for="ComicName">Comic Name:</label>
<textarea id="ComicName" name="ComicName" rows="1" cols="10"></textarea>
<label for="ComicTitle">Comic Title:</label>
<textarea id="ComicTitle" name="ComicTitle" rows="1" cols="10"></textarea>
<label for="ComicDate">Comic Date:</label>
<textarea id="ComicDate" name="ComicDate" rows="1" cols="10"></textarea>
<label for="AuthorId">Author Id:</label>
<textarea id="AuthorId" name="AuthorId" rows="1" cols="10"></textarea>
</div>
<div><input type="submit" value="Add"/></div>
</form>

and my result:

0000-00-00 (by David Hine)

0000-00-00 (by David Hine)

Run the inserts in one query man!



$sql = "INSERT INTO `comics` (`ComicNumber`, `ComicName`, `ComicTitle`,
`ComicDate`, `AuthorId`) VALUES ($ComicNumber, $ComicName, $ComicTitle,
$ComicDate, $AuthorId)";


So this for PHP should work also…


&lt;?php

if (isset($_POST['ComicNumber'])) 
{ 
	$_POST = array_map("mysqli_real_escape_string", $_POST);
	
    $ComicNumber = $_POST['ComicNumber']; 
    $ComicName   = $_POST['ComicName']; 
    $ComicTitle  = $_POST['ComicTitle']; 
    $ComicDate   = $_POST['ComicDate']; 
    $AuthorId    = $_POST['AuthorId']; 
			
	$sql = "INSERT INTO `comics` (`ComicNumber`, `ComicName`, `ComicTitle`, `ComicDate`, `AuthorId`) VALUES ($ComicNumber, $ComicName, $ComicTitle, $ComicDate, $AuthorId)";  
	
    if (!mysqli_query($link, $sql)) 
    { 
        $error = 'Error adding submitted Comic: ' . mysqli_error($link); 
        include 'error.html.php'; 
        exit(); 
    } 

    header('Location: .'); 
    exit(); 
}  

?&gt;

The 1st one gets me this:

Warning: mysqli_real_escape_string() expects exactly 2 parameters, 1 given in /Library/WebServer/Documents/comics/index.php on line 49

Warning: mysqli_real_escape_string() expects exactly 2 parameters, 1 given in /Library/WebServer/Documents/comics/index.php on line 49

Warning: mysqli_real_escape_string() expects exactly 2 parameters, 1 given in /Library/WebServer/Documents/comics/index.php on line 49

Warning: mysqli_real_escape_string() expects exactly 2 parameters, 1 given in /Library/WebServer/Documents/comics/index.php on line 49

Warning: mysqli_real_escape_string() expects exactly 2 parameters, 1 given in /Library/WebServer/Documents/comics/index.php on line 49

Notice: Undefined variable: ComicNumber in /Library/WebServer/Documents/comics/index.php on line 52

Notice: Undefined variable: ComicName in /Library/WebServer/Documents/comics/index.php on line 52

Notice: Undefined variable: ComicTitle in /Library/WebServer/Documents/comics/index.php on line 53

Notice: Undefined variable: ComicDate in /Library/WebServer/Documents/comics/index.php on line 53

Notice: Undefined variable: AuthorId in /Library/WebServer/Documents/comics/index.php on line 53
Error adding submitted Comic: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ’ , , , )’ at line 2

The second one gets me this:


&lt;?php

if (isset($_POST['ComicNumber'])) 
{ 
	$_POST = array_map("mysqli_real_escape_string", $_POST); &lt;===Line 49
	
    $ComicNumber = $_POST['ComicNumber']; 
    $ComicName   = $_POST['ComicName']; 
    $ComicTitle  = $_POST['ComicTitle']; 
    $ComicDate   = $_POST['ComicDate']; 
    $AuthorId    = $_POST['AuthorId']; 
			
	$sql = "INSERT INTO 'comics' ('ComicNumber', 'ComicName', 'ComicTitle', 'ComicDate', 'AuthorId') 
                   VALUES ($ComicNumber, $ComicName, $ComicTitle, $ComicDate, $AuthorId)";  
	
    if (!mysqli_query($link, $sql)) 
    { 
        $error = 'Error adding submitted Comic: ' . mysqli_error($link); 
        include 'error.html.php'; 
        exit(); 
    } 

    header('Location: .'); 
    exit(); 
}  

?&gt;

Warning: mysqli_real_escape_string() expects exactly 2 parameters, 1 given in /Library/WebServer/Documents/comics/index.php on line 49

Warning: mysqli_real_escape_string() expects exactly 2 parameters, 1 given in /Library/WebServer/Documents/comics/index.php on line 49

Warning: mysqli_real_escape_string() expects exactly 2 parameters, 1 given in /Library/WebServer/Documents/comics/index.php on line 49

Warning: mysqli_real_escape_string() expects exactly 2 parameters, 1 given in /Library/WebServer/Documents/comics/index.php on line 49

Error adding submitted Comic: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '‘comics’ (‘ComicNumber’, ‘ComicName’, ‘ComicTitle’, ‘ComicDate’, ‘AuthorId’) ’ at line 1

I am actually trying to run a modded version of this

if (isset($_POST['joketext']))
{
	$joketext = mysqli_real_escape_string($link, $_POST['joketext']);
	$sql = 'INSERT INTO joke SET
			joketext="' . $joketext . '",
			jokedate=CURDATE()';
	if (!mysqli_query($link, $sql))
	{
		$error = 'Error adding submitted joke: ' . mysqli_error($link);
		include 'error.html.php';
		exit();
	}

	header('Location: .');
	exit();
}

Well it was meant to all be incorporated like the “second one”. Didn’t know mysqli escape string took two parameters, guess you’ll have to manually set your vars again…

You could do it this way, loops through all of $_POST and runs the escape string:


&lt;?php 

if (isset($_POST['ComicNumber']))  
{  
	foreach ($_POST as $key =&gt; $val)
	{
		$_POST[$key] = mysqli_real_escape_string($link, $_POST[$key]);
	}
     
    $ComicNumber = $_POST['ComicNumber'];  
    $ComicName   = $_POST['ComicName'];  
    $ComicTitle  = $_POST['ComicTitle'];  
    $ComicDate   = $_POST['ComicDate'];  
    $AuthorId    = $_POST['AuthorId'];  
             
    $sql = "INSERT INTO `comics` (`ComicNumber`, `ComicName`, `ComicTitle`, `ComicDate`, `AuthorId`) VALUES ('$ComicNumber', '$ComicName', '$ComicTitle', '$ComicDate', '$AuthorId')";   
     
    if (!mysqli_query($link, $sql))  
    {  
        $error = 'Error adding submitted Comic: ' . mysqli_error($link);  
        include 'error.html.php';  
        exit();  
    }  

    header('Location: .');  
    exit();  
}   

?&gt;

OR you could just them manually:


&lt;?php 

if (isset($_POST['ComicNumber']))  
{    
    $ComicNumber = mysqli_real_escape_string($link, $_POST['ComicNumber']);  
    $ComicName   = mysqli_real_escape_string($link, $_POST['ComicName']);  
    $ComicTitle  = mysqli_real_escape_string($link, $_POST['ComicTitle']);  
    $ComicDate   = mysqli_real_escape_string($link, $_POST['ComicDate']);  
    $AuthorId    = mysqli_real_escape_string($link, $_POST['AuthorId']);  
             
    $sql = "INSERT INTO `comics` (`ComicNumber`, `ComicName`, `ComicTitle`, `ComicDate`, `AuthorId`) VALUES ('$ComicNumber', '$ComicName', '$ComicTitle', '$ComicDate', '$AuthorId')";   
     
    if (!mysqli_query($link, $sql))  
    {  
        $error = 'Error adding submitted Comic: ' . mysqli_error($link);  
        include 'error.html.php';  
        exit();  
    }  

    header('Location: .');  
    exit();  
}   

?&gt;

I actually tried passing multiple variables on the isset function (statement), but that complained it only wanted one… Is it posting the AuthorId b/c it was the last valid parameter passed?

OR you could just them manually:


&lt;?php 

if (isset($_POST['ComicNumber']))  
{    
    $ComicNumber = mysqli_real_escape_string($link, $_POST['ComicNumber']);  
    $ComicName   = mysqli_real_escape_string($link, $_POST['ComicName']);  
    $ComicTitle  = mysqli_real_escape_string($link, $_POST['ComicTitle']);  
    $ComicDate   = mysqli_real_escape_string($link, $_POST['ComicDate']);  
    $AuthorId    = mysqli_real_escape_string($link, $_POST['AuthorId']);  
             
    $sql = "INSERT INTO `comics` (`ComicNumber`, `ComicName`, `ComicTitle`, `ComicDate`, `AuthorId`) VALUES ('$ComicNumber', '$ComicName', '$ComicTitle', '$ComicDate', '$AuthorId')";   
     
    if (!mysqli_query($link, $sql))  
    {  
        $error = 'Error adding submitted Comic: ' . mysqli_error($link);  
        include 'error.html.php';  
        exit();  
    }  

    header('Location: .');  
    exit();  
}   

?&gt;

Gets me:
Error adding submitted Comic: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '‘Comics’ (‘ComicNumber’, ‘ComicName’, ‘ComicTitle’, ‘ComicDate’, ‘AuthorId’) ’ at line 1

Gets me the same:
Error adding submitted Comic: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '‘Comics’ (‘ComicNumber’, ‘ComicName’, ‘ComicTitle’, ‘ComicDate’, ‘AuthorId’) ’ at line 1

Maybe I am not setting them proper in the Form?

So do


var_dump( $_POST );

at the top of your script and read what is being passed from the form.

Prove to yourself that things are being moved from one place to another.

And do an echo of $sql to see the query you’re executing.

Uh…


    foreach ($_POST as $key => $val)
    {
        $_POST[$key] = mysqli_real_escape_string($link, $_POST[$key]);
    }

Surely you meant $val in that query call… but anyway.

The error you’re posting doesnt… match with what you’re showing us (capitaliation, different quote marks) … so… whats going on?

Here is the code I am using:

if (isset($_POST['ComicNumber']))  
{   
    foreach ($_POST as $key => $val) 
    { 
        $_POST[$key] = mysqli_real_escape_string($link, $_POST[$key]); 
    } 
      
    $ComicNumber = $_POST['ComicNumber'];   
    $ComicName   = $_POST['ComicName'];   
    $ComicTitle  = $_POST['ComicTitle'];   
    $ComicDate   = $_POST['ComicDate'];   
    $AuthorId    = $_POST['AuthorId'];   
              
    $sql = "INSERT INTO 'Comics' ('ComicNumber', 'ComicName', 'ComicTitle', 'ComicDate', 'AuthorId') 
    		VALUES ($ComicNumber, $ComicName, $ComicTitle, $ComicDate, $AuthorId)";    
      
    if (!mysqli_query($link, $sql))   
    {   
        $error = 'Error adding submitted Comic: ' . mysqli_error($link);   
        include 'error.html.php';   
        exit();   
    }   

    header('Location: .');   
    exit();   
} 

When passing this:

var_dump( $_POST );

I get, which if I am reading correct shows that my things are passing properly:

array(5) { [“ComicNumber”]=> string(3) “123” [“ComicName”]=> string(3) “abc” [“ComicTitle”]=> string(3) “def” [“ComicDate”]=> string(8) “2011-1-1” [“AuthorId”]=> string(1) “2” }
Error adding submitted Comic: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '‘Comics’ (‘ComicNumber’, ‘ComicName’, ‘ComicTitle’, ‘ComicDate’, ‘AuthorId’) ’ at line 1

And that would be why. The table/column identifier marker is a backtick `, NOT an apostrophe '. Apostrophes are used for strings.

Give this a try:


    $sql = "INSERT INTO `Comics` (`ComicNumber`, `ComicName`, `ComicTitle`, `ComicDate`, `AuthorId`)  
            VALUES ($ComicNumber, '$ComicName', '$ComicTitle', '$ComicDate', $AuthorId)";    

PS: And then sanitize your input.

Why not get rid of those annoying backticks? There’s no use for them, unless you want to use reserved words as table/column names, and it’s better to avoid that anyway.

Better practice to put them in just in case you do hit upon a reserved word by mistake (left,right, between, month, day, year, date, index etc…) but no, in this example they are not necessary.

So why do I use ` instead of ’ here, does it help define the value? I was under the impression that anything that was not a given function was a string. But, when I change all of my single quote to backticks, I get this

array(5) { [“ComicNumber”]=> string(3) “123” [“ComicName”]=> string(3) “abc” [“ComicTitle”]=> string(3) “def” [“ComicDate”]=> string(8) “2011-1-1” [“AuthorId”]=> string(1) “2” }
Error adding submitted Comic: Unknown column ‘abc’ in ‘field list’

Why don’t you echo $sql to see what the query actually looks like?

And that error does not match the code StarLion gave you. So you’ve done something else. Please repost your code as well.

I am actually not sure where to echo the $sql that you are asking for…

&lt;?php
if (get_magic_quotes_gpc())
{
	function stripslashes_deep($value)
	{
		$value = is_array($value) ?
				array_map('stripslashes_deep', $value) :
				stripslashes($value);

		return $value;
	}

	$_POST = array_map('stripslashes_deep', $_POST);
	$_GET = array_map('stripslashes_deep', $_GET);
	$_COOKIE = array_map('stripslashes_deep', $_COOKIE);
	$_REQUEST = array_map('stripslashes_deep', $_REQUEST);
}

if (isset($_GET['addcomic']))
{
	include 'form.html.php';
	exit();
}

$link = mysqli_connect('localhost', 'root', 'root');
if (!$link)
{
	$error = 'Unable to connect to the database server.';
	include 'error.html.php';
	exit();
}

if (!mysqli_set_charset($link, 'utf8'))
{
	$output = 'Unable to set database connection encoding.';
	include 'output.html.php';
	exit();
}

if (!mysqli_select_db($link, 'icdb'))
{
	$error = 'Unable to locate the comic database.';
	include 'error.html.php';
	exit();
}
var_dump( $_POST );  
if (isset($_POST['ComicNumber']))  
{   
    foreach ($_POST as $key =&gt; $val) 
    { 
        $_POST[$key] = mysqli_real_escape_string($link, $_POST[$key]); 
    } 
      
    $ComicNumber = $_POST['ComicNumber'];   
    $ComicName   = $_POST['ComicName'];   
    $ComicTitle  = $_POST['ComicTitle'];   
    $ComicDate   = $_POST['ComicDate'];   
    $AuthorId    = $_POST['AuthorId'];   
              
    $sql = "INSERT INTO `Comics` (`ComicNumber`, `ComicName`, `ComicTitle`, `ComicDate`, `AuthorId`) 
    		              VALUES ($ComicNumber, $ComicName, $ComicTitle, $ComicDate, $AuthorId)";    
      
    if (!mysqli_query($link, $sql))   
    {   
        $error = 'Error adding submitted Comic: ' . mysqli_error($link);   
        include 'error.html.php';   
        exit();   
    }   

    header('Location: .');   
    exit();   
} 

if (isset($_GET['deletecomic']))
{
	$id = mysqli_real_escape_string($link, $_POST['id']);
	$sql = "DELETE FROM Comics WHERE id='$id'";
	if (!mysqli_query($link, $sql))
	{
		$error = 'Error deleting comic: ' . mysqli_error($link);
		include 'error.html.php';
		exit();
	}

	header('Location: .');
	exit();
}

$result = mysqli_query($link,
		'SELECT Comics.id, ComicNumber, ComicName, ComicTitle, ComicDate, ComicAuthor
		FROM Comics INNER JOIN ComicAuthor
			ON AuthorId = ComicAuthor.id');
if (!$result)
{
	$error = 'Error fetching Comics: ' . mysqli_error($link);
	include 'error.html.php';
	exit();
}

while ($row = mysqli_fetch_array($result))
{
	$Comics[] = array('id' =&gt; $row['id'], 'ComicNumber' =&gt; $row['ComicNumber'],
			'ComicName' =&gt; $row['ComicName'], 'ComicTitle' =&gt; $row['ComicTitle'],
			'ComicDate' =&gt; $row['ComicDate'], 'ComicAuthor' =&gt; $row['ComicAuthor']);
}

include 'comics.html.php';
?&gt;
&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
		"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"&gt;
&lt;html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"&gt;
	&lt;head&gt;
		&lt;title&gt;Add Joke&lt;/title&gt;
		&lt;meta http-equiv="content-type"
				content="text/html; charset=utf-8"/&gt;
		&lt;style type="text/css"&gt;
		textarea {
			display: block;
			width: 10%;
		}
		&lt;/style&gt;
	&lt;/head&gt;
	&lt;body&gt;
		&lt;form action="?" method="post"&gt;
			&lt;div&gt;
				&lt;label for="ComicNumber"&gt;Comic Number:&lt;/label&gt;
				&lt;textarea id="ComicNumber" name="ComicNumber" rows="1" cols="10"&gt;&lt;/textarea&gt;
				
				&lt;label for="ComicName"&gt;Comic Name:&lt;/label&gt;
				&lt;textarea id="ComicName" name="ComicName" rows="1" cols="10"&gt;&lt;/textarea&gt;
				
				&lt;label for="ComicTitle"&gt;Comic Title:&lt;/label&gt;
				&lt;textarea id="ComicTitle" name="ComicTitle" rows="1" cols="10"&gt;&lt;/textarea&gt;
				
				&lt;label for="ComicDate"&gt;Comic Date:&lt;/label&gt;
				&lt;textarea id="ComicDate" name="ComicDate" rows="1" cols="10"&gt;&lt;/textarea&gt;
				
				&lt;label for="AuthorId"&gt;Author Id:&lt;/label&gt;
				&lt;textarea id="AuthorId" name="AuthorId" rows="1" cols="10"&gt;&lt;/textarea&gt;
			&lt;/div&gt;
			&lt;div&gt;&lt;input type="submit" value="Add"/&gt;&lt;/div&gt;
		&lt;/form&gt;
	&lt;/body&gt;
&lt;/html&gt;

Hint: You ignored the apostrophes i added in the second half of the query. Apostrophes go around string values. Backticks go around field names or table names.

Anytime mysql hits a non-reserved-word-string that isnt inside quotes (single or double) or backticks, it assumes you meant a field name or table name.