```php
<!DOCTYPE html>
<html>
<head>
<title>Admin panel</title>
</head>
<body>
<form method="post" action="add.php">
Article title <br>
<input type="text" name="title"><br>
News text<br>
<textarea cols="40" rows="10" name="text"></textarea><br>
<input type="submit" name="add" value="Добавить"><br>
</form>
<?php
include_once("../includes/config/connect1.php");
if (isset($_POST['add'])) {
    $title = strip_tags(trim($_POST['title']));
    $text  = strip_tags(trim($_POST['text']));
    // note: both values end up inside ONE pair of quotes, so the row gets a single column value
    mysql_query(" INSERT INTO blog (title, text) VALUES ('$title, $text') ");
}
?>
</body>
</html>
```

- And why are the values inside a single pair of quotes, comma included? Never substitute values into the query text at all; use bind parameters: php.net/manual/ru/mysqli-stmt.bind-param.php - Mike
- I changed it and did everything ... - user234201
- pastebin.com/YzfVjuk2 pastebin.com/jSdfWXYw - user234201
- `INSERT INTO blog (title, text) VALUES ('$title', '$text')` - Akina
- php.net/manual/ru/intro.mysql.php . This extension has been deprecated since PHP 5.5.0, and has been removed from release 7.0.0. Use mysqli or PDO_MySQL instead. - E_p
3 answers
You have an error in the query; it needs to be corrected to:

```sql
INSERT INTO blog (title, text) VALUES ('$title', '$text')
```

But I do not advise this option, because it is open to SQL injection.

I would advise you to rewrite the code using mysqli (documentation).

Option with a prepared statement (procedural style):

```php
// Connect to the database
$link = mysqli_connect('localhost', 'my_user', 'my_password', 'world');
// Prepared statement
$stmt = mysqli_prepare($link, "INSERT INTO blog (title, text) VALUES (?, ?);");
// Assemble the query (bind the parameters)
mysqli_stmt_bind_param($stmt, "ss", $title, $text);
// Execute the query
mysqli_stmt_execute($stmt);
// Close the statement
mysqli_stmt_close($stmt);
```

Option with a prepared statement (OOP style):

```php
$mysqli = new mysqli($host, $user, $pass, $date_base);
// Prepare the query
if (!($stmt = $mysqli->prepare("INSERT INTO blog (title, text) VALUES (?, ?);"))) {
    // On error
    echo(date("H:i:s(dm)")." Exit->Error: PREPARE SQL INSERT");
}
/* Assemble the query (bind the parameters) */
if (!($stmt->bind_param("ss", $title, $text))) {
    // On error
    echo(date("H:i:s(dm)")." Exit->Error: SQL Bind Param (".$stmt->errno.") ".$stmt->error);
}
/* Execute the query */
if (!$stmt->execute()) {
    // On error
    echo(date("H:i:s(dm)")." Exit->Error: Не удалось выполнить запрос: (".$stmt->errno.") ".$stmt->error);
}
/* Close the statement */
$stmt->close();
```

In principle, you can remove the checks and get:

```php
$mysqli = new mysqli($host, $user, $pass, $date_base);
$stmt = $mysqli->prepare("INSERT INTO blog (title, text) VALUES (?, ?);");
$stmt->bind_param("ss", $title, $text);
$stmt->execute();
```

Sample code without mysqli is not desirable. Correct mysql_query for this option:

```php
mysql_query(" INSERT INTO blog (title, text) VALUES ('".mysql_real_escape_string($title)."', '".mysql_real_escape_string($text)."');");
```
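The other option named in the comments, PDO_MySQL, is not shown anywhere in this thread, so here is the question's add.php handler rewritten with it. This is an added example, not code from the asker or the answerer; the DSN, user and password are placeholders, and it assumes the same `blog` table with `title` and `text` columns. Errors throw a PDOException instead of failing silently the way the original mysql_query() call did.

```php
<?php
// Added example: add.php using PDO_MySQL with a prepared statement.
// Connection settings below are placeholders, not the asker's real config.
function connectBlogDb(): PDO {
    $dsn = 'mysql:host=localhost;dbname=world;charset=utf8mb4'; // placeholder DSN
    return new PDO($dsn, 'my_user', 'my_password', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // errors throw instead of returning false
        PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepare
    ]);
}

// Insert one post. The values are sent separately from the SQL text, so
// quotes or commas in $title / $text cannot change the statement.
function addPost(PDO $pdo, string $title, string $text): int {
    $stmt = $pdo->prepare('INSERT INTO blog (title, text) VALUES (:title, :text)');
    $stmt->bindValue(':title', $title, PDO::PARAM_STR);
    $stmt->bindValue(':text', $text, PDO::PARAM_STR);
    $stmt->execute();
    return (int) $pdo->lastInsertId();
}

if (isset($_POST['add'])) {
    $title = strip_tags(trim($_POST['title'] ?? ''));
    $text  = strip_tags(trim($_POST['text'] ?? ''));
    if ($title === '' || $text === '') {
        http_response_code(400);
        exit('Title and text are required');
    }
    try {
        $id = addPost(connectBlogDb(), $title, $text);
        echo 'Added post #' . $id;
    } catch (PDOException $e) {
        // Keep the driver message in the server log; do not echo it to the browser.
        error_log('blog insert failed: ' . $e->getMessage());
        http_response_code(500);
        exit('Could not save the post');
    }
}
```

With ERRMODE_EXCEPTION you no longer need a `die(mysql_error())` to find out why an insert did nothing; the failure surfaces in the log immediately.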
Friends, thank you to everyone who helped. I found the mistake by appending die(mysql_error()) and understood what the error was.

PS: I'm new to PHP.
Try this:

```php
// mysqli_query() takes the connection as its first argument
// ($link is assumed to come from the include in the question)
mysqli_query($link, " INSERT INTO blog (title, text) VALUES ('".$title."', '".$text."') ");
```