I want to insert some values into a MySQL database and thought it can't be that hard. However, I was wrong; maybe I am overlooking something simple.
This is my code:
$db = mysqli_connect("localhost", "*****", "*********", "usr_web633_3");
if(!$db)
{
    exit("Error: ".mysqli_connect_error());
}
$sql = "INSERT INTO anmeldungen ('ID', 'vorname', 'name', 'gender', 'str', 'hausnummer', 'telefon', 'gemeinde', 'vegetarier'')
VALUES ('id', 'vorname', 'name', 'gender', 'str', 'hausnummer', 'telefon', 'gemeinde', 'vegetarier')";
$sqlinsert = mysqli_query($db, $sql);
if($sqlinsert == true) {
    echo "works!";
}
else {
    echo "doesn't work:(";
}
It doesn't work like it should. The values are just placeholders.
Hope you can help!
Escape column and table names with backticks.
INSERT INTO `anmeldungen` (`ID`, vorname, name, gender, str, hausnummer, telefon, gemeinde, vegetarier)
VALUES (1, 'vorname', 'name', 'gender', 'str', 'hausnummer', 'telefon', 'gemeinde', 'vegetarier')
And you had one quote too many at the last column name. Use a single backtick instead. But actually you only need to escape reserved words in MySQL.
And watch out for your column data types. You can't insert a string into a number column. So id can probably only be a number.
And if your id is an auto-increment value then you should not provide a value at all. Use null or leave the column out of your insert statement completely.
INSERT INTO `anmeldungen` (`ID`, vorname, ...
VALUES (null, 'vorname', ...
You are using the wrong quotes for the columns. And there is a redundant quote at the end of your column list.
Try ` instead of ':
INSERT INTO anmeldungen
(`ID`, `vorname`, `name`, `gender`, `str`, `hausnummer`, `telefon`, `gemeinde`, `vegetarier`)
VALUES
('id', 'vorname', 'name', 'gender', 'str', 'hausnummer', 'telefon', 'gemeinde', 'vegetarier')
Stop using values and start using prepared statements. Quote from the PHP.net manual:
$link = mysqli_connect("localhost", "my_user", "my_password", "world");
/* check connection */
if (mysqli_connect_errno()) {
    printf("Connect failed: %s\n", mysqli_connect_error());
    exit();
}
$city = "Amersfoort";
if ($stmt = mysqli_prepare($link, "SELECT District FROM City WHERE Name=?")) {
    /* bind parameters for markers */
    mysqli_stmt_bind_param($stmt, "s", $city);
    /* execute query */
    mysqli_stmt_execute($stmt);
    /* bind result variables */
    mysqli_stmt_bind_result($stmt, $district);
    /* fetch value */
    mysqli_stmt_fetch($stmt);
    printf("%s is in district %s\n", $city, $district);
    /* close statement */
    mysqli_stmt_close($stmt);
}
And an update for the SQL on the prepared statement for inserting would be from here:
$stmt = $mysqli->prepare("UPDATE movies SET filmName = ?,
filmDescription = ?,
filmImage = ?,
filmPrice = ?,
filmReview = ?
WHERE filmID = ?");
$stmt->bind_param('sssdii',
$_POST['filmName'],
$_POST['filmDescription'],
$_POST['filmImage'],
$_POST['filmPrice'],
$_POST['filmReview'],
$_POST['filmID']);
$stmt->execute();
$stmt->close();
Make sure you escape your fields correctly using the methods above! This however doesn't mean that you shouldn't validate the input.
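The prepared-statement approach applied to the INSERT from the question, as an added example that is not code from any of the posts on this page. It assumes ID is an AUTO_INCREMENT column (so it is left out), that vegetarier is stored as 0/1 and the other columns are strings; the connection values, the length limit and the sample row are placeholders constructed for illustration.

```php
<?php
// Added example: column types and validation rules below are assumptions,
// the page does not give the table definition.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of returning false

/** Validate one registration and return its values in column order; throws on bad input. */
function validate_anmeldung(array $in): array
{
    $fields = ['vorname', 'name', 'gender', 'str', 'hausnummer', 'telefon', 'gemeinde'];
    $row = [];
    foreach ($fields as $f) {
        $v = trim((string)($in[$f] ?? ''));
        if ($v === '' || strlen($v) > 100) {          // assumed limit of 100 bytes
            throw new InvalidArgumentException("invalid value for $f");
        }
        $row[] = $v;
    }
    // Assumed encoding: vegetarier arrives as the string '0' or '1'.
    $veg = (string)($in['vegetarier'] ?? '0');
    if (!in_array($veg, ['0', '1'], true)) {
        throw new InvalidArgumentException('invalid value for vegetarier');
    }
    $row[] = (int)$veg;
    return $row;
}

/** Insert one row with bound parameters; ID is omitted so AUTO_INCREMENT assigns it. */
function insert_anmeldung(mysqli $db, array $in): int
{
    $row = validate_anmeldung($in);
    $stmt = $db->prepare(
        'INSERT INTO `anmeldungen`
            (vorname, name, gender, str, hausnummer, telefon, gemeinde, vegetarier)
         VALUES (?, ?, ?, ?, ?, ?, ?, ?)'
    );
    $stmt->bind_param('sssssssi', ...$row);           // 7 strings, 1 integer
    $stmt->execute();
    $id = (int)$db->insert_id;
    $stmt->close();
    return $id;
}

// Constructed sample input; in a form handler this would come from $_POST.
$sample = ['vorname' => 'Anna', 'name' => "O'Brien", 'gender' => 'f', 'str' => 'Hauptstr.',
           'hausnummer' => '12a', 'telefon' => '+41 00 000 00 00', 'gemeinde' => 'Bern',
           'vegetarier' => '1'];
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME'); // placeholders
$db->set_charset('utf8mb4');
echo 'inserted row ', insert_anmeldung($db, $sample), "\n";
```

The apostrophe in the sample name is stored as data because the values travel separately from the SQL text; only the column and table names, which are fixed in the source, are part of the statement.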
I think you made a mistake in the line
$sql = "INSERT INTO anmeldungen ('ID', 'vorname', 'name', 'gender', 'str', 'hausnummer', 'telefon', 'gemeinde', 'vegetarier'')
There are two quotes after vegetarier.
Correct it... it should work.