This question already has an answer here:
In my webpage, I ask a user to fill out a form specifying their age, race, gender, and state. Upon submission, the data is submitted to the same page and the page will process it with the following code to submit it to a database (all database login info is faked in this example):
<?php
if($_COOKIE['infoGiven']==true){
$con=mysql_connect('localhost','asasdfasd','asdf','asdfasdf');
if($_COOKIE['like']==true){
$sql="INSERT INTO LIKE(state, age, gender, race)
VALUES(\'".$_POST["state"]."\'".$_POST["age"]."\'".$_POST["gender"]."\'".$_POST["race"].")";
$con->query($sql);
}
if($_COOKIE['like']!=true){
$sql="INSERT INTO DISLIKE(state, age, gender, race)
VALUES(\'".$_POST["state"]."\'".$_POST["age"]."\'".$_POST["gender"]."\'".$_POST["race"].")";
$con->query($sql);
}
}
?>
This should simply submit the user data to the database, but instead I receive a blank page with a "500" error. There is no code inside the . Keep in mind that, prior to form submission, the page renders properly.
</div>
You're missing the commas in your insert statement; you also don't have to escape single quotes when you're utilizing double quotes.
As your code is right now, you're trying to insert one really concatenated string.
$sql="INSERT INTO LIKE(state, age, gender, race)
VALUES(\'".$_POST["state"]."\'".$_POST["age"]."\'".$_POST["gender"]."\'".$_POST["race"].")";
Should be:
$sql="INSERT INTO `LIKE`(state, age, gender, race)
VALUES('".$_POST["state"]."', '".$_POST["age"]."', '".$_POST["gender"]."', '".$_POST["race"]."')";
But that's to illustrate the punctuation issues with the parameters: don't use that code itself, because the alternatives are more secure and less deprecated.
Better version using mysqli prepared statements:
$db = new mysqli("DBHOST","DBUSERNAME","DBPASS","DBNAME");
$stmt = $db->prepare("INSERT INTO `LIKE`(state, age, gender, race) VALUES (?,?,?,?)");
$stmt->bind_param('i', $VALUE)
^ bind parameters like this. The first parameter is the type of the second parameter (integer in this case, 's' for string, etcetera). $VALUE is the variable to bind. The number of parameters bound has to match the numbers of placeholders/question marks; this prepared statement expects four.
To bind multiple parameters in one line, you can use the format bind_param('sss', $string1, $string2, $string3), to pick an example. Then:
$stmt->execute();
$stmt->close();
I'd also check your connection object to make sure it's successfully connecting to the database with the actual login information. Along with that, don't forget to sanitize/validate your input before it goes into the database. This covers it well.