I am developing website and the funny thing is that I can insert data to all table except one of my table.
PHP PART
function newproperty(){
global $link;
if(isset($_POST['sendprop']) && $_POST['agree'] == 'Yes'){
$name=mysqli_real_escape_string($link,$_POST['name']);
$owner=mysqli_real_escape_string($link,$_POST['owner']);
$tel=mysqli_real_escape_string($link,$_POST['tel']);
$email=$_SESSION['cust_user'];
$type=$_POST['type'];
$loc=$_POST['location'];
$address=mysqli_real_escape_string($link,$_POST['address']);
$bed=$_POST['bed'];
$price=$_POST['price'];
$descrip=mysqli_real_escape_string($link,$_POST['desc']);
$temp = explode(".", $_FILES["pic"]["name"]);
$thumb = round(microtime(true)) . '.' . end($temp);
move_uploaded_file($_FILES["pic"]["tmp_name"], 'assets/propthumb/'.$thumb);
$query="insert into property
(prop_name, prop_email, prop_owner,
prop_tel, prop_type, prop_location,
prop_bed, prop_price, prop_thumb,
prop_desc, prop_address)
values
('$name','$email','$owner',
'$tel','$type','$loc',
'$bed','$price','$thumb',
'$descrip','$address')";
$run=mysqli_query($link,$query);
if($run){
echo"<script>alert('Property has been inserted successfully');</script>";
echo"<script>window.open('list.php','_self');</script>";
}
}
}
HTML PART
<form action="submit.php" method="post" enctype="multipart/form-data">
<div class="container bgsearch shadow">
<div class="container-fluid ">
<br>
<div class="row">
<div class="col-lg-10 col-lg-offset-1">
<img src="assets/images/hero1.png" class=" img-responsive">
</div>
</div>
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<h3 class="wtxt text-center">Submit Property</h3>
<br>
<hr id="hr">
</div>
</div>
<div class="row">
<div class="col-lg-6 col-lg-offset-3">
<a href="list.php" class="form-control btn btn-success btn-block">List of my properties</a>
<br>
</div>
</div>
<div class="row">
<div class="col-lg-2"></div>
<div class="col-lg-4">
<input type="text" class="form-control btn-block" name="name" placeholder="Property Name">
<input type="text" class="form-control btn-block" name="owner" placeholder="Owner Name">
<input type="tel" class="form-control btn-block" name="tel" placeholder="Owner Telephone Number">
<select class=" btn-block form-control" name="type" required>
<option value='...'>...</option>
</select>
<select class=" btn-block form-control" name="location" required>
<option value='...'>...</option>
.
</select>
<input type="text" class="form-control btn-block" name="address" placeholder="Address">
<input type="number" name="bed" class=" btn-block form-control" placeholder="Bedroom" min="0">
</div>
<div class="col-lg-4">
<input type="number" name="price" class=" btn-block form-control" placeholder="Price (TL)" step="25" min="200">
<lable class="wtxt"><h5><b>Property Thumbnail Image</b></h5></lable>
<input type="file" class="form-control btn-block" name="pic" accept="image/*">
<textarea class="form-control btn-block" name="desc" rows="6" required></textarea>
<div class="checkbox">
<label>
<input type="checkbox" name="agree" value="Yes"> Agree With Terms & Conditions
</label>
</div>
</div>
<div class="col-lg-2"></div>
</div>
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<input type="submit" class="form-control btn btn-warning btn-block" name="sendprop" value="Submit">
</div>
</div>
<br><br>
</div>
</div>
</form>
<?php newproperty(); ?>
What I have tried and still does not work are: 1. Drop table and make new one 2. change name of my table 3. change insert into... values to insert into.. set... 4. ....
Please help me as soon as you can.
Handle an error condition, e.g.
if($run){
// whatever
} else {
echo "<script>alert('SQL error: "
. htmlspecialchars(mysqli_error($link))
. "');</script>"
}
As to figuring out why the statement isn't working, for debugging, emit the SQL text and test that in a different client.
You're calling mysqli_real_escape_string function on some values, but not on others. So, your SQL INSERT statement is still vulnerable to SQL Injection.
A better pattern is to use a prepared statement with bind placeholders. It's really not that hard.