I get this error:
Query failed: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' ,,)' at line 2
On this PHP code:
<?php
$id = $_POST['id'];
$longitude = $_POST['longitude'];
$latitude = $_POST['latitude'];
$timestamp = $_POST['stringFromDate'];
$link = mysql_connect('server', 'user', 'pass')
or die('Could not connect: ' . mysql_error());
mysql_select_db('db_name') or die('Could not select database');
// Performing SQL query
$query="INSERT INTO locatie (id, longitude, latitude, timestamp)
VALUES ($id, $longitude,$latitude,$timestamp)";
$result = mysql_query($query) or die('Query failed: ' . mysql_error());
echo "OK";
// Free resultset
mysql_free_result($result);
// Closing connection
mysql_close($link);
?>
Im a beginner, so i dont know what im doing wrong
EDIT: This is the code that writes to the php file:
- (void)myFuntionThatWritesToDatabaseInBackgroundWithLatitude:(NSString *)latitude longitude:(NSString *)longitude date:
(NSString *)stringFromDate {
_phonenumber = [[NSUserDefaults standardUserDefaults] objectForKey:@"phoneNumber"];
NSMutableString *postString = [NSMutableString stringWithString:kPostURL];
NSString*jsonString = [[NSString alloc] initWithFormat:@"{\"id\":\"%@\",\"longitude\":\"%@\",\"latitude\":\"%@\",\"timestamp\":\"%@\"}",_phonenumber, longitude , latitude, stringFromDate];
[postString appendString:[NSString stringWithFormat:@"?data=%@", jsonString]];
[postString setString:[postString stringByAddingPercentEscapesUsingEncoding:NSUTF8StringEncoding]];
NSMutableURLRequest *request = [[NSMutableURLRequest alloc] initWithURL:[NSURL URLWithString:postString ]];
[request setHTTPMethod:@"POST"];
[[NSURLConnection alloc] initWithRequest:request delegate:self ];
NSLog(@"Post String =%@", postString);
// LocationTestViewController*locationTestViewController = [[LocationTestViewController alloc]init];
// phonenumber = locationTestViewController.telefoonnummer;
NSLog(@"HERE1 : %@", _phonenumber);
}
Perhaps you should use another notation and prevent SQL injections.
The best way is to use prepared statements.
http://php.net/manual/de/pdo.prepared-statements.php
$id = $_POST['id'];
$longitude = $_POST['longitude'];
$latitude = $_POST['latitude'];
$timestamp = $_POST['stringFromDate'];
$stmt = $dbh->prepare("INSERT INTO locatie (id, longitude, latitude, timestamp) VALUES (?,?,?,?)");
$stmt->bindParam(1, $id);
$stmt->bindParam(2, $longitude);
$stmt->bindParam(3, $latitude);
$stmt->bindParam(4, $timestamp);
I really suggest, like @MichaelBerkowski said, that you check the content of your POST data. I'm pretty sure that one of these vars are totally empty :
$id = $_POST['id'];
$longitude = $_POST['longitude'];
$latitude = $_POST['latitude'];
$timestamp = $_POST['stringFromDate'];
Problem number 1: You are using the mysql_* functions. These have a red warning box telling you not to use them for a reason.
Problem number 2: You aren't escaping your data. This leaves you vulnerable to XSS attacks and SQL syntax errors caused by unexpected input.
Problem number 3: You aren't quoting your data in the SQL query.
All three of these problems can be solved by using prepared statements and parameterized queries which require a modern API (solving problem 1) and automatically quote and escape the data (solving problems 2 and 3).
you Need to add the quotes if they are text:
$query="INSERT INTO locatie (id, longitude, latitude, timestamp)
VALUES ($id, '$longitude','$latitude','$timestamp')";
You should put variables inside single '' Quote
$query="INSERT INTO locatie (id, longitude, latitude, timestamp) VALUES ('$id', '$longitude','$latitude','$timestamp')";