
I want to insert into a MySQL database from a webpage using PHP, but when I try to use variables it does not work (it works just fine if I use something, but not while using $something).

Here is the code:

mysqli_query($con,"INSERT INTO Atendido (idPaciente,idDoctor,fecha,costo,tipoAtencion) values ('".$_GET['iddoctor']."', '".$_GET['idpacient']."', '".$_GET['date']."', '".$_GET['amount']."', '".$_GET['description']."')");

and the data comes from another page with this form:

<form action="thanks/index.php" method="get">
    <span class="largetext">ID. doctor</span><br/>
    <input type="password" name="iddoctor"><br/>
    <span class="largetext">ID. patient</span><br/>
    <input type="password" name="idpatient"><br/>
    <span class="largetext">Date</span><br/>
    <input type="date" name="date"><br/>
    <span class="largetext">Amount</span><br/>
    <input type="number" name="amount"><br/>
    <span class="largetext">Description</span><br/>
    <input type="text" name="description"><br/><br/>
    <input type="submit" value="Accept" style="background-color:#FF5F00; color:#FFFFFF; opacity: 0.77;">
</form>

Thank you! To everyone who noted the SQL injection problem, I will also have a look at that.

It now works, here is the corrected code:

mysqli_query($con,"INSERT INTO Atendido (idPaciente,idDoctor,fecha,costo,tipoAtencion) VALUES ('".$_GET['idpatient']."', '".$_GET['iddoctor']."','".$_GET['date']."', '".$_GET['amount']."', '".$_GET['description']."')");
Comments:

  • Holy SQL injection Batman! Commented Nov 15, 2013 at 1:46
  • I wait for the first comment: YOU ARE VULNERABLE TO SQL INJECTION Commented Nov 15, 2013 at 1:46
  • Check your date format; a wrong date format may cause the insert to fail. Commented Nov 15, 2013 at 1:51
  • Have you actually looked for an error message? Check the return value of mysqli_query, and if it's false look at mysqli_error($con). I bet it says you have a syntax error. Commented Nov 15, 2013 at 1:53
  • For one thing, you have $_GET['idpacient'] and name="idpatient", so no match. I believe you wanted to use $_GET['idpatient'] or name="idpacient" (take your pick), so that alone, I do believe, will put things to a grinding halt. Commented Nov 15, 2013 at 1:55

3 Answers


As discussed with the OP, you have $_GET['idpacient'] and name="idpatient", so no match.

I believe you wanted to use $_GET['idpatient'] or name="idpacient"

Take your pick on which one to correct.


The fields are in the wrong order:

Atendido (idPaciente, idDoctor
VALUES ('".$_GET['iddoctor']."', '".$_GET['idpacient']."'

change to:

"INSERT INTO Atendido (idPaciente,idDoctor,fecha,costo,tipoAtencion)
 VALUES ('".$_GET['idpacient']."', '".$_GET['iddoctor']."',
 '".$_GET['date']."', '".$_GET['amount']."', '".$_GET['description']."')")

Comments:

  • The fields may be in the wrong order, but that shouldn't prevent the INSERT occurring.
  • It can, for example a foreign key violation.
  • It now works, thank you all. I will also take a look at SQL injection.

Your INSERT syntax makes little sense as it is:

mysqli_query($con,"INSERT INTO Atendido (idPaciente,idDoctor,fecha,costo,tipoAtencion) values ('".$_GET['iddoctor']."', '".$_GET['idpacient']."', '".$_GET['date']."', '".$_GET['amount']."', '".$_GET['description']."')");

I would suggest you do the following—and use sprintf—to make formatting easier:

$insert_query = sprintf("INSERT INTO Atendido (idPaciente,idDoctor,fecha,costo,tipoAtencion) values ('%s','%s','%s','%s','%s')", $_GET['iddoctor'], $_GET['idpacient'], $_GET['date'], $_GET['amount'], $_GET['description']);
mysqli_query($con,$insert_query);

What is nice about sprintf is it allows you to easily separate formatting logic from the data itself. Think of it as a small-scale templating system.

Also, I would even suggest taking it one step further by doing this:

// Whitelist of keys to read from the request. Note these are the table's
// column names, so the form fields would have to be renamed to match them.
$data_keys = array('idPaciente','idDoctor','fecha','costo','tipoAtencion');
$data_values = array();
foreach($data_keys as $key) {
  // Keep only keys that are present in $_GET and non-empty
  $value = array_key_exists($key, $_GET) && !empty($_GET[$key]) ? $_GET[$key] : null;
  if (!empty($value)) {
    $data_values[$key] = $value;
  }
}
if (!empty($data_values)) {
  // Column list and value list are built from the same filtered array,
  // so they always line up
  $insert_query = sprintf("INSERT INTO Atendido (%s) values ('%s')", implode(',', array_keys($data_values)), implode("','", $data_values) );
  echo $insert_query;   // debug output: shows the exact query being run
  mysqli_query($con,$insert_query);
}

That way you have a process to filter the $_GET values and make the creation of the INSERT easier to understand regardless of how many values you have.
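The sprintf version above is easier to read, but it still pastes the raw $_GET values into the SQL text, so it has the same injection problem the comments on the question pointed out, and the comment about checking the return value of mysqli_query and looking at mysqli_error($con) applies to it just as much. The following is an added example, not code from the question or from any of the answers, showing the same insert done with a mysqli prepared statement, input validation and error reporting. It assumes $con is an open mysqli connection (PHP 7.1 or later for the array destructuring), that the form field names are the ones in the question (idpatient, iddoctor, date, amount, description), and that the Atendido columns are integer ids, a DATE, a DECIMAL amount and a VARCHAR description; the column types and the function names are assumptions made for the example.

```php
<?php
// Added example, not from the original question or answers.
// Assumes $con is an open mysqli connection to the database that holds the
// Atendido table from the question. Column types (int ids, DATE fecha,
// DECIMAL costo, VARCHAR tipoAtencion) are assumed.

// Make mysqli throw on any error so a failed INSERT cannot pass silently.
// This replaces checking the return value and calling mysqli_error by hand.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Form field name => table column. Writing the mapping down once avoids the
// name="idpatient" vs $_GET['idpacient'] mismatch that broke the original.
$fields = [
    'idpatient'   => 'idPaciente',
    'iddoctor'    => 'idDoctor',
    'date'        => 'fecha',
    'amount'      => 'costo',
    'description' => 'tipoAtencion',
];

// Read and validate the request values; throws on anything missing or malformed.
function readAtendidoInput(array $get, array $fields): array
{
    foreach (array_keys($fields) as $name) {
        if (!isset($get[$name]) || $get[$name] === '') {
            throw new InvalidArgumentException("Missing form field: $name");
        }
    }
    $idPatient = filter_var($get['idpatient'], FILTER_VALIDATE_INT);
    $idDoctor  = filter_var($get['iddoctor'],  FILTER_VALIDATE_INT);
    $amount    = filter_var($get['amount'],    FILTER_VALIDATE_FLOAT);
    // <input type="date"> submits YYYY-MM-DD. Reject anything else here
    // (including 2013-02-30, which the round trip below catches) instead of
    // letting MySQL coerce a bad date, one of the causes suggested in the comments.
    $date = DateTime::createFromFormat('!Y-m-d', $get['date']);
    if ($idPatient === false || $idDoctor === false || $amount === false
        || $date === false || $date->format('Y-m-d') !== $get['date']) {
        throw new InvalidArgumentException('Invalid id, amount or date');
    }
    return [$idPatient, $idDoctor, $date->format('Y-m-d'), $amount, (string) $get['description']];
}

// Insert one row with a prepared statement; returns the number of rows inserted.
function insertAtendido(mysqli $con, array $get, array $fields): int
{
    [$idPatient, $idDoctor, $date, $amount, $description] = readAtendidoInput($get, $fields);

    // Placeholders instead of string concatenation: the values travel separately
    // from the SQL text, so a description such as O'Brien or ' OR '1'='1 is
    // stored as plain data and can never change the statement.
    $stmt = $con->prepare(
        'INSERT INTO Atendido (idPaciente, idDoctor, fecha, costo, tipoAtencion)
         VALUES (?, ?, ?, ?, ?)'
    );
    // i = int, s = string, d = double, in column order
    $stmt->bind_param('iisds', $idPatient, $idDoctor, $date, $amount, $description);
    $stmt->execute();
    $inserted = $stmt->affected_rows;
    $stmt->close();
    return $inserted;
}

// Usage from thanks/index.php, which receives the form's values in $_GET:
try {
    $rows = insertAtendido($con, $_GET, $fields);
    echo $rows === 1 ? 'Saved.' : 'Nothing was inserted.';
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo 'Bad input: ', htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
} catch (mysqli_sql_exception $e) {
    // Log the real error server-side; do not echo database errors to the browser.
    error_log('INSERT into Atendido failed: ' . $e->getMessage());
    http_response_code(500);
    echo 'Could not save the record.';
}
```

One thing worth changing in the form itself as well: it submits with method="get", so the doctor and patient ids typed into the two password fields end up in the URL, the browser history and the web server's access log. Switching the form to method="post" and reading $_POST instead of $_GET in the code above keeps them out of all three.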
