Home/ Questions/Q 7856639
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-02T20:46:21+00:00

I am having issues inserting this into my database I think tis when I

  • 0

I am having issues inserting this into my database I think tis when I try to convert my prdocutPrice string or stock string into decimal and int values. I am pretty certain I am doing the rest right can someone confirm for me?

<?php 

    if (isset($_POST['addSubmitted'])) {

        $errors = array();
        require_once ('mysql_connect.php');

            //This gets all the other information from the form 
            $name=$_POST['productName']; 
            $description=$_POST['productDescription']; 
            $price= floatval($_POST['productPrice']); 
            $stock= intval($_POST['productStock']);


        if (empty($errors)) {
            //Writes the information to the database 
            mysql_query("INSERT INTO products (name, description, price, stock) VALUES ($name, $description, $price, $stock)"); 
            $result = mysql_query($query);

            if (mysql_affected_rows() == 1) {
                // Show thank you message
                echo '<span style="color:green;">Your product has been added.</span>';
            } else {
                echo '<font color="red">We were unable to add your product to the database.</font>';
            }

        } else {
            echo '<font color="red"><h3>Error!</h3>
            The following error(s) occured:<br /></font>';

            foreach ($errors as $msg) {
                echo " - <font color=\"red\">$msg</font><br />\n";
            }
        }
    }

?>
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    None of your string values are correctly quoted in the INSERT statement. Surround them in single quotes.

    Also, first thing’s first — be sure to call mysql_real_escape_string() on all the string input values, as they are currently vulnerable to SQL injection attacks.

    $name = mysql_real_escape_string($_POST['productName']); 
$description= mysql_real_escape_string($_POST['productDescription']); 
$price= floatval($_POST['productPrice']); 
$stock= intval($_POST['productStock']);

    Further, you are calling mysql_query() twice instead of storing the SQL string into your variable $query.

    // Quote the string values,
// store the SQL as a variable then pass it to mysql_query()
$query = "INSERT INTO products (name, description, price, stock) VALUES ('$name', '$description', $price, $stock)"; 
$result = mysql_query($query);

    A call to echo mysql_error(); would have helped to debug the problems with your SQL statement.

    Finally, one more note I’ll add – in addition to calling intval() or floatval() on strings passed from $_POST, it is usually a good idea to verify that the numbers are actually numbers. Otherwise if they are non numeric values, they will be cast to 0 and you’ll get zeros in your database when you probably shouldn’t have inserted it at all (since it is invalid data).

    if (is_numeric($_POST['productPrice'])) {
   $price = floatval($_POST['productPrice']);
}
else // non numeric value, don't do the insert with bad data

    For positive or zero integers, I like to use ctype_digit():

    if (ctype_digit($_POST['productStock'])) {
  $stock = intval($_POST['productStock']);
}
else // bad input value, don't do insert
    • 0