I’m trying to write someting into the DB using PHP but if I try to use mysql_real_escape_string() I don’t get any errors but nothing gets saved into the DB and I don’t know why =/ specially because I did the same on another PHP file and it worked perfectly…
<?php if(isset($_POST['reporte'])) $falla = $_POST['reporte']; else $falla = ''; if(!isset($falla)){ echo '<font color='red'>Intentó enviar una forma vacía. Por favor intente de nuevo.</font>'; }else{ $fecha = mysql_real_escape_string(stripslashes($_POST['fecha'])); $usuario = mysql_real_escape_string(stripslashes($_POST['usuario'])); connection... $sql = 'INSERT INTO $tbl_name(usuario, comentario, fecha, estado) VALUES('$usuario','$falla','$fecha', '0')' or die('mysql_error()'); now I don’t check if ‘fecha’ or ‘usuario’ are empty since they are sent via a hidden field in the form.
Edit
I did the switch there’s still no error and nothing gets into the db =/ I’m looking at the documentation, but I’m puzzled because I’ve done this before the exact same way and it worked…haha…
Edit 2
Yes I have a
mysql_query($sql) or die('Error SQL !'.$sql.'<br>'.mysql_error()); Yes I’ve set the $tbl_name along with the connection in:
$host='localhost'; $username='user'; $password='pass'; $db_name='cosa'; $tbl_name='reportes'; and I’ve done the check in the database monitor and printed it…it returns OK… however, what do you mean by ‘sanitizing’ $falla? I recognize the injection, but I’m quite new with php per se.
Edit 3
I use die just to test, however there are no errors displayed it functions smoothly just won’t insert a thing if I use ‘mysql_real_escape_string()’
Edit 4
This is my current code:
<?php if(isset($_POST['reporte'])) $falla = $_POST['reporte']; else $falla = ''; if(!isset($falla)){ echo '<font color='red'>Intentó enviar una forma vacía. Por favor intente de nuevo.</font>'; }else{ $host='localhost'; // Host name $username='user'; // Mysql username $password='pass'; // Mysql password $db_name='cosa'; // Database name $tbl_name='reportes'; // Table name // To protect MySQL injection $fecha = mysql_real_escape_string(stripslashes($_POST['fecha'])); $usuario = mysql_real_escape_string(stripslashes($_POST['usuario'])); $falla = mysql_real_escape_string(stripslashes($falla)); $db = mysql_connect($host, $username, $password) or die('Cannot Connect '.mysql_error()); mysql_select_db($db_name) or die('Cannot select DB '.mysql_error()); $sql = 'INSERT INTO $tbl_name(usuario, comentario, fecha, estado) VALUES('$usuario','$falla','$fecha', '0')' or die('mysql_error()'); mysql_query($sql) or die('Error SQL !'.$sql.'<br>'.mysql_error()); header('location:../../user/usuario.php'); mysql_close(); } ?> That’s the complete one, and also changed according to the recommendations I’ve been getting here…still not getting anything into the DB…
I think you may need to open the mysql connection prior to using mysql_real_escape_string. See the documentation.
EDIT
Try this, but what are the datatypes on your table? Are all the fields (usuario, comentario, fecha, estado) strings? That’s what your insert statement is saying, I believe.