Why is data not inserted in this code into my database? I suspect a SQL Error

Question

UPDATED QUESTION

Previous Question: Why is data not inserted in this code into my database?

---

Current Error recieved:
INSERT command denied to user ''@'localhost' for table 'all'

Here is the PHP/HTML code,

<?php
/*
    Assignment Form
    by Rohan Verma,
    alias RHNVRM.
*/
// Initialisation
        include('config.php');    
// End Initialisation
?>
<!DOCTYPE html>
<html>
<head>
<!-- ... -->
<title>Assignment</title>
</head>
<body>
<form action="submit.php" method="post">
<label>Roll No:</label>
<select name="roll">
<optgroup label="Choose your Roll Number">
<?php
    // Generator for options
for ($i = 1; $i <= 20; $i++) {
    echo "<option value = '$i'>$i</option>";
}
    //End
?>
</optgroup>
</select>
<label>Your Name: </label> <input type="text" name="u_name"/>
<br />
<label>Name of Person: </label> <input type="text" name="p_name"/>
<br />
<label>About Him:</label>
<br />
<textarea style="width:350px;" name="p_text"></textarea>
<br />
<input type="submit" />
</form>
</body>
</html>

Here is the submission code.

<?php
/* 
    Submission 
    by RHNVRM
    +For Project for Assignment
*/

$roll_no = $_POST['roll'];
$u_name  = $_POST['u_name'];
$p_name  = $_POST['p_name'];
$p_text  = $_POST['p_text'];

$sql = "INSERT INTO `sv_assign`.`all` (`roll`, `name`, `person`, `about`)
     VALUES (".(int)$roll_no .", " . 
               mysql_real_escape_string($u_name) . ", " . 
               mysql_real_escape_string($p_name) . ", ".
               mysql_real_escape_string($p_text) . ");";

mysql_query($sql) or die(mysql_error());

mysql_close() or die
?>

config.php

<?php
$dbhost = 'localhost';
$dbuser = 'root';
$dbpass = '*********';

$conn = mysql_connect($dbhost, $dbuser, $dbpass) or die('Error connecting to mysql');

$dbname = 'sv_assign';
mysql_select_db($dbname);
?>

Answer 1

Some times when we use form tag in HTML code , then we should use method post in form tag .I experienced this problem .

Answer 2

It seems there are 2 issues here:

1. INSERT command denied to user ''@'localhost' for table 'all' - this means that the DB user you are connecting from does not have permissions to run INSERT. Read here or contact your server administrator. In fact, this error is weird because you are connection using "root" user.

2. In your INSERT query, you have not enclosed the string values in quotes.

   $sql = "INSERT INTO sv_assign.all (roll, name, person, about) VALUES (" . (int)$roll_no . ", '" . mysql_real_escape_string($u_name) . "', '" . mysql_real_escape_string($p_name) . "', '" . mysql_real_escape_string($p_text) . "'");

Hope this helps.

Answer 3

This \'$roll_no\' should be just '$roll_no'. Same for the rest. What's happening is it's becoming the sample below. You're using double quotes to wrap your query string so no need to escape the single quotes inside.

VALUES (\'value\', \'value\', \'value\', \'value\');

**EDIT**

Sanitize your code to avoid SQL injections by using mysql_real_escape_string or use PDO for handling queries better. Refer to @Daok for the mysql_real_escape_string reminder.

Note: This is an answer prior to the OP updating the question with an error in the query.

Answer 4

Remove mysql_real_escape_string for the variable $roll_no. Just make sure It's an int when inserting it. You can just do (int)$roll_no. If It's a string, it will be converted to 0, so no worries.

Answer 5

$sql = "INSERT INTO `sv_assign`.`main` (`roll`, `name`, `person`, `about`)
 VALUES (\'$roll_no\', \'$u_name\', \'$p_name\', \'$p_text\');";

Should be changed to :

    $sql = "INSERT INTO `sv_assign`.`main` (`roll`, `name`, `person`, `about`)
     VALUES (".mysql_real_escape_string($roll_no) .", " . 
               mysql_real_escape_string($u_name) . ", " . 
               mysql_real_escape_string($p_name) . ", " .
               mysql_real_escape_string($p_text) . ");";

The mysql_real_escape_string is a good habit to not have SQL injection.