Why the Value of form.AddField won't accept string

I want to send some data to my server…
so i make this C# code

IEnumerator SaveAllPlayerPrefs(string[] parms)
	{
		WWWForm form = new WWWForm();

		form.AddField("bone" , value);

		WWW webRequest = new WWW(db_url + "SaveAllPlayerPref.php", form);

		yield return webRequest;
	}

And i have php code for recieving that

<?php
 
    $sql_connect = mysql_connect("localhost", "root", "") or die ("no DB Connection");
    
    mysql_select_db("example") or die ("DB not found");

    $bone = $_POST['bone'];
    
    mysql_query("INSERT INTO save_game (bone) VALUES ($bone);");

    mysql_close($sql_connect);
?>

The problem is when i try this code it works nicely, but it when the value is still int.
when i change the value into string type, it can’t send to database, and my unity is crash,

later i try to change the value to char, i try to send

‘a’
but when i do that in database its not saving ‘a’ instead its saving 97, the ASCI value…

I dont’t understand what’s wrong with this, and in my database in server, i set the value is varchar(100)…

please help me and thx before :slight_smile:

I can’t imagine why Unity would crash, but I can understand why your PHP code would fail. When you’re using SQL, strings are required to be surrounded by single quotes, and you’re neither escaping nor cleaning your input.

What you have is:

mysql_query("INSERT INTO save_game (bone) VALUES ($bone);");

but what you need is:

mysql_query("INSERT INTO save_game (bone) VALUES ('$bone');");

Note the addition of single quotes surrounding the variable.

I presume that when the PHP code encountered a fatal error and threw an Exception, it either output nothing, causing Unity to hang, or output an Exception, which Unity caught and rethrew.

A couple of side notes:

-The reason sending a char worked is because chars are represented as small integers internally. You were using the (varName, int) version of the command instead of the (varName, string) one.

-You should almost certainly clean your input strings before inserting them into your database. This means you need to check them for single quotes and semi-colons at the very least. Why? Because if someone (somehow) put the value of "');DELETE FROM save_game WHERE ('1=1" or something similar, you don’t want that to get run as it is. Look into PDO as HasrhadK mentions; this does it for you automatically if you use the right methods.