php sql insert problem

midboss
Forum Newbie
Posts: 3
Joined: Tue Aug 18, 2009 7:20 pm

php sql insert problem

Post by midboss »

I have a form which contains two input tags of type text and two textarea tags. They accept a name, contact info, problem and requirements. The following code is the form's action page.

<?php
$name = $_POST['name'];
$contactinfo = $_POST['contactinfo'];
$problem = $_POST['problem'];
$requirements = $_POST['requirements'];
 
$connect = mysql_connect("localhost", "root", "");
mysql_select_db("elektrisolutionsdb", $connect);
$insert_query = "insert into workrequests(date,name,contactinfo,problem,requirements) VALUES(NOW(),$name, $contactinfo, $problem, $requirements)";
$sql = mysql_query($insert_query) or die("SQL ERROR: ".mysql_error());
 
if($sql) {
    echo"<p>Thank you for submitting a work request form to Elektri.</p>";
    }
else {
    echo"<p>An error has occured. Your work request has not been processed.</p>";
    }
    
?>
 
Unfortunately my .mysql_error() code is saying "SQL ERROR: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '@hotmail.com, computer crashes, use vb.net)' at line 1". I tried inputting an email address without the @ symbol to see if that was the only problem and it returned "SQL ERROR: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'crashes, use vb.net)' at line 1"

The database is comprised of an int id column, two varchar columns for the name and contact info, two text columns for the problem and requirements, and a date column for the time it was processed.

I am using XAMPP's mysql and apache for this.

My two questions are these:
Am I not supposed to use a textarea tag inside of a form?
How do I handle the @ symbol inside of an insert?
jackpf
DevNet Resident
Posts: 2119
Joined: Sun Feb 15, 2009 7:22 pm
Location: Ipswich, UK

Re: php sql insert problem

Post by jackpf »

Try running mysql_real_escape_string() on your post data.
aceconcepts
DevNet Resident
Posts: 1424
Joined: Mon Feb 06, 2006 11:26 am
Location: London

Re: php sql insert problem

Post by aceconcepts »

Firstly I do believe 'date' is a MySQL reserved word.

Secondly try enclosing your value variables in single quotes e.g. '$var'
jackpf
DevNet Resident
Posts: 2119
Joined: Sun Feb 15, 2009 7:22 pm
Location: Ipswich, UK

Re: php sql insert problem

Post by jackpf »

aceconcepts wrote: Firstly I do believe 'date' is a MySQL reserved word.

Secondly try enclosing your value variables in single quotes e.g. '$var'

Oh yeah, I didn't even notice that lol. I just saw he wasn't escaping data, and by the nature of the error I just assumed that was the problem...

If date is indeed a reserved word, you can get round that by quoting it with backticks (`).
midboss
Forum Newbie
Posts: 3
Joined: Tue Aug 18, 2009 7:20 pm

Re: php sql insert problem

Post by midboss »

The php website says mysql_real_escape_string() only works for escaping \x00, \n, \r, \, ', " and \x1a. I don't quite understand why any of those character sequences would require escaping but I tried it anyway and then removed it after I tried aceconcepts' solution of putting single quotes around the value variables. I also changed my column name to datesent.

Thank you aceconcepts.
Last edited by midboss on Thu Aug 20, 2009 12:28 pm, edited 1 time in total.
jackpf
DevNet Resident
Posts: 2119
Joined: Sun Feb 15, 2009 7:22 pm
Location: Ipswich, UK

Re: php sql insert problem

Post by jackpf »

They require escaping cause you'll get the smurf hacked out of you if you don't.

Also, your query will break if anyone enters any of them characters.
midboss
Forum Newbie
Posts: 3
Joined: Tue Aug 18, 2009 7:20 pm

Re: php sql insert problem

Post by midboss »

Oh. I'll include them then. Thank you.
jackpf
DevNet Resident
Posts: 2119
Joined: Sun Feb 15, 2009 7:22 pm
Location: Ipswich, UK

Re: php sql insert problem

Post by jackpf »

:)

You should do so with all user supplied data when using them in queries.

A quick google of SQL injection should explain why in more depth.
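
The three ways of building the INSERT that come up in this thread (bare values, quoted values, and values kept out of the SQL text), as an added example that is not part of the original posts. It uses a PDO prepared statement in place of mysql_real_escape_string(); the in-memory SQLite database (a stand-in for the thread's MySQL server, needs the pdo_sqlite extension and PHP 7.4+) and the sample input are assumptions constructed for the example.

```php
<?php
// Added example. SQLite in memory stands in for the thread's MySQL server so the
// script runs offline; with MySQL only the PDO DSN and credentials would change.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE workrequests (
    id INTEGER PRIMARY KEY, datesent TEXT, name TEXT,
    contactinfo TEXT, problem TEXT, requirements TEXT)');

// Constructed sample input standing in for $_POST.
$post = [
    'name'         => "Pat O'Brien",
    'contactinfo'  => 'pat@example.com',
    'problem'      => 'computer crashes',
    'requirements' => 'use vb.net',
];

// Run one way of building the INSERT and report whether the database accepted it.
function attempt(string $label, callable $insert): bool {
    try {
        $insert();
        echo "$label: row inserted\n";
        return true;
    } catch (PDOException $e) {
        echo "$label: rejected (" . $e->getMessage() . ")\n";
        return false;
    }
}

// 1. As in the first post: values pasted in bare, so the parser reads them as SQL.
attempt('unquoted', fn() => $db->exec(
    "INSERT INTO workrequests (datesent, name, contactinfo, problem, requirements)
     VALUES (CURRENT_TIMESTAMP, {$post['name']}, {$post['contactinfo']},
             {$post['problem']}, {$post['requirements']})"));

// 2. Quotes added but no escaping: the apostrophe in O'Brien ends the string early.
attempt('quoted, unescaped', fn() => $db->exec(
    "INSERT INTO workrequests (datesent, name, contactinfo, problem, requirements)
     VALUES (CURRENT_TIMESTAMP, '{$post['name']}', '{$post['contactinfo']}',
             '{$post['problem']}', '{$post['requirements']}')"));

// 3. Prepared statement: values travel as bound parameters, never as SQL text.
attempt('prepared', function () use ($db, $post) {
    $stmt = $db->prepare(
        'INSERT INTO workrequests (datesent, name, contactinfo, problem, requirements)
         VALUES (CURRENT_TIMESTAMP, :name, :contactinfo, :problem, :requirements)');
    $stmt->execute($post); // array keys match the named placeholders
});
echo $db->query('SELECT name FROM workrequests')->fetchColumn(), "\n";
```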