php sql insert problem

Posted: Tue Aug 18, 2009 8:14 pm
by midboss
I have a form which contains two input tags of type text and two textarea tags. They accept a name, contact info, problem and requirements. The following code is the form's action page.

<?php
// Read the four form fields straight out of the POST body.
$name = $_POST['name'];
$contactinfo = $_POST['contactinfo'];
$problem = $_POST['problem'];
$requirements = $_POST['requirements'];
 
// Connect as root with an empty password and pick the database.
$connect = mysql_connect("localhost", "root", "");
mysql_select_db("elektrisolutionsdb", $connect);
// The four values are interpolated into the SQL text with no quotes around
// them; this is the query that produces the error message quoted below.
$insert_query = "insert into workrequests(date,name,contactinfo,problem,requirements) VALUES(NOW(),$name, $contactinfo, $problem, $requirements)";
$sql = mysql_query($insert_query) or die("SQL ERROR: ".mysql_error());
 
if($sql) {
    echo "<p>Thank you for submitting a work request form to Elektri.</p>";
    }
else {
    echo "<p>An error has occurred. Your work request has not been processed.</p>";
    }
    
?>
 
Unfortunately my mysql_error() call is saying "SQL ERROR: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '@hotmail.com, computer crashes, use vb.net)' at line 1". I tried inputting an email address without the @ symbol to see if that was the only problem and it returned "SQL ERROR: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'crashes, use vb.net)' at line 1".

The database is comprised of an int id column, two varchar columns for the name and contact info, two text columns for the problem and requirements, and a date column for the time it was processed.

I am using XAMPP's mysql and apache for this.

My two questions are these:
Am I not supposed to use a textarea tag inside of a form?
How do I handle the @ symbol inside of an insert?

Re: php sql insert problem

Posted: Tue Aug 18, 2009 8:34 pm
by jackpf
Try running mysql_real_escape_string() on your post data.

Re: php sql insert problem

Posted: Tue Aug 18, 2009 9:05 pm
by aceconcepts
Firstly I do believe 'date' is a MySql reserved word.

Secondly, try enclosing your value variables in single quotes, e.g. '$var'

Re: php sql insert problem

Posted: Tue Aug 18, 2009 9:52 pm
by jackpf
aceconcepts wrote: Firstly I do believe 'date' is a MySql reserved word.

Secondly, try enclosing your value variables in single quotes, e.g. '$var'
Oh yeah, I didn't even notice that lol. I just saw he wasn't escaping data, and by the nature of the error I just assumed that was the problem...

If date is indeed a reserved word, you can get round that by quoting it with backticks (`).

Re: php sql insert problem

Posted: Thu Aug 20, 2009 11:24 am
by midboss
The php website says mysql_real_escape_string() only works for escaping \x00, \n, \r, \, ', " and \x1a. I don't quite understand why any of those character sequences would require escaping but I tried it anyway and then removed it after I tried aceconcepts' solution of putting single quotes around the value variables. I also changed my column name to datesent.

Thank you aceconcepts.

Re: php sql insert problem

Posted: Thu Aug 20, 2009 11:28 am
by jackpf
They require escaping because you'll get the smurf hacked out of you if you don't.

Also, your query will break if anyone enters any of those characters.

Re: php sql insert problem

Posted: Thu Aug 20, 2009 12:31 pm
by midboss
Oh. I'll include them then. Thank you.

Re: php sql insert problem

Posted: Thu Aug 20, 2009 1:06 pm
by jackpf
:)

You should do so with all user-supplied data when using it in queries.

A quick google of SQL injection should explain why in more depth.
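As an added example that is not part of the thread above, the following Python script runs the four ways of building the INSERT that the replies discuss (midboss's unquoted version, aceconcepts's quoted version, jackpf's quoted-and-escaped version, and a parameterised query) against an in-memory SQLite database. SQLite stands in for XAMPP's MySQL so the script runs offline: NOW() becomes datetime('now'), and SQLite escapes a single quote by doubling it where mysql_real_escape_string would backslash it. The table layout follows the thread (with the column renamed to datesent); the users table, its "constructed-secret" row, the sample inputs and all function names are constructed for this example.

```python
import sqlite3

# Constructed inputs (not data from the forum post), modelled on the thread:
# the benign row mirrors the values visible in the reported error message, the
# second carries the apostrophe jackpf warned about, and the third is an
# injection that copies a value from another table into the 'name' column.
FIELDS = ("name", "contactinfo", "problem", "requirements")
BENIGN = dict(zip(FIELDS, ("Alice", "alice@hotmail.com", "computer crashes", "use vb.net")))
APOSTROPHE = dict(zip(FIELDS, ("O'Brien", "ob@example.com", "it's slow", "none")))
INJECT = dict(zip(FIELDS, ("x' || (SELECT password FROM users) || '", "", "", "")))

# datetime('now') is SQLite's stand-in for MySQL's NOW().
INSERT_PREFIX = ("INSERT INTO workrequests(datesent,name,contactinfo,problem,requirements) "
                 "VALUES(datetime('now'), ")


def make_db():
    """Fresh in-memory database with the thread's table plus a constructed
    table that the work-request form should never be able to read."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE workrequests(id INTEGER PRIMARY KEY, datesent TEXT, "
                 "name TEXT, contactinfo TEXT, problem TEXT, requirements TEXT)")
    conn.execute("CREATE TABLE users(username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES('admin', 'constructed-secret')")
    return conn


def insert_unquoted(conn, f):
    """midboss's original query: values interpolated with no quotes."""
    conn.execute(INSERT_PREFIX + "{name}, {contactinfo}, {problem}, {requirements})".format(**f))


def insert_quoted(conn, f):
    """aceconcepts's fix: wrap each value in single quotes, nothing else."""
    conn.execute(INSERT_PREFIX + "'{name}', '{contactinfo}', '{problem}', '{requirements}')".format(**f))


def sqlite_escape(s):
    """SQLite's string escape: double every single quote. mysql_real_escape_string
    backslash-escapes instead, but the principle (neutralise the quote that would
    end the literal) is the same."""
    return s.replace("'", "''")


def insert_escaped(conn, f):
    """jackpf's fix: quote AND escape each value."""
    safe = {k: sqlite_escape(v) for k, v in f.items()}
    conn.execute(INSERT_PREFIX + "'{name}', '{contactinfo}', '{problem}', '{requirements}')".format(**safe))


def insert_param(conn, f):
    """Parameterised query: user data is bound separately and never becomes
    part of the SQL text, so no quoting or escaping is needed."""
    conn.execute(INSERT_PREFIX + "?, ?, ?, ?)", tuple(f[k] for k in FIELDS))


def try_insert(strategy, f):
    """Run one strategy on a fresh database.
    Returns ('ok', stored_name) or ('error', message) if the query failed."""
    conn = make_db()
    try:
        strategy(conn, f)
    except sqlite3.OperationalError as e:
        return ("error", str(e))
    return ("ok", conn.execute("SELECT name FROM workrequests").fetchone()[0])


if __name__ == "__main__":
    for strategy in (insert_unquoted, insert_quoted, insert_escaped, insert_param):
        for label, f in (("benign", BENIGN), ("apostrophe", APOSTROPHE), ("inject", INJECT)):
            print(f"{strategy.__name__:16} {label:10} -> {try_insert(strategy, f)}")
```

The unquoted query fails on every input, which is the syntax error in the first post. Quoting alone fixes the benign row but still breaks on O'Brien and, worse, lets the injected name pull the admin password out of the users table into the work request. Quoting plus escaping and the parameterised query both store every input literally; the parameterised form is the one to carry back to PHP (mysqli_prepare with bind_param, or PDO::prepare), since the mysql_* functions used in the thread were removed in PHP 7.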