Simple INSERT INTO Query won't work

Posted: Thu Oct 29, 2009 6:11 pm
by codemonkey
Hello Everyone,

This is likely the easiest problem to solve, however after hours of staring at this code I can't think anymore. The following query will not add my variables to my SQL database! However, an echo statement with the variables works fine.

$message = $_POST['message'];
$author = $_POST['author'];

$sql = "INSERT INTO Quotes (Quote, Author)
. VALUES ('$message', '$author')";

mysql_query($sql);


What am I missing?

Thank-you,
-Jonathan

Re: Simple INSERT INTO Query won't work

Posted: Thu Oct 29, 2009 6:18 pm
by John Cartwright
You have an errant period inside your query.

Code:

$sql = "INSERT INTO Quotes (Quote, Author)
. VALUES ('$message', '$author')";
to

Code:

$sql = "INSERT INTO Quotes (Quote, Author) VALUES ('$message', '$author')";
Secondly, you should consider using

Code:

mysql_query($sql) or die(mysql_error());
to determine why the query failed.

Thirdly, you should always pass your input through mysql_real_escape_string() to avoid SQL injection.

I.e.,

Code:

$message = mysql_real_escape_string($_POST['message']);
$author = mysql_real_escape_string($_POST['author']);
Fourthly, please use [code] tags when posting PHP code.
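
An added example, not code from this thread or its posters: it shows the SQL injection John is warning about, using the same Quotes (Quote, Author) table, and compares the string-escaping fix he suggests with a parameterized query. It uses Python's sqlite3 so it runs without a MySQL server; the three form submissions are constructed, and escape_sqlite_string is a toy stand-in for mysql_real_escape_string(), not the real function.

```python
import sqlite3

# Constructed form submissions standing in for $_POST. SQLite is used so the
# example runs offline; the injection mechanics are the same as with MySQL.
HONEST_POST = {"message": "Talk is cheap. Show me the code.", "author": "Linus Torvalds"}
# A legitimate quote containing an apostrophe breaks the interpolated query.
APOSTROPHE_POST = {"message": "Don't panic.", "author": "Douglas Adams"}
# The author field closes the intended VALUES tuple and appends a second one,
# so one form submission inserts a row the site owner never wrote.
HOSTILE_POST = {"message": "hello", "author": "x'), ('Buy pills at evil.example', 'admin"}


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Quotes (Quote TEXT, Author TEXT)")
    return conn


def quotes(conn):
    return conn.execute("SELECT Quote, Author FROM Quotes ORDER BY rowid").fetchall()


def vulnerable_insert(conn, post):
    """The thread's $sql: user input pasted straight into the statement text."""
    sql = "INSERT INTO Quotes (Quote, Author) VALUES ('%s', '%s')" % (
        post["message"], post["author"])
    conn.execute(sql)
    return quotes(conn)


def escape_sqlite_string(value):
    """Toy analogue of mysql_real_escape_string() for SQLite, where the only
    special character inside a string literal is the single quote, which is
    doubled. MySQL escaping also handles backslashes and is charset-aware,
    which is why the PHP function needs a live connection. Illustration only."""
    return value.replace("'", "''")


def escaped_insert(conn, post):
    """Same interpolated query, but every value is escaped first (John's advice)."""
    sql = "INSERT INTO Quotes (Quote, Author) VALUES ('%s', '%s')" % (
        escape_sqlite_string(post["message"]), escape_sqlite_string(post["author"]))
    conn.execute(sql)
    return quotes(conn)


def parameterized_insert(conn, post):
    """Placeholders: the driver sends the values separately from the SQL text,
    so no input can change the statement's structure."""
    conn.execute("INSERT INTO Quotes (Quote, Author) VALUES (?, ?)",
                 (post["message"], post["author"]))
    return quotes(conn)


def outcome(insert, post):
    """Run one insert against a fresh table and report ('ok', rows) or
    ('error', message), the information `or die(mysql_error())` surfaces."""
    conn = fresh_db()
    try:
        return ("ok", insert(conn, post))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))
    finally:
        conn.close()


if __name__ == "__main__":
    strategies = [("vulnerable", vulnerable_insert),
                  ("escaped", escaped_insert),
                  ("parameterized", parameterized_insert)]
    for name, insert in strategies:
        for post in (HONEST_POST, APOSTROPHE_POST, HOSTILE_POST):
            print(name, outcome(insert, post))
```

Run as a script it prints one line per strategy and input: the interpolated query fails on the apostrophe and stores two rows for the hostile input, while both the escaped and the parameterized versions store exactly the submitted text as a single row. In current PHP the mysql_* functions no longer exist; the equivalent of the parameterized version is a prepared statement with bound values via PDO or mysqli.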

Re: Simple INSERT INTO Query won't work

Posted: Thu Oct 29, 2009 8:52 pm
by codemonkey
Hi John,

Thank-you for your help, I appreciate it. From now on I will be sure to put my code within the code tags when making posts.

What does it mean to "avoid SQL injection"?