addslashes

Posted: Wed Aug 30, 2006 7:45 am
by rsmarsha
I'm trying to use addslashes in a query and am getting errors.

Code: Select all

"INSERT INTO mailing_lists (list_name,list_text) VALUES (".$_POST['list_name'].",".addslashes($stringnew)."";

Posted: Wed Aug 30, 2006 7:47 am
by s.dot
What errors are you getting? Your SQL syntax looks fine. Although it could be shortened to this:

Code: Select all

"INSERT INTO mailing_lists (list_name,list_text) VALUES (".$_POST['list_name'].",".addslashes($stringnew);
Also, you may want to insert single quotes around your values.

Code: Select all

"...VALUES('".$_POST['list_name']."','".addslashes($stringnew)."'";
Also, you might be interested in one of the string escaping functions like mysql_real_escape_string()

Posted: Wed Aug 30, 2006 8:40 am
by rsmarsha
The error I'm getting is:

Code: Select all

Query(Add): INSERT INTO mailing_lists (list_name,list_text) VALUES('slashes','test\\\'test\\\'test' FailedYou have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
Current query is :

Code: Select all

INSERT INTO mailing_lists (list_name,list_text) VALUES('".$_POST['list_name']."','".addslashes($stringnew)."'"

//it's wrapped in a small DB function like

db_query("INSERT INTO mailing_lists (list_name,list_text) VALUES('".$_POST['list_name']."','".addslashes($stringnew)."'", 'Add');

//but all other queries work in that manner and i've tried it alone, with same results.

Posted: Wed Aug 30, 2006 8:42 am
by volka
So it's not just a copy&paste error, you really forgot the closing )

Posted: Wed Aug 30, 2006 9:12 am
by rsmarsha
Oops. :oops: Well, I added that and still get errors. I even took the code down to:

Code: Select all

$i = "INSERT INTO mailing_lists (list_name) (".$_POST['list_name'].")";
$iq = mysql_query($i, $db_conn) or die("Query $i Failed".mysql_error());
I still get errors there too and I can't see why.

Posted: Wed Aug 30, 2006 9:23 am
by volka
Me neither... because you didn't post the new error message...

Posted: Wed Aug 30, 2006 9:39 am
by timvw
Shouldn't use addslashes but mysql_real_escape_string instead...

Assuming the two columns are of type (VAR)CHAR.. In that case you'd have to add quotes around the values too... So your query would become:

Code: Select all

$query = "INSERT INTO mailing_lists(list_name, list_text) VALUES ('" 
                  . mysql_real_escape_string($_POST['list_name']) 
                  . "', '" . mysql_real_escape_string($stringnew) 
                  . "');";

Posted: Thu Aug 31, 2006 2:47 am
by rsmarsha
Thanks, that works. :)

Now just have to work out how to format text entered into the db to work with the PHP mail function, or use swiftmail. :)

Posted: Thu Aug 31, 2006 3:22 am
by Jenk
You also need to accommodate for magic quotes.
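
Added example (not code from any poster in this thread): the doubled backslashes in the failed query above are consistent with addslashes() being applied to input that magic quotes had already escaped, and this sketch reproduces that, then undoes the magic-quotes layer once and inserts with bound parameters, a swapped-in technique in place of the mysql_real_escape_string() call suggested above. The helper names `raw_input_value` and `add_mailing_list`, the sample input, and the in-memory SQLite database (assumes the pdo_sqlite extension) are assumptions made for illustration.

```php
<?php
// Added example; helper names and sample input are hypothetical.

// Undo the slashes magic_quotes_gpc added to request data (PHP < 5.4 only).
function raw_input_value($value, $magicQuotesOn)
{
    return $magicQuotesOn ? stripslashes($value) : $value;
}

// Insert with bound parameters: the values are never spliced into the SQL
// text, so no quoting or escaping of the data is needed at all.
function add_mailing_list(PDO $db, $name, $text)
{
    $stmt = $db->prepare(
        'INSERT INTO mailing_lists (list_name, list_text) VALUES (:name, :text)'
    );
    $stmt->execute(array(':name' => $name, ':text' => $text));
}

// Constructed input: what the user typed, and what PHP hands the script
// when magic_quotes_gpc is on (one backslash before each quote).
$typed  = "test'test'test";
$quoted = addslashes($typed);

// Escaping the already-slashed value a second time triples the backslashes,
// which is the shape of the list_text value in the failed query.
echo addslashes($quoted), "\n";

// In-memory SQLite stands in for the MySQL table so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE mailing_lists (list_name TEXT, list_text TEXT)');

// On PHP < 5.4, pass get_magic_quotes_gpc() instead of the literal true.
add_mailing_list($db, 'slashes', raw_input_value($quoted, true));

// The stored text is byte-for-byte what the user typed, with no stray slashes.
$stored = $db->query('SELECT list_text FROM mailing_lists')->fetchColumn();
var_dump($stored === $typed);
```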