[SOLVED] Can't insert @ or . in my database

Draco_03
Forum Regular
Posts: 577
Joined: Fri Aug 15, 2003 12:25 pm
Location: Montreal, Canada


Post by Draco_03 »

Code: Select all

$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$company = $_POST['company'];
$email = $_POST['mail'];
				
mysql_query("INSERT INTO user VALUES('', $firstname, $lastname, $company, $email)")or die(MySQL_Error());
I tested just typing 1 in every one of my 4 fields, it works.

My table fields are all VARCHAR except my id, which is INT auto increment.

As soon as I try entering a character (like @ or .) it gives me the following error:

Code: Select all

You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near '@com)' at line 1
Any hints?
Last edited by Draco_03 on Wed Mar 21, 2007 1:09 pm, edited 1 time in total.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Missing quotes; several of them. Missing SQL injection prevention too.

Post by Draco_03 »

feyd wrote: Missing quotes; several of them. Missing SQL injection prevention too.
SQL injection prevention, you mean error trapping, i.e. email verification?
Because I will be adding it.

My problem is fixed (missing quotes have been added).
Thank you Feyd

Post by feyd »

Validation, verification and sanitation are all a part of the efforts.

mysql_real_escape_string() needs to be used at minimum.

Post by Draco_03 »

Alright, other than my email validation I'll add

Code: Select all

if (!get_magic_quotes_gpc())
{
       $email = mysql_real_escape_string($email);
}
Thank you

Post by feyd »

Just so we're clear, mysql_real_escape_string() needs to be done to all values you are passing to MySQL.

Post by Draco_03 »

thx for clearing that up
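
Added example (not part of the thread and not the posters' code): the same four-column INSERT written with a PDO prepared statement plus email validation. This is a different technique from the mysql_real_escape_string() approach discussed above, since the mysql_* functions were removed in PHP 7.0. The in-memory SQLite database, the insert_user() helper and the sample values are assumptions made so the snippet runs offline.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7+ with pdo_sqlite;
// an in-memory SQLite database stands in for the poster's MySQL server.
// With MySQL only the DSN changes, e.g. 'mysql:host=...;dbname=...'.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE user (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    firstname VARCHAR(64), lastname VARCHAR(64),
    company VARCHAR(64), email VARCHAR(128))');

// Hypothetical helper: validates the address, then inserts all four values.
function insert_user(PDO $pdo, array $in): int
{
    $email = filter_var($in['mail'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        throw new InvalidArgumentException('invalid email address');
    }
    // Placeholders send every value separately from the SQL text, so '@', '.'
    // and quote characters are stored as data and never parsed as SQL.
    $stmt = $pdo->prepare(
        'INSERT INTO user (firstname, lastname, company, email)
         VALUES (:firstname, :lastname, :company, :email)'
    );
    $stmt->execute([
        ':firstname' => $in['firstname'] ?? '',
        ':lastname'  => $in['lastname'] ?? '',
        ':company'   => $in['company'] ?? '',
        ':email'     => $email,
    ]);
    return (int) $pdo->lastInsertId();
}

// Constructed sample input standing in for $_POST.
$post = [
    'firstname' => 'Pat',
    'lastname'  => "O'Neil",             // a quote character in the data
    'company'   => 'Example, Inc.',
    'mail'      => 'pat@example.com',    // '@' and '.' as in the question
];
$id  = insert_user($pdo, $post);
$get = $pdo->prepare('SELECT firstname, lastname, company, email FROM user WHERE id = ?');
$get->execute([$id]);
print_r($get->fetch(PDO::FETCH_ASSOC));
try {
    insert_user($pdo, ['mail' => 'not-an-address'] + $post);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The first call stores and prints the row unchanged, including the apostrophe; the second is rejected by validation before any SQL runs.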