Draco_03
Forum Regular
Posts: 577 Joined: Fri Aug 15, 2003 12:25 pm
Location: Montreal, Canada
by Draco_03 » Wed Mar 21, 2007 12:48 pm
Code:
$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$company = $_POST['company'];
$email = $_POST['mail'];
mysql_query("INSERT INTO user VALUES('', $firstname, $lastname, $company, $email)")or die(MySQL_Error());
I tested by just typing 1 in every one of my 4 fields; it works.
My table fields are all VARCHAR except my id, which is INT auto increment.
As soon as I try entering a character (like @ or .) it gives me the following error:
Code:
You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near '@com)' at line 1
Any hints?
Last edited by Draco_03 on Wed Mar 21, 2007 1:09 pm, edited 1 time in total.
feyd
Neighborhood Spidermoddy
Posts: 31559 Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA
by feyd » Wed Mar 21, 2007 12:55 pm
Missing quotes; several of them. Missing SQL injection prevention too.
Draco_03
Forum Regular
Posts: 577 Joined: Fri Aug 15, 2003 12:25 pm
Location: Montreal, Canada
by Draco_03 » Wed Mar 21, 2007 1:09 pm
feyd wrote: Missing quotes; several of them. Missing SQL injection prevention too.
SQL injection prevention, you mean error trapping, i.e. email verification?
Because I will be adding it.
My problem is fixed (missing quotes have been added).
Thank you Feyd
feyd
Neighborhood Spidermoddy
Posts: 31559 Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA
by feyd » Wed Mar 21, 2007 1:21 pm
Validation, verification and sanitation are all a part of the efforts.
mysql_real_escape_string() needs to be used at minimum.
Draco_03
Forum Regular
Posts: 577 Joined: Fri Aug 15, 2003 12:25 pm
Location: Montreal, Canada
by Draco_03 » Wed Mar 21, 2007 1:48 pm
Alright, other than my email validation I'll add
Code:
// Escape only when magic_quotes_gpc has not already backslashed the input,
// otherwise the value would be escaped twice.
if (!get_magic_quotes_gpc())
{
$email = mysql_real_escape_string($email);
}
Thank you
feyd
Neighborhood Spidermoddy
Posts: 31559 Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA
by feyd » Wed Mar 21, 2007 2:02 pm
Just so we're clear,
mysql_real_escape_string() needs to be done to all values you are passing to MySQL.
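The two problems feyd points out (the missing quotes, and the lack of any injection prevention) are easiest to see side by side. The following is an added example, not code from the thread: it uses PDO with an in-memory SQLite database so it runs offline with no MySQL server, but the same PDO calls work against MySQL. The table layout follows the poster's description (an auto-increment id plus four VARCHAR columns); the column names and the sample form values are assumptions.

```php
<?php
// Added example (not from the thread). PDO + in-memory SQLite so it runs
// offline; the table mirrors the poster's description.

function setupDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE user (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        firstname VARCHAR(64), lastname VARCHAR(64),
        company VARCHAR(64), email VARCHAR(128))');
    return $db;
}

// 1. The original pattern: form values interpolated straight into the SQL
//    text. With no quotes at all, anything but a bare number is a syntax
//    error (the "near '@com)'" message in the first post). With quotes added,
//    a value that itself contains a quote still terminates the literal early
//    and the statement fails, or, worse, means something else.
function insertUnsafe(PDO $db, array $f): void {
    $sql = "INSERT INTO user (firstname, lastname, company, email) "
         . "VALUES ('{$f['firstname']}', '{$f['lastname']}', "
         . "'{$f['company']}', '{$f['email']}')";
    $db->exec($sql);
}

// 2. Prepared statement: the SQL text is fixed and every value travels as a
//    bound parameter, so quotes or other characters in the input cannot
//    change the statement. This is the modern equivalent of what feyd
//    recommends (escape *every* value with mysql_real_escape_string()); the
//    mysql_* extension itself was removed in PHP 7.
function insertSafe(PDO $db, array $f): int {
    $stmt = $db->prepare(
        'INSERT INTO user (firstname, lastname, company, email) VALUES (?, ?, ?, ?)');
    $stmt->execute([$f['firstname'], $f['lastname'], $f['company'], $f['email']]);
    return (int) $db->lastInsertId();
}

// Constructed sample input: a perfectly legitimate surname with an apostrophe.
$form = ['firstname' => 'Ann', 'lastname' => "O'Brien",
         'company' => 'Example & Co.', 'email' => 'ann@example.com'];

$db = setupDb();

try {
    insertUnsafe($db, $form);
    echo "unsafe insert succeeded (unexpected)\n";
} catch (PDOException $e) {
    echo "unsafe insert failed: " . $e->getMessage() . "\n";
}

$id   = insertSafe($db, $form);
$stmt = $db->prepare('SELECT lastname, email FROM user WHERE id = ?');
$stmt->execute([$id]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
echo "safe insert stored: {$row['lastname']} <{$row['email']}>\n";
```

Running it, the first insert throws a syntax error on the apostrophe in O'Brien while the prepared statement stores the row unchanged. If you are stuck on the old mysql_* API, the rule from this thread still applies: wrap each value in quotes and pass it through mysql_real_escape_string() (which needs an open connection to know the charset) before building the string. The get_magic_quotes_gpc() check in the post above is only relevant on PHP versions that still have magic quotes; they were removed in PHP 5.4, after which the escaping should simply always be applied.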
Draco_03
Forum Regular
Posts: 577 Joined: Fri Aug 15, 2003 12:25 pm
Location: Montreal, Canada
by Draco_03 » Wed Mar 21, 2007 2:46 pm
Thanks for clearing that up