[SOLVED] Can't insert @ or . in my database
Posted: Wed Mar 21, 2007 12:48 pm
by Draco_03
Code:
// Raw POST values, copied straight into the query text with no quoting or escaping
$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$company = $_POST['company'];
$email = $_POST['mail'];
// The values are interpolated unquoted, so any non-numeric input becomes part of the SQL
mysql_query("INSERT INTO user VALUES('', $firstname, $lastname, $company, $email)")or die(MySQL_Error());
I tested just typing 1 in every one of my 4 fields; it works.
My table fields are all VARCHAR except my id, which is INT auto increment.
As soon as I try entering a character (like @ or .) it gives me the following error:
Code:
You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near '@com)' at line 1
Any hints?
Posted: Wed Mar 21, 2007 12:55 pm
by feyd
Missing quotes; several of them. Missing SQL injection prevention too.
Posted: Wed Mar 21, 2007 1:09 pm
by Draco_03
feyd wrote: Missing quotes; several of them. Missing SQL injection prevention too.
SQL injection prevention, you mean error trapping, i.e. email verification?
Because I will be adding it.
My problem is fixed (the missing quotes have been added).
Thank you, feyd.
Posted: Wed Mar 21, 2007 1:21 pm
by feyd
Validation, verification and sanitation are all a part of the efforts.
mysql_real_escape_string() needs to be used at minimum.
Posted: Wed Mar 21, 2007 1:48 pm
by Draco_03
Alright, other than my email validation I'll add
Code:
if (!get_magic_quotes_gpc())
{
$email = mysql_real_escape_string($email);
}
Thank you
Posted: Wed Mar 21, 2007 2:02 pm
by feyd
Just so we're clear,
mysql_real_escape_string() needs to be done to all values you are passing to MySQL.
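An added example, not code from the thread, showing the same INSERT at each stage of this discussion: the original unquoted query (which is what MySQL rejected), the quoted-but-unescaped query (which parses but is injectable), the escape-every-value version feyd calls the minimum, and a prepared statement. It uses mysqli rather than the mysql_* functions because the mysql extension was removed in PHP 7; the table layout, the connection details and the form input are all assumptions constructed for the example.

```php
<?php
// Added example, not code from the thread. Assumes a MySQL table
//   user(id INT AUTO_INCREMENT, firstname, lastname, company, email VARCHAR)
// and the connection details near the bottom; both are assumptions.

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of or die()

// Constructed form input. The e-mail is crafted so that a quoted-but-unescaped
// query closes the row early and appends a second, attacker-controlled row.
$post = [
    'firstname' => 'Jean',
    'lastname'  => 'Dupont',
    'company'   => 'Acme',
    'mail'      => "j@example.com'), ('', 'x', 'x', 'x', 'attacker@example.com",
];

// 1. The thread's original query: nothing is quoted, so MySQL reads
//    j@example.com as SQL and fails with "syntax ... near '@example.com ...'".
function broken_sql(array $p): string
{
    return "INSERT INTO user VALUES('', {$p['firstname']}, {$p['lastname']}, "
         . "{$p['company']}, {$p['mail']})";
}

// 2. Quotes added, nothing escaped (the state after "missing quotes have been
//    added"). This parses, but the crafted e-mail turns it into a two-row insert.
//    A plain apostrophe in a name (O'Neil) would instead break it with a syntax error.
function quoted_only_sql(array $p): string
{
    return "INSERT INTO user VALUES('', '{$p['firstname']}', '{$p['lastname']}', "
         . "'{$p['company']}', '{$p['mail']}')";
}

// 3. feyd's minimum: escape every value, on an open connection (the escaping
//    depends on the connection charset), and never on top of magic_quotes_gpc,
//    since stacking the two double-escapes the data (O\\'Neil).
function escaped_sql(mysqli $db, array $p): string
{
    $q = fn(string $v): string => "'" . $db->real_escape_string($v) . "'";
    return "INSERT INTO user VALUES('', " . $q($p['firstname']) . ', ' . $q($p['lastname'])
         . ', ' . $q($p['company']) . ', ' . $q($p['mail']) . ')';
}

// 4. The better fix: a prepared statement. The SQL text is fixed up front and
//    each value travels separately, so quoting is never the application's job.
function insert_user(mysqli $db, array $p): int
{
    $stmt = $db->prepare(
        'INSERT INTO user (firstname, lastname, company, email) VALUES (?, ?, ?, ?)'
    );
    $stmt->bind_param('ssss', $p['firstname'], $p['lastname'], $p['company'], $p['mail']);
    $stmt->execute();
    return $db->insert_id; // AUTO_INCREMENT id of the single row actually inserted
}

$db = new mysqli('localhost', 'app', 'secret', 'appdb'); // assumed credentials
$db->set_charset('utf8mb4');

echo broken_sql($post), "\n";       // the query MySQL rejected in the first post
echo quoted_only_sql($post), "\n";  // parses, but inserts two rows
echo escaped_sql($db, $post), "\n"; // one row; the crafted e-mail is stored as text
echo "inserted id ", insert_user($db, $post), "\n";
```

The `if (!get_magic_quotes_gpc())` guard in the post above exists only because magic quotes already add backslashes to incoming data, and escaping twice corrupts it. The dependable setup is to have magic quotes off and to bind or escape every value that reaches the query, which is the point feyd makes.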
Posted: Wed Mar 21, 2007 2:46 pm
by Draco_03
Thanks for clearing that up.