Comment Box Error - Error, insert query failed
Posted: Mon Jun 04, 2007 4:04 pm
by reyes99
I am getting an error: "Error, insert query failed" when writing to a SQL database text-type field from a PHP form.
When they use special characters in the comment box it gives them "Error, insert query failed."
Is there any way to clean up the text, for example if they use "have'nt" or any other illegal characters?
I don't want it to prompt them, I just want it to save the text without the characters.
Thanks
Ralph
Posted: Mon Jun 04, 2007 4:06 pm
by guitarlvr
Posted: Mon Jun 04, 2007 4:13 pm
by reyes99
Sorry, I am new to PHP.
How would I use that to write the comment field to the database? This is how I am saving it to the database:
$query = "INSERT INTO survey (ps_no, name, dept, comptype, ans1, ans2, ans3, ans4, ans5, ans6, ans7, ans8, pc_comm, lap_comm)
VALUES ('$psno', '$name', '$dept', '$comtype', '$ans1', '$ans2', '$ans3', '$ans4', '$ans5', '$ans6', '$ans7', '$ans8', '$pccomm', '$lapcomm')";
The comment fields are $pccomm and $lapcomm
Thanks
Ralph
Posted: Mon Jun 04, 2007 4:17 pm
by RobertGonzalez
Post the code that sets those vars.
Posted: Mon Jun 04, 2007 4:18 pm
by maliskoleather
Code:
$query = "INSERT INTO survey (ps_no, name, dept, comptype, ans1, ans2, ans3, ans4, ans5, ans6, ans7, ans8, pc_comm, lap_comm)
VALUES ('$psno', '$name', '$dept', '$comtype', '$ans1', '$ans2', '$ans3', '$ans4', '$ans5', '$ans6', '$ans7', '$ans8', '".mysql_real_escape_string($pccomm)."', '".mysql_real_escape_string($lapcomm."')";
The only reason I only escaped the two variables you posted is because I have no idea what the others are. You should escape ANY variable that is user-submitted.
Posted: Mon Jun 04, 2007 4:26 pm
by RobertGonzalez
Every one of those insert variables should be run through mysql_real_escape_string().
Posted: Mon Jun 04, 2007 4:31 pm
by reyes99
Thanks maliskoleather,
I tried that but now I am getting this error:
PHP Parse error: syntax error, unexpected ';' in C:\Inetpub\wwwroot\delltest\addrec.php on line 37
line 37 is :
VALUES '$psno', '$name', '$dept', '$comtype', '$ans1', '$ans2', '$ans3', '$ans4', '$ans5', '$ans6', '$ans7', '$ans8', '".mysql_real_escape_string($pccomm)."', '".mysql_real_escape_string($lapcomm."')";
I don't see anything wrong??
Thanks
Posted: Mon Jun 04, 2007 4:35 pm
by maliskoleather
Whoops. Typo on my part.
Code:
mysql_real_escape_string($lapcomm)."')";
is what it should be
Posted: Mon Jun 04, 2007 4:46 pm
by reyes99
Great that worked!!!
Thank you all for your help.
Posted: Mon Jun 04, 2007 4:48 pm
by RobertGonzalez
I'd still like to reiterate... since you are inserting, everything that is going into the table that could be supplied, or manipulated, by a user should be run through mysql_real_escape_string().
Posted: Mon Jun 04, 2007 6:14 pm
by superdezign
Everah wrote: I'd still like to reiterate... since you are inserting, everything that is going into the table that could be supplied, or manipulated, by a user should be run through mysql_real_escape_string().
I escape all data that goes into databases, just in case, somehow, I make an error somewhere or add quotes or something into a string.... Not just user input. Is that too much?
Posted: Mon Jun 04, 2007 6:25 pm
by RobertGonzalez
I wouldn't say so. I think it is always better to err on the side of caution.
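Added example, not code from any poster in this thread: the same survey insert with every one of the 14 fields bound as a parameter, so an apostrophe in a comment can never end the SQL string. It swaps the thread's mysql_real_escape_string() (the mysql_* functions were removed in PHP 7.0) for PDO prepared statements; the saveSurvey() helper, the in-memory SQLite database and the sample form values are assumptions made so the example runs on its own.

```php
<?php
// Added example: column names are taken from the thread's INSERT statement.
// saveSurvey() is a hypothetical helper; SQLite is used only so this runs offline.
$columns = ['ps_no', 'name', 'dept', 'comptype', 'ans1', 'ans2', 'ans3', 'ans4',
            'ans5', 'ans6', 'ans7', 'ans8', 'pc_comm', 'lap_comm'];

function saveSurvey(PDO $pdo, array $columns, array $form): void
{
    // One named placeholder per column; the SQL text never contains user data.
    $placeholders = array_map(function ($c) { return ':' . $c; }, $columns);
    $sql = 'INSERT INTO survey (' . implode(', ', $columns) . ') VALUES ('
         . implode(', ', $placeholders) . ')';
    $stmt = $pdo->prepare($sql);
    foreach ($columns as $c) {
        // A field missing from the form is stored as an empty string.
        $value = isset($form[$c]) ? (string) $form[$c] : '';
        $stmt->bindValue(':' . $c, $value, PDO::PARAM_STR);
    }
    $stmt->execute();
}

$pdo = new PDO('sqlite::memory:');
// Throw exceptions instead of failing silently with "insert query failed".
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE survey (' . implode(' TEXT, ', $columns) . ' TEXT)');

// Constructed stand-in for the submitted form, including the characters
// that broke the original query.
$form = [
    'ps_no' => '1042', 'name' => "O'Brien", 'dept' => 'IT', 'comptype' => 'laptop',
    'ans1' => '5', 'ans2' => '4', 'ans3' => '3', 'ans4' => '5',
    'ans5' => '2', 'ans6' => '4', 'ans7' => '5', 'ans8' => '1',
    'pc_comm'  => "I haven't had any problems",
    'lap_comm' => "Battery won't last; the \"fix\" didn't help",
];

saveSurvey($pdo, $columns, $form);

// Read the row back: the comments are stored exactly as typed.
$row = $pdo->query('SELECT name, pc_comm, lap_comm FROM survey')->fetch(PDO::FETCH_ASSOC);
print_r($row);
```

Against a MySQL database only the DSN passed to `new PDO` changes; the prepare, bind and execute steps stay the same.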