Comment Box Error - Error, insert query failed

Posted: Mon Jun 04, 2007 4:04 pm
by reyes99
I am getting an error: "Error, insert query failed" when writing to a SQL database text type field from a PHP form.

When they use special characters in the comment box it gives them "Error, insert query failed."

Is there any way to clean up the text, for example if they use "have'nt" or any other illegal characters?

I don't want it to prompt them; I just want it to save the text without the characters.


Thanks

Ralph

Posted: Mon Jun 04, 2007 4:06 pm
by guitarlvr

Posted: Mon Jun 04, 2007 4:13 pm
by reyes99
Sorry, I am new to PHP.

How would I use that to write the comment field to the database? This is how I am saving it to the database:

$query = "INSERT INTO survey (ps_no, name, dept, comptype, ans1, ans2, ans3, ans4, ans5, ans6, ans7, ans8, pc_comm, lap_comm)
VALUES ('$psno', '$name', '$dept', '$comtype', '$ans1', '$ans2', '$ans3', '$ans4', '$ans5', '$ans6', '$ans7', '$ans8', '$pccomm', '$lapcomm')";

The comment fields are $pccomm and $lapcomm


Thanks

Ralph

Posted: Mon Jun 04, 2007 4:17 pm
by RobertGonzalez
Post the code that sets those vars.

Posted: Mon Jun 04, 2007 4:18 pm
by maliskoleather

Code: Select all

$query = "INSERT INTO survey (ps_no, name, dept, comptype, ans1, ans2, ans3, ans4, ans5, ans6, ans7, ans8, pc_comm, lap_comm) 
          VALUES ('$psno', '$name', '$dept', '$comtype', '$ans1', '$ans2', '$ans3', '$ans4', '$ans5', '$ans6', '$ans7', '$ans8', '".mysql_real_escape_string($pccomm)."', '".mysql_real_escape_string($lapcomm."')";
The only reason I only escaped the two variables you posted is because I have no idea what the others are. You should escape ANY variable that is user-submitted.

Posted: Mon Jun 04, 2007 4:26 pm
by RobertGonzalez
Every one of those insert variables should be run through mysql_real_escape_string().

Posted: Mon Jun 04, 2007 4:31 pm
by reyes99
Thanks maliskoleather,

I tried that but now I am getting this error:

PHP Parse error: syntax error, unexpected ';' in C:\Inetpub\wwwroot\delltest\addrec.php on line 37

line 37 is :
VALUES '$psno', '$name', '$dept', '$comtype', '$ans1', '$ans2', '$ans3', '$ans4', '$ans5', '$ans6', '$ans7', '$ans8', '".mysql_real_escape_string($pccomm)."', '".mysql_real_escape_string($lapcomm."')";

I don't see anything wrong??

Thanks

Posted: Mon Jun 04, 2007 4:35 pm
by maliskoleather
Whoops. Typo on my part.

Code: Select all

mysql_real_escape_string($lapcomm)."')";
is what it should be

Posted: Mon Jun 04, 2007 4:46 pm
by reyes99
Great, that worked!!!

Thank you all for your help.

Posted: Mon Jun 04, 2007 4:48 pm
by RobertGonzalez
I'd still like to reiterate... since you are inserting, everything that is going into the table that could be supplied, or manipulated, by a user should be run through mysql_real_escape_string().

Posted: Mon Jun 04, 2007 6:14 pm
by superdezign
Everah wrote: I'd still like to reiterate... since you are inserting, everything that is going into the table that could be supplied, or manipulated, by a user should be run through mysql_real_escape_string().
I escape all data that goes into databases, just in case, somehow, I make an error somewhere or add quotes or something into a string.... Not just user input. Is that too much?

Posted: Mon Jun 04, 2007 6:25 pm
by RobertGonzalez
I wouldn't say so. I think it is always better to err on the side of caution.
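
The insert from this thread rewritten with bound parameters, as an added example that is not part of any post: the values travel separately from the SQL text, so an apostrophe in a comment cannot end the string literal, and every field is covered at once. PDO is swapped in here for the mysql_* functions used in the thread (that extension was removed in PHP 7.0). The in-memory SQLite database, the column types and the form values are assumptions constructed for the example.

```php
<?php
// Added example: bound parameters instead of string-built SQL.
// Assumption: in-memory SQLite stands in for the thread's MySQL database so the
// script runs offline; against MySQL only the DSN and credentials would differ.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Column names are taken from the thread's INSERT; the TEXT type is assumed.
// This list is fixed in code and is never built from user input.
$columns = ['ps_no', 'name', 'dept', 'comptype', 'ans1', 'ans2', 'ans3', 'ans4',
            'ans5', 'ans6', 'ans7', 'ans8', 'pc_comm', 'lap_comm'];
$pdo->exec('CREATE TABLE survey (' . implode(' TEXT, ', $columns) . ' TEXT)');

// Constructed form submission; in addrec.php these would come from $_POST.
$form = [
    'ps_no'    => '1042',
    'name'     => "O'Brien",
    'dept'     => 'IT',
    'comptype' => 'laptop',
    'ans1'     => '5',
    'pc_comm'  => "I have'nt had any problems",
    'lap_comm' => 'Battery won\'t hold a charge; "sleep" fails \\ too',
];

// One named placeholder per column: :ps_no, :name, ...
$placeholders = implode(', ', array_map(fn($c) => ":$c", $columns));
$sql = 'INSERT INTO survey (' . implode(', ', $columns) . ") VALUES ($placeholders)";
$stmt = $pdo->prepare($sql);

// Bind every field, not only the two comment boxes.
// Fields missing from the submission are stored as empty strings.
$params = [];
foreach ($columns as $c) {
    $params[":$c"] = (string) ($form[$c] ?? '');
}
$stmt->execute($params);

// Read the row back to confirm quotes and backslashes were stored verbatim.
$row = $pdo->query('SELECT name, pc_comm, lap_comm FROM survey')
           ->fetch(PDO::FETCH_ASSOC);
print_r($row);
var_dump($row['pc_comm'] === $form['pc_comm']);
var_dump($row['lap_comm'] === $form['lap_comm']);
```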