Jump to content

Cant figure why this mysql giving me a errorr?

Monkuar

By Monkuar
in PHP Coding Help

 Share

Recommended Posts

Monkuar Advanced Member

Monkuar

Posted
Posted 

for ($a=0;$a<$num;$a++)
    {
        $DB->query("INSERT INTO ibf_itemshop_inventory(productid,memberid,paid) VALUES( '". mysql_real_escape_string($product["productid"]) ."','". mysql_real_escape_string($ibforums->member["id"]) .",'". mysql_real_escape_string($product["price"]) ."')");
    }

 

im using mysql real escape against for hackers..

 

but it's giving me a error:

 

 

 

 

 

mySQL query error: INSERT INTO ibf_itemshop_inventory(productid,memberid,paid) VALUES( '10','1,'0')

 

mySQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '0')' at line 1

mySQL error code:

Date: Sunday 28th 2009f June 2009 07:29:54 AM

Link to comment
Share on other sites
RichardRotterdam Member

RichardRotterdam

Posted
Posted

just looking at the following query in your error it seems you forgot a single quote

 

INSERT INTO ibf_itemshop_inventory(productid,memberid,paid) VALUES( '10','1','0')

 

and btw if the id's are only suppose to be numbers/integers your better of checking if those values are indeed numbers/integers instead of using mysql_real_escape_string

Link to comment
Share on other sites
Monkuar Advanced Member

Monkuar

Posted
  • Author
Posted

Is that security risk?

 

I use this:

 

for each variable

good enough?

 

$id = $ibforums->input["id"];
$num = $ibforums->input["num"];
if (isset($id)){
if (is_numeric($id)) {

} else {
	die("Your ip has been saved in the Database and will be reported to your ISP.");
}
}
if (isset($num)){
if (is_numeric($num)) {

} else {
	die("Your ip has been saved in the Database and will be reported to your ISP.");
}
}

 

my code is from 2002 but i enchance it alittle each time :D

Link to comment
Share on other sites
wildteen88 Regular Member

wildteen88

Posted
Posted

Having empty if statements is pointless. You're better of doing

 

if (isset($ibforums->input["id"], $ibforums->input["num"])) {
    if(!is_numeric($ibforums->input["id"]) && !is_numeric($ibforums->input["num"])) {
        die("Your ip has been saved in the Database and will be reported to your ISP.");
   }

   $id = $ibforums->input["id"];
   $num = $ibforums->input["num"];
}

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.