Monkuar Posted June 28, 2009

    for ($a=0;$a<$num;$a++) {
        $DB->query("INSERT INTO ibf_itemshop_inventory(productid,memberid,paid) VALUES(
            '". mysql_real_escape_string($product["productid"]) ."','". mysql_real_escape_string($ibforums->member["id"]) .",'". mysql_real_escape_string($product["price"]) ."')");
    }

I'm using mysql real escape against hackers.. but it's giving me an error:

    mySQL query error: INSERT INTO ibf_itemshop_inventory(productid,memberid,paid) VALUES( '10','1,'0')
    mySQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '0')' at line 1
    mySQL error code:
    Date: Sunday 28th 2009f June 2009 07:29:54 AM

RichardRotterdam Posted June 28, 2009

Just looking at the following query in your error, it seems you forgot a single quote:

    INSERT INTO ibf_itemshop_inventory(productid,memberid,paid) VALUES( '10','1','0')

And btw, if the ids are only supposed to be numbers/integers, you're better off checking if those values are indeed numbers/integers instead of using mysql_real_escape_string.

Monkuar (Author) Posted June 28, 2009

Is that a security risk? I use this for each variable, good enough?

    $id = $ibforums->input["id"];
    $num = $ibforums->input["num"];

    if (isset($id)){
        if (is_numeric($id)) {
        } else {
            die("Your ip has been saved in the Database and will be reported to your ISP.");
        }
    }

    if (isset($num)){
        if (is_numeric($num)) {
        } else {
            die("Your ip has been saved in the Database and will be reported to your ISP.");
        }
    }

My code is from 2002 but I enhance it a little each time.

wildteen88 Posted June 28, 2009

Having empty if statements is pointless. You're better off doing

    if (isset($ibforums->input["id"], $ibforums->input["num"]))
    {
        // stop if either value is not numeric
        if (!is_numeric($ibforums->input["id"]) || !is_numeric($ibforums->input["num"]))
        {
            die("Your ip has been saved in the Database and will be reported to your ISP.");
        }

        $id = $ibforums->input["id"];
        $num = $ibforums->input["num"];
    }

GingerRobot Posted June 28, 2009

Learn something new every day. I didn't know isset() could take a variable number of arguments.
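
Added example, not code from any post in this thread: the integer check suggested above, made strict with filter_var() (is_numeric() also accepts values such as "1e3" and "2.5", and $num drives the loop count), and going one step beyond the thread by using a prepared statement so there are no hand-written quotes to forget. Assumptions: PHP 7.1+ with the pdo_sqlite driver, an in-memory SQLite table standing in for the forum's MySQL table, whole-number prices, and the hypothetical names strict_int() and add_to_inventory() with a hypothetical quantity cap of 100.

```php
<?php
// Added example: strict integer validation plus a prepared INSERT.
// Assumptions: pdo_sqlite (in-memory DB stands in for MySQL); the function
// names and the quantity cap of 100 are hypothetical.

/** Return $value as int if it is a plain decimal integer in [$min, $max], else null. */
function strict_int($value, int $min, int $max): ?int
{
    $opts = ['options' => ['min_range' => $min, 'max_range' => $max]];
    $int  = filter_var($value, FILTER_VALIDATE_INT, $opts);
    return $int === false ? null : $int;
}

/** Insert $num inventory rows for one product; returns the number of rows written. */
function add_to_inventory(PDO $db, $productId, $memberId, $price, $num): int
{
    $productId = strict_int($productId, 1, PHP_INT_MAX);
    $memberId  = strict_int($memberId, 1, PHP_INT_MAX);
    $price     = strict_int($price, 0, PHP_INT_MAX);
    $num       = strict_int($num, 1, 100);   // bounds the loop count
    if (in_array(null, [$productId, $memberId, $price, $num], true)) {
        return 0;                            // reject the whole request
    }
    // Placeholders carry the values, so the SQL text contains no quoting at all.
    $stmt = $db->prepare(
        'INSERT INTO ibf_itemshop_inventory (productid, memberid, paid) VALUES (?, ?, ?)'
    );
    for ($a = 0; $a < $num; $a++) {
        $stmt->execute([$productId, $memberId, $price]);
    }
    return $num;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE ibf_itemshop_inventory (productid INTEGER, memberid INTEGER, paid INTEGER)');

// Constructed sample values for "num"; is_numeric() accepts all but the last one.
foreach (['3', '1e3', '2.5', '1 OR 1=1'] as $num) {
    printf("%-12s is_numeric=%-5s rows=%d\n", var_export($num, true),
        var_export(is_numeric($num), true), add_to_inventory($db, '10', '1', '0', $num));
}
echo 'total rows: ', $db->query('SELECT COUNT(*) FROM ibf_itemshop_inventory')->fetchColumn(), "\n";
```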