[SOLVED] mysql_query Error

[Cetanu]

For some reason, it's telling me that this is wrong:

 

<?php

if($_SESSION['username']=="Admin" || $_SESSION['user_id']=="Chris P" || $_SESSION['user_id']=="Cetanu"){ 
echo "<br/><br/><form action='shop.php' method='post'> 
<strong>Adding an Item</strong><br/><br/> 
Name: <input type='text' maxlength='30' name='name'/><br/> 
Description:<br/> <textarea rows='5' cols='50' name='description'>Be sure to remember the +attack, -attack, etc.</textarea><br/>
Quantity: <input type='text' name='quant'/><br/>
Price: <input type='text' name='price'/> <br/>
<select name='species'> 
<option value='Predator'>Predator</option>
<option value='Alien'>Alien</option> 
<option value='Marine'>Marine</option> 
</select><br/> 
<input type='submit' name='add' value='Confirm Add'/> | <input type='reset' value='Reset'/>
</form> ";
  

if(isset($_POST['add'])){ 
if(!$_POST['name'] || !$_POST['description'] || !$_POST['price'] || !$_POST['quant'] || !$_POST['species']){
   echo "<script>alert('Try Again, and fill in all fields.'); location='shop.php';</script>"; 
} 
   include "db.php"; 
   mysql_query("INSERT INTO shop (item_name, item_description, price, quantity, species) 
   VALUES(`'{$_POST['name']}'` , `'{$_POST['description']}'` , `'{$_POST['price']}'` , `'{$_POST['quant']}'` , `'{$_POST['species']}'`") or die(mysql_error()); 
  echo "<script>alert('Item Added');</script>"; 
  } 
} 
else{ 
echo ""; 
} 
?>

 

When I enter my information it tells me there is an error in my syntax, but I've done this before and it usually works fine.

[trq]

You have both ` and ' around your values. Remove the `backticks`.

 

and ps: You should seriously take a look at mysql_real_escape_string, your database is begging to be broken into.

[Cetanu]

It tells me there's an error anyway after I take out the `````

 

 

I dunno how to USE mysql_real_escape_string() what goes in the () part?

[trq]

Post your actual error.

 

I dunno how to USE mysql_real_escape_string() what goes in the () part?

 

All user inputted data needs to be sanitized (and should also be validated) before going into a query.

 

$price = mysql_real_escape_string($_POST['price']); // now use $price in your query.

[Cetanu]

Oh, simple enough, then. I'll do that.

 

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 2

[trq]

Put your query into a variable end echo it so we can see the results.

[Cetanu]

Okay.

 

 

By the way, new error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'A ranged weapon that ensnares and kills enemies in a metal net. Attack +5 Honor ' at line 2

 

>_> I'll go echo it into a variable.

 

UPDATE:

 

$query = mysql_query("INSERT INTO shop (item_name, item_description, price, quantity, species) 
   VALUES('{$name}' , '{$description}' , '{$price}' , '{$quant}' , '{$species}'") or die(mysql_error()); 
echo $query; 

 

 

Yields nothing, just the error, which has changed back to the first one.

[mikesta707]

Put the query string in a variable, not the query action itself. all that will do is either return a mysql resource, or return false.

 

$query = "INSERT INTO shop (item_name, item_description, price, quantity, species)
   VALUES('{$name}' , '{$description}' , '{$price}' , '{$quant}' , '{$species}'";

echo $query;

 

But I don't think you need to wrap your variables with curly brackets ("{}") unless they are arrays. try getting rid of those curly brackets

[Cetanu]

After removing the {} it echoed my query back to me (because I removed mysql_query() )

 

But then, when I put the mysql_query back on, it gives me an error again.

 

This is the query when it's echoed

INSERT INTO shop (item_name, item_description, price, quantity, species) VALUES('Netgun' , 'A ranged weapon that ensnares and kills enemies in its metal net. Attack +5 Honor -10 ' , '1800' , '1 ' , 'Predator'

 

[mikesta707]

are you price and quantity columns integers? if so remove the quotes surrounding $price and $quant variables.

 

Also, you may want to do a trim on your $quant variable because there is whitespace after it, and I'm not sure if you want that (although that may be due to incorrect placement of your single quotes

[Cetanu]

Oooooh yeah, I'm such an idiot! I forgot all about the integers not needing '.

I've removed them, but still get an error message.

[mikesta707]

echo the query again. what does it look like

[Cetanu]

INSERT INTO shop (item_name, item_description, price, quantity, species) VALUES('Netgun' , 'A ranged weapon that ensnares and kills enemies in its metal net. Attack +5 Honor -10 ' , 1800 , 1 , 'Predator'

[mikesta707]

perhaps delete the space between the numbers and the commas, IE it should look like

 

, 1800, 1,

[Cetanu]

Same error.  :'(

 

 

I FEEL LIKE A RETARD.

 

mysql_query("INSERT INTO shop (item_name, item_description, price, quantity, species)

  VALUES('$name', '$description', $price, $quant, '$species'") or die(mysql_error());

 

 

That was was what threw the error. I dunno HOW we didn't notice that there wasn't the required first ) to end the VALUES part. The correct syntax is:

mysql_query("INSERT INTO shop (item_name, item_description, price, quantity, species)

  VALUES('$name', '$description', $price, $quant, '$species')") or die(mysql_error());

 

 

 

Thanks for your help.