rockstarrem Posted February 6, 2010 Share Posted February 6, 2010 Hello, I'm learning PHP/MySQL and I'm running into some trouble. When I post something from PHP to the database with something like ' in the post, I get the following error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'm here ')' at line 1 So I get it's saying that my MySQL syntax is wrong and it's passing the ' from the post like it's actual syntax... heres my code: <?php $mysqli = new mysqli(); $mysqli->connect("localhost", "root", "", "jesus"); $title = $_POST["title"]; $name = $_POST["name"]; $post = $_POST["new_post"]; $newquery = "INSERT INTO `jesus`.`posts` ( `title` , `name` , `post` ) VALUES ('$title', '$name', '$post');"; $mysqli->query($newquery, MYSQLI_STORE_RESULT); if ($mysqli->errno) { printf("Unable to connect to the database:<br /> %s", $mysqli->error); exit(); } echo "Success!"; ?> Quote Link to comment Share on other sites More sharing options...
Mchl Posted February 6, 2010 Share Posted February 6, 2010 mysql_real_escape_string Quote Link to comment Share on other sites More sharing options...
rockstarrem Posted February 6, 2010 Author Share Posted February 6, 2010 mysql_real_escape_string I get a few of these errors now: Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'SYSTEM'@'localhost' (using password: NO) in C:\wamp\www\do_blog.php on line 10 Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in C:\wamp\www\do_blog.php on line 10 Unable to connect to the database: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '', 'Domenic's', 'Testing's')' at line 1 My code is: <?php $mysqli = new mysqli(); $mysqli->connect("localhost", "root", "", "jesus"); $title = $_POST["title"]; $name = $_POST["name"]; $post = $_POST["new_post"]; $newquery = "INSERT INTO `jesus`.`posts` ( `title` , `name` , `post` ) VALUES ('$title', '$name', '$post');"; mysql_real_escape_string($title); mysql_real_escape_string($name); mysql_real_escape_string($post); $mysqli->query($newquery, MYSQLI_STORE_RESULT); if ($mysqli->errno) { printf("Unable to connect to the database:<br /> %s", $mysqli->error); exit(); } echo "Success!"; ?> Quote Link to comment Share on other sites More sharing options...
rockstarrem Posted February 6, 2010 Author Share Posted February 6, 2010 I fixed the above problem, but I'm still getting this: Unable to connect to the database: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '', 'Domenic's', 'Testing's')' at line 1 My code is... <?php $mysqli = new mysqli(); $mysqli->connect("localhost", "root", "", "jesus"); $title = $_POST["title"]; $name = $_POST["name"]; $post = $_POST["new_post"]; $newquery = "INSERT INTO `jesus`.`posts` ( `title` , `name` , `post` ) VALUES ('$title', '$name', '$post');"; $link = mysql_connect("localhost", "root", ""); mysql_real_escape_string($title); mysql_real_escape_string($name); mysql_real_escape_string($post); $mysqli->query($newquery, MYSQLI_STORE_RESULT); if ($mysqli->errno) { printf("Unable to connect to the database:<br /> %s", $mysqli->error); exit(); } echo "Success!"; ?> Quote Link to comment Share on other sites More sharing options...
Mchl Posted February 6, 2010 Share Posted February 6, 2010 Sorry... I didn't notice you were connecting using mysqli. It has it's own escaping function mysqli_real_escape_string that you should use. Quote Link to comment Share on other sites More sharing options...
rockstarrem Posted February 6, 2010 Author Share Posted February 6, 2010 Hello, It's still not working: Unable to connect to the database: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Test'', 'Test'')' at line 1 My code is... <?php $mysqli = new mysqli(); $mysqli->connect("localhost", "root", "", "jesus"); $title = $_POST["title"]; $name = $_POST["name"]; $post = $_POST["new_post"]; $newquery = "INSERT INTO `jesus`.`posts` ( `title` , `name` , `post` ) VALUES ('$title', '$name', '$post');"; $title = $mysqli->real_escape_string($title); $name = $mysqli->real_escape_string($name); $post = $mysqli->real_escape_string($post); $mysqli->query($newquery, MYSQLI_STORE_RESULT); if ($mysqli->errno) { printf("Unable to connect to the database:<br /> %s", $mysqli->error); exit(); } echo "Success!"; ?> Quote Link to comment Share on other sites More sharing options...
Mchl Posted February 6, 2010 Share Posted February 6, 2010 <?php $mysqli = new mysqli(); $mysqli->connect("localhost", "root", "", "jesus"); $title = $_POST["title"]; $name = $_POST["name"]; $post = $_POST["new_post"]; //Escape first $title = $mysqli->real_escape_string($title); $name = $mysqli->real_escape_string($name); $post = $mysqli->real_escape_string($post); //Put into query later $newquery = "INSERT INTO `jesus`.`posts` ( `title` , `name` , `post` ) VALUES ('$title', '$name', '$post');"; $mysqli->query($newquery, MYSQLI_STORE_RESULT); if ($mysqli->errno) { printf("Unable to connect to the database:<br /> %s", $mysqli->error); exit(); } echo "Success!"; ?> Quote Link to comment Share on other sites More sharing options...
rockstarrem Posted February 6, 2010 Author Share Posted February 6, 2010 Wow, thanks a ton! Quote Link to comment Share on other sites More sharing options...
Mchl Posted February 6, 2010 Share Posted February 6, 2010 Remember you should ALWAYS make sure you escape or otherwise sanitize variables being put into your queries. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.