rockstarrem Posted February 6, 2010 Share Posted February 6, 2010 Hello, I'm learning PHP/MySQL and I'm running into some trouble. When I post something from PHP to the database with something like ' in the post, I get the following error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'm here ')' at line 1 So I get it's saying that my MySQL syntax is wrong and it's passing the ' from the post like it's actual syntax... heres my code: <?php $mysqli = new mysqli(); $mysqli->connect("localhost", "root", "", "jesus"); $title = $_POST["title"]; $name = $_POST["name"]; $post = $_POST["new_post"]; $newquery = "INSERT INTO `jesus`.`posts` ( `title` , `name` , `post` ) VALUES ('$title', '$name', '$post');"; $mysqli->query($newquery, MYSQLI_STORE_RESULT); if ($mysqli->errno) { printf("Unable to connect to the database:<br /> %s", $mysqli->error); exit(); } echo "Success!"; ?> Link to comment https://forums.phpfreaks.com/topic/191139-characters-like-and/ Share on other sites More sharing options...
Mchl Posted February 6, 2010 Share Posted February 6, 2010 mysql_real_escape_string Link to comment https://forums.phpfreaks.com/topic/191139-characters-like-and/#findComment-1007849 Share on other sites More sharing options...
rockstarrem Posted February 6, 2010 Author Share Posted February 6, 2010 mysql_real_escape_string I get a few of these errors now: Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'SYSTEM'@'localhost' (using password: NO) in C:\wamp\www\do_blog.php on line 10 Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in C:\wamp\www\do_blog.php on line 10 Unable to connect to the database: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '', 'Domenic's', 'Testing's')' at line 1 My code is: <?php $mysqli = new mysqli(); $mysqli->connect("localhost", "root", "", "jesus"); $title = $_POST["title"]; $name = $_POST["name"]; $post = $_POST["new_post"]; $newquery = "INSERT INTO `jesus`.`posts` ( `title` , `name` , `post` ) VALUES ('$title', '$name', '$post');"; mysql_real_escape_string($title); mysql_real_escape_string($name); mysql_real_escape_string($post); $mysqli->query($newquery, MYSQLI_STORE_RESULT); if ($mysqli->errno) { printf("Unable to connect to the database:<br /> %s", $mysqli->error); exit(); } echo "Success!"; ?> Link to comment https://forums.phpfreaks.com/topic/191139-characters-like-and/#findComment-1007857 Share on other sites More sharing options...
rockstarrem Posted February 6, 2010 Author Share Posted February 6, 2010 I fixed the above problem, but I'm still getting this: Unable to connect to the database: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '', 'Domenic's', 'Testing's')' at line 1 My code is... <?php $mysqli = new mysqli(); $mysqli->connect("localhost", "root", "", "jesus"); $title = $_POST["title"]; $name = $_POST["name"]; $post = $_POST["new_post"]; $newquery = "INSERT INTO `jesus`.`posts` ( `title` , `name` , `post` ) VALUES ('$title', '$name', '$post');"; $link = mysql_connect("localhost", "root", ""); mysql_real_escape_string($title); mysql_real_escape_string($name); mysql_real_escape_string($post); $mysqli->query($newquery, MYSQLI_STORE_RESULT); if ($mysqli->errno) { printf("Unable to connect to the database:<br /> %s", $mysqli->error); exit(); } echo "Success!"; ?> Link to comment https://forums.phpfreaks.com/topic/191139-characters-like-and/#findComment-1007858 Share on other sites More sharing options...
Mchl Posted February 6, 2010 Share Posted February 6, 2010 Sorry... I didn't notice you were connecting using mysqli. It has it's own escaping function mysqli_real_escape_string that you should use. Link to comment https://forums.phpfreaks.com/topic/191139-characters-like-and/#findComment-1007861 Share on other sites More sharing options...
rockstarrem Posted February 6, 2010 Author Share Posted February 6, 2010 Hello, It's still not working: Unable to connect to the database: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Test'', 'Test'')' at line 1 My code is... <?php $mysqli = new mysqli(); $mysqli->connect("localhost", "root", "", "jesus"); $title = $_POST["title"]; $name = $_POST["name"]; $post = $_POST["new_post"]; $newquery = "INSERT INTO `jesus`.`posts` ( `title` , `name` , `post` ) VALUES ('$title', '$name', '$post');"; $title = $mysqli->real_escape_string($title); $name = $mysqli->real_escape_string($name); $post = $mysqli->real_escape_string($post); $mysqli->query($newquery, MYSQLI_STORE_RESULT); if ($mysqli->errno) { printf("Unable to connect to the database:<br /> %s", $mysqli->error); exit(); } echo "Success!"; ?> Link to comment https://forums.phpfreaks.com/topic/191139-characters-like-and/#findComment-1007867 Share on other sites More sharing options...
Mchl Posted February 6, 2010 Share Posted February 6, 2010 <?php $mysqli = new mysqli(); $mysqli->connect("localhost", "root", "", "jesus"); $title = $_POST["title"]; $name = $_POST["name"]; $post = $_POST["new_post"]; //Escape first $title = $mysqli->real_escape_string($title); $name = $mysqli->real_escape_string($name); $post = $mysqli->real_escape_string($post); //Put into query later $newquery = "INSERT INTO `jesus`.`posts` ( `title` , `name` , `post` ) VALUES ('$title', '$name', '$post');"; $mysqli->query($newquery, MYSQLI_STORE_RESULT); if ($mysqli->errno) { printf("Unable to connect to the database:<br /> %s", $mysqli->error); exit(); } echo "Success!"; ?> Link to comment https://forums.phpfreaks.com/topic/191139-characters-like-and/#findComment-1007870 Share on other sites More sharing options...
rockstarrem Posted February 6, 2010 Author Share Posted February 6, 2010 Wow, thanks a ton! Link to comment https://forums.phpfreaks.com/topic/191139-characters-like-and/#findComment-1007885 Share on other sites More sharing options...
Mchl Posted February 6, 2010 Share Posted February 6, 2010 Remember you should ALWAYS make sure you escape or otherwise sanitize variables being put into your queries. Link to comment https://forums.phpfreaks.com/topic/191139-characters-like-and/#findComment-1007886 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.