
Can't do an INSERT via a web query. Syntax???



I can't do an INSERT via a web query. Can you look at my syntax and see if I have a typo below?:

 

-------------------------------------

<?php

$CID = $_POST['CID'];
$ImageFile = $_POST['ImageFile'];
$ItemTitle = $_POST['ItemTitle'];
$ItemNo = $_POST['ItemNo'];
$Barcode = $_POST['Barcode'];
$Description = $_POST['Description'];
$Dept = $_POST['Dept'];
$Price = $_POST['Price'];
$Quantity = $_POST['Quantity'];
$Shipping = $_POST['Shipping'];

...

$query = 'INSERT INTO inventory (cid, image_pic, item_title, item_no, barcode, description, dept, price, quantity, ship_rate) VALUES ('$CID','$ImageFile','$ItemTitle','$ItemNo', '$Barcode','$Description','$Dept','$Price','$Quantity','$Shipping')';

-------------------------------------

 

This is what I get back when I try to submit the query (Line 20 is the query line posted above.):

 

Parse error: syntax error, unexpected T_VARIABLE in /perform_insert.php on line 20

I wouldn't call it a typo because it was probably intentional.

 

You can't use raw 's inside a '-quoted string. PHP thinks you're ending the string and starting something else.

 

Read me

 

Also, you're vulnerable to SQL injection. That's very bad. Google it and learn to use mysql_real_escape_string.

Thanks for the info about the SQL injection, I will take that into account.

 

So you are suggesting that I change my code to something like this, right?:

=======================

$query = sprintf("INSERT INTO inventory VALUES ('%s','%s','%s','%s', '%s','%s','%s','%s','%s','%s')";,
                  mysql_real_escape_string($CID),
                  mysql_real_escape_string($ImageFile),
                  mysql_real_escape_string($ItemTitle),
                  mysql_real_escape_string($ItemNo),
                  mysql_real_escape_string($Barcode),
                  mysql_real_escape_string($Description),
                  mysql_real_escape_string($Dept),
                  mysql_real_escape_string($Price),
                  mysql_real_escape_string($Quantity),
                  mysql_real_escape_string($Shipping));
mysql_query($query);

=======================

 

 

That will work just as well, but only after you fix the syntax error.

 

Are $CID and $ItemNo and such numbers? You shouldn't be treating them as strings. Guessing,

$query = sprintf("INSERT INTO inventory VALUES (%d, '%s', '%s', %d, '%s', '%s', '%s', %f, %d, %f)",
$CID,
mysql_real_escape_string($ImageFile),
mysql_real_escape_string($ItemTitle),
$ItemNo,
mysql_real_escape_string($Barcode),
mysql_real_escape_string($Description),
mysql_real_escape_string($Dept),
$Price, $Quantity, $Shipping);
mysql_query($query);

That did it! THANKS!!! I had to use "pg_escape_string" instead of "mysql_real_escape_string" since I am using postgres, but other than that it's similar. Besides string data, do they make escape methods for other types of data, such as integers, floats, etc? Maybe those types aren't susceptible to exploit? That would make sense to me, as commands aren't numbers but strings of words.
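Added example, not code posted by anyone in this thread: the same INSERT written for PostgreSQL, with the numeric columns cast instead of escaped (the answer to the last question above) and then as a parameterised query that needs no manual escaping. It assumes $conn is an open pg_connect() handle and the inventory table and column names from the first post.

```php
<?php
// Added example, not code from the thread. Assumes $conn is an open
// pg_connect() handle and the inventory table/columns named in the thread.

// Numeric columns: there is no escape function for them because a cast
// does the job. (int)/(float) reduce any input to a bare number, so the
// value can sit unquoted in the SQL without ever becoming part of a command.
$cid      = (int)   $_POST['CID'];
$itemNo   = (int)   $_POST['ItemNo'];
$quantity = (int)   $_POST['Quantity'];
$price    = (float) $_POST['Price'];
$shipping = (float) $_POST['Shipping'];

// String columns: escape with the PostgreSQL function and keep the quotes.
$imageFile   = pg_escape_string($conn, $_POST['ImageFile']);
$itemTitle   = pg_escape_string($conn, $_POST['ItemTitle']);
$barcode     = pg_escape_string($conn, $_POST['Barcode']);
$description = pg_escape_string($conn, $_POST['Description']);
$dept        = pg_escape_string($conn, $_POST['Dept']);

// %F (capital) is the locale-independent float format; %f can emit a comma
// as the decimal separator under some locales, which breaks the SQL.
$query = sprintf(
    "INSERT INTO inventory (cid, image_pic, item_title, item_no, barcode,"
    . " description, dept, price, quantity, ship_rate)"
    . " VALUES (%d, '%s', '%s', %d, '%s', '%s', '%s', %F, %d, %F)",
    $cid, $imageFile, $itemTitle, $itemNo, $barcode,
    $description, $dept, $price, $quantity, $shipping
);
$result = pg_query($conn, $query);

// The same insert as a parameterised query: the values never touch the SQL
// text, so no escaping is needed for safety. Keeping the casts is still
// worthwhile so the database receives the intended types.
$result = pg_query_params(
    $conn,
    'INSERT INTO inventory (cid, image_pic, item_title, item_no, barcode,'
    . ' description, dept, price, quantity, ship_rate)'
    . ' VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10)',
    [$cid, $_POST['ImageFile'], $_POST['ItemTitle'], $itemNo, $_POST['Barcode'],
     $_POST['Description'], $_POST['Dept'], $price, $quantity, $shipping]
);
if ($result === false) {
    // pg_last_error() returns the server-side message for the log.
    error_log('inventory insert failed: ' . pg_last_error($conn));
}
```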
