RRT Posted December 23, 2010 Share Posted December 23, 2010 I can't do an INSERT via a web query. Can you look at my syntax and see if I have a typo below?: ------------------------------------- <?php $CID = $_POST['CID']; $ImageFile = $_POST['ImageFile']; $ItemTitle = $_POST['ItemTitle']; $ItemNo = $_POST['ItemNo']; $Barcode = $_POST['Barcode']; $Description = $_POST['Description']; $Dept = $_POST['Dept']; $Price = $_POST['Price']; $Quantity = $_POST['Quantity']; $Shipping = $_POST['Shipping']; . . . $query = 'INSERT INTO inventory (cid, image_pic, item_title, item_no, barcode, description, dept, price, quantity, ship_rate) VALUES ('$CID','$ImageFile','$ItemTitle','$ItemNo', '$Barcode','$Description','$Dept','$Price','$Quantity','$Shipping')'; ------------------------------------- This is what I get back when I try to submit the query (Line 20 is the query line posted above.): Parse error: syntax error, unexpected T_VARIABLE in /perform_insert.php on line 20 Quote Link to comment Share on other sites More sharing options...
requinix Posted December 23, 2010 Share Posted December 23, 2010 I wouldn't call it a typo because it was probably intentional. You can't use raw 's inside a '-quoted string. PHP thinks you're ending the string and starting something else. Read me Also, you're vulnerable to SQL injection. That's very bad. Google it and learn to use mysql_real_escape_string. Quote Link to comment Share on other sites More sharing options...
RRT Posted December 25, 2010 Author Share Posted December 25, 2010 Thanks for the info about the SQL injection, I will take that into account. So you are suggesting that I change my code to something like this, right?: ======================= $query = sprintf("INSERT INTO inventory VALUES ('%s','%s','%s','%s', '%s','%s','%s','%s','%s','%s')";, mysql_real_escape_string($CID), mysql_real_escape_string($ImageFile), mysql_real_escape_string($ItemTitle), mysql_real_escape_string($ItemNo), mysql_real_escape_string($Barcode), mysql_real_escape_string($Description), mysql_real_escape_string($Dept), mysql_real_escape_string($Price), mysql_real_escape_string($Quantity), mysql_real_escape_string($Shipping)); mysql_query($query); ======================= Quote Link to comment Share on other sites More sharing options...
requinix Posted December 25, 2010 Share Posted December 25, 2010 That will work just as well, but only after you fix the syntax error. Are $CID and $ItemNo and such numbers? You shouldn't be treating them as strings. Guessing, $query = sprintf("INSERT INTO inventory VALUES (%d, '%s', '%s', %d, '%s', '%s', '%s', %f, %d, %f)", $CID, mysql_real_escape_string($ImageFile), mysql_real_escape_string($ItemTitle), $ItemNo, mysql_real_escape_string($Barcode), mysql_real_escape_string($Description), mysql_real_escape_string($Dept), $Price, $Quantity, $Shipping); mysql_query($query); Quote Link to comment Share on other sites More sharing options...
RRT Posted December 26, 2010 Author Share Posted December 26, 2010 That did it! THANKS!!! I had to use "pg_escape_string" instead of "mysql_real_escape_string" since I am using postgres, but other than that its similar. Besides string data, do they make escape methods for other types of data, such as integers, floats, etc? Maybe those types aren't suseptable to exploit? That would make sense to me, as commands aren't numbers but strings of words. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.