
SQL syntax error


bassy


Hey,

I'm getting the error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's','Test Name,'123456679','Test Restaurant Description' at line 1

 

I can't figure out what the problem is! Please help...

Here is my PHP code. Thanks in advance.

 

<?php

$email = strtolower(strip_tags($_POST['email']));
$restname = strip_tags($_POST['restname']);
$cname = strip_tags($_POST['cname']);
$phoneNum = strip_tags($_POST['phoneNum']);
$descrip = strip_tags($_POST['descrip']);
// Keep the raw password here; hashing it before the checks below made the
// length check measure the 32-character MD5 hash instead of the password.
$password = strip_tags($_POST['password']);
$specials = strip_tags($_POST['specials']);
$price = strip_tags($_POST['price']);
$foodtype = strip_tags($_POST['foodtype']);
$reppassword = strip_tags($_POST['reppassword']);
$submit = strip_tags($_POST['submit']);

if ($submit)
{
    //check for existence
    if ($email&&$password&&$reppassword&&$restname&&$cname&&$phoneNum&&$descrip&&$foodtype&&$specials&&$price)
    {
        if ($password==$reppassword)
        {
            //check character length of cname
            if (strlen($cname)>50)
            {
                echo "Contact Name is too long. 25 character maximum.";
            }
            else
            {
                //check password length
                if (strlen($password)<6)
                {
                    echo "Password must be at least 6 characters in length";
                }
                else
                {
                    //register the user

                    //hash the password (once, after validation)
                    $password = md5($password);

                    //open database
                    $connect = mysql_connect("mysql2.mylogin.ie","username","password") or die ('Error:' . mysql_error());
                    mysql_select_db("database");

                    //the values are placed into the query string exactly as submitted
                    $query = "INSERT INTO table1 (id, email, restname, cname, phoneNum, descrip, password, specials, price, foodtype) VALUES ('','$email','$restname','$cname','$phoneNum','$descrip','$password','$specials','$price','$foodtype')";
                    mysql_query($query) or die ('Error updating database. Please try again later.' .mysql_error());

                    echo ("Thank you. You have been registered! <a href ='index.php'> Click here</a> to return to the home page and log in using your email and password.");
                }
            }
        }
        else
            echo "Passwords to not match. Please enter two identical passwords.";
    }
    else
        echo "Please fill in <strong>ALL</strong> required fields.";
}

?>

https://forums.phpfreaks.com/topic/244315-sql-syntax-error/

It seems that if I put something like an apostrophe ' in the field it causes the problem.

If I avoid apostrophes the problem doesn't happen and it inputs the data to the database just fine.

You need to escape data going into your database. See mysql_real_escape_string.

As mentioned before, read thorpe's reply. There is even a link to the manual that explains exactly what this function does and how it solves your SQL issue. "mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a."

 

https://forums.phpfreaks.com/topic/244315-sql-syntax-error/#findComment-1254897

Not to get confused with the addslashes function, which many people use instead of mysql_real_escape_string when inserting data into a db... mysql_real_escape_string is much smarter and escapes more characters as well.

From php.net:

"This function must always (with few exceptions) be used to make data safe before sending a query to MySQL."

https://forums.phpfreaks.com/topic/244315-sql-syntax-error/#findComment-1254899
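
The failure and a fix for it, as an added example that is not code from any poster in this thread. It uses PDO prepared statements, a different technique from the mysql_real_escape_string call recommended above (that function belongs to the old mysql extension, which was removed in PHP 7), and assumes an in-memory SQLite database standing in for MySQL, a reduced column list, and constructed sample values.

```php
<?php
// Added example, not from the thread. SQLite in memory stands in for MySQL so it
// runs offline; the reduced column list and the sample values are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE table1 (id INTEGER PRIMARY KEY, email TEXT, restname TEXT, cname TEXT)');

$input = [
    'email'    => 'owner@example.com',
    'restname' => "Test's",   // apostrophe, like the value in the error message
    'cname'    => 'Test Name',
];

// Interpolation as in the original INSERT: the apostrophe ends the SQL string
// literal early, so the remainder of the value is parsed as SQL syntax.
function insertInterpolated(PDO $pdo, array $in): bool
{
    $sql = "INSERT INTO table1 (email, restname, cname) "
         . "VALUES ('{$in['email']}','{$in['restname']}','{$in['cname']}')";
    try {
        $pdo->exec($sql);
        return true;
    } catch (PDOException $e) {
        echo "Interpolated query rejected: ", $e->getMessage(), "\n";
        return false;
    }
}

// Bound parameters: values travel separately from the SQL text, so no character
// in them can change the statement's structure.
function insertPrepared(PDO $pdo, array $in): bool
{
    $stmt = $pdo->prepare(
        'INSERT INTO table1 (email, restname, cname) VALUES (:email, :restname, :cname)'
    );
    return $stmt->execute([
        ':email'    => $in['email'],
        ':restname' => $in['restname'],
        ':cname'    => $in['cname'],
    ]);
}

var_dump(insertInterpolated($pdo, $input));
var_dump(insertPrepared($pdo, $input));
// Read the row back to confirm the apostrophe was stored intact.
var_dump($pdo->query('SELECT restname FROM table1')->fetchColumn());
```

The same prepare/execute calls work against MySQL by changing only the DSN passed to the PDO constructor.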

Archived

This topic is now archived and is closed to further replies.
