Getting mysql syntax error when inserting php value in database..?

[jdock1]

 

 

Im building a list of offers and adding them to a table in a database.

 

Pretty much all it is is HTML. Im inserting an ahref link that has a php echo in it. So it looks like this:

 

<div class="offerlinks"><a href="http://website.com/offer/blahblah&blah=blah&sid=<?php echo $_SESSION['uid'];?>">Offer name</a><br><b>Info:</b> Signup<br><b>Value</b> 1 pt</div>

 

When I insert this (through my form) I get mysql error 1064 which is syntax error. I tested it without the php & it gives me 0, which worked fine.

 

I need the php code so I can append userid to the SID var.

 

Am I doing something wrong? Well I guess I obviously am so the real question is what am I doing wrong & how could I do it the right way?

 

Thanks guys

[Buddski]

Perhaps showing us the SQL query that is throwing the error might help.

[jdock1]

Perhaps showing us the SQL query that is throwing the error might help.

Perhaps showing us the SQL query that is throwing the error might help.

$query = "INSERT INTO offers VALUES ('$offer')";

 

I dont think this would be the problem? Its a simple insert. Idk I am inserting it through a textarea , which is where I get $offer from $_POST

[Buddski]

Does your 'offers' table only contain the 1 field?

Can you show the whole code where $offer is set?

Also post the entire mysql error you are receiving, it will usually tell you where the syntax error in the query is occurring

[Drummin]

Sounds like your $_SESSION['uid'] is not set.

[Buddski]

Just to clarify, are you typing

<div class="offerlinks"><a href="http://website.com/offer/blahblah&blah=blah&sid=<?php echo $_SESSION['uid'];?>">Offer name</a><br><b>Info:</b> Signup<br><b>Value</b> 1 pt</div>

into your textarea?

[the182guy]

Echo out the query and paste it here, or run it through phpMyAdmin.

[jdock1]

Does your 'offers' table only contain the 1 field?

Can you show the whole code where $offer is set?

Also post the entire mysql error you are receiving, it will usually tell you where the syntax error in the query is occurring

Yes sorry here it is

 

& yeah it does only contact 1 field

 

<?php
$offer = $_POST['offer'];
$query = "INSERT INTO offers VALUES ('$offer')";



?>
<b><a href="http://site.com/admin/template.txt" target="_new">Current offer template</a></b>
<form action="" method="post">

<textarea name="offer" cols="50" rows="15"></textarea>
<br><br>
<input type="submit" value="Insert" name="insert" />
</form>
</font>

<?php
if ($_POST['insert'] == "Insert")
{
mysql_query($query,$link);
echo mysql_errno($link);
#echo "<br><font size='5' color='#00CC00'>Offer successfully added.</font><br>";	
}
?>

& I am only getting the error output as "1064". Idk any other mysql error tracking code on the top of my head so I just use that

 

but like I said when I do it without the php code I get 0 & it inserts in the database succesfully

 

thanks!

[jdock1]

Just to clarify, are you typing

<div class="offerlinks"><a href="http://website.com/offer/blahblah&blah=blah&sid=<?php echo $_SESSION['uid'];?>">Offer name</a><br><b>Info:</b> Signup<br><b>Value</b> 1 pt</div>

into your textarea?

 

Yes I am. Thats what I need inserted in the database. I need to be able to add offers through a database and echo out the results so I can order them & easily delete them. Instead of putting it all on a static page. Its just so much easier. I need to insert the code through a form.

[trq]

I need to insert the code through a form.

 

PHP code won't execute from within a database though. It's just a string. Why are you passing the session id around through the querystring anyway?

[Buddski]

You are not escaping the $offer variable.

If you were to echo the $query string you will see why you are getting a syntax error.

$query = "INSERT INTO offers VALUES ('$offer')";
echo  $query;
// The result would be
// INSERT INTO offers VALUES ('<div class="offerlinks"><a href="http://website.com/offer/blahblah&blah=blah&sid=<?php echo $_SESSION['uid'];?>">Offer name</a><br><b>Info:</b> Signup<br><b>Value</b> 1 pt</div>')

Typing in $_SESSION['uid'] into the text field will, as thorpe pointed out, just be a string, there would be no execution of that piece of code.

[jdock1]

I need to insert the code through a form.

 

PHP code won't execute from within a database though. It's just a string. Why are you passing the session id around through the querystring anyway?

 

Yes your right I just realized that. I inserted the code through PHPmyadmin successfully but when I echod the results on my site I saw that it didnt execute.

 

Im just passing a session variable because the links Im using through my advertising network needs the userid appended to the URL so it can postback to my site saying userid completed the offer so my script can credit the user. Its for my "points" site. Im just looking for an easier way to add offers.

[jdock1]

You are not escaping the $offer variable.

If you were to echo the $query string you will see why you are getting a syntax error.

$query = "INSERT INTO offers VALUES ('$offer')";
echo  $query;
// The result would be
// INSERT INTO offers VALUES ('<div class="offerlinks"><a href="http://website.com/offer/blahblah&blah=blah&sid=<?php echo $_SESSION['uid'];?>">Offer name</a><br><b>Info:</b> Signup<br><b>Value</b> 1 pt</div>')

Typing in $_SESSION['uid'] into the text field will, as thorpe pointed out, just be a string, there would be no execution of that piece of code.

 

Ic. Thank you. So my new question would be, how can I possibly do this? The code is not executing. I need the session appended to the end of the URL. This isn't possible then? PHP cannot execute through echoing the database results?

[Buddski]

You could save the string as a formatted string, then when the row is returned you can insert the $_SESSION['uid'] on display.

<div class="offerlinks"><a href="http://website.com/offer/blahblah&blah=blah&sid=%s">Offer name</a><br><b>Info:</b> Signup<br><b>Value</b> 1 pt</div>

Then when the code is displayed to the user

echo sprintf($query_result,$_SESSION['uid']);

Or something to that effect.

[Drummin]

And what does this get you?

<?PHP
$offer="<div class=\"offerlinks\"><a href=\"http://website.com/offer/blahblah&blah=blah&sid=$_SESSION[uid]\">Offer name</a><br><b>Info:</b> Signup<br><b>Value</b> 1 pt</div>";
$offer = mysqli_real_escape_string($offer);
mysql_query("INSERT INTO offers VALUES ('$offer')") or die(mysql_error());
?>

[Drummin]

I just created a test DB and added a table called "offers" with the fields `links` and `id` AUTO_INCREMENT.

 

Slight modification to last code posted resulted in correct insert to table.  This is what was added.

<div class="offerlinks"><a href="http://website.com/offer/blahblah&blah=blah&sid=22">Offer name</a><br><b>Info:</b> Signup<br><b>Value</b> 1 pt</div>

I needed to add the $link variable to the mysqli_real_escape_string.  Here's exactly the code I used.

$link = mysqli_connect($host, $login, $pass);
$_SESSION['uid']=22;
$offer="<div class=\"offerlinks\"><a href=\"http://website.com/offer/blahblah&blah=blah&sid=$_SESSION[uid]\">Offer name</a><br><b>Info:</b> Signup<br><b>Value</b> 1 pt</div>";
$offer = mysqli_real_escape_string($link, $offer);
mysql_query("INSERT INTO offers (links) VALUES ('$offer')") or die(mysql_error());