lovephp Posted November 16, 2012

Hey friends, why am I getting this error when I use "don't" in a form?

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 't ', status = '', time = '135310002' at line 18
Pikachu2000 Posted November 16, 2012

You aren't escaping your data. Which, incidentally, also leaves you open to SQL injection. mysql_real_escape_string
lovephp Posted November 16, 2012

Oh yes, would this be the right way to do it?

```php
function insertP($postData) {
    $postData = mysql_real_escape_string(trim(strip_tags($postData))); // I'm doing it here?
    $sql = "
        INSERT INTO table SET
        aname = '".$_SESSION['aname']."',
        cname = '".$postData['cname']."',
        address = '".$postData['address']."',
        hnumber = '".$postData['hnumber']."',
        altnumber = '".$postData['altnumber']."',
        lamount = '".$postData['lamount']."',
        mrepayments = '".$postData['mrepayments']."',
        ssn = '".$postData['ssn']."',
        dln = '".$postData['dln']."',
        mincome = '".$postData['mincome']."',
        lpayday = '".$postData['lpayday']."',
        npayday = '".$postData['npayday']."',
        abalance = '".$postData['abalance']."',
        msaving = '".$postData['msaving']."',
        dob = '".$postData['dob']."',
        apnumber = '".$postData['apnumber']."',
        comments = '".$postData['comments']."',
        status = '".$postData['status']."',
        time = '".time()."'
    ";
    executeSql($sql);
}
```
Pikachu2000 Posted November 16, 2012

You can't use any of those functions on an entire array at once.
lovephp Posted November 16, 2012

What would be the best way?
Pikachu2000 Posted November 16, 2012

If you insist on a one-size-fits-all approach, and your arrays are not multidimensional, you could use array_map.
lovephp Posted November 16, 2012

How about like this?

```php
function clean($str) {
    $str = mysql_real_escape_string($str);
    $str = htmlspecialchars($str);
    $str = strip_tags($str);
    return $str;
}

///////////////////////////////////

function insertP($postData) {
    $sql = "
        INSERT INTO table SET
        aname = '".$_SESSION['aname']."',
        cname = '".clean($postData['cname'])."',
        address = '".clean($postData['address'])."',
        hnumber = '".clean($postData['hnumber'])."',
        altnumber = '".clean($postData['altnumber'])."',
        lamount = '".clean($postData['lamount'])."',
        mrepayments = '".clean($postData['mrepayments'])."',
        ssn = '".clean($postData['ssn'])."',
        dln = '".clean($postData['dln'])."',
        mincome = '".clean($postData['mincome'])."',
        lpayday = '".clean($postData['lpayday'])."',
        npayday = '".clean($postData['npayday'])."',
        abalance = '".clean($postData['abalance'])."',
        msaving = '".clean($postData['msaving'])."',
        dob = '".clean($postData['dob'])."',
        apnumber = '".clean($postData['apnumber'])."',
        comments = '".clean($postData['comments'])."',
        status = '".clean($postData['status'])."',
        time = '".time()."'
    ";
    executeSql($sql);
}
```

BTW, do I have to use it for time as well?
Pikachu2000 Posted November 16, 2012

You should pass the data to mysql_real_escape_string last instead of first, and I really wouldn't use strip_tags when inserting data, I'd use it when retrieving and displaying the data. No, time() isn't sent by the user, so no need to escape it. I wouldn't use a UNIX timestamp, though, I'd store YYYY-MM-DD hh:mm:ss in a DATETIME type field and populate it with MySQL's NOW() function. That format is much more flexible, and MySQL has a boat load of native functions for it.
lovephp Posted November 16, 2012

Thanks bro. So which functions shall I add to the clean function?

1. mysql_real_escape_string
2. htmlspecialchars
3. stripslashes ???
4. trim ???

Any more I should add?
Pikachu2000 Posted November 16, 2012

trim() should really be part of your validation routine, then all you need to do is make sure strings are escaped and numeric values are indeed numeric before the query is executed.
lovephp Posted November 16, 2012

How about this function, bro?

```php
function clean($value) {
    if (is_array($value)) {
        foreach ($value as $k => $v) {
            $value[$k] = clean($v);
        }
    } else {
        if (get_magic_quotes_gpc() == 1) {
            $value = stripslashes($value);
        }
        $value = trim(htmlspecialchars($value, ENT_QUOTES, "utf-8")); // convert input into friendly characters to stop XSS
        $value = mysql_real_escape_string($value);
    }
    return $value;
}
```
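An added example, not code from the thread, that ties its three points together: the apostrophe in "don't" breaking a concatenated query (the error in the first post), a hostile value going through the same hole, and Pikachu2000's advice to validate first (trim, numeric checks) and let the database set the timestamp. It assumes PHP 7.1+ with PDO and an in-memory SQLite database as an offline stand-in for MySQL, a table named applicants holding a subset of the form's columns, and constructed sample input. Since mysql_real_escape_string() was removed in PHP 7, the hardened path binds parameters instead of escaping, which is the modern replacement for the approach discussed above.

```php
<?php
// Added example, not code from the thread. PDO + in-memory SQLite stand in for
// MySQL so this runs offline; SQLite doubles quotes rather than backslash-
// escaping them, but the failure mode and the fix are the same. The table
// name, column subset and sample inputs are assumptions for the demo.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE applicants (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    cname TEXT NOT NULL, comments TEXT NOT NULL,
    lamount INTEGER NOT NULL, status TEXT NOT NULL,
    created_at TEXT NOT NULL)');

// Constructed inputs shaped like $_POST from the form in the thread.
$honest  = ['cname' => 'Smith', 'comments' => "don't call before noon",
            'lamount' => '1500', 'status' => 'new'];
$hostile = ['cname' => 'Smith', 'comments' => "x', 1, 'approved', datetime('now')) --",
            'lamount' => '1500', 'status' => 'new'];

// 1. The pattern from the thread: concatenation, no escaping. The apostrophe
//    in "don't" closes the literal early and "t call before noon'" is left as
//    dangling SQL, which is the syntax error in the first post. The hostile
//    value closes the VALUES list itself and comments out the remainder.
function insertUnsafe(PDO $db, array $p): void
{
    $sql = "INSERT INTO applicants (cname, comments, lamount, status, created_at) VALUES ('"
         . $p['cname'] . "', '" . $p['comments'] . "', '" . $p['lamount'] . "', '"
         . $p['status'] . "', datetime('now'))";
    $db->exec($sql);
}

// 2. Validation is a separate step from escaping: trim, check each field
//    against what it is supposed to be, and reject what does not fit.
function validateApplicant(array $p): array
{
    $errors = [];
    $out = ['cname'    => trim((string) ($p['cname'] ?? '')),
            'comments' => trim((string) ($p['comments'] ?? ''))];
    if ($out['cname'] === '' || strlen($out['cname']) > 100) {
        $errors[] = 'cname must be 1-100 bytes';
    }
    if (strlen($out['comments']) > 1000) {
        $errors[] = 'comments too long';
    }
    // Numeric fields must actually be numeric before they reach the query.
    $out['lamount'] = filter_var($p['lamount'] ?? null, FILTER_VALIDATE_INT,
                                 ['options' => ['min_range' => 1]]);
    if ($out['lamount'] === false) {
        $errors[] = 'lamount must be a positive integer';
    }
    // A closed set of values gets an allow-list, not an escape.
    $out['status'] = $p['status'] ?? '';
    if (!in_array($out['status'], ['new', 'review', 'approved'], true)) {
        $errors[] = 'status not recognised';
    }
    return [$out, $errors];
}

// 3. Hardened insert: bound parameters travel separately from the SQL text,
//    so an apostrophe or a whole injection payload is just bytes in a value.
//    The timestamp is set by the database, as the thread suggests, not by PHP.
function insertSafe(PDO $db, array $p): int
{
    [$clean, $errors] = validateApplicant($p);
    if ($errors !== []) {
        throw new InvalidArgumentException(implode('; ', $errors));
    }
    $stmt = $db->prepare('INSERT INTO applicants (cname, comments, lamount, status, created_at)
                          VALUES (:cname, :comments, :lamount, :status, datetime(\'now\'))');
    $stmt->bindValue(':cname',    $clean['cname'],    PDO::PARAM_STR);
    $stmt->bindValue(':comments', $clean['comments'], PDO::PARAM_STR);
    $stmt->bindValue(':lamount',  $clean['lamount'],  PDO::PARAM_INT);
    $stmt->bindValue(':status',   $clean['status'],   PDO::PARAM_STR);
    $stmt->execute();
    return (int) $db->lastInsertId();
}

function fetchRow(PDO $db, int $id): array
{
    $stmt = $db->prepare('SELECT comments, lamount, status FROM applicants WHERE id = ?');
    $stmt->execute([$id]);
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

try {
    insertUnsafe($db, $honest);          // throws: near "t": syntax error
} catch (PDOException $e) {
    echo "unsafe + honest input: " . $e->getMessage() . PHP_EOL;
}
insertUnsafe($db, $hostile);             // succeeds, but with status = 'approved'
echo "unsafe + hostile input: " . json_encode(fetchRow($db, 1)) . PHP_EOL;

foreach ([$honest, $hostile] as $input) {
    $id = insertSafe($db, $input);       // both stored verbatim, status stays 'new'
    echo "safe insert: " . json_encode(fetchRow($db, $id)) . PHP_EOL;
}
```

Run it with `php example.php`. The first unsafe call reproduces the thread's error, the second shows why the same bug is an injection hole (the attacker chose the status and amount), and the two safe calls store both inputs byte-for-byte with the values the validator approved. Note that nothing here HTML-encodes the data on the way in; per the advice above, that belongs at output time.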