lovephp Posted November 16, 2012 Share Posted November 16, 2012 hey friends why am i getting this error when i use don't in form? You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 't ', status = '', time = '135310002' at line 18 Quote Link to comment Share on other sites More sharing options...
Pikachu2000 Posted November 16, 2012 Share Posted November 16, 2012 You aren't escaping your data. Which, incidentally, also leaves you open to SQL injection. mysql_real_escape_string Quote Link to comment Share on other sites More sharing options...
lovephp Posted November 16, 2012 Author Share Posted November 16, 2012 (edited) oh yes, would this be the right way to do it? function insertP($postData) { $postData = mysql_real_escape_string(trim(strip_tags($postData)));// im doing it here? $sql = " INSERT INTO table SET aname = '".$_SESSION['aname']."', cname = '".$postData['cname']."', address = '".$postData['address']."', hnumber = '".$postData['hnumber']."', altnumber = '".$postData['altnumber']."', lamount = '".$postData['lamount']."', mrepayments = '".$postData['mrepayments']."', ssn = '".$postData['ssn']."', dln = '".$postData['dln']."', mincome = '".$postData['mincome']."', lpayday = '".$postData['lpayday']."', npayday = '".$postData['npayday']."', abalance = '".$postData['abalance']."', msaving = '".$postData['msaving']."', dob = '".$postData['dob']."', apnumber = '".$postData['apnumber']."', comments = '".$postData['comments']."', status = '".$postData['status']."', time = '".time()."' "; executeSql($sql); Edited November 16, 2012 by lovephp Quote Link to comment Share on other sites More sharing options...
Pikachu2000 Posted November 16, 2012 Share Posted November 16, 2012 (edited) You can't use any of those functions on an entire array at once. Edited November 16, 2012 by Pikachu2000 Quote Link to comment Share on other sites More sharing options...
lovephp Posted November 16, 2012 Author Share Posted November 16, 2012 what would be the best way? Quote Link to comment Share on other sites More sharing options...
Pikachu2000 Posted November 16, 2012 Share Posted November 16, 2012 If you insist on a one-size-fits-all approach, and your arrays are not multidimensional, you could use array_map. Quote Link to comment Share on other sites More sharing options...
lovephp Posted November 16, 2012 Author Share Posted November 16, 2012 how bout like this? function clean($str){ $str = mysql_real_escape_string($str); $str = htmlspecialchars($str); $str = strip_tags($str); return($str); ) /////////////////////////////////// function insertP($postData) { $sql = " INSERT INTO table SET aname = '".$_SESSION['aname']."', cname = '".clean($postData['cname'])."', address = '".clean($postData['address'])."', hnumber = '".clean($postData['hnumber'])."', altnumber = '".clean($postData['altnumber'])."', lamount = '".clean($postData['lamount'])."', mrepayments = '".clean($postData['mrepayments'])."', ssn = '".clean($postData['ssn'])."', dln = '".clean($postData['dln'])."', mincome = '".clean($postData['mincome'])."', lpayday = '".clean($postData['lpayday'])."', npayday = '".clean($postData['npayday'])."', abalance = '".clean($postData['abalance'])."', msaving = '".clean($postData['msaving'])."', dob = '".clean($postData['dob'])."', apnumber = '".clean($postData['apnumber'])."', comments = '".clean($postData['comments'])."', status = '".clean($postData['status'])."', time = '".time()."' "; executeSql($sql); } btw do i have to use it for time aswell? Quote Link to comment Share on other sites More sharing options...
Pikachu2000 Posted November 16, 2012 Share Posted November 16, 2012 You should pass the data to mysql_real_escape_string last instead of first, and I really wouldn't use strip_tags when inserting data, I'd use it when retrieving and displaying the data. No, time() isn't sent by the user, so no need to escape it. I wouldn't use a UNIX timestamp, though, I'd store YYYY-MM-DD hh:mm:ss in a DATETIME type field and populate it with MySQL's NOW() function. That format is much more flexible, and MySQL has a boat load of native functions for it. Quote Link to comment Share on other sites More sharing options...
lovephp Posted November 16, 2012 Author Share Posted November 16, 2012 thanks bro. so which all functions shall i add up in the clean function? 1. mysql_real_escape_string 2. htmlspecialchars 3. stripslashes ??? 4. trim??? anymore shall i add up? Quote Link to comment Share on other sites More sharing options...
Pikachu2000 Posted November 16, 2012 Share Posted November 16, 2012 trim() should really be part of your validation routine, then all you need to do is make sure strings are escaped and numeric values are indeed numeric before the query is executed. Quote Link to comment Share on other sites More sharing options...
lovephp Posted November 16, 2012 Author Share Posted November 16, 2012 how about this function bro ? function clean($value){ if (is_array($value)){ foreach($value as $k => $v){ $value[$k] = clean($v); } }else{ if(get_magic_quotes_gpc() == 1){ $value = stripslashes($value); } $value = trim(htmlspecialchars($value, ENT_QUOTES, "utf-8")); //convert input into friendly characters to stop XSS $value = mysql_real_escape_string($value); } return $value; } Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.