
Sql Syntax Error Why?


lovephp


Oh yes, would this be the right way to do it?

 

function insertP($postData) {

    $postData = mysql_real_escape_string(trim(strip_tags($postData))); // im doing it here?

    $sql = " INSERT INTO table SET
        aname = '".$_SESSION['aname']."',
        cname = '".$postData['cname']."',
        address = '".$postData['address']."',
        hnumber = '".$postData['hnumber']."',
        altnumber = '".$postData['altnumber']."',
        lamount = '".$postData['lamount']."',
        mrepayments = '".$postData['mrepayments']."',
        ssn = '".$postData['ssn']."',
        dln = '".$postData['dln']."',
        mincome = '".$postData['mincome']."',
        lpayday = '".$postData['lpayday']."',
        npayday = '".$postData['npayday']."',
        abalance = '".$postData['abalance']."',
        msaving = '".$postData['msaving']."',
        dob = '".$postData['dob']."',
        apnumber = '".$postData['apnumber']."',
        comments = '".$postData['comments']."',
        status = '".$postData['status']."',
        time = '".time()."'
    ";
    executeSql($sql);
}


How about like this?

 

function clean($str){
    $str = mysql_real_escape_string($str);
    $str = htmlspecialchars($str);
    $str = strip_tags($str);
    return($str);
}
///////////////////////////////////
function insertP($postData) {
    $sql = " INSERT INTO table SET
        aname = '".$_SESSION['aname']."',
        cname = '".clean($postData['cname'])."',
        address = '".clean($postData['address'])."',
        hnumber = '".clean($postData['hnumber'])."',
        altnumber = '".clean($postData['altnumber'])."',
        lamount = '".clean($postData['lamount'])."',
        mrepayments = '".clean($postData['mrepayments'])."',
        ssn = '".clean($postData['ssn'])."',
        dln = '".clean($postData['dln'])."',
        mincome = '".clean($postData['mincome'])."',
        lpayday = '".clean($postData['lpayday'])."',
        npayday = '".clean($postData['npayday'])."',
        abalance = '".clean($postData['abalance'])."',
        msaving = '".clean($postData['msaving'])."',
        dob = '".clean($postData['dob'])."',
        apnumber = '".clean($postData['apnumber'])."',
        comments = '".clean($postData['comments'])."',
        status = '".clean($postData['status'])."',
        time = '".time()."'
    ";
    executeSql($sql);
}

 

BTW, do I have to use it for time as well?

You should pass the data to mysql_real_escape_string last instead of first, and I really wouldn't use strip_tags when inserting data; I'd use it when retrieving and displaying the data.

 

No, time() isn't sent by the user, so no need to escape it. I wouldn't use a UNIX timestamp, though; I'd store YYYY-MM-DD hh:mm:ss in a DATETIME type field and populate it with MySQL's NOW() function. That format is much more flexible, and MySQL has a boatload of native functions for it.
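The two points in the reply above (SQL escaping must be the last transformation, and the timestamp belongs in a DATETIME column filled by NOW()) can be shown side by side. The following is an added example, not code from this thread or from either poster. It assumes a table named `loan_applications` with a `created_at DATETIME` column (the thread's unquoted name `table` is a MySQL reserved word and would itself cause a syntax error unless written as `` `table` ``), a caller-supplied mysqli connection for the insert (the old mysql_* extension was removed in PHP 7), and a small stand-in `demoEscape()` that reproduces what mysql_real_escape_string() does for the default connection charset so the first part runs without a database.

```php
<?php
// Added example for the thread above; not the original poster's code.
// Assumptions: table `loan_applications` with a DATETIME column `created_at`,
// a mysqli connection supplied by the caller, and demoEscape() standing in
// for mysql_real_escape_string() so the comparison runs offline.

// Stand-in for mysql_real_escape_string() with the default connection charset.
// Demonstration only; real code should use placeholders, not string building.
function demoEscape(string $s): string {
    return strtr($s, [
        "\\"   => "\\\\",
        "'"    => "\\'",
        "\""   => "\\\"",
        "\0"   => "\\0",
        "\n"   => "\\n",
        "\r"   => "\\r",
        "\x1a" => "\\Z",
    ]);
}

// Order from the thread's first clean(): escape, then htmlspecialchars, then
// strip_tags. The apostrophe the escaper just protected is rewritten to &#039;,
// so the literal now carries a stray backslash plus an HTML entity and the
// database stores HTML-encoded text instead of what the user typed.
function cleanEscapeFirst(string $v): string {
    return strip_tags(htmlspecialchars(demoEscape($v), ENT_QUOTES, 'UTF-8'));
}

// Order the reply recommends: only trim, then escape as the very last step.
// Tags stay in the data and are neutralised with htmlspecialchars() on output.
function cleanEscapeLast(string $v): string {
    return demoEscape(trim($v));
}

// Returns the quoted SQL literal each approach would embed for the same input.
function showLiterals(string $input): array {
    return [
        'escape_first' => "'" . cleanEscapeFirst($input) . "'",
        'escape_last'  => "'" . cleanEscapeLast($input) . "'",
    ];
}

// Prepared-statement version of insertP(): no escaping at all, the column
// list is fixed in code (never taken from the request), and the timestamp
// is written by MySQL's NOW() into a DATETIME column.
function insertApplication(mysqli $db, string $aname, array $postData): bool {
    $columns = ['cname', 'address', 'hnumber', 'altnumber', 'lamount',
                'mrepayments', 'ssn', 'dln', 'mincome', 'lpayday', 'npayday',
                'abalance', 'msaving', 'dob', 'apnumber', 'comments', 'status'];

    $values = [$aname];
    foreach ($columns as $col) {
        // A missing key becomes '' instead of raising a notice mid-query.
        $values[] = isset($postData[$col]) ? trim((string) $postData[$col]) : '';
    }

    $placeholders = implode(', ', array_fill(0, count($values), '?'));
    $sql = 'INSERT INTO `loan_applications` (aname, ' . implode(', ', $columns)
         . ', created_at) VALUES (' . $placeholders . ', NOW())';

    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    // All fields are bound as strings; MySQL converts numeric columns itself.
    $stmt->bind_param(str_repeat('s', count($values)), ...$values);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Offline demonstration with a constructed input containing a quote and a tag.
foreach (showLiterals("O'Brien <b>&</b>") as $label => $literal) {
    echo str_pad($label, 13), $literal, PHP_EOL;
}
```

Run the script with no database to see the two literals: `escape_first` yields `'O\&#039;Brien &lt;b&gt;&amp;&lt;/b&gt;'` while `escape_last` yields `'O\'Brien <b>&</b>'`, which MySQL stores as the original `O'Brien <b>&</b>`. With the prepared statement the question of ordering disappears, because the values never travel inside the SQL text at all; the only thing left to protect is the column list, which is why it is hard-coded rather than built from `$postData` keys.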

How about this function, bro?

 

function clean($value){
    if (is_array($value)){
        foreach($value as $k => $v){
            $value[$k] = clean($v);
        }
    }else{
        if(get_magic_quotes_gpc() == 1){
            $value = stripslashes($value);
        }
        $value = trim(htmlspecialchars($value, ENT_QUOTES, "utf-8")); //convert input into friendly characters to stop XSS
        $value = mysql_real_escape_string($value);
    }
    return $value;
}
