Sql Syntax Error Why?

[lovephp]

hey friends why am i getting this error when i use don't in form?

 

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 't ', status = '', time = '135310002' at line 18

[Pikachu2000]

You aren't escaping your data. Which, incidentally, also leaves you open to SQL injection. mysql_real_escape_string

[lovephp]

oh yes, would this be the right way to do it?

 

function insertP($postData) {

$postData = mysql_real_escape_string(trim(strip_tags($postData)));// im doing it here?


				 $sql = " INSERT INTO table SET
				 aname = '".$_SESSION['aname']."',
cname = '".$postData['cname']."',
address = '".$postData['address']."',
hnumber = '".$postData['hnumber']."',
altnumber = '".$postData['altnumber']."',
lamount = '".$postData['lamount']."',
mrepayments = '".$postData['mrepayments']."',
ssn = '".$postData['ssn']."',
dln = '".$postData['dln']."',
				 mincome = '".$postData['mincome']."',
				 lpayday = '".$postData['lpayday']."',
				 npayday = '".$postData['npayday']."',
				 abalance = '".$postData['abalance']."',
				 msaving = '".$postData['msaving']."',
				 dob = '".$postData['dob']."',
				 apnumber = '".$postData['apnumber']."',
				 comments = '".$postData['comments']."',
				 status = '".$postData['status']."',
			 time = '".time()."'
";
executeSql($sql);

[Pikachu2000]

You can't use any of those functions on an entire array at once.

[lovephp]

what would be the best way?

[Pikachu2000]

If you insist on a one-size-fits-all approach, and your arrays are not multidimensional, you could use array_map.

[lovephp]

how bout like this?

 

    function clean($str){
			 $str = mysql_real_escape_string($str);
			 $str = htmlspecialchars($str);
			 $str = strip_tags($str);
		 return($str);
   )
///////////////////////////////////    
   function insertP($postData) {        

				    $sql = " INSERT INTO table SET
				    aname = '".$_SESSION['aname']."',
           cname = '".clean($postData['cname'])."',
           address    = '".clean($postData['address'])."',
           hnumber = '".clean($postData['hnumber'])."',
           altnumber = '".clean($postData['altnumber'])."',
           lamount = '".clean($postData['lamount'])."',
           mrepayments = '".clean($postData['mrepayments'])."',
           ssn = '".clean($postData['ssn'])."',
           dln = '".clean($postData['dln'])."',
				    mincome    = '".clean($postData['mincome'])."',
				    lpayday    = '".clean($postData['lpayday'])."',
				    npayday    = '".clean($postData['npayday'])."',
				    abalance = '".clean($postData['abalance'])."',
				    msaving    = '".clean($postData['msaving'])."',
				    dob    = '".clean($postData['dob'])."',
				    apnumber = '".clean($postData['apnumber'])."',
				    comments = '".clean($postData['comments'])."',
				    status    = '".clean($postData['status'])."',
    				 time    = '".time()."'
           ";
           executeSql($sql);

		 }

 

btw do i have to use it for time aswell?

[Pikachu2000]

You should pass the data to mysql_real_escape_string last instead of first, and I really wouldn't use strip_tags when inserting data, I'd use it when retrieving and displaying the data.

 

No, time() isn't sent by the user, so no need to escape it. I wouldn't use a UNIX timestamp, though, I'd store YYYY-MM-DD hh:mm:ss in a DATETIME type field and populate it with MySQL's NOW() function. That format is much more flexible, and MySQL has a boat load of native functions for it.

[lovephp]

thanks bro. so which all functions shall i add up in the clean function?

 

 

1. mysql_real_escape_string

2. htmlspecialchars

 

3. stripslashes ???

 

4. trim??? anymore shall i add up?

[Pikachu2000]

trim() should really be part of your validation routine, then all you need to do is make sure strings are escaped and numeric values are indeed numeric before the query is executed.

[lovephp]

how about this function bro ?

 

function clean($value){
               if (is_array($value)){
                       foreach($value as $k => $v){
                               $value[$k] = clean($v);
                       }
               }else{
                       if(get_magic_quotes_gpc() == 1){
                               $value = stripslashes($value);
                       }
                       $value = trim(htmlspecialchars($value, ENT_QUOTES, "utf-8")); //convert input into friendly characters to stop XSS
                       $value = mysql_real_escape_string($value);
               }   
               return $value;
       }