lovephp Posted November 16, 2012
Hey friends, why am I getting this error when I use "don't" in a form?

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 't ', status = '', time = '135310002' at line 18

Thread: https://forums.phpfreaks.com/topic/270806-sql-syntax-error-why/
Pikachu2000 Posted November 16, 2012
You aren't escaping your data. Which, incidentally, also leaves you open to SQL injection. mysql_real_escape_string
lovephp (Author) Posted November 16, 2012
Oh yes, would this be the right way to do it?

function insertP($postData) {
    $postData = mysql_real_escape_string(trim(strip_tags($postData))); // I'm doing it here?
    $sql = "
        INSERT INTO table SET
        aname = '".$_SESSION['aname']."',
        cname = '".$postData['cname']."',
        address = '".$postData['address']."',
        hnumber = '".$postData['hnumber']."',
        altnumber = '".$postData['altnumber']."',
        lamount = '".$postData['lamount']."',
        mrepayments = '".$postData['mrepayments']."',
        ssn = '".$postData['ssn']."',
        dln = '".$postData['dln']."',
        mincome = '".$postData['mincome']."',
        lpayday = '".$postData['lpayday']."',
        npayday = '".$postData['npayday']."',
        abalance = '".$postData['abalance']."',
        msaving = '".$postData['msaving']."',
        dob = '".$postData['dob']."',
        apnumber = '".$postData['apnumber']."',
        comments = '".$postData['comments']."',
        status = '".$postData['status']."',
        time = '".time()."'
    ";
    executeSql($sql);
}
Pikachu2000 Posted November 16, 2012
You can't use any of those functions on an entire array at once.
lovephp (Author) Posted November 16, 2012
What would be the best way?
Pikachu2000 Posted November 16, 2012
If you insist on a one-size-fits-all approach, and your arrays are not multidimensional, you could use array_map.
lovephp (Author) Posted November 16, 2012
How about like this?

function clean($str){
    $str = mysql_real_escape_string($str);
    $str = htmlspecialchars($str);
    $str = strip_tags($str);
    return($str);
}

///////////////////////////////////

function insertP($postData) {
    $sql = "
        INSERT INTO table SET
        aname = '".$_SESSION['aname']."',
        cname = '".clean($postData['cname'])."',
        address = '".clean($postData['address'])."',
        hnumber = '".clean($postData['hnumber'])."',
        altnumber = '".clean($postData['altnumber'])."',
        lamount = '".clean($postData['lamount'])."',
        mrepayments = '".clean($postData['mrepayments'])."',
        ssn = '".clean($postData['ssn'])."',
        dln = '".clean($postData['dln'])."',
        mincome = '".clean($postData['mincome'])."',
        lpayday = '".clean($postData['lpayday'])."',
        npayday = '".clean($postData['npayday'])."',
        abalance = '".clean($postData['abalance'])."',
        msaving = '".clean($postData['msaving'])."',
        dob = '".clean($postData['dob'])."',
        apnumber = '".clean($postData['apnumber'])."',
        comments = '".clean($postData['comments'])."',
        status = '".clean($postData['status'])."',
        time = '".time()."'
    ";
    executeSql($sql);
}

By the way, do I have to use it for time as well?
Pikachu2000 Posted November 16, 2012
You should pass the data to mysql_real_escape_string last instead of first, and I really wouldn't use strip_tags when inserting data; I'd use it when retrieving and displaying the data. No, time() isn't sent by the user, so no need to escape it. I wouldn't use a UNIX timestamp, though; I'd store YYYY-MM-DD hh:mm:ss in a DATETIME type field and populate it with MySQL's NOW() function. That format is much more flexible, and MySQL has a boatload of native functions for it.
lovephp (Author) Posted November 16, 2012
Thanks, bro. So which functions shall I add up in the clean function?
1. mysql_real_escape_string
2. htmlspecialchars
3. stripslashes ???
4. trim ???
Any more I should add?
Pikachu2000 Posted November 16, 2012
trim() should really be part of your validation routine, then all you need to do is make sure strings are escaped and numeric values are indeed numeric before the query is executed.
lovephp (Author) Posted November 16, 2012
How about this function, bro?

function clean($value){
    if (is_array($value)){
        foreach($value as $k => $v){
            $value[$k] = clean($v);
        }
    }else{
        if(get_magic_quotes_gpc() == 1){
            $value = stripslashes($value);
        }
        $value = trim(htmlspecialchars($value, ENT_QUOTES, "utf-8")); // convert input into friendly characters to stop XSS
        $value = mysql_real_escape_string($value);
    }
    return $value;
}
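An added example, not code posted by lovephp or Pikachu2000, that applies the advice given in the replies above: trim and type-check inside a validation routine, escape strings as the last step and only for string columns, and let MySQL fill a DATETIME column with NOW(). It also shows the prepared-statement form, which sends values separately from the SQL text so an apostrophe in "don't" can never change the statement. It uses mysqli instead of the mysql_* functions discussed in the thread (those were removed in PHP 7). The column subset, the type assigned to each column, and the connection placeholders are assumptions made for illustration.

```php
<?php
// Added example for this thread, not code posted by lovephp or Pikachu2000.
// Validation first (trim, type checks), escaping or binding last, NOW() for
// the time column. Column subset and per-column rules are assumptions.

declare(strict_types=1);

// Assumed field classes for a few of the thread's columns.
const TEXT_FIELDS   = ['cname', 'address', 'comments'];
const DIGIT_FIELDS  = ['hnumber', 'ssn'];      // digit strings, leading zeros kept
const AMOUNT_FIELDS = ['lamount', 'mincome'];  // decimal amounts

/**
 * Validation routine: trims every field, rejects non-digit or non-numeric
 * input where a number is expected, and returns [cleanValues, errors].
 * Nothing is escaped here; escaping depends on how the value reaches MySQL.
 */
function validateP(array $postData): array
{
    $clean = [];
    $errors = [];
    foreach (TEXT_FIELDS as $f) {
        $clean[$f] = trim((string)($postData[$f] ?? ''));
    }
    foreach (DIGIT_FIELDS as $f) {
        $v = trim((string)($postData[$f] ?? ''));
        if (!ctype_digit($v)) { $errors[] = "$f must contain digits only"; continue; }
        $clean[$f] = $v;
    }
    foreach (AMOUNT_FIELDS as $f) {
        $v = trim((string)($postData[$f] ?? ''));
        if (!is_numeric($v)) { $errors[] = "$f must be a number"; continue; }
        $clean[$f] = (float)$v;
    }
    return [$clean, $errors];
}

/**
 * String-built query in the thread's style: real_escape_string is the LAST
 * step and is applied only to string columns; amounts are emitted unquoted
 * from the float produced by validation, so no user text reaches them.
 */
function buildInsertEscaped(mysqli $db, array $clean, string $aname): string
{
    $sql = "INSERT INTO `table` SET aname = '" . $db->real_escape_string($aname) . "'";
    foreach (TEXT_FIELDS as $f) {
        $sql .= ", $f = '" . $db->real_escape_string($clean[$f]) . "'";
    }
    foreach (DIGIT_FIELDS as $f) {   // validated as digits only, stored as a string
        $sql .= ", $f = '" . $clean[$f] . "'";
    }
    foreach (AMOUNT_FIELDS as $f) {
        $sql .= sprintf(", %s = %.2F", $f, $clean[$f]);
    }
    return $sql . ', time = NOW()';  // DATETIME column filled by MySQL
}

/**
 * Preferred form: a prepared statement binds the values apart from the SQL
 * text, so quoting mistakes (the thread's "don't" error) cannot occur.
 */
function insertPrepared(mysqli $db, array $clean, string $aname): int
{
    $stmt = $db->prepare(
        'INSERT INTO `table` SET aname = ?, cname = ?, address = ?, comments = ?, '
        . 'hnumber = ?, ssn = ?, lamount = ?, mincome = ?, time = NOW()'
    );
    $stmt->bind_param('ssssssdd', $aname, $clean['cname'], $clean['address'],
        $clean['comments'], $clean['hnumber'], $clean['ssn'],
        $clean['lamount'], $clean['mincome']);
    $stmt->execute();
    return $stmt->affected_rows;
}

// Constructed form input reproducing the apostrophe that triggered the error,
// plus two values that should fail validation (ssn, mincome).
$form = ['cname' => "O'Brien", 'address' => "don't know", 'comments' => "I don't",
         'hnumber' => '0123456789', 'ssn' => '12x', 'lamount' => '1500',
         'mincome' => '2,000'];

[$clean, $errors] = validateP($form);
print_r($errors);  // rejected fields are listed here; the apostrophes cause no error

// Database step (placeholder credentials), reached only when validation passed.
if ($errors === []) {
    $db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
    $db->set_charset('utf8mb4');  // escaping must match the connection charset
    $db->query(buildInsertEscaped($db, $clean, 'agent01'));
    insertPrepared($db, $clean, 'agent01');
}
```

The htmlspecialchars() call in the function above changes the stored data ("don't" becomes "don&#039;t"); output encoding belongs at display time, as Pikachu2000 says of strip_tags, so this example leaves it out of the write path. The set_charset() call matters for the escaped variant: real_escape_string quotes according to the connection's character set, and a mismatch between the PHP side and the server side is the classic way an escaped string still breaks a query.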