JapaneseRedhead, posted February 26, 2013

Hello PHP Freaks, I've been trying to run this command from my website, but it always returns an error, although it works in phpMyAdmin and in Terminal. So there must be something wrong with my code, I think. This is the command:

    INSERT INTO test VALUES ("hello");

My HTML and PHP documents are attached. Can anyone see what is wrong? Thanks.

Attachments: testQueryRunner.html, run_query.php
Love2c0de, posted February 26, 2013

Have you got an 'ID' field in your database table? Regards, Lab.
JapaneseRedhead (author), posted February 26, 2013

No, I don't. The interesting fact, however, is that this command does work from Terminal and phpMyAdmin. Perhaps I'm missing something, but doesn't that mean that there is nothing wrong with the way I've set up the database, but rather with the code? Thanks for your help.
Love2c0de, posted February 26, 2013

Does your problem only appear when you host it online? If so, have you changed your SQL connection values in your "database_connection.php" script? Regards, L2c.
JapaneseRedhead (author), posted February 26, 2013

I checked database_connection.php, and the values are still up to date. That the SELECT command works makes me think that this is not the issue. The error that is returned when I give the INSERT command is:

    You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\"hello\")' at line 1

I don't know what to make of it, since this error doesn't appear at other times...
Barand, posted February 26, 2013

I always use single quotes inside queries. Does it work if you use

    INSERT INTO test VALUES ('hello');
JapaneseRedhead (author), posted February 26, 2013

Unfortunately it does not. Would somebody mind going to my website (http://3j-network.com/testQueryRunner.html), putting in the command INSERT INTO test VALUES ("hello"); and seeing what happens? Perhaps someone can find a solution that way...
Barand, posted February 26, 2013

If you got an email from someone you didn't know saying "Click this link", would you?
JapaneseRedhead (author), posted February 26, 2013

Oh, I see. I understand. Does this issue sound familiar at all, that the command works from phpMyAdmin and Terminal but not from the website? Here is the code that I attached earlier.

HTML (testQueryRunner.html):

    <!DOCTYPE html>
    <html>
    <head>
      <title>English Assessment Test - 3J-Network</title>
    </head>
    <body>
    <table align="center"><tr><td width="610">
      <table><tr><td>
        <!-- The textarea's content is sent as the "query" field to run_query.php -->
        <form action="scripts/run_query.php" method="POST">
          <fieldset>
            <textarea id="query_text" name="query" cols="65" rows="8"></textarea>
          </fieldset>
          <br />
          <fieldset class="center">
            <input type="submit" value="Run Query" />
            <input type="reset" value="Clear and Restart" />
          </fieldset>
        </form>
      </td></tr></table>
    </td></tr></table>
    </body>
    </html>

PHP (run_query.php):

    <?php
    require '/homepages/9/d445176724/htdocs/firhavenacademy/scripts/app_config.php';
    require '/homepages/9/d445176724/htdocs/firhavenacademy/scripts/database_connection.php';

    // The raw request text is passed straight to the server as SQL.
    $query = $_REQUEST['query'];
    $result = mysql_query($query);

    if (!$result) {
        die("<p>Error: " . mysql_error() . "</p>");
    }

    // Print the first column of every row the statement returned.
    // (The original called mysql_query($query) a second time here, which ran
    // the statement twice; that call has been removed.)
    echo "<ul>";
    while ($row = mysql_fetch_row($result)) {
        echo "<li>{$row[0]}</li>";
    }
    echo "</ul>";
    ?>

Thanks for your help so far.
Jessica, posted February 27, 2013

You're letting just anyone run SQL queries????
Love2c0de, posted February 27, 2013

I'd block all attempts at someone trying to enter DELETE or UPDATE, for example. I wouldn't let anyone run a query at all, though. Regards, L2c.
AyKay47, posted February 27, 2013

You most likely have magic_quotes_gpc enabled, which is escaping the double quotes and throwing the query off. That being said, your script is WIDE open to SQL injection, as you are not sanitizing the user input whatsoever, not to mention the gaping security holes that allowing a user complete control of your database causes. I cannot think of a scenario where I would give a user complete control of my database. What is your logic here? We will help you to implement it correctly.
Barand, posted February 27, 2013

> I'd block all attempts at someone trying to enter DELETE or UPDATE, for example. I wouldn't let anyone run a query at all, though. Regards, L2c.

Yeah. DROP is OK. Only allow it if it starts with "SELECT", if you must allow such input. You could restrict the privileges with the login.
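The two threads of advice above (AyKay47's magic_quotes_gpc diagnosis and the prefix filter versus account privileges discussed by Love2c0de and Barand) are easier to weigh with a runnable model. The following is an added example, not code from the thread or from the poster's site. It assumes SQLite in place of MySQL, a constructed two-table schema ("test" as in the thread, plus a "users" table the query runner was never meant to expose), and SQLite's authorizer callback standing in for a MySQL account granted only SELECT on "test"; the helper names are made up for this illustration.

```python
import re
import sqlite3


def magic_quotes_gpc(value):
    """Emulate what PHP's magic_quotes_gpc did to every request value:
    addslashes(), i.e. prefix ' " \\ and NUL with a backslash.
    This is what turns ("hello") into (\\"hello\\") before the SQL runs."""
    out = []
    for ch in value:
        if ch in "'\"\\":
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def fresh_db():
    """Constructed in-memory schema (assumption, not the poster's database):
    the thread's 'test' table plus a table that should never be reachable."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE test (value TEXT);
        CREATE TABLE users (name TEXT, password_hash TEXT);
        INSERT INTO users VALUES ('admin', 'constructed-hash');
        """
    )
    return conn


def run_raw(conn, sql):
    """The pattern in run_query.php: request text goes to the server as-is.
    Returns the first column of each row, or the server's error text."""
    try:
        return [row[0] for row in conn.execute(sql).fetchall()]
    except sqlite3.Error as exc:
        return "Error: " + str(exc)


def starts_with_select(sql):
    """The 'only allow it if it starts with SELECT' filter."""
    return re.match(r"\s*select\b", sql, re.IGNORECASE) is not None


def restrict_to_select_on_test(conn):
    """Stand-in for 'GRANT SELECT ON db.test TO webuser': deny every action
    except SELECT statements that read columns of the 'test' table."""

    def authorizer(action, arg1, arg2, db_name, trigger):
        if action == sqlite3.SQLITE_SELECT:
            return sqlite3.SQLITE_OK
        if action == sqlite3.SQLITE_READ and arg1 == "test":
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY

    conn.set_authorizer(authorizer)


def insert_value(conn, value):
    """What the poster actually wanted: one fixed statement with the user's
    text bound as a parameter, so quoting and escaping never touch the SQL.
    Returns the stored value."""
    conn.execute("INSERT INTO test VALUES (?)", (value,))
    return conn.execute("SELECT value FROM test").fetchall()[-1][0]


if __name__ == "__main__":
    db = fresh_db()
    # 1. The thread's symptom: escaping, not the quote style, breaks the statement.
    print(magic_quotes_gpc('INSERT INTO test VALUES ("hello")'))
    print(run_raw(db, magic_quotes_gpc("INSERT INTO test VALUES ('hello')")))
    # 2. A SELECT-only prefix filter still lets a visitor read any table.
    leak = "SELECT password_hash FROM users"
    print(starts_with_select(leak), run_raw(db, leak))
    # 3. Restricting the account does what the filter cannot.
    restrict_to_select_on_test(db)
    print(run_raw(db, leak), run_raw(db, "DROP TABLE test"))
    # 4. The intended insert, done with a bound parameter.
    print(insert_value(fresh_db(), '"hello"'))
```

The escaped statement fails whether it uses single or double quotes, which is why switching quote styles did not help the poster. The prefix filter passes "SELECT password_hash FROM users" and returns the hash; the restricted account rejects that statement and DROP alike while still answering "SELECT value FROM test". Single-statement execution (which mysql_query also enforces) does not help against the SELECT leak, since the damage is done by one legitimate SELECT.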
Love2c0de, posted February 27, 2013

> Yeah. DROP is OK.

I stated those were examples, implying there were more possible dangerous queries. Kind regards, L2c.
JapaneseRedhead (author), posted February 27, 2013

Thank you all for your warnings. I've taken the page down.