JapaneseRedhead Posted February 26, 2013 Share Posted February 26, 2013 Hello PHP Freaks, I've been trying to run this command from my website, but it always returns aan error, although it works on the phpmyadmin and on Terminal. So there must be something wrong with my code, I think. This is the command: INSERT INTO test VALUES ("hello"); My HTML and PHP documents are attachted. Can anyone see what is wrong? Thanks testQueryRunner.html run_query.php Quote Link to comment https://forums.phpfreaks.com/topic/274989-insert-mysql-command-returns-error/ Share on other sites More sharing options...
Love2c0de Posted February 26, 2013 Share Posted February 26, 2013 Have you got an 'ID' field in your database table? Regards, Lab. Quote Link to comment https://forums.phpfreaks.com/topic/274989-insert-mysql-command-returns-error/#findComment-1415213 Share on other sites More sharing options...
JapaneseRedhead Posted February 26, 2013 Author Share Posted February 26, 2013 No, I don't. The interesting fact, however, is that this command does work from Terminal and phpmyadmin. Perhaps I'm missing something, but doesn't that mean that there is nothing wrong the way I've set up the database, but rather with the code? Thanks for your help. Quote Link to comment https://forums.phpfreaks.com/topic/274989-insert-mysql-command-returns-error/#findComment-1415214 Share on other sites More sharing options...
Love2c0de Posted February 26, 2013 Share Posted February 26, 2013 Does your problem lie when you host it online? If so have you changed your sql connection values in your "database_connection.php" script? Regards, L2c. Quote Link to comment https://forums.phpfreaks.com/topic/274989-insert-mysql-command-returns-error/#findComment-1415218 Share on other sites More sharing options...
JapaneseRedhead Posted February 26, 2013 Author Share Posted February 26, 2013 I checked out the database_connection.php, and the input is still up-to-date. That the SELECT command works makes me think that this is not the issue. The error that is returned when I give the INSERT command is: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\"hello\")' at line 1 I don't know what to make of it, since this error doesn't appear at other times... Quote Link to comment https://forums.phpfreaks.com/topic/274989-insert-mysql-command-returns-error/#findComment-1415221 Share on other sites More sharing options...
Barand Posted February 26, 2013 Share Posted February 26, 2013 I always use single quotes inside queries. Does it work if you use INSERT INTO test VALUES ('hello'); Quote Link to comment https://forums.phpfreaks.com/topic/274989-insert-mysql-command-returns-error/#findComment-1415224 Share on other sites More sharing options...
JapaneseRedhead Posted February 26, 2013 Author Share Posted February 26, 2013 Unfortunately it does not. Would somebody mind going to my website (http://3j-network.com/testQueryRunner.html) and putting in the command INSERT INTO test VALUES ("hello"); and seeing what happens? Perhaps someone can find a solution that way... Quote Link to comment https://forums.phpfreaks.com/topic/274989-insert-mysql-command-returns-error/#findComment-1415226 Share on other sites More sharing options...
Barand Posted February 26, 2013 Share Posted February 26, 2013 If you got an email from someone you didn't know saying "Click this link", would you? Quote Link to comment https://forums.phpfreaks.com/topic/274989-insert-mysql-command-returns-error/#findComment-1415228 Share on other sites More sharing options...
JapaneseRedhead Posted February 26, 2013 Author Share Posted February 26, 2013 Oh, IC. I understand. Does this issue sound familiar at all? that the command works from phpmyadmin and Terminal but not from the website? Here is my code that I attached earlier. HTML: <!DOCTYPE html><html> <head> <title>English Assessment Test - 3J-Network</title> </head> <body><table align="center"><tr><td width="610"> <table><tr> <td> <p><form action="scripts/run_query.php" method="POST"> <fieldset> <textarea id="query_text" name="query" cols="65" rows="8"></textarea> </fieldset> <br /> <fieldset class="center"> <input type="submit" value="Run Query"> <input type="reset" value="Clear and Restart" /> </fieldset> </form></p> </td> </tr></table> </td></tr></table></body></html> PHP: <?phprequire '/homepages/9/d445176724/htdocs/firhavenacademy/scripts/app_config.php';require '/homepages/9/d445176724/htdocs/firhavenacademy/scripts/database_connection.php';$query = $_REQUEST['query'];$result = mysql_query($query);if (!$result) { die("<p>Error: " . mysql_error() . "</p>");} else { mysql_query($query); echo "<ul>"; while ($row = mysql_fetch_row($result)) { echo "<li>{$row[0]}</li>"; } echo "</ul>";}?> Thanks for your help so far. Quote Link to comment https://forums.phpfreaks.com/topic/274989-insert-mysql-command-returns-error/#findComment-1415231 Share on other sites More sharing options...
Jessica Posted February 27, 2013 Share Posted February 27, 2013 You're letting just anyone run SQL queries???? Quote Link to comment https://forums.phpfreaks.com/topic/274989-insert-mysql-command-returns-error/#findComment-1415248 Share on other sites More sharing options...
Love2c0de Posted February 27, 2013 Share Posted February 27, 2013 I'd block all attempts at someone trying to enter DELETE or UPDATE for example. I wouldn't let anyone run a query at all though. Regards, L2c. Quote Link to comment https://forums.phpfreaks.com/topic/274989-insert-mysql-command-returns-error/#findComment-1415257 Share on other sites More sharing options...
AyKay47 Posted February 27, 2013 Share Posted February 27, 2013 You most likely have magic_quotes_gpc enabled which is escaping the double quotes and throwing the query off. That being said, your script is WIDE open to SQL injection as you are not sanitizing the user input whatsoever not to mention the gaping security holes that allowing a user complete control of your database causes. I cannot think of a scenario where I would give a user complete control of my database, what is your logic here and we will help you to implement it correctly. Quote Link to comment https://forums.phpfreaks.com/topic/274989-insert-mysql-command-returns-error/#findComment-1415258 Share on other sites More sharing options...
Barand Posted February 27, 2013 Share Posted February 27, 2013 I'd block all attempts at someone trying to enter DELETE or UPDATE for example. I wouldn't let anyone run a query at all though. Regards, L2c. Yeah. DROP is OK. Only allow if starts with "SELECT" if you must allow such input. You could restrict the privileges with the login. Quote Link to comment https://forums.phpfreaks.com/topic/274989-insert-mysql-command-returns-error/#findComment-1415259 Share on other sites More sharing options...
Love2c0de Posted February 27, 2013 Share Posted February 27, 2013 Yeah. DROP is OK. I stated those were examples, implying there were more possible dangerous queries. Kind regards, L2c. Quote Link to comment https://forums.phpfreaks.com/topic/274989-insert-mysql-command-returns-error/#findComment-1415261 Share on other sites More sharing options...
JapaneseRedhead Posted February 27, 2013 Author Share Posted February 27, 2013 Thank you all for your warnings. I've taken the page down. Quote Link to comment https://forums.phpfreaks.com/topic/274989-insert-mysql-command-returns-error/#findComment-1415407 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.