bluebyyou Posted June 29, 2007

When I try this I get the "Unknown column in 'field list'" error:

```php
$newtext = stripslashes(strip_tags($_POST['text']));
$query = "INSERT INTO piccomment (picid,posterid,postername,comment) VALUES ('$_POST[picid]','$_POST[posterid]','$_POST[postername]',$newtext)";
query_db($query);
```

It works fine when I'm just doing:

```php
"INSERT INTO piccomment (picid,posterid,postername,comment) VALUES ('$_POST[picid]','$_POST[posterid]','$_POST[postername]','$_POST[text]')";
```

btherl Posted June 29, 2007

You probably need single quotes around $newtext. Also you should escape $newtext with mysql_real_escape_string(), as well as all the other variables, to avoid mysql injection.

bluebyyou Posted June 29, 2007 (Author)

When I put the single quote around it, this error happens:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1

bubblegum.anarchy Posted June 29, 2007

Try applying the mysql_real_escape_string() function to $newtext before the query string instantiation.

bluebyyou Posted June 29, 2007 (Author)

I added in mysql_real_escape_string() and am still getting "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1". However, when I submit the form once it works; the second time I try is when I get the error. So it looks like it might not be a problem with my query.

I am going to post my code. It is kind of confusing and is mostly uncommented, so I hope someone can help me make sense of it. I commented where I thought the problem was.

http://www.wiuartinny.com/pic.php?id=38 << You can see the page here (except the comment form, because that's for logged in users only)

```php
<?php
session_start(); // START SESSION (MUST BE FIRST ON EVERY PAGE)
include("header.php");
include("db_connect.php");

if (isset($_POST['submitcomment'])) // CHECK IF COMMENT WAS SUBMITTED
{
    //IF COMMENT SUBMITTED INSERT INTO DATABASE
    $newtext = stripslashes(strip_tags($_POST['text']));
    $finaltext = mysql_real_escape_string($newtext); //HERE IS WHERE I THOUGHT THE PROBLEM WAS
    $query = "INSERT INTO piccomment (picid,posterid,postername,comment) VALUES ('$_POST[picid]','$_SESSION[user]','$_POST[postername]','$finaltext')";
    query_db($query);

    //RELOAD PAGE WITH THE PICTURE ID SENT FROM THE COMMENT FORM
    $query2 = "SELECT * FROM pic WHERE pictureid = $_POST[picid]";
    query_db($query2);
    unset($_POST); //ADDED IN TO TRY AND FIX PROBLEM(NOT DOING IT)
}
else
{
    //LOAD PAGE WITH PICTURE ID FROM GALLERY PAGE
    $query2 = "SELECT * FROM pic WHERE pictureid = $_GET[id]";
    query_db($query2);
}
$row = mysql_fetch_array($result);
extract($row);
?>
<div id="gallerynav">
    <a href="gallery.php"> Go back to the gallery </a>
</div>
<div id="gallery">
    <div id="galfloatleft">
        <h2><?php if ($picturetitle == ""){ echo "Untitled"; } else {echo $picturetitle;} ?></h2>
    </div>
    <div id="galfloatright">
        <br>
        <a href="#">Prev</a> | <a href="#">Next</a>
    </div>
</div>
<div id="gallerynav">
<?php
$query = "SELECT * FROM member WHERE memberid = $pictureuserid";
query_db($query);
$row = mysql_fetch_array($result);
extract($row);
$timestamp = strtotime($picturedate);
$format_date = date("F n",$timestamp);
?>
<center>
<table>
<tr><td align="right">Photographer:</td><td align="left"><?php echo $fname." ".$lname; ?></td></tr>
<tr><td align="right">Year:</td><td align="left"><?php echo $pictureyear; ?></td></tr>
<tr><td align="right">Day:</td><td align="left"><?php echo $pictureday; ?></td></tr>
<tr><td align="right">Date:</td><td align="left"><?php echo $format_date; ?></td></tr>
<tr><td align="right">Location:</td><td align="left"><?php echo $picturelocation; ?></td></tr>
<?php
if ($picturetag != "")
{
    $query = "SELECT * FROM member";
    query_db($query);
    $row = mysql_fetch_array($result);
?>
<tr><td colspan="2" align="center"><br /></td></tr>
<tr><td colspan="2" align="center">In this photo:</td></tr>
<tr><td colspan="2" align="center">
<?php
    $array = explode(",",$picturetag);
    foreach ($array as $name)
    {
        if (in_array($name,$row))
        {
            $query2 = "SELECT fname,lname FROM member WHERE memberid = $name";
            query_db2($query2);
            $row2 = mysql_fetch_array($result2);
            echo "<a href='profile.php?id=$name'>$row2[0] $row2[1]</a><br />";
        }
    }
}?>
</td></tr>
</table>
</center>
</div>
<div id="gallery">
    <img id="larger" src="<?php echo "uploads/$picturefile"; ?>">
</div>
<?php if ($_SESSION['auth'] == "yes"){ ?>
<div id="gallery">
    <h3>Add a comment:</h3>
    <form name="addcomment" method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
        <input type="hidden" name="picid" value="<?php echo $id; ?>">
        <input type="hidden" name="posterid" value="<?php echo $_SESSION['user']; ?>">
        <input type="hidden" name="postername" value="<?php echo $_SESSION['fname']." ".$_SESSION['lname']; ?>">
        <textarea name="text" cols="49" rows="4"></textarea><br><br>
        <input name="submitcomment" type="submit" value="submit"><br><br>
    </form>
</div>
<?php } ?>
<?php
$query = "SELECT * FROM piccomment WHERE picid = $pictureid";
query_db($query);
$num = mysql_num_rows($result);
if ($num > 0){
?>
<div id="gallery">
    <h2>Comments</h2>
    <?php
    while ($row = mysql_fetch_array($result))
    {
        extract($row);
    ?>
    <div id="comment">
        <div id="commentpic"><img src="images/nopic.gif"></div>
        <div id='commenttext'>
            <h4><a href="profile.php?id=<?php echo $posterid; ?>"><?php echo $postername; ?></a> wrote:</h4>
            <p><?php echo $comment; ?></p>
        </div>
    </div>
    <?php } ?>
</div>
<?php } ?>
<?php include("footer.php"); ?>
```

bluebyyou Posted June 29, 2007 (Author)

I think I have gotten everything else on the page working now. I'm just having trouble formatting the MySQL injection prevention stuff; what am I doing wrong there?

```php
    //RELOAD PAGE WITH THE PICTURE ID SENT FROM THE COMMENT FORM
    $srippicid = stripslashes(strip_tags($_POST['picid'])); //not working
    $escapepicid = mysql_real_escape_string($strippicid); //not working
    $query2 = "SELECT * FROM pic WHERE pictureid = '$escapepicid'"; //not working
    query_db2($query2);
    $row2 = mysql_fetch_array($result2);
    extract($row2);
}
else
{
    //LOAD PAGE WITH PICTURE ID FROM GALLERY PAGE
    $srippicid = stripslashes(strip_tags($_GET['id'])); //not working
    $escapepicid = mysql_real_escape_string($strippicid); //not working
    $query2 = "SELECT * FROM pic WHERE pictureid = '$_GET[id]'"; //WORKING!!
    query_db2($query2);
    $row2 = mysql_fetch_array($result2);
    extract($row2);
```

bubblegum.anarchy Posted June 29, 2007

```php
$srippicid = stripslashes(strip_tags($_POST['picid'])); //not working
$escapepicid = mysql_real_escape_string($strippicid); //not working
```

$srippicid is missing a t

bluebyyou Posted June 29, 2007 (Author)

Damn, thank you.

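Added example, not part of the original thread or any poster's code: the three cases the thread walks through (a value interpolated without quotes, a quoted but unescaped value, and bound parameters) run against a copy of the piccomment table. It assumes PHP with the pdo_sqlite extension; the in-memory SQLite database, the `try_sql` helper and the form values are constructed stand-ins for the thread's MySQL server and `$_POST` data. The mysql_* functions used in the posts were removed in PHP 7, so bound parameters take the place of manual escaping here.

```php
<?php
// Added example, not code from the thread. In-memory SQLite via PDO stands in
// for the thread's MySQL server so the script runs offline (assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE piccomment (picid INTEGER, posterid INTEGER, postername TEXT, comment TEXT)');

// Constructed stand-ins for $_POST and $_SESSION.
$post    = ['picid' => '38', 'postername' => "Pat O'Neil", 'text' => "it's <b>great</b>"];
$session = ['user' => 7];

// Hypothetical helper: run an interpolated statement and report the outcome.
function try_sql(PDO $db, string $sql): string
{
    try {
        $db->exec($sql);
        return 'ok';
    } catch (PDOException $e) {
        return 'error: ' . $e->getMessage();
    }
}

$text = strip_tags($post['text']); // "it's great"

// 1. Value interpolated without quotes: the parser reads the bare word as a
//    column name, which is the "Unknown column" failure from the first post.
$word = 'nice';
echo '1. ', try_sql($db, "INSERT INTO piccomment (picid,comment) VALUES (38, $word)"), "\n";

// 2. Quoted but not escaped: the apostrophe in the comment closes the string
//    literal early, so the statement is rejected (or rewritten by the input).
echo '2. ', try_sql($db, "INSERT INTO piccomment (picid,comment) VALUES (38, '$text')"), "\n";

// 3. Bound parameters: values never become part of the SQL text, so no quoting
//    or escaping step can be forgotten or applied to a misspelled variable.
$picid = filter_var($post['picid'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($picid === false) {
    exit("bad picture id\n");
}
$insert = $db->prepare('INSERT INTO piccomment (picid, posterid, postername, comment) VALUES (?, ?, ?, ?)');
$insert->execute([$picid, $session['user'], $post['postername'], $text]);

$select = $db->prepare('SELECT postername, comment FROM piccomment WHERE picid = ?');
$select->execute([$picid]);
foreach ($select as $row) {
    // Encode for HTML when printing, as the page echoes comments into markup.
    echo '3. ', htmlspecialchars($row['postername'], ENT_QUOTES, 'UTF-8'), ' wrote: ',
         htmlspecialchars($row['comment'], ENT_QUOTES, 'UTF-8'), "\n";
}
```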