bluebyyou Posted June 29, 2007

When I try this I get the "Unknown column in 'field list'" error:

```php
$newtext = stripslashes(strip_tags($_POST['text']));
$query = "INSERT INTO piccomment (picid,posterid,postername,comment) VALUES ('$_POST[picid]','$_POST[posterid]','$_POST[postername]',$newtext)";
query_db($query);
```

It works fine when I'm just doing:

```php
"INSERT INTO piccomment (picid,posterid,postername,comment) VALUES ('$_POST[picid]','$_POST[posterid]','$_POST[postername]','$_POST[text]')";
```

Link to comment https://forums.phpfreaks.com/topic/57655-solved-unknown-column-whatever-in-field-list/

btherl Posted June 29, 2007

You probably need single quotes around $newtext. Also you should escape $newtext with mysql_real_escape_string(), as well as all the other variables, to avoid mysql injection.

bluebyyou (Author) Posted June 29, 2007

When I put the single quote around it, this error happens:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1

bubblegum.anarchy Posted June 29, 2007

Try applying the mysql_real_escape_string() function to $newtext before the query string instantiation.

bluebyyou (Author) Posted June 29, 2007

I added in mysql_real_escape_string() and am still getting "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1".

However, when I submit the form once it works; the second time I try is when I get the error. So it looks like it might not be a problem with my query. I am going to post my code. It is kind of confusing and is mostly uncommented, so I hope someone can help me make sense of it. I commented where I thought the problem was.

http://www.wiuartinny.com/pic.php?id=38 << You can see the page here (except the comment form, because that's for logged-in users only).

```php
<?php
session_start(); // START SESSION (MUST BE FIRST ON EVERY PAGE)

include("header.php");
include("db_connect.php");

if (isset($_POST['submitcomment'])) // CHECK IF COMMENT WAS SUBMITTED
{
    //IF COMMENT SUBMITTED INSERT INTO DATABASE
    $newtext = stripslashes(strip_tags($_POST['text']));
    $finaltext = mysql_real_escape_string($newtext);

    //HERE IS WHERE I THOUGHT THE PROBLEM WAS
    $query = "INSERT INTO piccomment (picid,posterid,postername,comment) VALUES ('$_POST[picid]','$_SESSION[user]','$_POST[postername]','$finaltext')";
    query_db($query);

    //RELOAD PAGE WITH THE PICTURE ID SENT FROM THE COMMENT FORM
    $query2 = "SELECT * FROM pic WHERE pictureid = $_POST[picid]";
    query_db($query2);
    unset($_POST); //ADDED IN TO TRY AND FIX PROBLEM(NOT DOING IT)
}
else
{
    //LOAD PAGE WITH PICTURE ID FROM GALLERY PAGE
    $query2 = "SELECT * FROM pic WHERE pictureid = $_GET[id]";
    query_db($query2);
}
$row = mysql_fetch_array($result);
extract($row);
?>
<div id="gallerynav">
    <a href="gallery.php"> Go back to the gallery </a>
</div>
<div id="gallery">
    <div id="galfloatleft">
        <h2><?php if ($picturetitle == ""){ echo "Untitled"; } else {echo $picturetitle;} ?></h2>
    </div>
    <div id="galfloatright">
        <br>
        <a href="#">Prev</a> | <a href="#">Next</a>
    </div>
</div>
<div id="gallerynav">
<?php
$query = "SELECT * FROM member WHERE memberid = $pictureuserid";
query_db($query);
$row = mysql_fetch_array($result);
extract($row);
$timestamp = strtotime($picturedate);
$format_date = date("F n",$timestamp);
?>
<center>
<table>
<tr><td align="right">Photographer:</td><td align="left"><?php echo $fname." ".$lname; ?></td></tr>
<tr><td align="right">Year:</td><td align="left"><?php echo $pictureyear; ?></td></tr>
<tr><td align="right">Day:</td><td align="left"><?php echo $pictureday; ?></td></tr>
<tr><td align="right">Date:</td><td align="left"><?php echo $format_date; ?></td></tr>
<tr><td align="right">Location:</td><td align="left"><?php echo $picturelocation; ?></td></tr>
<?php
if ($picturetag != "")
{
    $query = "SELECT * FROM member";
    query_db($query);
    $row = mysql_fetch_array($result);
?>
<tr><td colspan="2" align="center"><br /></td></tr>
<tr><td colspan="2" align="center">In this photo:</td></tr>
<tr><td colspan="2" align="center">
<?php
    $array = explode(",",$picturetag);
    foreach ($array as $name)
    {
        if (in_array($name,$row))
        {
            $query2 = "SELECT fname,lname FROM member WHERE memberid = $name";
            query_db2($query2);
            $row2 = mysql_fetch_array($result2);
            echo "<a href='profile.php?id=$name'>$row2[0] $row2[1]</a><br />";
        }
    }
}?>
</td></tr>
</table>
</center>
</div>
<div id="gallery">
    <img id="larger" src="<?php echo "uploads/$picturefile"; ?>">
</div>
<? if ($_SESSION['auth'] == "yes"){ ?>
<div id="gallery">
    <h3>Add a comment:</h3>
    <form name="addcomment" method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
        <input type="hidden" name="picid" value="<?php echo $id; ?>">
        <input type="hidden" name="posterid" value="<?php echo $_SESSION['user']; ?>">
        <input type="hidden" name="postername" value="<?php echo $_SESSION['fname']." ".$_SESSION['lname']; ?>">
        <textarea name="text" cols="49" rows="4"></textarea><br><br>
        <input name="submitcomment" type="submit" value="submit"><br><br>
    </form>
</div>
<?php } ?>
<?php
$query = "SELECT * FROM piccomment WHERE picid = $pictureid";
query_db($query);
$num = mysql_num_rows($result);
if ($num > 0){ ?>
<div id="gallery">
    <h2>Comments</h2>
    <?php while ($row = mysql_fetch_array($result)) { extract($row); ?>
    <div id="comment">
        <div id="commentpic"><img src="images/nopic.gif"></div>
        <div id='commenttext'>
            <h4><a href="profile.php?id=<?php echo $posterid; ?>"><?php echo $postername; ?></a> wrote:</h4>
            <p><?php echo $comment; ?></p>
        </div>
    </div>
    <?php } ?>
</div>
<?php } ?>
<?php include("footer.php"); ?>
```

bluebyyou (Author) Posted June 29, 2007

I think I have gotten everything else on the page working now. I'm just having trouble formatting the MySQL injection prevention stuff. What am I doing wrong there?

```php
    //RELOAD PAGE WITH THE PICTURE ID SENT FROM THE COMMENT FORM
    $srippicid = stripslashes(strip_tags($_POST['picid'])); //not working
    $escapepicid = mysql_real_escape_string($strippicid); //not working
    $query2 = "SELECT * FROM pic WHERE pictureid = '$escapepicid'"; //not working
    query_db2($query2);
    $row2 = mysql_fetch_array($result2);
    extract($row2);
}
else
{
    //LOAD PAGE WITH PICTURE ID FROM GALLERY PAGE
    $srippicid = stripslashes(strip_tags($_GET['id'])); //not working
    $escapepicid = mysql_real_escape_string($strippicid); //not working
    $query2 = "SELECT * FROM pic WHERE pictureid = '$_GET[id]'"; //WORKING!!
    query_db2($query2);
    $row2 = mysql_fetch_array($result2);
    extract($row2);
```

bubblegum.anarchy Posted June 29, 2007

```php
$srippicid = stripslashes(strip_tags($_POST['picid'])); //not working
$escapepicid = mysql_real_escape_string($strippicid); //not working
```

$srippicid is missing a t

bluebyyou (Author) Posted June 29, 2007

Damn, thank you.
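
The quoting and escaping problems worked through in this thread disappear when values are bound as parameters instead of being interpolated into the SQL string; the following is an added example, not code from any poster, and the `mysql_*` functions used above were removed in PHP 7. It assumes PDO with an in-memory SQLite database standing in for the thread's MySQL tables so it runs offline, and the helper names `picture_id`, `add_comment` and `load_picture` are hypothetical.

```php
<?php
// Added example: in-memory SQLite stands in for the thread's MySQL database
// (assumption, so the script runs offline); only the DSN differs for MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pic (pictureid INTEGER PRIMARY KEY, picturetitle TEXT)');
$db->exec('CREATE TABLE piccomment (picid INTEGER, posterid INTEGER, postername TEXT, comment TEXT)');
$db->exec("INSERT INTO pic VALUES (38, 'Untitled')");

// Hypothetical helper: accept a picture id only if it is a positive integer.
function picture_id($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Hypothetical helper: values are bound, never pasted into the SQL text,
// so a missing quote or a skipped escape call cannot alter the statement.
function add_comment(PDO $db, int $picid, int $posterid, string $postername, string $text): void
{
    $stmt = $db->prepare(
        'INSERT INTO piccomment (picid, posterid, postername, comment)
         VALUES (:picid, :posterid, :postername, :comment)'
    );
    $stmt->execute([
        ':picid' => $picid, ':posterid' => $posterid,
        ':postername' => $postername, ':comment' => strip_tags($text),
    ]);
}

// Hypothetical helper: look up one picture row by its validated id.
function load_picture(PDO $db, int $picid): ?array
{
    $stmt = $db->prepare('SELECT * FROM pic WHERE pictureid = :id');
    $stmt->execute([':id' => $picid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed request data standing in for $_POST and $_SESSION.
$post = ['picid' => '38', 'text' => "It's a <b>great</b> shot, isn't it?"];
$session = ['user' => 7, 'fname' => 'Sam', 'lname' => "O'Neil"];

$picid = picture_id($post['picid']);
if ($picid !== null && load_picture($db, $picid) !== null) {
    // Poster identity comes from the session, not from hidden form fields.
    add_comment($db, $picid, $session['user'], $session['fname'] . ' ' . $session['lname'], $post['text']);
}
var_dump(picture_id('38 OR 1=1'));   // constructed non-integer id, rejected by validation
echo $db->query('SELECT comment FROM piccomment')->fetchColumn(), "\n";
```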
Archived
This topic is now archived and is closed to further replies.