[SOLVED] MySQL query, having a hard time :(


shlomikalfa


It's been 3 hours now that I'm trying to figure out what it is that I'm doing wrong,

so I figured what the heck, let's put it in here...

Are there any syntax/other errors in the code below?!!?

 

$sql = "INSERT INTO `db1`.`downloads` (
`Title` ,
`Category` ,
`Subcategory` ,
`Type` ,
`Links` ,
`LinksPass` ,
`SLinks` ,
`SLinksPass` ,
`Description` ,
`PicLinks` ,
`ExraInfo` ,
`ExtraLinks` ,
`Credits` ,
`Date` ,
`Uploader` ,
`Downloads` ,
`Comments`
)
VALUES {'".$_GET['title']."',
'".$_GET['categ']."',
'".$_GET['sbcat']."',
'".$_GET['lnktp']."',
'".$_GET['links']."',
'".$_GET['lnkpa']."',
'".$_GET['slink']."',
'".$_GET['slkpa']."',
'".$_GET['descr']."',
'".$_GET['picln']."',
'".$_GET['exten']."',
'".$_GET['acces']."',
'".$_GET['credt']."',
'',
'".$UserName."',
'',''}";
$result = mysql_query($sql, $link);
if (!$result) {
	echo "DB Error, could not query the database";
	echo 'MySQL Error: ' . mysql_error();
	exit;
}
exit

 

Thanks!


Me NOOB :(

 

this is the error:

DB Error, could not query the databaseMySQL Error: You have an error in your SQL syntax; check the manual 
that corresponds to your MySQL server version for the 
right syntax to use near '{"{RZR} WarCraft 3 (III) Reign of Choas",
"Games ",
" Strategy",
"[RS.com] Ra' at line 20


I think you need to escape all your input.  For example:

 ...
'".mysql_real_escape_string($_GET['sbcat'])."',
...

 

For EVERY input string.  Otherwise, people can send invalid input and hijack your database.  And that's bad.

 

You might want to print out your query too before executing it.  That helps a lot for debugging.


You've got all those string concatenations and stuff that makes it difficult to read. Make queries like:

 

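// Escape each request value once, into its own variable
$var1 = mysql_real_escape_string($_GET['var1']);
$var2 = mysql_real_escape_string($_GET['var2']);
// mysql_error() needs the parentheses, otherwise the error text is never printed
$query = @mysql_query("INSERT INTO table (column1, column2) VALUES('$var1', '$var2')") or die(mysql_error());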

 

In this way you clean the code and assign each GET variable to a different variable for ease of use in the query. You aren't forced to use "`db1`.`downloads`", as db1 is selected with mysql_select_db() and you just need to specify the table. Also smart quotes ` are optional, so don't use them.

By the way, you're getting an error because you have used VALUES{} and not VALUES().

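The escaping advice in the two replies above, taken one step further as an added example (not code from the thread): the same INSERT written as a prepared statement with bound parameters, so the request values never become part of the SQL text. It assumes PHP 7 or later with the PDO SQLite driver so that it runs offline against an in-memory table; the function name `insertDownload`, the cut-down column list and the sample request are constructed for illustration.

```php
<?php
// Added example, not from the thread. Assumes the pdo_sqlite extension; the
// in-memory database stands in for the thread's MySQL `downloads` table.

// Request key => column, taken from the thread's $_GET keys (a subset).
const FIELD_MAP = [
    'title' => 'Title',
    'categ' => 'Category',
    'sbcat' => 'Subcategory',
    'lnktp' => 'Type',
    'links' => 'Links',
];

function insertDownload(PDO $db, array $input, string $uploader): int
{
    // Column names come only from the fixed map, never from the request.
    $columns = array_merge(array_values(FIELD_MAP), ['Uploader']);
    $marks = implode(', ', array_fill(0, count($columns), '?'));
    $sql = 'INSERT INTO downloads (' . implode(', ', $columns) . ") VALUES ($marks)";

    // Values travel as bound parameters, separate from the SQL text, so
    // quotes or braces in them cannot change the statement.
    $values = [];
    foreach (array_keys(FIELD_MAP) as $key) {
        $value = $input[$key] ?? '';
        $values[] = is_string($value) ? $value : ''; // ?key[]=x arrives as an array
    }
    $values[] = $uploader;

    $db->prepare($sql)->execute($values);
    return (int) $db->lastInsertId();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE downloads (id INTEGER PRIMARY KEY, Title TEXT,
    Category TEXT, Subcategory TEXT, Type TEXT, Links TEXT, Uploader TEXT)');

// Constructed stand-in for $_GET; the title contains quotes and braces.
$request = [
    'title' => "{RZR} Rock 'n' Roll \"demo\"",
    'categ' => 'Games',
    'lnktp' => '[RS.com] RapidShare.com',
];
$id = insertDownload($db, $request, 'Shlomi Kalfa');
// Read the row back: the title is stored byte for byte as it was sent.
$check = $db->prepare('SELECT Title FROM downloads WHERE id = ?');
$check->execute([$id]);
echo $check->fetchColumn(), PHP_EOL;
```

The `mysql_*` functions used in the thread were removed in PHP 7.0; against MySQL the same code runs with a `mysql:` DSN and credentials passed to `new PDO`.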

INSERT INTO `db1`.`downloads` (
`Title` ,
`Category` ,
`Subcategory` ,
`Type` ,
`Links` ,
`LinksPass` ,
`SLinks` ,
`SLinksPass` ,
`Description` ,
`PicLinks` ,
`ExraInfo` ,
`ExtraLinks` ,
`Credits` ,
`Date` ,
`Uploader` ,
`Downloads` ,
`Comments`
)
VALUES ("WinAmp9 by SK",
"Applications",
"Antivirus, Firewall, Spyware",
"[RS.com] RapidShare.com",
"http://rapidshare.com/files/48923473/USDownloader_Demo_.rar",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"Shlomi Kalfa",
"","")

 

DUDE I LOVE YOU !!!

the above just worked!!!

- it was all due to the stupid ) and } stuff... bah !!!!

THANKS !!!!!
