Having Difficulty with a POST

[Firestorm3d]

im having issues with this code that is supposed to post into a mysql database.

 

my error

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1

 

my code

<?php 
$guild = $_POST['guild'];
$guildid = $_POST['guildid'];
$playername = $_POST['playername'];
$playerid = $_POST['playerid'];
$coords = $_POST['coords'];
$cc = $_POST['cc'];
$defense01 = $_POST['defense01'];
$defense02 = $_POST['defense02'];
$defense03 = $_POST['defense03'];
$defense04 = $_POST['defense04'];
$defense05 = $_POST['defense05'];
$defense06 = $_POST['defense06'];
$defense07 = $_POST['defense07'];
$defense08 = $_POST['defense08'];
$defense09 = $_POST['defense09'];
$defense10 = $_POST['defense10'];
function connect(){


$con = mysql_connect("localhost","root","sin3169");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }
mysql_select_db("data", $con);
}

function closecon(){
mysql_close($con);
}

function playercheck(){
connect();
$result = mysql_query("SELECT * FROM astro_players WHERE player_id=$playerid") or die (mysql_error());
$row = mysql_fetch_array($result);
if($row['player_id'] != $playerid){
mysql_query("INSERT INTO astro_players (Guild_Title, Guild_ID, Player_Name, Fleet, player_id) 
VALUES ('$guild', '$guildid', '$playername', '0', '$playerid')") or die (mysql_error());
}
}
function basecheck(){
$result = mysql_query("SELECT * FROM astro_bases WHERE coord=$coords") or die (mysql_error());
$row = mysql_fetch_array($result);
if($row['coord'] != $coords){
base();
}
}
function base(){
mysql_query("INSERT INTO astro_bases (coord , cc , Defense01 , Defense02 , Defense03 , Defense04 , Defense05 , Defense06 , Defense07 , Defense08 , Defense09 , Defense10, player_id) VALUES ('$coords' , '$cc' , '$defense01', '$defense02', '$defense03', '$defense04', '$defense05', '$defense06', '$defense07', '$defense08', '$defense09', '$defense10','$playerid')") or die (mysql_error()); 
}
connect();
playercheck();
basecheck();
closecon();

header('Location : http://localhost/inputastro.php');
?>

[PHP Monkeh]

You don't happen to know which insert is generating the error do you?  You could try commenting out the first insert and seeing if the error still occurs etc.  Anyway there's 2 things which I think you should change:

 

mysql_query("INSERT INTO astro_players (Guild_Title, Guild_ID, Player_Name, Fleet, player_id) 
VALUES ('$guild', '$guildid', '$playername', '0', '$playerid')") or die (mysql_error());

 

The 0 there I'm going to assume you wish to be an integer, so you can remove the ' ' around it.

 

Also, if any of the inputs include a " or ' you're going to get errors.  So you should either start using mysql_real_escape_string around your inputs or addslashes().  Example:

 

$guild = addslashes($_POST['guild']);

[linuxlord]

use the following function to avoid this prob while using text input

 

 

function escape($string)
{
    if(!get_magic_quotes_gpc())
     {
return addslashes($string);
     }
return $string;
}

 

like this

$playername = escape($_POST['playername']);

 

also, the ' ' around a numeric is not a problem.

[aschk]

I recommend you build your SQL statement as a variable outside of the mysql_query function, e.g.

 

$sql = "SELECT * FROM <table> WHERE <field> = '{$variable}' ";

 

Then you can do "echo $sql;" to see what is actually being sent to the database. And you can also show us what it is too