
Inserting Data into DB problem


chaddsuk


Hey guys, I'm having trouble inserting data into my DB. I get the following error:

 

Parse error: syntax error, unexpected '=' in /home/phphost/public_html/insert.php on line 15

 

My insert PHP code is below:

 

<?
$username="phphost_chadds";
$password="rotherham";
$database="phphost_djdb";

$field1-name = $_POST['name'];
$field2-name = $_POST['email'];
$field3-name = $_POST['comments'];
$field4-name = $_POST['songs'];
$field5-name = $_POST['artists'];

mysql_connect(localhost,$username,$password);
@mysql_select_db($database) or die( "Unable to select database");

$query = "INSERT INTO dj VALUES
('','$field1-name','$field2-name','$field3-name','$field4-name','$field5-name')" ;mysql_query($query);

mysql_close();
?>

 

Anyone any idea what the problem might be?

 

cheers

 

chris


Hmm, no one seems to care about SQL injection nowadays. I could hack that script in a second flat and destroy your entire database.

First of all:

 

$field1-name = $_POST['name'];
$field2-name = $_POST['email'];
$field3-name = $_POST['comments'];
$field4-name = $_POST['songs'];
$field5-name = $_POST['artists'];

 

should be:

$field1-name = mysql_escape_string($_POST['name']);
$field2-name = mysql_escape_string($_POST['email']);
$field3-name = mysql_escape_string($_POST['comments']);
$field4-name = mysql_escape_string($_POST['songs']);
$field5-name = mysql_escape_string($_POST['artists']);

------------

 

Second, what is the exact query being passed to mysql_query? Add an "or die()" event to the mysql_query like so:

 

mysql_connect(localhost,$username,$password);
@mysql_select_db($database) or die( "Unable to select database");

$query = "INSERT INTO dj VALUES
('','$field1-name','$field2-name','$field3-name','$field4-name','$field5-name')" ;

mysql_query($query) or die("Query Failed: ".$query."<br>".mysql_error());

mysql_close();
?>

 

thanks,


Before you start riding the high and mighty horse, uniflare, you cannot do what you said in that order.

mysql_real_escape_string will only function after a MySQL connection(s) exist on that document. Otherwise it doesn't know what a valid escape string is, as it doesn't know your version of MySQL.

Secondly, this is an insert query and there is no "I can destroy your database cause I'm amazing" to it. Yes, you could import unwanted data, potentially disturbing flow, but as for utter chaos you're way off the map.

As for the problem at hand: write it a bit neater, show what line 15 is exactly, and all queries should be in the form

<?php
$q = "Select this from that";
$r = mysql_query($q) or die(mysql_error()."<br /><br />".$q);
?>

for debugging purposes


Firstly, I have no horse; secondly, I'm not that amazing (but thanks for thinking so). Dunno how that reply came out. I would say sorry, but tbh I was trying to help.

"Secondly, this is an insert query and there is no "I can destroy your database cause I'm amazing" to it. Yes, you could import unwanted data, potentially disturbing flow, but as for utter chaos you're way off the map."

I was talking in general... just so you know.

------------

Anyway, to help the geezer out:

Try this, bud:

<?php
$username="phphost_chadds";
$password="rotherham";
$database="phphost_djdb";

// initiate connection first
mysql_connect(localhost,$username,$password);
@mysql_select_db($database) or die( "Unable to select database");

$field1-name = mysql_escape_string($_POST['name']);
$field2-name = mysql_escape_string($_POST['email']);
$field3-name = mysql_escape_string($_POST['comments']);
$field4-name = mysql_escape_string($_POST['songs']);
$field5-name = mysql_escape_string($_POST['artists']);

$query = "INSERT INTO dj VALUES
('','$field1-name','$field2-name','$field3-name','$field4-name','$field5-name')" ;
mysql_query($query) or die("ERROR IN QUERY: ".$query."<br>".mysql_error());

mysql_close();
?>

 

chaddsuk, sorry, but I've told so many people about SQL injection... should be a sticky or summint, I dunno. Maybe these PHP books nowadays are gettin more relaxed. Look around for PHP security.

Hope this helps,


As to the original subject of this thread: the posted code is not the actual code, because the line number of the error is not the same.

The problem is PHP variable names cannot contain a dash/minus sign (-).

Change the variable names to something permitted by PHP.
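
The two fixes the thread arrives at, valid variable names and keeping user input out of the SQL text, shown together as an added example that is not part of any post in the thread. It swaps the mysql_* escaping calls for PDO prepared statements, and assumes the pdo_sqlite extension (an in-memory SQLite database stands in for MySQL so it runs offline) and hypothetical column names, since the dj table's schema is not shown.

```php
<?php
// Added example, not code from the thread. For MySQL only the DSN and
// credentials passed to new PDO() change; the statements stay the same.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Hypothetical schema: the column names are assumptions.
$pdo->exec('CREATE TABLE dj (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    name TEXT, email TEXT, comments TEXT, songs TEXT, artists TEXT)');

// Constructed stand-in for $_POST; the apostrophes are ordinary user input.
$post = [
    'name'     => "Chris O'Neil",
    'email'    => 'chris@example.com',
    'comments' => "Can't wait for Friday's set",
    'songs'    => 'Blue Monday',
    'artists'  => 'New Order',
];

// Before: values pasted into the SQL text, as in the thread's query.
// The apostrophe in the name ends the string literal early.
function insertByConcatenation(PDO $pdo, array $post): bool
{
    $sql = "INSERT INTO dj (name, email, comments, songs, artists) VALUES ('"
         . implode("','", $post) . "')";
    try {
        $pdo->exec($sql);
        return true;
    } catch (PDOException $e) {
        return false; // the statement no longer parses as intended
    }
}

// After: placeholders keep the data out of the SQL text entirely.
function insertPrepared(PDO $pdo, array $post): int
{
    $stmt = $pdo->prepare(
        'INSERT INTO dj (name, email, comments, songs, artists)
         VALUES (:name, :email, :comments, :songs, :artists)');
    $stmt->execute($post);
    return (int) $pdo->lastInsertId();
}

var_dump(insertByConcatenation($pdo, $post)); // did the concatenated insert run?
$id = insertPrepared($pdo, $post);
$check = $pdo->prepare('SELECT name FROM dj WHERE id = ?');
$check->execute([$id]);
var_dump($check->fetchColumn() === $post['name']); // stored value equals input?
```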

 

 

