
Anyone help me with this? [PHP]



Fehm
02-05-2009, 01:08 PM
So.. I have this:


<?php
include ("config.php");
$event = ($_POST['event']);
$where = ($_POST['where']);
$when = ($_POST['when']);

mysql_query("INSERT INTO event (event, where, when) VALUES ('$event', '$where', '$when')")
or die(mysql_error());
?>

And it's worked a lot in the past...

But now I get this error:


You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'where, when) VALUES ('testing', 'testsin', 'testing')' at line 1


Anyone help please??? Also, if anyone can give me tips on security, then I'll be extremely grateful! :)

Dentafrice
02-05-2009, 01:30 PM
<?php
include ("config.php");
$event = ($_POST['event']);
$where = ($_POST['where']);
$when = ($_POST['when']);

mysql_query("INSERT INTO event (event, `where`, when) VALUES ('$event', '$where', '$when')")
or die(mysql_error());
?>


Escape where with `, it's reserved.

Fehm
02-05-2009, 01:43 PM
Thanks a lot, I see now! :)

Robbie
02-05-2009, 01:47 PM
Also, you haven't added any security to your $_POST variables.

HabbDance
02-05-2009, 01:51 PM
He told me it didn't work on MSN, Caleb :p

Fehm
02-05-2009, 02:25 PM
YhYh, still not working :L

Maybe it's because of `when` ?? as well as `where`

And how can I add security to $_POST variables?

wsg14
02-05-2009, 07:27 PM
YhYh, still not working :L

Maybe it's because of `when` ?? as well as `where`

And how can I add security to $_POST variables?

Use Google to figure out how to add security to those variables. And just change your field names to something else and you'll be fine.

Jam-ez
02-05-2009, 11:47 PM
<?php
include 'config.php';
$event = $_POST['event'];
$where = $_POST['where'];
$when = $_POST['when'];

mysql_query( "INSERT INTO `event` ( event, where, when ) VALUES ( '$event' , '$where' , '$when' )" ) or die( mysql_error() );
?>

How can you read your code, pft.
Try that.

ReviewDude
03-05-2009, 10:14 AM
And how can I add security to $_POST variables?

Something along the lines of:


<?php
include ("config.php");
$event = mysql_real_escape_string($_POST['event']);
$where = mysql_real_escape_string($_POST['where']);
$when = mysql_real_escape_string($_POST['when']);

mysql_query("INSERT INTO event (event, where, when) VALUES ('$event', '$where', '$when')")
or die(mysql_error());
?>

I'm sure I'll get shouted down for a far better way of adding security, but that's what I'd use.

Fehm
03-05-2009, 01:16 PM
Something along the lines of:


<?php
include ("config.php");
$event = mysql_real_escape_string($_POST['event']);
$where = mysql_real_escape_string($_POST['where']);
$when = mysql_real_escape_string($_POST['when']);

mysql_query("INSERT INTO event (event, where, when) VALUES ('$event', '$where', '$when')")
or die(mysql_error());
?>

I'm sure I'll get shouted down for a far better way of adding security, but that's what I'd use.


Two Words; Thank you :)

I've sorted the INSERT INTO last night, knew the security issue was something to do with escape string, final piece of the puzzle.
Thanks a lot! :)
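As an added example that is not from any post in this thread: the same INSERT with both reserved column names (`where`, `when`) backtick-quoted and the three $_POST values bound through a PDO prepared statement, so escaping is handled by the driver rather than by string concatenation (the mysql_* functions used above were removed in PHP 7). It assumes config.php defines $db_host, $db_name, $db_user and $db_pass; those names are not from the thread.

```php
<?php
// Added example, not code from the thread. Assumes config.php defines
// $db_host, $db_name, $db_user and $db_pass (assumed names).
require 'config.php';

$pdo = new PDO(
    "mysql:host=$db_host;dbname=$db_name;charset=utf8mb4",
    $db_user,
    $db_pass,
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]
);

/**
 * Insert one event row. `where` and `when` are MySQL reserved words, so the
 * identifiers are backtick-quoted. The values are sent separately from the
 * SQL text, so a quote in user input (e.g. O'Neil's) cannot change the statement.
 */
function insertEvent(PDO $pdo, string $event, string $where, string $when): int
{
    $stmt = $pdo->prepare(
        'INSERT INTO `event` (`event`, `where`, `when`) VALUES (:event, :where, :when)'
    );
    $stmt->execute([
        ':event' => $event,
        ':where' => $where,
        ':when'  => $when,
    ]);
    return (int) $pdo->lastInsertId();
}

// Reject missing or non-string fields before they reach the database.
foreach (['event', 'where', 'when'] as $field) {
    if (!isset($_POST[$field]) || !is_string($_POST[$field])) {
        http_response_code(400);
        exit("Missing field: $field");
    }
}

try {
    $id = insertEvent($pdo, $_POST['event'], $_POST['where'], $_POST['when']);
    echo "Inserted event #$id";
} catch (PDOException $e) {
    error_log($e->getMessage()); // keep the SQL error out of the browser output
    http_response_code(500);
    echo 'Could not save event';
}
```

Logging the PDOException instead of echoing it is the replacement for `or die(mysql_error())`, which prints the failing query fragment to anyone submitting the form.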
