Anyone help me with this? [PHP]

Printable View

02-05-2009, 01:08 PM
Fehm

Anyone help me with this? [PHP]

So.. i have this:

PHP Code:

<?php include ("config.php"); $event = ($_POST['event']); $where = ($_POST['where']); $when = ($_POST['when']); mysql_query("INSERT INTO event (event, where, when) VALUES ('$event', '$where', '$when')") or die(mysql_error()); ?>

And it's worked alot in the past...

But now i get this error:

Code:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'where, when) VALUES ('testing', 'testsin', 'testing')' at line 1

Anyone help please??? Also, If anyone can give me tips on security, then i'll be extremely grateful! :)
02-05-2009, 01:30 PM
Dentafrice

PHP Code:

<?php include ("config.php"); $event = ($_POST['event']); $where = ($_POST['where']); $when = ($_POST['when']); mysql_query("INSERT INTO event (event, `where`, when) VALUES ('$event', '$where', '$when')") or die(mysql_error()); ?>

Escape where with `, it's reserved.
02-05-2009, 01:43 PM
Fehm

Thanks alot, I see now! :)
02-05-2009, 01:47 PM
Robbie

Also, you haven't added any security to your $_POST variables.
02-05-2009, 01:51 PM
HabbDance

he told me it didn't work on msn caleb :p
02-05-2009, 02:25 PM
Fehm

YhYh, still not wokring :L

maybe its because `when` ?? as well as `where`

and how can i add security to $_POST variables?
02-05-2009, 07:27 PM
wsg14

Quote:

Originally Posted by Obulus

YhYh, still not wokring :L

maybe its because `when` ?? as well as `where`

and how can i add security to $_POST variables?

Use google to figure out how to add security to those variables. And just change your field names to something else and you'll be fine.
02-05-2009, 11:47 PM
Jam-ez

PHP Code:

<?php include 'config.php'; $event = $_POST['event']; $where = $_POST['where']; $when = $_POST['when']; mysql_query( "INSERT INTO `event` ( event, where, when ) VALUES ( '$event' , '$where' , '$when' )" ) or die( mysql_error() ); ?>

How can you read your code, pft.
Try that.
03-05-2009, 10:14 AM
ReviewDude

Quote:

Originally Posted by Obulus

and how can i add security to $_POST variables?

Something along the lines of:

PHP Code:

<?php include ("config.php"); $event = mysql_real_escape_string($_POST['event']); $where = mysql_real_escape_string($_POST['where']); $when = mysql_real_escape_string($_POST['when']); mysql_query("INSERT INTO event (event, where, when) VALUES ('$event', '$where', '$when')") or die(mysql_error()); ?>

I'm sure I'll get shouted down for a far better way of adding security, but that's what I'd use.
03-05-2009, 01:16 PM
Fehm

Quote:

Originally Posted by ReviewDude

Something along the lines of:

PHP Code:

<?php include ("config.php"); $event = mysql_real_escape_string($_POST['event']); $where = mysql_real_escape_string($_POST['where']); $when = mysql_real_escape_string($_POST['when']); mysql_query("INSERT INTO event (event, where, when) VALUES ('$event', '$where', '$when')") or die(mysql_error()); ?>

I'm sure I'll get shouted down for a far better way of adding security, but that's what I'd use.

Two Words; Thank you :)

Ive sorted the INSERT INTO last night, new the security issue was something to do with escape string, final piece of the puzzle
Thanks alot! :)