Anyone help me with this? [PHP]

Fehm · 02-05-2009, 01:08 PM

So.. i have this:

PHP Code:


<?php
include ("config.php");
$event = ($_POST['event']);
$where = ($_POST['where']);
$when = ($_POST['when']);
 
mysql_query("INSERT INTO event (event, where, when) VALUES ('$event', '$where', '$when')")
or die(mysql_error());
?>

And it's worked alot in the past...

But now i get this error:

Code:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'where, when) VALUES ('testing', 'testsin', 'testing')' at line 1

Anyone help please??? Also, If anyone can give me tips on security, then i'll be extremely grateful!

Dentafrice · 02-05-2009, 01:30 PM

PHP Code:


 <?php
include ("config.php");
$event = ($_POST['event']);
$where = ($_POST['where']);
$when = ($_POST['when']);
 
mysql_query("INSERT INTO event (event, `where`, when) VALUES ('$event', '$where', '$when')")
or die(mysql_error());
?>

Escape where with `, it's reserved.

Fehm · 02-05-2009, 01:43 PM

Thanks alot, I see now!

Robbie · 02-05-2009, 01:47 PM

Also, you haven't added any security to your $_POST variables.

HabbDance · 02-05-2009, 01:51 PM

he told me it didn't work on msn caleb :p

Fehm · 02-05-2009, 02:25 PM

YhYh, still not wokring :L

maybe its because `when` ?? as well as `where`

and how can i add security to $_POST variables?

wsg14 · 02-05-2009, 07:27 PM

Originally Posted by Obulus

YhYh, still not wokring :L

maybe its because `when` ?? as well as `where`

and how can i add security to $_POST variables?

Use google to figure out how to add security to those variables. And just change your field names to something else and you'll be fine.

Jam-ez · 02-05-2009, 11:47 PM

PHP Code:


<?php

include 'config.php';

$event = $_POST['event'];

$where = $_POST['where'];

$when = $_POST['when'];



mysql_query( "INSERT INTO `event` ( event, where, when ) VALUES ( '$event' , '$where' , '$when' )" ) or die( mysql_error() );

?>

How can you read your code, pft.
Try that.

ReviewDude · 03-05-2009, 10:14 AM

Originally Posted by Obulus

and how can i add security to $_POST variables?

Something along the lines of:

PHP Code:


<?php

include ("config.php");

$event = mysql_real_escape_string($_POST['event']);

$where = mysql_real_escape_string($_POST['where']);

$when = mysql_real_escape_string($_POST['when']);

 

mysql_query("INSERT INTO event (event, where, when) VALUES ('$event', '$where', '$when')")

or die(mysql_error());

?>

I'm sure I'll get shouted down for a far better way of adding security, but that's what I'd use.

Fehm · 03-05-2009, 01:16 PM

Originally Posted by ReviewDude

Something along the lines of:

PHP Code:


<?php
include ("config.php");
$event = mysql_real_escape_string($_POST['event']);
$where = mysql_real_escape_string($_POST['where']);
$when = mysql_real_escape_string($_POST['when']);
 
mysql_query("INSERT INTO event (event, where, when) VALUES ('$event', '$where', '$when')")
or die(mysql_error());
?>

I'm sure I'll get shouted down for a far better way of adding security, but that's what I'd use.

Two Words; Thank you

Ive sorted the INSERT INTO last night, new the security issue was something to do with escape string, final piece of the puzzle
Thanks alot!

Thread: Anyone help me with this? [PHP]

Thread Tools

Anyone help me with this? [PHP]

Posting Permissions