|
 |
|
|
|
| Thread title: mysql error when inserting data |
 |
|
|
| |
|
Thread tools
Search this thread
Display Modes
|
|
|
12-08-2007, 08:23 PM
|
#1
|
Status: Junior Member
Join date: Aug 2006
Location:
Expertise:
Software:
Posts: 58
|
 mysql error when inserting data
When I try to add some data from a form to my database I get this error
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1,Admin,1,qsdfqsdf,1197145012,qsdfqsdf,sqdfqsdfsd ,qsdf,qsdf,qsf,qsdf,qsdf' at line 1
|
this were my insert lines, second one is displayed on error
INSERT INTO contestthread VALUES ,qsdfqsdf,qsdfqsdf,1,1,1197145012,1,,,,Admin,1,Adm in,1180130400,300,1
INSERT INTO contestpost VALUES ,1,Admin,1,qsdfqsdf,1197145012,qsdfqsdf,sqdfqsdfsd ,qsdf,qsdf,qsf,qsdf,qsdf
|
my php
PHP Code:
foreach($_POST as $key => $value) {
$$key = $value;
}
// Thread variables
$username = "Admin";
$uid = 1;
$firstpostid = get_lastPostID();
// Post variables
$threadID = get_threadID();
// Add slashes to have no mistakes with php functions.
AddSlashes($Title);
AddSlashes($Sub);
AddSlashes($Description);
AddSlashes($Website);
AddSlashes($Tagline);
AddSlashes($Color);
AddSlashes($Style);
AddSlashes($Formats);
$cvalues = array( '', // thread id
$Title, // Title
$Sub, // sub-title
$firstpostid, //id of first post in topic
$firstpostid, //id of last post
strtotime('now'), //date in sec of last post
$CatID, // category id
'', // open(0 = yes | no = 1)
'', // comments
'', // entries
$username, // username of starter
$uid, // userid of starter
$username, // lastposter name
strtotime($Length), // Length of contest
$Prize, // prize
$Payment // payment
);
$pvalues = array( '', //post id
$threadID, // thread id
$username, // username
$uid, // user id
$Title, // title of thread
strtotime('now'), //time of post in sec
$Summary, // summary
$Description, // message
$Website, // website
$Tagline, // tagline
$Color, // color
$Style, // style
$Formats // formats
);
$contest = "INSERT INTO contestthread VALUES ".implode(',', $cvalues);
$post = "INSERT INTO contestpost VALUES ".implode(',', $pvalues);
$result1 = mysql_query($contest);
$result2 = mysql_query($post);
if($result1 && mysql_num_rows($result1) != 0 || $result2 && mysql_num_rows($result2) != 0) {
echo 'Uploaded';
}else {
echo "Sorry there has been an error, try again.<br />";
echo mysql_error()."<br />".$contest."<br />".$post;
}
I'm not getting my problem, I looked at my database and everything looked fine too me.
|
|
|
|
12-08-2007, 08:55 PM
|
#2
|
Status: Community Archaeologist
Join date: Jul 2004
Location: Scotland
Expertise: Software Development
Software: vim, PHP
Posts: 3,820
|
Your SQL queries are not formatted properly.
Incorrect
Code:
INSERT INTO contestpost VALUES
,1,Admin,1,qsdfqsdf,1197145012,qsdfqsdf,sqdfqsdfsd ,qsdf,qsdf,qsf,qsdf,qsdf
Corrected
Code:
INSERT INTO
contestpost
(
thread_id, username, user_id, thread_title,
time_post, summary, message, website,
tagline, color, style, formats
)
VALUES
(
1, 'Admin', 1, 'qsdfqsdf',
1197145012, 'qsdfqsdf', 'sqdfqsdfsd', 'qsdf',
'qsdf', 'qsf', 'qsdf', 'qsdf'
);
The above is just an example, and the column names might not be what are in your table. For detailed information on how to write INSERT queries, please read INSERT in the MySQL Manual.
Correctly formatting your queries (lines beginning "$contest = ..." and "$post = ...") will prevent the errors from occurring but the way in which you go about this is prone to all manner of problems -- in terms of security -- in the long run. But that's outwith the scope of your question here.
|
|
|
|
12-09-2007, 12:35 AM
|
#3
|
Status: Junior Member
Join date: Aug 2006
Location:
Expertise:
Software:
Posts: 58
|
could you tell me more about how it should? because I don't want any security leeks.
|
|
|
|
12-17-2007, 04:30 PM
|
#4
|
Status: I'm new around here
Join date: Dec 2007
Location:
Expertise:
Software:
Posts: 19
|
Don't use AddSlashes - use http://us.php.net/manual/en/function...ape-string.php if you are working with mySQL as it is safer. AddSlashes allows certain hex and stuff to make it through un-harmed.
Also, you might need to strip_slashes if your data is messed with by your server.
PHP Code:
//undo slashes for poorly configured servers
$_POST['text'] = (get_magic_quotes_gpc()) ? stripslashes($_POST['text']) : $_POST['text'];
|
|
|
|
12-21-2007, 08:53 PM
|
#5
|
Status: Junior Member
Join date: Aug 2006
Location:
Expertise:
Software:
Posts: 58
|
So use the code below for inserting in the database?
PHP Code:
$Title = (get_magic_quotes_gpc()) ? stripslashes($Title) : $Title;
$Sub = (get_magic_quotes_gpc()) ? stripslashes($Sub) : $Sub;
$Description = (get_magic_quotes_gpc()) ? stripslashes($Description) : $Description;
$Website = (get_magic_quotes_gpc()) ? stripslashes($Website) : $Website;
$Tagline = (get_magic_quotes_gpc()) ? stripslashes($Tagline) : $Tagline;
$Color = (get_magic_quotes_gpc()) ? stripslashes($Color) : $Color;
$Style = (get_magic_quotes_gpc()) ? stripslashes($Style) : $Style;
$Formats = (get_magic_quotes_gpc()) ? stripslashes($Formats) : $Formats;
|
|
|
|
12-31-2007, 04:26 PM
|
#6
|
Status: I'm new around here
Join date: Dec 2007
Location: Tennessee
Expertise:
Software:
Posts: 20
|
I just want to recommend that you use a function like this instead of using addslashes(). Addslashes is a security blanket full of holes.
Code:
function validateit($value) {
$value = str_replace('javascript:', '_', $value);
$value = str_replace('document.location', '_', $value);
$value = str_replace('vbscript:', '_', $value);
$value = str_replace('<marquee', '_', $value);
$value = str_replace('<script', '_', $value);
$value = str_replace('?php', '_', $value);
$value = mysql_real_escape_string(strip_tags(htmlentities(trim($value))));
return $value;
}
This will help against sql injections, cross site scripting, and all that jazz.
|
|
|
|
12-31-2007, 04:45 PM
|
#7
|
Status: Geek
Join date: Apr 2006
Location: Denver, CO
Expertise: Software
Software: Chrome, Notepad++
Posts: 6,894
|
Originally Posted by phpintheusa 
I just want to recommend that you use a function like this instead of using addslashes(). Addslashes is a security blanket full of holes.
Code:
function validateit($value) {
$value = str_replace('javascript:', '_', $value);
$value = str_replace('document.location', '_', $value);
$value = str_replace('vbscript:', '_', $value);
$value = str_replace('<marquee', '_', $value);
$value = str_replace('<script', '_', $value);
$value = str_replace('?php', '_', $value);
$value = mysql_real_escape_string(strip_tags(htmlentities(trim($value))));
return $value;
}
This will help against sql injections, cross site scripting, and all that jazz. |
Dont manually escape all the HTML. Use htmlspecialchars and unescape the values that you want in (<b><i>, ect.)
|
|
|
|
12-31-2007, 05:09 PM
|
#8
|
Status: I'm new around here
Join date: Dec 2007
Location: Tennessee
Expertise:
Software:
Posts: 20
|
When you want html to be allowed, you can do this:
Code:
$value = mysql_real_escape_string(trim($value));
Nice blog, VI, good reading!
|
|
|
|
01-01-2008, 07:33 PM
|
#9
|
Status: Junior Member
Join date: Aug 2006
Location:
Expertise:
Software:
Posts: 58
|
Ok thanks 
I've got another problem with css and php, I've attached a css file.
But It won't use it, I change the color of a class but it won't do it when viewing the file.
Code:
dd .amount {
color: #580;
font-weight: bold;
}
Code:
<dd class="amount">$<? echo $prize; ?></dd>
|
|
|
|
01-01-2008, 08:13 PM
|
#10
|
Status: Geek
Join date: Apr 2006
Location: Denver, CO
Expertise: Software
Software: Chrome, Notepad++
Posts: 6,894
|
Thats not how html and css works
Try
Code:
.amount {
color: #580;
font-weight: bold;
}
Code:
<dd class="amount">$<? echo $prize; ?></dd>
[/QUOTE]
|
|
|
|
|
|
|
|
|
|
Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
|
|
|
|
|
Linear Mode
Forum Contains New Posts 
Forum Contains No New Posts 
Forum is Closed