I have a testimonial page where the user can write a testimonial for me.
I get this error message if the user uses a single quote mark.
Example:
"Demonstrated professionalism and creativity as the company's web and marketing materials designer." will produce this error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's web and marketing materials designer. ')' at line 1
Here is my code for the PHP:

//check for required fields from the form
if ((!$_POST[company]) || (!$_POST[fname]) || (!$_POST[comments])) {
    header("Location: addtestimonial.html");
    exit;
}

//connect to server and select database
bab bab bab...

//create and issue the first query
$add_testimo = "insert into testimo values ('', '$_POST[company]', now(), '$_POST[fname]', '$_POST[comments]') ";
mysql_query($add_testimo,$conn) or die(mysql_error());

//get the id of the last query
$testimo_id = mysql_insert_id();

//create nice message for user
$display_block = "<P>The <strong>$topic_title</strong> testimonial has been created. <br>
You wrote: <br>
$_POST[comments], <br>
$_POST[company], <br>
$_POST[fname],<P>
Thank you for your business and your time. If you need any upgrades
please let me know.</p>";
?>

HTML code:

<form method=post action="do_addtestimonial.php">
<p align="left"><strong class="maintext">Your Company's Name:</strong><br>
<input type="text" name="company" size=40 maxlength=150>
<p align="left"><strong class="maintext">Your First Name:</strong><br>
<input type="text" name="fname" size=40 maxlength=150>
<P align="left"><strong class="maintext">Your Testimonial:</strong><br>
<textarea name="comments" cols=75 rows=5 wrap=virtual id="comments"></textarea>
<P align="left"><input type="submit" name="submit" value="Add Testimonial">
</p>
</form>

My db field for the comment is "comments text". Should I use varchar instead?
Any help would be great.
damon
first thing to notice: $_POST[name] should be $_POST["name"], otherwise you get a couple of notices.
second, you're wide open to SQL Injection (which is the reason for your error).
it is careless not to treat user input. the least you should do is use mysql_real_escape_string().
third, variable testing:

if ((!$_POST[company]) || (!$_POST[fname]) || (!$_POST[comments])) {

// should be better

if (!isset($_POST["company"], $_POST["fname"], $_POST["comments"])) {
Thanks Dormilich...
I hope this will help; I'm new to PHP.
damon
I'm still getting the error and I'm not too clear about mysql_real_escape_string().
Where do I place it and what does it look like?
This is not a class assignment. I'm using the book PHP, MySQL and Apache All in One, by Julie C. Meloni.
There was an example and I redesigned it.
Here is my updated code:

<?php
//check for required fields from the form
if (!isset($_POST["company"], $_POST["fname"], $_POST["comments"])) {
    header("Location: addtestimonial.html");
    exit;
}

//connect to server and select database
$conn = mysql_connect("localhost", "nomad", "nomad") or die(mysql_error());
mysql_select_db("dwdesign", $conn) or die(mysql_error());

//create and issue the first query
$add_testimo = "insert into testimo values ('', '$_POST[company]', now(), '$_POST[fname]', '$_POST[comments]')";
mysql_query($add_testimo,$conn) or die(mysql_error());

//get the id of the last query
$testimo_id = mysql_insert_id();

//create nice message for user
$display_block = "<P>The <strong>$topic_title</strong> testimonial has been created. <br>
You wrote: <br>
$_POST[comments], <br>
$_POST[company], <br>
$_POST[fname],<P>
Thank you for your business and your time. If you need any upgrades
please let me know.</p>";
?>
<html>
<head>
<title>New Testimonial Added</title>
</head>
<body>
<h1>Testimonial Added</h1>
<?php echo $display_block; ?>
</body>
</html>

Also in my table I have a field called comments which is a text data type.
I did not know how to assign a single quote ("'") amongst the values.
Once again any help would be great.
damo
I'm using the book PHP, MySQL and Apache All in One, by Julie C. Meloni.
it's a poor book if it doesn't mention SQL Injection.
how to use mysql_real_escape_string() is described in the manual (see the given link); there are also examples given.
Still at a loss. I read it twice; I even did a Google search on the info.
I really could use some help.
I have no idea where to place the code.
Is it within the PHP code, or is it within the db using a SQL query?
thanks
damon
since it's a PHP function, it is to be applied in the PHP code, just like in the examples.

$query = sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'",
    mysql_real_escape_string($user),
    mysql_real_escape_string($password));
$result = mysql_query($query);

did you notice that this is the example from the manual?
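The failure in this thread and its fix, worked through as an added example (not code from the posts above or from the book). It uses Python's built-in sqlite3 in place of PHP/MySQL so it runs offline, the column names of the testimo table are assumed, and the fix shown is parameter binding, the approach that has replaced mysql_real_escape_string() (the mysql_* functions no longer exist in current PHP; mysqli and PDO offer the same prepared-statement binding):

```python
import sqlite3

# Constructed sample input: the testimonial from the question, including its single quote.
COMPANY = "Acme Ltd"
FNAME = "Damon"
COMMENT = ("Demonstrated professionalism and creativity as the company's "
           "web and marketing materials designer.")


def make_db():
    """In-memory table shaped like the thread's testimo table (column names assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE testimo (id INTEGER PRIMARY KEY, company TEXT, "
                 "added TEXT, fname TEXT, comments TEXT)")
    return conn


def insert_unsafe(conn, company, fname, comments):
    """Same construction as the PHP in the question: the values are pasted into the SQL
    text. The quote in "company's" closes the string literal early and the rest of the
    comment is parsed as SQL, which is the 'syntax error near ...' MySQL reported."""
    sql = ("INSERT INTO testimo (company, added, fname, comments) VALUES "
           f"('{company}', datetime('now'), '{fname}', '{comments}')")
    conn.execute(sql)


def insert_safe(conn, company, fname, comments):
    """Parameter binding: the SQL text holds only placeholders and the driver passes the
    values separately, so no character in the input can alter the statement."""
    cur = conn.execute(
        "INSERT INTO testimo (company, added, fname, comments) "
        "VALUES (?, datetime('now'), ?, ?)",
        (company, fname, comments))
    return cur.lastrowid


def demo():
    """Returns (error text from the unsafe insert, comment as stored by the safe insert)."""
    conn = make_db()
    try:
        insert_unsafe(conn, COMPANY, FNAME, COMMENT)
        error = None
    except sqlite3.OperationalError as exc:  # same class of failure as the MySQL error
        error = str(exc)
    row_id = insert_safe(conn, COMPANY, FNAME, COMMENT)
    stored = conn.execute("SELECT comments FROM testimo WHERE id = ?", (row_id,)).fetchone()[0]
    return error, stored
```

The same input that breaks the string-built INSERT is stored intact by the bound one, quote included, with no escaping code in the application at all.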
Yes...
Thanks for the help. I will be back for more help soon.