
PHP and MYSQL

P: 1
I am trying to make a form post into a table.

However I am only getting "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'P','4','PD','DIS','Q','Recon','PP','SIV','Retail' )' at line 1"

PHP code:

<form action="addstockdata.php" method="post">
  <input class="textField" name="regNum" type="text" dir="ltr" value="Reg Number" onfocus="this.value=''" size="7" maxlength="7" onblur="this.value=this.value.toUpperCase()" />
  <input name="pp" class="textField" type="text" dir="ltr" value="PP" onfocus="this.value=''" size="7" maxlength="7" />
  <input name="siv" type="text" class="textField" dir="ltr" value="SIV" onfocus="this.value=''" size="7" maxlength="7" />
  <input name="rp" type="text" dir="ltr" class="textField" value="Retail" onfocus="this.value=''" size="7" maxlength="7" /> <br />
  <input name="make" type="text" dir="ltr" value="Make" class="textField" onfocus="this.value=''" size="15" maxlength="15" onblur="this.value=this.value.toUpperCase()" />
  <input name="model" type="text" dir="ltr" value="Model" class="textField" onfocus="this.value=''" size="15" maxlength="15" onblur="this.value=this.value.toUpperCase()" />
  <input name="engineSize" type="text" dir="ltr" value="Engine Size" class="textField" onfocus="this.value=''" size="4" maxlength="4" />
  <input name="colour" type="text" dir="ltr" value="Colour" onfocus="this.value=''" class="textField" size="15" maxlength="15" onblur="this.value=this.value.toUpperCase()" />
  <input name="year" type="text" dir="ltr" value="Year" onfocus="this.value=''" size="4" maxlength="4" class="textField" />
  <input name="dis" type="text" dir="ltr" value="DIS" onfocus="this.value=''" size="4" maxlength="4" class="textField" />
  <input name="recon" type="text" dir="ltr" value="Recon" onfocus="this.value=''" size="6" maxlength="6" class="textField" />
  <input name="pd" type="text" dir="ltr" value="PD" onfocus="this.value=''" size="6" maxlength="6" class="textField" />
  <select name="doors">
    <option value="2">2 Doors</option>
    <option value="3">3 Doors</option>
    <option value="4">4 Doors</option>
    <option value="5">5 Doors</option>
    <option value="E">Estate</option>
  </select>
  <select name="gearbox">
    <option value="4">4 Gears</option>
    <option value="5">5 Gears</option>
    <option value="6">6 Gears</option>
    <option value="A">Automatic</option>
    <option value="S">Semi-Automatic</option>
  </select>
  <select name="fuel">
    <option value="P">Petrol</option>
    <option value="D">Diesel</option>
  </select>
  <select name="vat">
    <option value="Q">Qualify</option>
    <option value="M">Margin</option>
  </select>
  <input name="spec" type="text" size="20" maxlength="20" value="Spec" onfocus="this.value=''" />
  <input type="submit" />
</form>
Post code:

<?php

mysql_connect("localhost:3306", "root", "") or die("Unable to connect to MySQL server.");
$db = mysql_select_db("test") or die("Unable to select requested database.");

// Copy the posted form fields into variables (field names as in the form above)
$make    = $_POST['make'];
$model   = $_POST['model'];
$reg     = $_POST['regNum'];
$pp      = $_POST['pp'];
$siv     = $_POST['siv'];
$cc      = $_POST['engineSize'];
$colour  = $_POST['colour'];
$year    = $_POST['year'];
$door    = $_POST['doors'];
$fuel    = $_POST['fuel'];
$gearbox = $_POST['gearbox'];
$pd      = $_POST['pd'];
$dis     = $_POST['dis'];
$vat     = $_POST['vat'];
$recon   = $_POST['recon'];
$rp      = $_POST['rp'];
$spec    = $_POST['spec'];

mysql_query("INSERT INTO stock( reg, year, make, model, spec, cc, colour, door, fuel, gearbox, pd, dis, vat, recon, pp, siv, rp) VALUES ('$reg','$year','$make','$model','$spec','$cc','$colour','$door,'$fuel','$gearbox','$pd','$dis','$vat','$recon','$pp','$siv','$rp')");
echo mysql_error();
mysql_close();
?>
Please Help

Thanks in Advance
Dec 11 '11 #1
4 Replies


Rabbit
Expert Mod 10K+
P: 12,347
You're missing a quote after your $door variable.
Dec 11 '11 #2

P: 78
mysql_query("INSERT INTO stock(reg,year,make,model,spec,cc,colour,door,fuel,gearbox,pd,dis,vat,recon,pp,siv,rp) VALUES ('$reg','$year','$make','$model','$spec','$cc','$colour','$door','$fuel','$gearbox','$pd','$dis','$vat','$recon','$pp','$siv','$rp')");
Dec 12 '11 #3

P: 1
You should consider sanitizing the input.

I use something like this:

Function to clean input:

function form ($data) { // Prevents SQL Injection
   global $db_connect;
   $data = ereg_replace("[\'\")(;|`,<>]", "", $data);
   $data = mysql_real_escape_string(trim($data), $db_connect);
   return stripslashes($data);
}
Handling the input:
$first_name = form ($_POST['first_name']);
$last_name  = form ($_POST['last_name']);
$title      = form ($_POST['title']);
$email      = form ($_POST['email']);
$phone      = form ($_POST['phone']);
$username   = form ($_POST['username']);
$password   = form ($_POST['password']);
Saving it to the db:
$q  = "INSERT INTO user";
$q .= " SET USER_ID   = ''";
$q .= ", FIRST_NAME  = '".$first_name."'";
$q .= ", LAST_NAME   = '".$last_name."'";
$q .= ", TITLE       = '".$title."'";
$q .= ", EMAIL       = '".$email."'";
$q .= ", PHONE       = '".$phone."'";
$q .= ", USER_NAME   = '".$username."'";
$q .= ", PASSWORD    = '".md5 ($password)."'";
mysql_query($q);
print mysql_error();
By using this syntax it is a little easier to exclude empty variables. E.g.:

if (!empty ($phone)) $q .= ", PHONE       = '".$phone."'";
to make the submit as short as possible.
Dec 15 '11 #4

Dormilich
Expert Mod 5K+
P: 8,639
Function to clean input:

function form ($data) { // Prevents SQL Injection
   global $db_connect;
   $data = ereg_replace("[\'\")(;|`,<>]", "", $data);
   $data = mysql_real_escape_string(trim($data), $db_connect);
   return stripslashes($data);
}
highly susceptible to SQL injection! stripslashes() is just removing the slashes you added in mysql_real_escape_string()!

besides that:
- mysql functions are outdated, use PDO or MySQLi instead
- globals are always a bad idea
- $db_connect ain't used
- ereg functions are deprecated (use preg functions instead)

note: Prepared Statements (via PDO/MySQLi) are absolutely immune to SQL injections
Dec 15 '11 #5
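Putting the thread's advice together, here is the original stock insert rewritten with PDO prepared statements. This is an added example, not code posted by anyone in the thread: the table and column names and the form field names are the ones from the question; the DSN, the database account and its password are placeholders; the `$allowed` lists are taken from the `<option>` values in the form. Values are bound as parameters, so the missing-quote error and the quoting problem cannot occur, and the driver error is logged rather than echoed to the browser as `mysql_error()` was.

```php
<?php
// Added example: the question's INSERT with PDO prepared statements.
// DSN and credentials are placeholders; table/columns come from the question.
$dsn  = 'mysql:host=localhost;port=3306;dbname=test;charset=utf8mb4';
$user = 'stock_app';   // assumption: a dedicated account instead of root
$pass = 'CHANGE_ME';   // placeholder

$pdo = new PDO($dsn, $user, $pass, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // throw instead of failing silently
    PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares
]);

// SQL column => form field name, as used in the question's form and script.
$fields = [
    'reg'     => 'regNum',
    'year'    => 'year',
    'make'    => 'make',
    'model'   => 'model',
    'spec'    => 'spec',
    'cc'      => 'engineSize',
    'colour'  => 'colour',
    'door'    => 'doors',
    'fuel'    => 'fuel',
    'gearbox' => 'gearbox',
    'pd'      => 'pd',
    'dis'     => 'dis',
    'vat'     => 'vat',
    'recon'   => 'recon',
    'pp'      => 'pp',
    'siv'     => 'siv',
    'rp'      => 'rp',
];

// The <select> fields only have a fixed set of legal values; reject anything else.
$allowed = [
    'doors'   => ['2', '3', '4', '5', 'E'],
    'gearbox' => ['4', '5', '6', 'A', 'S'],
    'fuel'    => ['P', 'D'],
    'vat'     => ['Q', 'M'],
];

$params = [];
foreach ($fields as $column => $field) {
    if (!isset($_POST[$field]) || !is_string($_POST[$field])) {
        http_response_code(400);
        exit('Missing field: ' . htmlspecialchars($field));
    }
    $value = trim($_POST[$field]);
    if (isset($allowed[$field]) && !in_array($value, $allowed[$field], true)) {
        http_response_code(400);
        exit('Invalid value for ' . htmlspecialchars($field));
    }
    $params[':' . $column] = $value;
}

// Column names come from the fixed $fields array, never from the request;
// the values travel as bound parameters, so quoting is the driver's job.
$columns      = array_keys($fields);
$placeholders = array_map(function ($c) { return ':' . $c; }, $columns);
$sql = sprintf(
    'INSERT INTO stock (%s) VALUES (%s)',
    implode(', ', $columns),
    implode(', ', $placeholders)
);

try {
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    echo 'Stock record added.';
} catch (PDOException $e) {
    error_log($e->getMessage());   // details go to the server log, not to the visitor
    http_response_code(500);
    echo 'Could not save the record.';
}
```

The whitelist on the `<select>` fields is not what stops injection, the bound parameters are; it is there because a client can submit any value it likes regardless of what the form offers, and rejecting unexpected values early keeps bad data out of the table.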
