I have an HTML form. After submitting the form it shows the following error message:

Error Message:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL 
server version for the right syntax to use near 'm ok. ', 'point of interest', 
'91354857', '6546564654', '2 Person', '25', 'engl' at line 1 

Mysql Query:

$insert = mysql_query("INSERT INTO host_signup VALUES('', '$uname', '$f_name', 
'$pr_lname', '$email', '$hashpass', '$title', '$country', '$city', '$state', 
'$postalcode', '$address', '$final_neighbor', '$landline', '$mobileph', '$capacity', 
'$age', '$language', '$final_interest', '$news', '$ip', '$dof', '0' )");

Actually, it shows the error message when I put stripslashes() on the variable, but without stripslashes() it shows backslashes.

For example:

$address = $_POST['address'];       
$address = stripslashes($address);
  • Do any of the variables have single quotes in them? Note: Your query is subject to SQL Injection attacks. Commented Mar 30, 2013 at 3:57
  • Do all of your columns take strings? If the db is in strict mode it will reject numbers surrounded by quotes for int columns. Commented Mar 30, 2013 at 3:58
  • To avoid this kind of silly error, start using prepared statements in mysqli or PDO. Commented Mar 30, 2013 at 4:02
  • @Sepster MySQL columns are ok. Commented Mar 30, 2013 at 4:03

3 Answers

You need to escape your SQL values before putting them in a query. It looks like one of your strings had a ' and MySQL cut it there? I'm guessing that 'm ok. ' is the end of "i'm ok.".

That string should be i\'m ok..

2 Comments

Run $address = addslashes($address) before you put those variables in your query.
@AlexMojum use addslashes
You need to use addslashes.

addslashes — Quote string with slashes

Official Document

Example

<?php
  $str = "Is your name O'reilly?";
  // Outputs: Is your name O\'reilly?
  echo addslashes($str);
?>

You should use mysql_real_escape_string() -- not addslashes(), as suggested by others

The addslashes() documentation concurs:

It's highly recommended to use DBMS specific escape function (e.g. mysqli_real_escape_string() for MySQL or pg_escape_string() for PostgreSQL), but if the DBMS you're using doesn't have an escape function and the DBMS uses \ to escape special chars, you can use this function.

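The three answers and the comments above describe three different ways to handle the apostrophe in "I'm ok.": blanket addslashes(), the connection-aware mysqli escape, and prepared statements. The script below is an added example written for this thread, not code from the question or from any of the answers. It reconstructs the broken statement from the question's interpolation pattern, then shows the escaped form and the prepared-statement form side by side. It assumes a local MySQL server with a database named "signup_demo" reachable by the placeholder credentials "demo"/"demo", and it creates a reduced host_signup table with only the three columns it needs; those names and credentials are assumptions, not the poster's real schema.

```php
<?php
// Added example for this thread, not code from the question or the answers.
// Assumes a local MySQL server with database "signup_demo" reachable by
// user "demo" / password "demo" (placeholder credentials). The table and
// column names below are constructed for the demo and do not match the
// poster's full host_signup schema.

declare(strict_types=1);

// Constructed sample input of the kind that broke the poster's query: the
// apostrophe in "I'm ok." closes the SQL string literal early.
$posted = [
    'uname'   => "O'Reilly",
    'address' => "I'm ok.",
    'age'     => '25',
];

// Undo the old magic_quotes_gpc escaping only if that setting actually added
// it (PHP < 5.4). Calling stripslashes() unconditionally, as the question does,
// removes backslashes the user typed and does nothing to make the SQL safe.
function raw_input(string $value): string
{
    $magic = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    return $magic ? stripslashes($value) : $value;
}

// The pattern from the question: values interpolated straight into the SQL
// text. Returned as a string only so the reader can see the broken statement;
// it is never executed here. Any quote in the input becomes SQL syntax, which
// is both the cause of the error message and an SQL injection hole.
function build_unsafe_sql(array $p): string
{
    return "INSERT INTO host_signup (uname, address, age) "
         . "VALUES ('{$p['uname']}', '{$p['address']}', '{$p['age']}')";
}

// Second-best fix (the third answer): escape with the connection-aware mysqli
// function rather than addslashes(), which knows nothing about the connection
// character set. Still string-building, so one forgotten call breaks it.
function build_escaped_sql(mysqli $db, array $p): string
{
    return "INSERT INTO host_signup (uname, address, age) VALUES ('"
         . $db->real_escape_string($p['uname']) . "', '"
         . $db->real_escape_string($p['address']) . "', "
         . (int) $p['age'] . ")";
}

// Preferred fix (the comment recommending prepared statements): the SQL text
// contains only placeholders and the values travel separately, so the server
// never parses user input as SQL and there is no escaping step to forget.
function insert_signup(mysqli $db, array $p): int
{
    $stmt = $db->prepare(
        "INSERT INTO host_signup (uname, address, age) VALUES (?, ?, ?)"
    );
    $uname   = $p['uname'];
    $address = $p['address'];
    $age     = (int) $p['age'];
    $stmt->bind_param('ssi', $uname, $address, $age);
    $stmt->execute();
    return $stmt->affected_rows;
}

$clean = array_map('raw_input', $posted);

// Print the statement the question's code would have sent: the quote in
// "I'm ok." ends the literal, which is what the "near 'm ok. '" error reports.
echo build_unsafe_sql($clean), PHP_EOL;

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors
$db = new mysqli('localhost', 'demo', 'demo', 'signup_demo');
$db->set_charset('utf8mb4'); // escaping is only correct for the declared charset

$db->query(
    "CREATE TABLE IF NOT EXISTS host_signup ("
    . "id INT AUTO_INCREMENT PRIMARY KEY, uname VARCHAR(64), "
    . "address VARCHAR(255), age INT)"
);

echo build_escaped_sql($db, $clean), PHP_EOL;
$rows = insert_signup($db, $clean);
echo "Inserted {$rows} row via prepared statement", PHP_EOL;
```

Run it from the command line with php once the assumed database exists. The first line of output is the unsafe statement with the literal cut at the apostrophe, which is the same shape as the error in the question; the escaped statement shows the backslash that mysqli adds for the current connection charset; the prepared statement inserts the row without any escaping in user code. The same placeholder approach works with PDO, which the third comment also mentions.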
