
I have a simple form that inserts data in a table on my server. I have set up a special user to handle this, with insert permissions only. I'm getting connection and syntax errors.

Here's my form:

<form id="form1" name="form1" method="post" action="mailform.php" onsubmit="return validateForm();">

    <input type="text" id="First" maxlength="100" autocorrect placeholder="First name" />
    <input type="text" id="Last" maxlength="100" autocorrect placeholder="Last name" />
    <input type="text" id="Email" maxlength="100" autocorrect placeholder="Email address" />
    <select name="SalesPerson">
        <option value="SP1">SP1</option>
        <option value="SP2">SP2</option>
        <option value="SP3">SP3</option>
        </select>
    <select name="Show">
        <option value="Show1">Show1</option>
        <option value="Show2">Show2</option>
        </select>

        <button type="submit" id="submit" class="oneup">Submit</button>

</form>

and over at mailform.php we have:

<?php

$name = "xxx_xxx";
$name = mysql_real_escape_string($name);
$SQL = "SELECT * FROM users WHERE username = '$name'";

$con = mysql_connect("localhost","xxx_xxx","xxxxxxxxx");
if (!$con)
{
    die('Could not connect: ' . mysql_error());
}

mysql_select_db("xxx_x", $con);

$sql="INSERT INTO email_signup (First, Last, Email, SalesPerson, Show)
VALUES
('$_POST[First]','$_POST[Last]','$_POST[Email]','$_POST[SalesPerson]','$_POST[Show]')";

if (!mysql_query($sql,$con))
{
    die('Error: ' . mysql_error());
}

mysql_close($con);
?>

And here are the errors:

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'xxx'@'localhost' (using password: NO) in .../mailform.php on line 28

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in .../mailform.php on line 28

Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Show) VALUES ('','','','SP1','Show1')' at line 1

Any idea why I'm getting connection issues? I have an almost identical form set up in another place that works just fine.

  • WARNING - your code is very susceptible to sql injection attacks. Commented Feb 20, 2012 at 19:41
  • You have to be connected to the database to use mysql_real_escape_string : php.net/manual/pl/function.mysql-real-escape-string.php look at first note. Commented Feb 20, 2012 at 19:44
  • @Daneil A. White yes, I have another bit of code that protects against that by filtering out susceptible characters. Commented Feb 20, 2012 at 19:45
  • @blackessej I don't want to prolong the discussion about SQL injection, but it is probably best to follow conventional methods to prevent injection. Character stripping is fine, if you want to do it, but not really an appropriate substitute for tried and tested escape methods used in the proper manner. Commented Feb 20, 2012 at 19:51
  • @SimonMayer appreciate the input, and will take it into consideration. Thanks. Commented Feb 20, 2012 at 20:06

3 Answers


Make your connection first, then run mysql_real_escape_string(), then your query. mysql_real_escape_string() actually connects to the db to let it escape your string. If you don't have a connection, it won't work.



Try putting the connection first.

$con = mysql_connect("localhost","xxx_xxx","xxxxxxxxx");
if (!$con)
{
    die('Could not connect: ' . mysql_error());
}

$name = "xxx_xxx";
$name = mysql_real_escape_string($name);
$SQL = "SELECT * FROM users WHERE username = '$name'";



Note: This answer does not attempt to address a major SQL injection vulnerability. For a more in-depth discussion, read the comments beneath the question.

Show is a reserved word

Use

$sql="INSERT INTO email_signup (`First`, `Last`, `Email`, `SalesPerson`, `Show`)
VALUES
('$_POST[First]','$_POST[Last]','$_POST[Email]','$_POST[SalesPerson]','$_POST[Show]')";

2 Comments

But if you use it like this, your site is vulnerable to SQL injection. So always sanitize the user inputs.
@amilaishere, that's true. The answer solves the issue with a reserved word; there was already a discussion above (on the question), relating to SQL injection. I will edit this answer to direct people to that discussion.
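Pulling the three threads above together (connect before anything else, backquote the reserved column name `Show`, and stop interpolating $_POST into the SQL), here is a hardened mailform.php written as an added example; it is not code from the question or from any of the answers. It uses PDO prepared statements instead of the mysql_ functions, and it assumes the form's text inputs carry name="First", name="Last" and name="Email" (the question's form sets only id=, which is why the INSERT arrived with empty values) and that the DSN and credentials are placeholders.

```php
<?php
// Added example, not the question's or any answer's code: a hardened mailform.php.
// Assumptions: the inputs carry name="First", name="Last" and name="Email" (the form
// in the question sets only id=, which is why $_POST arrived empty), and the DSN and
// credentials are placeholders for the real ones.
$fields = ['First', 'Last', 'Email', 'SalesPerson', 'Show'];
$values = [];
foreach ($fields as $f) {
    // Reject absent, non-string (array) or empty values before touching the database.
    if (!isset($_POST[$f]) || !is_string($_POST[$f]) || $_POST[$f] === '') {
        http_response_code(400);
        exit("Missing field: $f");
    }
    $values[$f] = $_POST[$f];
}

// Server-side whitelist for the two <select> fields: the browser's option list is
// not a constraint, since any value can be posted.
$allowed = ['SalesPerson' => ['SP1', 'SP2', 'SP3'], 'Show' => ['Show1', 'Show2']];
foreach ($allowed as $f => $options) {
    if (!in_array($values[$f], $options, true)) {
        http_response_code(400);
        exit("Invalid value for $f");
    }
}

try {
    // 1. Connect first; with ERRMODE_EXCEPTION no die(mysql_error()) checks are needed.
    $pdo = new PDO(
        'mysql:host=localhost;dbname=xxx_x;charset=utf8mb4', 'xxx_xxx', 'xxxxxxxxx',
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
    );
    // 2. `Show` is a reserved word, so the identifier is backquoted. The values are
    //    never spliced into the SQL string; they travel as bound parameters.
    $stmt = $pdo->prepare(
        'INSERT INTO email_signup (`First`, `Last`, `Email`, `SalesPerson`, `Show`)
         VALUES (:first, :last, :email, :salesperson, :show)'
    );
    $stmt->execute([
        ':first' => $values['First'], ':last' => $values['Last'],
        ':email' => $values['Email'], ':salesperson' => $values['SalesPerson'],
        ':show' => $values['Show'],
    ]);
} catch (PDOException $e) {
    // Log the driver detail server-side; never echo it to the client.
    error_log('email_signup insert failed: ' . $e->getMessage());
    http_response_code(500);
    exit('Could not save your details.');
}
```

The insert-only database user from the question still applies; prepared statements remove the injection path, and the limited grant bounds the damage if anything else in the script is ever wrong.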
