1

I am trying to post data to my database using the following code:

 <?php
if(isset($_POST['add']))
{
$dbhost = 'internal-db';
$dbuser = 'support';
$dbpass = 'sgh';
$db = "mpc";
$conn = mysql_connect($dbhost, $dbuser, $dbpass);
if(! $conn )
{
  die('Could not connect: ' . mysql_error());
}

$firstname = $_POST['firstname'];
$surname = $_POST['surname'];
$email = $_POST['email'];
$phone = $_POST['phone'];
$country = $_POST['country'];
$message = $_POST['message'];
$callback = $_POST['callback'];

$sql = "INSERT INTO enquiries 
       (firstname, surname, email, phone, country, message, callback)
       VALUES('$firstname','$surname', $email, $phone, $country, $message, $callback)";

mysql_select_db($db);
$retval = mysql_query( $sql, $conn );
if(! $retval )
{
  die('Could not enter data: ' . mysql_error());
}
echo "Entered data successfully\n";
mysql_close($conn);
}
else
{
?>

When I try to post the form I revieve the following error:

Could not enter data: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' , , , )' at line 3

Can't work out what is wrong in the code. Can you help???? Am I using deprecated code??

Improve this question
1
  • 1
    Think: what would happen of some of your variables were empty? Now think, what would happen if a variable would be '); DROP table enquiries; --? Don't construct SQL statement for strings, use prepared statements and check your user input! Commented Mar 13, 2011 at 15:27

3 Answers 3

Reset to default
1

The variables in your query are empty ($email, $phone, $country, $message, $call). Try to do var_dump of the variables before the query and see if they have some value. Also you need to wrap them with quotes like '$var' when they are strings, such as a mail.

Also, for the love of god, sanitize the input. See here:

What are the best PHP input sanitizing functions?

How can I prevent SQL injection in PHP?

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

0

You have to put the single quote around the string columns even if they are blank or contain value.

$sql = "INSERT INTO enquiries 
       (firstname, surname, email, phone, country, message, callback)
       VALUES('$firstname','$surname', '$email', '$phone', '$country', '$message', '$callback')";

Do not forgot to use mysql_real_escape_string on the data.

Improve this answer

Comments

0

You haven't encapsulated your fields in quotes. E-mail address (amongst others) without quotes will make your INSERT statement invalid.

Besides that, you should always escape the input, because the input can contain invalid characters, or worse, it can contain malicious code that may destroy your data!

So:

if (array_key_exists($_POST, 'email')) {
  $tmpemail = (string)$_POST['email']; 
  // Optional additional checks for pattern matches go here..
  // if all tests succeed, escape special characters and assign value:
  $email = mysql_real_escape_string($tmpemail);
}
// Similar checks for other values

if ((isset($email) && isset($fielda) && isset($fieldb) ... )
{
  $query = "
      INSERT INTO YourTable(fielda, fieldb, email, ...)
      VALUES('valuea', 'valueb', '$email', ...)";
}
else
{
  // Some values missing. Handle appropriately.
}
Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.