I am simply trying to insert these objects into a table with php.

$sql = 'INSERT INTO table VALUES( '.$active.' , '.$id.' , '.$time.' , '.$url.' ,"some string" )';

The URL in the above code is: http://www.youtube.com/watch?v=sAYc3gGjYW8

When I leave the url column empty it works; when I put a URL in it, it doesn't work and I get the following error.

"Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '://www.youtube.com/watch?v=sAYc3gGjYW8 ,"some string" )' at line 1."

QUESTION:

Why does the URL not insert just like a normal string?

Is there some sort of function I need to perform on the url_string before it is accepted by MySQL?

PS - the url column is currently VARCHAR(256).

Any help appreciated guys...


5 Answers


You're not escaping your inputs. mysqli_real_escape_string() is your friend.

Remember all input is evil. Validate and sanitize, otherwise you're going to be subject to a whole host of nastiness, from data that's out of bounds (124 char long strings when the field is varchar(10), for example) to opening your code up to SQL injection exploits.

Example:

$safe_url = mysqli_real_escape_string($database_connection_object, $url);

Also, you might want to save yourself some keystrokes: change that string to a double-quoted one and interpolate the variables, i.e. "blah blah $some_var foo foo" is the same as 'blah blah ' . $some_var . ' foo foo'.

While I completely agree with the mysql_real_escape_string() comments, it looks like you forgot to wrap the URL in quotes just like any other string should be.

$sql = 'INSERT INTO table VALUES( '.$active.' , '.$id.' , '.$time.' , "'.$url.'" ,"some string" )';

You can tell by looking at the MySQL error:

://www.youtube.com/watch?v=sAYc3gGjYW8 ,"some string" )

There is no quote at the end of the URL :)

You need to escape your input. Have a look at mysql_real_escape_string or mysqli_real_escape_string. You might also want to look at a database abstraction layer like PDO.

Assuming you're using the mysql_* procedural functions, and after you've connected to the database, your script should look like this:

$sql = 'INSERT INTO table VALUES( '.$active.' , '.$id.' , '.$time.' , "'.mysql_real_escape_string($url).'" ,"some string" )';

I would also strongly recommend escaping the other values as well:

$sql = 'INSERT INTO table VALUES( "'.mysql_real_escape_string($active).'" , "'.mysql_real_escape_string($id).'" , "'.mysql_real_escape_string($time).'" , "'.mysql_real_escape_string($url).'" ,"some string" )';

unless they are SQL expressions or you have previously escaped them.
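
The same INSERT written with a PDO prepared statement, as an added example that is not code from the question or from any of the answers: the driver quotes and escapes each bound value, so a URL containing ':' and '?' can neither break the statement nor be read as SQL. Assumed names (not on the page): a table called videos with columns active, id, time, url and note; that active, id and time are integers; and placeholder DSN credentials.

```php
<?php
// Added example, not the asker's or any answerer's code. Table and column names,
// the integer types of active/id/time, and the DSN/credentials are assumptions.

function insertVideo(PDO $db, int $active, int $id, int $time, string $url, string $note): int
{
    // Validate before it goes anywhere near the database: http(s) only, and no
    // longer than the VARCHAR(256) column the asker mentioned.
    if (strlen($url) > 256
        || filter_var($url, FILTER_VALIDATE_URL) === false
        || !in_array(parse_url($url, PHP_URL_SCHEME), ['http', 'https'], true)) {
        throw new InvalidArgumentException("Rejected URL: $url");
    }

    // Placeholders replace the quoted-and-concatenated values. No manual quoting,
    // no mysql_real_escape_string(): the value is sent separately from the SQL text.
    $stmt = $db->prepare(
        'INSERT INTO videos (active, id, time, url, note) VALUES (:active, :id, :time, :url, :note)'
    );
    $stmt->bindValue(':active', $active, PDO::PARAM_INT);
    $stmt->bindValue(':id',     $id,     PDO::PARAM_INT);
    $stmt->bindValue(':time',   $time,   PDO::PARAM_INT);
    $stmt->bindValue(':url',    $url,    PDO::PARAM_STR);
    $stmt->bindValue(':note',   $note,   PDO::PARAM_STR);
    $stmt->execute();

    return $stmt->rowCount();
}

$db = new PDO(
    'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASSWORD_PLACEHOLDER',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // SQL errors become exceptions
        PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares
    ]
);

$rows = insertVideo($db, 1, 42, time(), 'http://www.youtube.com/watch?v=sAYc3gGjYW8', 'some string');
echo "Inserted $rows row(s)\n";
```

With ERRMODE_EXCEPTION the "error in your SQL syntax" message from the question would surface as a PDOException instead of a silently failing query.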

Make sure you've escaped all of the inputs into the DB using something like mysql_real_escape_string($string). It'll stop you being open to SQL injection attacks and make sure strings are being read correctly.

$id = $_GET['id'];
$name = $_GET['name'];
$lat = $_GET['lat'];
$long = $_GET['long'];
$query = mysql_query("INSERT INTO dbname.tablename (id,name,lat,long) VALUES ('".$id."','".$name."','".$lat."','".$long."')");

1 Comment

It works; just add ('id','name','lat','long'). Make the quotation mark like this: press AltGr and comma at the same time, then press the space bar.
