error in mySQL



jarv
05-15-2008, 04:56 PM
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''this is my test text')' at line 3


In my database I added a TEXT field for a textarea box in a form.

Why doesn't it work?!

Brandoe85
05-15-2008, 04:58 PM
Our psychic powers are running low today, please post the relevant code. My guess is you have an error in your sql syntax......

Quotes are probably a problem, too.

jarv
05-15-2008, 05:14 PM
<?php
include_once('config.php');

$sql="INSERT INTO assessment (Assessor, page, Dateadded, Assessment)
VALUES
('$_POST[Assessor]','$_POST[page]','$_POST[Dateadded]'),'$_POST[Assessment]')";

if (!mysql_query($sql,$link))
{
die('Error: ' . mysql_error());
}
echo "assessment added";
echo '<br>';
echo '<a href="post.php">Add new</a>' . '<br>';
echo '<a href="display.php">Assessments</a>';

mysql_close($link)

?>

hammer65
05-15-2008, 05:37 PM
You have an extra parenthesis and comma after one of your values. You are also not escaping any of the values in your query. Don't ever put data from user input directly into string queries in that way. It is a huge security hole.

_Aerospace_Eng_
05-15-2008, 07:38 PM
Going along with what hammer said, try this:

<?php
include_once('config.php');
$Assessor = mysql_real_escape_string(stripslashes($_POST['Assessor']));
$page = mysql_real_escape_string(stripslashes($_POST['page']));
$Dateadded = mysql_real_escape_string(stripslashes($_POST['Dateadded']));
$Assessment = mysql_real_escape_string(stripslashes($_POST['Assessment']));
$sql = "INSERT INTO assessment (Assessor, page, Dateadded, Assessment) VALUES ('$Assessor','$page','$Dateadded','$Assessment')";
$result = mysql_query($sql,$link) or die('Error: ' . mysql_error() . '<br>SQL: ' . $sql);
echo 'assessment added<br>';
echo '<a href="post.php">Add new</a><br>';
echo '<a href="display.php">Assessments</a>';
mysql_close($link);
?>
I use stripslashes on the data because magic_quotes_gpc might be on, but I'm too lazy to check for it. mysql_real_escape_string will help prevent MySQL injection.
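
The same INSERT written with bound parameters instead of string escaping, as an added example that is not part of any post in this thread. It assumes PHP's PDO extension and uses an in-memory SQLite database so it runs offline; the `$post` array, the `add_assessment` helper and the table definition are constructed for illustration.

```php
<?php
// Added example, not code from the thread. SQLite is an assumption made so the
// script runs offline; for MySQL only the DSN changes ('mysql:host=...;dbname=...').
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With MySQL, also turn off emulated prepares so values are bound server-side:
// $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

$pdo->exec('CREATE TABLE assessment (
    Assessor TEXT, page TEXT, Dateadded TEXT, Assessment TEXT)');

// Constructed stand-in for $_POST; the values contain quotes and the same
// "')" tail that appears in the error message at the top of the thread.
$post = [
    'Assessor'   => "O'Brien",
    'page'       => 'index',
    'Dateadded'  => '2008-05-15',
    'Assessment' => "it's my test text')",
];

function add_assessment(PDO $pdo, array $in): void
{
    // Reject missing or non-string fields (Assessor[]=x arrives as an array).
    $params = [];
    foreach (['Assessor', 'page', 'Dateadded', 'Assessment'] as $f) {
        if (!isset($in[$f]) || !is_string($in[$f])) {
            throw new InvalidArgumentException("missing or invalid field: $f");
        }
        $params[":$f"] = $in[$f];
    }
    // The SQL text is a constant; the values travel separately from it,
    // so no quote character in the input can change the statement.
    $stmt = $pdo->prepare(
        'INSERT INTO assessment (Assessor, page, Dateadded, Assessment)
         VALUES (:Assessor, :page, :Dateadded, :Assessment)'
    );
    $stmt->execute($params);
}

add_assessment($pdo, $post);

// Read the row back and confirm the text was stored exactly as submitted.
$row = $pdo->query('SELECT Assessor, Assessment FROM assessment')
           ->fetch(PDO::FETCH_ASSOC);
if ($row['Assessor'] !== $post['Assessor'] || $row['Assessment'] !== $post['Assessment']) {
    throw new RuntimeException('stored text differs from input');
}
echo "assessment added, stored unchanged\n";
```

Because nothing is escaped, no stripslashes call is needed and the magic_quotes_gpc setting does not affect what reaches the database.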


