  • #1  New Coder (Hastings, East Sussex, UK)

    Problem with INSERT!

    I am trying to INSERT data into a database which has been POSTed via an HTML form. The POSTs have worked: they echo and give the right data.

    The error is saying that there is a syntax error, but I have checked brackets, quotes etc and can't spot anything wrong!

    Can anyone see something I am missing?
    Code:
    <?php
    include('loc_feedback_connect.php');
    doDB2();   // opens the database connection in $mysqli

    // Echo the POSTed values to confirm they arrived
    echo $_POST["title"];
    echo $_POST["firstname"];
    echo $_POST["lastname"];
    echo $_POST["email"];
    echo $_POST["comments"];

    // Build the INSERT from the POSTed values (this is the query MySQL rejects)
    $fback_sql = "INSERT INTO (feedback title, firstname, lastname, email, comments)
    VALUES ('".$_POST["title"]."','".$_POST["firstname"]."','".$_POST["lastname"]."','".$_POST["email"]."','".$_POST["comments"]."')";
    $fback_res = mysqli_query($mysqli, $fback_sql) or die(mysqli_error($mysqli));

    // Confirmation mail to the poster, notification mail to the webmaster
    $header = "From: webmaster@1066cards4u.co.uk" . "\r\n";
    $to = $_POST["email"];   // the address itself, not the literal text '".$_POST["email"]."'
    $subject = "Feedback";
    $txt = "Thank you for your feedback.  \nWe will read your comments and email you again as to our actions";
    mail($to, $subject, $txt, $header);
    mail("webmaster@1066cards4u.co.uk", "Posting", "A feedback posting has been sent");

    // An INSERT returns true/false, not a result set, so there is nothing to free
    mysqli_close($mysqli);
    ?>

  • #2  Fou-Lu (Saskatoon, Saskatchewan)
    This is invalid: INSERT INTO (feedback title, .... Perhaps you mean INSERT INTO feedback (title, ...?

    Noticed you are using mysqli. You should use prepared statements to save the trouble of having to run everything through a real_escape_string. As is, this is open to SQL Injection.

  • #3  New Coder (United Kingdom)
    Quote Originally Posted by Fou-Lu:
        This is invalid: INSERT INTO (feedback title, .... Perhaps you mean INSERT INTO feedback (title, ...?

        Noticed you are using mysqli. You should use prepared statements to save the trouble of having to run everything through a real_escape_string. As is, this is open to SQL Injection.
    Yes, I also recommend you use:
    PHP Code:
    $name = mysql_real_escape_string( $_POST['name'] );

  • #4  Old Pedant
    Ummm...Clawed: Fou-Lu is saying that *IF* he uses prepared statements then he will not *NEED* to use mysql_real_escape_string.

    Which is not only correct, but much better than mysql_real_escape_string.

    If you don't know about prepared statements, then time to read up on them.
    An optimist sees the glass as half full.
    A pessimist sees the glass as half empty.
    A realist drinks it no matter how much there is.
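The fix Fou-Lu and Old Pedant describe (table name before the column list, and the POSTed values bound through a mysqli prepared statement instead of being concatenated into the query), written out as an added example that is not code from this thread. The `feedback` column names are taken from the original post; the connection credentials are placeholders.

```php
<?php
// Added example (not code from the thread): the OP's INSERT rewritten with the
// corrected table/column order and a mysqli prepared statement, so POSTed
// values are bound as data and never become part of the SQL text.
// Assumes a table `feedback` with columns title, firstname, lastname, email,
// comments; the connection details below are placeholders.

// Make mysqli throw exceptions instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function insert_feedback(mysqli $mysqli, array $post): int
{
    // Read each field once; an absent field becomes '' rather than a notice.
    $title     = (string) ($post['title']     ?? '');
    $firstname = (string) ($post['firstname'] ?? '');
    $lastname  = (string) ($post['lastname']  ?? '');
    $email     = (string) ($post['email']     ?? '');
    $comments  = (string) ($post['comments']  ?? '');

    // Table name BEFORE the column list. The '?' placeholders are filled by
    // bind_param, so there is no quoting or escaping of user input in the query.
    $stmt = $mysqli->prepare(
        'INSERT INTO feedback (title, firstname, lastname, email, comments)
         VALUES (?, ?, ?, ?, ?)'
    );
    $stmt->bind_param('sssss', $title, $firstname, $lastname, $email, $comments);
    $stmt->execute();
    $id = $stmt->insert_id;
    $stmt->close();
    return $id;
}

// Constructed sample input containing a quote and a comment marker: pasted
// into the query string it would break (or alter) the statement; bound as a
// parameter it is simply stored as text.
$sample = [
    'title'     => 'Mr',
    'firstname' => "O'Brien",
    'lastname'  => 'Test',
    'email'     => 'obrien@example.com',
    'comments'  => "Nice cards'); -- stored literally, not executed",
];

$mysqli = new mysqli('localhost', 'DB_USER', 'DB_PASS', 'DB_NAME'); // placeholders
$newId  = insert_feedback($mysqli, $sample);
echo "Inserted feedback row $newId\n";
$mysqli->close();
```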

  • #5  New Coder (United Kingdom)
    Quote Originally Posted by Old Pedant:
        Ummm...Clawed: Fou-Lu is saying that *IF* he uses prepared statements then he will not *NEED* to use mysql_real_escape_string.

        Which is not only correct, but much better than mysql_real_escape_string.

        If you don't know about prepared statements, then time to read up on them.
    Oh, I didn't realise he was using MySQLi

