  1. #1
    New to the CF scene

    Problem while using variables in Mysql query

    I have been trying to get my insert query working properly, but it won't work. When I replace the variables with actual text, though, it works,
    e.g. mysql_query("INSERT INTO friend (id, user, comment, date, avatar) VALUES ('', 'Name', 'This is a comment', '', 'Op')");

    But if I then do it the normal way, like this, it doesn't work, even if I have the variables set to a specific string such as: $username = 'bob';

    mysql_query("INSERT INTO $friend (id, user, comment, date, avatar) VALUES (''," . $username . ", " . $newComment . ", " . $date . ", " . $status . ")");

    I really don't know what else to try.

    Code:
    <?php
    session_start();

    $username    = $_SESSION['user'];
    $friend      = $_COOKIE['friend'];           // table name, read from a cookie
    $newComment  = $_POST['profileComment'];
    $date        = date('y-m-d h:i');
    $status      = $_COOKIE['status'];
    $commentPost = $_POST['ProfileCommentSubmit'];

    if ($commentPost) {
        if (strlen($newComment) > 4) {
            if (strlen($newComment) < 501) {
                mysql_connect('localhost', 'root', 'D00134152');
                mysql_select_db('minecraft_profile_comments');
                // The statement that fails: the variables are pasted in without
                // quotes, so MySQL reads them as identifiers rather than strings.
                mysql_query("INSERT INTO $friend (id, user, comment, date, avatar) VALUES ('', $username, $newComment, $date, $status)");
                setcookie('note', '* Comment successfully posted', time() + 3600, '/');
                header('Location: ../notification.php');
                exit;
            } else {
                setcookie('note', '* Comment is too long', time() + 3600, '/');
                header('Location: ../notification.php');   // was 'Locate:', which browsers ignore
                exit;
            }
        } else {
            setcookie('note', '* Comment is too short', time() + 3600, '/');
            header('Location: ../notification.php');
            exit;
        }
    } else {
        header('Location: ../forum.php');
        exit;
    }
    ?>

  • #2
    New Coder
    Quote Originally Posted by Cirx08 (post #1 above)

    You need to wrap your variables in single quotes for the MySQL query:

    PHP Code:
    VALUES ('', '$username', '$newComment', '$date', '$status')
    Also, you should look at sanitizing your user input; that statement is ripe for a bit of SQL injection!

    Look at prepared statements.

  • #3
    Regular Coder
    mysql_real_escape_string() is the function you're looking for to sanitize your inputs.

    If you insert user data into your database, you *must* use that function or any user could steal your data or even delete your entire database.
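
    An added example, not code from Cirx08 or from either reply, that ties together the quoting fix in #2, the prepared statements #2 points to, and the injection risk #3 describes. buildQuotedInsert() builds the quoted query from #2 and is fed a constructed comment that turns one INSERT into two rows, one of them attributed to another user; insertComment() is the parameterized version, which stores the same comment as a plain string. It assumes PHP 7 or later with PDO and the (id, user, comment, date, avatar) columns from post #1; the names buildQuotedInsert, insertComment, commentTable, ALLOWED_COMMENT_TABLES and FORGED_COMMENT are invented here, and an in-memory SQLite database stands in for MySQL so it runs offline.

```php
<?php
// Added example for this thread (not code from the original poster or the
// replies). Assumes PHP 7+ with PDO; table/column names follow the INSERT
// in post #1. All function and constant names below are made up.

// The quoted form suggested in post #2. It fixes the syntax error, but the
// values are still spliced into the SQL text.
function buildQuotedInsert(string $table, string $user, string $comment, string $date, string $status): string
{
    return "INSERT INTO $table (id, user, comment, date, avatar) "
         . "VALUES ('', '$user', '$comment', '$date', '$status')";
}

// Constructed payload: closes the poster's row and opens a second one, so a
// single INSERT also writes a comment attributed to 'admin'. One statement
// only, so it works even where the driver refuses stacked queries.
const FORGED_COMMENT = "hi', '2012-02-01', 'Op'), ('', 'admin', 'I quit";

// Table names cannot be bound as parameters, so the cookie-controlled
// $friend value is checked against a fixed list before it reaches the SQL.
const ALLOWED_COMMENT_TABLES = ['friend'];

function commentTable(string $cookieValue): string
{
    if (!in_array($cookieValue, ALLOWED_COMMENT_TABLES, true)) {
        throw new InvalidArgumentException('unknown comment table');
    }
    return $cookieValue;
}

// Prepared statement: the values travel separately from the SQL text, so
// FORGED_COMMENT is stored as a literal comment string.
function insertComment(PDO $db, string $table, string $user, string $comment, string $status): int
{
    $sql = 'INSERT INTO ' . commentTable($table)
         . ' (user, comment, date, avatar) VALUES (:user, :comment, :date, :avatar)';
    $stmt = $db->prepare($sql);
    $stmt->execute([
        ':user'    => $user,
        ':comment' => $comment,
        ':date'    => date('Y-m-d H:i:s'),
        ':avatar'  => $status,
    ]);
    return (int) $db->lastInsertId();
}

// Offline demonstration: in-memory SQLite standing in for MySQL, same
// column names as post #1 (id is a plain INTEGER here so the '' the
// original script inserts is accepted).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE friend (id INTEGER, user TEXT, comment TEXT, date TEXT, avatar TEXT)');

// 1. String concatenation: the forged comment yields a second row as 'admin'.
$db->exec(buildQuotedInsert('friend', 'bob', FORGED_COMMENT, '2012-02-01', 'Op'));
echo 'rows after concatenated INSERT: ', $db->query('SELECT COUNT(*) FROM friend')->fetchColumn(), "\n";
echo 'authors: ', implode(', ', $db->query('SELECT user FROM friend')->fetchAll(PDO::FETCH_COLUMN)), "\n";

// 2. Prepared statement: one row, comment stored verbatim.
$db->exec('DELETE FROM friend');
insertComment($db, 'friend', 'bob', FORGED_COMMENT, 'Op');
echo 'rows after prepared INSERT: ', $db->query('SELECT COUNT(*) FROM friend')->fetchColumn(), "\n";
echo 'stored comment: ', $db->query('SELECT comment FROM friend')->fetchColumn(), "\n";

// 3. A cookie-supplied table name outside the allow-list never reaches SQL.
try {
    insertComment($db, 'friend; DROP TABLE friend', 'bob', 'x', 'Op');
} catch (InvalidArgumentException $e) {
    echo 'rejected table name: ', $e->getMessage(), "\n";
}
```

    Run it with `php example.php`. The point the escaping advice in #3 does not cover is the table name: in the original script `$friend` comes straight from a cookie and is interpolated as an identifier, which neither mysql_real_escape_string() nor a bound parameter can protect, so commentTable() allow-lists it instead.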
