CodingForums.com (http://www.codingforums.com/index.php)
-   MySQL (http://www.codingforums.com/forumdisplay.php?f=7)
-   -   Problem with INSERT! (http://www.codingforums.com/showthread.php?t=284305)

rockyhudson 12-17-2012 09:31 PM

Problem with INSERT!
 
I am trying to INSERT data into a database which has been POSTed via an HTML form. The posts have worked: they have echoed and get the right data.

The error is saying that there is a syntax error, but I have checked brackets, quotes etc and can't spot anything wrong!

Can anyone see something I am missing?
Code:

<?php
include('loc_feedback_connect.php');
doDB2(); // assumed to open the connection in $mysqli
echo $_POST["title"];
echo $_POST["firstname"];
echo $_POST["lastname"];
echo $_POST["email"];
echo $_POST["comments"];
// This is the statement that fails (see the replies below): the table name
// sits inside the column list, and the POST values are concatenated straight into the SQL.
$fback_sql = "INSERT INTO (feedback title, firstname, lastname, email, comments)
VALUES ('".$_POST["title"]."','".$_POST["firstname"]."','".$_POST["lastname"]."','".$_POST["email"]."','".$_POST["comments"]."')";
$fback_res = mysqli_query($mysqli, $fback_sql) or die(mysqli_error($mysqli));
$header = "From: webmaster@1066cards4u.co.uk" . "\r\n";
$to = $_POST["email"]; // was ('".$_POST["email"]."'), a literal string rather than the address
$subject = "Feedback";
$txt = "Thank you for your feedback.  \nWe will read your comments and email you again as to our actions";
mail($to, $subject, $txt, $header);
mail("webmaster@1066cards4u.co.uk", "Posting", "A feedback posting has been sent");
// An INSERT returns true/false, not a result set, so there is nothing to free;
// close the connection through the $mysqli variable (the original was missing the $).
mysqli_close($mysqli);
?>


Fou-Lu 12-17-2012 09:43 PM

This is invalid: INSERT INTO (feedback title, .... Perhaps you mean INSERT INTO feedback (title, ...?

Noticed you are using mysqli. You should use prepared statements to save the trouble of needing to run through a real_escape_string. As is, this is open to SQL injection.

Clawed 12-22-2012 08:29 AM

Quote:

Originally Posted by Fou-Lu (Post 1300643)
This is invalid: INSERT INTO (feedback title, .... Perhaps you mean INSERT INTO feedback (title, ...?

Noticed you are using mysqli. You should use prepared statements to save the trouble of needing to run through a real_escape_string. As is, this is open to SQL injection.

Yes, I also recommend you use:
PHP Code:

$name = mysql_real_escape_string( $_POST['name'] );


Old Pedant 12-22-2012 04:56 PM

Ummm...Clawed: FouLu is saying that *IF* he uses prepared statements then he will not *NEED* to use mysql_real_escape_string.

Which is not only correct, but much better than mysql_real_escape_string.

If you don't know about prepared statements, then time to read up on them.
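The fix Fou-Lu and Old Pedant describe, written out as an added example (this is not code from the thread): the OP's INSERT as a mysqli prepared statement, with the table name outside the column list and the POST values bound as parameters instead of concatenated into the SQL. It assumes that `$mysqli` is a connected `mysqli` object created by the thread's `doDB2()` include and that a table `feedback` has the five columns named; the function names `saveFeedback` and `sendFeedbackMail` are mine.

```php
<?php
// Added example, not code from the thread: the OP's INSERT and mail step
// rewritten with a mysqli prepared statement, as Fou-Lu and Old Pedant suggest.
// Assumptions: $mysqli is a connected mysqli object (the thread's doDB2()
// is assumed to create it) and a table `feedback` has the five columns named.
declare(strict_types=1);

// Make mysqli throw on errors instead of relying on "or die(mysqli_error())".
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function saveFeedback(mysqli $mysqli, array $post): int
{
    // Take only the fields the form is expected to send; missing ones become ''.
    $title     = (string) ($post['title']     ?? '');
    $firstname = (string) ($post['firstname'] ?? '');
    $lastname  = (string) ($post['lastname']  ?? '');
    $email     = (string) ($post['email']     ?? '');
    $comments  = (string) ($post['comments']  ?? '');

    // Table and column names are fixed in the SQL text (the OP had the table
    // name inside the column list); user data goes in as ? placeholders and is
    // sent to the server separately, so quotes in the input cannot alter the query.
    $stmt = $mysqli->prepare(
        'INSERT INTO feedback (title, firstname, lastname, email, comments)
         VALUES (?, ?, ?, ?, ?)'
    );
    $stmt->bind_param('sssss', $title, $firstname, $lastname, $email, $comments);
    $stmt->execute();
    $rows = $stmt->affected_rows; // 1 when the row was inserted
    $stmt->close();
    return $rows;
}

function sendFeedbackMail(string $email): bool
{
    // mail() builds its envelope from the arguments, so only pass a
    // syntactically valid address; anything with CR/LF or stray characters is refused.
    $to = filter_var($email, FILTER_VALIDATE_EMAIL);
    if ($to === false) {
        return false;
    }
    $headers = "From: webmaster@1066cards4u.co.uk\r\n";
    $txt = "Thank you for your feedback.\nWe will read your comments and email you again as to our actions";
    return mail($to, 'Feedback', $txt, $headers);
}

// Usage, after loc_feedback_connect.php / doDB2() have set up $mysqli:
// $rows = saveFeedback($mysqli, $_POST);
// if ($rows === 1) {
//     sendFeedbackMail($_POST['email'] ?? '');
// }
```

With `mysqli_report` set to throw, a failed prepare or execute raises `mysqli_sql_exception`, which replaces the `or die(mysqli_error($mysqli))` pattern from the original and avoids printing the server's error text to the visitor.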

Clawed 12-29-2012 02:51 PM

Quote:

Originally Posted by Old Pedant (Post 1301710)
Ummm...Clawed: FouLu is saying that *IF* he uses prepared statements then he will not *NEED* to use mysql_real_escape_string.

Which is not only correct, but much better than mysql_real_escape_string.

If you don't know about prepared statements, then time to read up on them.

Oh, I didn't realise he was using MySQLi.

