Problem with INSERT!

rockyhudson · 12-17-2012, 09:31 PM

I am trying to INSERT data into a database which has been POSTED via a html script. The posts have worked have echoed and get the right data.

The error is saying that there is a syntax error, but I have checked brackets, quotes etc and can't spot anything wrong!

Can anyone see something I am missing?

Code:

<?php
include('loc_feedback_connect.php');
doDB2();
echo $_POST["title"];
echo $_POST["firstname"];
echo $_POST["lastname"];
echo $_POST["email"];
echo $_POST["comments"];
$fback_sql = "INSERT INTO (feedback title, firstname, lastname, email, comments)
VALUES ('".$_POST["title"]."','".$_POST["firstname"]."','".$_POST["lastname"]."','".$_POST["email"]."','".$_POST["comments"]."')";
$fback_res = mysqli_query($mysqli, $fback_sql) or die(mysqli_error($mysqli));
$header = "From: webmaster@1066cards4u.co.uk" . "\r\n";
$to = ('".$_POST["email"]."');
$subject = "Feedback";
$txt = "Thank you for your feedback.  \nWe will read your comments and email you again as to our actions";
mail($to, $subject, $txt, $header);
mail("webmaster@1066cards4u.co.uk", "Posting", "A feedback posting has been sent");
mysqli_close(mysqli);
mysqli_free_result($fback_res);
?>

Fou-Lu · 12-17-2012, 09:43 PM

This is invalid: INSERT INTO (feedback title, .... Perhaps you mean INSERT INTO feedback (title, ...?

Noticed you are using mysqli. You should used prepared statements to save the trouble from needing to run through a real_escape_string. As is, this is open to SQL Injection.

Clawed · 12-22-2012, 08:29 AM

Quote:

Originally Posted by Fou-Lu

This is invalid: INSERT INTO (feedback title, .... Perhaps you mean INSERT INTO feedback (title, ...?

Noticed you are using mysqli. You should used prepared statements to save the trouble from needing to run through a real_escape_string. As is, this is open to SQL Injection.

Yes, i also recommend you use:

PHP Code:


			
$name = mysql_real_escape_string( $_POST['name'] );

Old Pedant · 12-22-2012, 04:56 PM

Ummm...Clawed: FouLu is saying that *IF* he uses prepared statements then he will not *NEED* to use mysql_real_escape_string.

Which is not only correct, but much better than mysql_real_escape_string.

If you don't know about prepared statements, then time to read up on them.

Clawed · 12-29-2012, 02:51 PM

Quote:

Originally Posted by Old Pedant

Ummm...Clawed: FouLu is saying that *IF* he uses prepared statements then he will not *NEED* to use mysql_real_escape_string.

Which is not only correct, but much better than mysql_real_escape_string.

If you don't know about prepared statements, then time to read up on them.

Oh, i didn't realise he was using MySQLi