
Thread: SQL Error

  1. #1
    Join Date
    Aug 2011
    Posts
    1

    Default SQL Error

    I don't know what I'm doing wrong.

    PHP Code:
    $name = $_POST[name];
    $gt = $_POST[gt];
    $email = $_POST[email];
    $game = $_POST[game];
    $day = $_POST[dd];
    $ip = $_SERVER[REMOTE_ADDR];
    mysql_select_db("nuke547_orders", $con);


    INSERT INTO `nuke547_orders`.`order` (`id` ,`name` ,`gt` ,`email` ,`game` ,`day` ,`ip`)
    VALUES (NULL ,  '$name',  '$gt',  '$email',  '$game',  '$day',  '$ip');

    My error is:

    PHP Code:
    Parse error: syntax error, unexpected T_STRING in /home/nuke547/public_html/order.php on line 18

    Line 18 is the insert line.

  2. #2
    Join Date
    Nov 2011
    Posts
    2

    Default

    Hi!
    The deal is that the "INSERT INTO" command is a database (MySQL) command, and PHP knows nothing of it. What you need to do is wrap all of that into a PHP string and run it through the mysql_query() function. I also follow the extra step of sending the input values through a cleaner function to make sure you don't get hackers (or funny text) wreaking havoc in your database.

    First, the simple correction (line 18 should read):
    mysql_query("INSERT INTO `nuke547_orders`.`order` (`id` ,`name` ,`gt` ,`email` ,`game` ,`day` ,`ip`) VALUES (NULL , '$name', '$gt', '$email', '$game', '$day', '$ip');");

    The best way:
    $sql = sprintf("INSERT INTO `nuke547_orders`.`order` (`id` ,`name` ,`gt` ,`email` ,`game` ,`day` ,`ip`) VALUES (NULL , '%s', '%s', '%s', '%s', '%s', '%s');",
    mysql_real_escape_string($name),
    mysql_real_escape_string($gt),
    mysql_real_escape_string($email),
    mysql_real_escape_string($game),
    mysql_real_escape_string($day),
    mysql_real_escape_string($ip) );
    mysql_query($sql);

    Notes:
    (1) as you can see, you can put line breaks inside the sprintf() function to make it more readable;
    (2) you can, according to your style, do the mysql_real_escape_string() part up where you assigned the temporary variables, or you can dispense with the temporaries and put the $_POST[so-and-so] stuff directly in the mysql_real_escape_string()'s;
    (3) you can avoid dumping ugly errors to the web page by prepending the at symbol to the mysql_query() like this: @mysql_query("something") (which step silences the PHP error) and then get the SQL error directly with mysql_error() and do what you like with it (such as error_log(mysql_error() ); );


    I hope that helps.
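
An added example, not part of either post: the same INSERT written with bound parameters through PDO, which takes the place of escaping each value by hand (the mysql_* functions used above were removed in PHP 7). It assumes the pdo_sqlite extension; the in-memory SQLite database, the column types, the saveOrder() helper and the sample input are constructed here so the script runs without the real MySQL server or a form post.

```php
<?php
// Added example: schema, helper name and sample values are assumptions.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE `order` (
    `id` INTEGER PRIMARY KEY, `name` TEXT, `gt` TEXT,
    `email` TEXT, `game` TEXT, `day` TEXT, `ip` TEXT)');

// Constructed input standing in for $_POST and $_SERVER['REMOTE_ADDR'].
$post = [
    'name'  => "Conan O'Brien",   // the apostrophe breaks the interpolated query
    'gt'    => "a', 'b",          // "funny text" containing quotes
    'email' => 'conan@example.com',
    'game'  => 'Halo',
    'dd'    => '2011-11-05',
];
$ip = '203.0.113.7';

function saveOrder(PDO $pdo, array $post, string $ip): int
{
    // Reject input of the wrong shape before it reaches the database.
    if (filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid email');
    }
    // Placeholders keep the values out of the SQL text entirely.
    $stmt = $pdo->prepare(
        'INSERT INTO `order` (`name`, `gt`, `email`, `game`, `day`, `ip`)
         VALUES (:name, :gt, :email, :game, :day, :ip)'
    );
    $stmt->execute([
        ':name' => $post['name'] ?? '', ':gt'   => $post['gt'] ?? '',
        ':email' => $post['email'],     ':game' => $post['game'] ?? '',
        ':day'  => $post['dd'] ?? '',   ':ip'   => $ip,
    ]);
    return (int) $pdo->lastInsertId();
}

try {
    $id   = saveOrder($pdo, $post, $ip);
    $read = $pdo->prepare('SELECT `name`, `gt` FROM `order` WHERE `id` = :id');
    $read->execute([':id' => $id]);
    $row  = $read->fetch(PDO::FETCH_ASSOC);
    // Both values come back byte-for-byte as submitted.
    var_dump($row['name'] === $post['name'], $row['gt'] === $post['gt']);
} catch (PDOException $e) {
    error_log($e->getMessage());  // log the SQL error, keep it off the page
}
```

Against MySQL only the DSN and credentials passed to the PDO constructor change; the prepare() and execute() calls stay the same.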
