Member Avatar for prawin@123

Hi a new bee to php,
Can any one help me,
i AM creating a login form which consists of name address and email id , what is the problem i have here is when entering datas into address field , it throws error as errorYou have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '2009-Mar-19',now() )' at line 1 .

I am some how identified the error . it didnt throws for all datas . it throws error for ex: my name is prawin alais 'tiger'. ie for ' '

and my address field code is as below
Address&nbsp;*&nbsp;</td><td><TEXTAREA ROWS="6" COLS="23" name="comp_add" title="Enter Your Addss"><?php echo $cadd; ?></textarea>.
and another important information to u :
this is my structure of php my admin

field :project_desc
type:varchar
length:255

should i need to change any thing in the structure to overcome error?

  • 3 Contributors
  • 12 Replies
  • 107 Views
  • 7 Hours Discussion Span
  • Latest Post Latest Post by prawin@123
Member Avatar for cwarn23

In case you didn't know that is a mysql syntax error used inside the mysql_query() function. So could you post what you placed inside the mysql_query() function(s) that this error relates to. It is really just the string/text inside that function that we need. Thats where the real error is.

Member Avatar for prawin@123

Hi cwarn23,
Thanks for u reply.
but i am unable to understand what u r tying to say.
Any u xplain me a lot.

Member Avatar for prawin@123

and my code is

$cadd=$_POST['comp_add'];
if ($cadd == "" )
 {
		$isInsert = false;
		echo  "Enter Address ";
}
if ($isInsert == true)
		{		
$sql="insert into  tbl_customer(comp_name,comp_add,
comp_pnum,comp_email,comp_fnum,select_loc) values('$cname','$cadd','$cpnum','$email','$cfnum','$select')";
	if(!mysql_query($sql,$con)){
						die('error' .mysql_error());
						  }
mysql_close($con);
}
Member Avatar for ahmksssv

Hi cwarn23,
Thanks for u reply.
but i am unable to understand what u r tying to say.
Any u xplain me a lot.

@Prawin: May be its single quotes problme or string problem..
can u send ur Sql Query....
Try to echo ur query..

Member Avatar for cwarn23

Well ya sent the nessecary code plus extra and so try replacing the $sql variable with the following:

$sql='INSERT INTO  tbl_customer(comp_name,comp_add,comp_pnum,comp_email,comp_fnum,select_loc) values("'.mysql_real_escape_string($cname).'","'.mysql_real_escape_string($cadd).'","'.mysql_real_escape_string($cpnum).'","'.mysql_real_escape_string($email).'","'.mysql_real_escape_string($cfnum).'","'.mysql_real_escape_string($select).'")';

That should prevent any strings from escaping and should help prevent mysql injections.

Member Avatar for prawin@123

I think its single quotes problem

$cadd=$_POST['comp_add'];
if ($cadd == "" )
 {
		$isInsert = false;
		echo  "Enter Address ";
}
if ($isInsert == true)
		{		
$sql="insert into  tbl_customer(comp_name,comp_add,
comp_pnum,comp_email,comp_fnum,select_loc) values('$cname','$cadd','$cpnum','$email','$cfnum','$select')";
	if(!mysql_query($sql,$con)){
						die('error' .mysql_error());
						  }
mysql_close($con);
}

i want u remember that i works good for all datas which i given and it is stored well in database except for the data with ' and ', for ex if i give the quote as my name is prawin alais 'kumar'

Member Avatar for cwarn23

So you say its a single quotes problem. What about if any one of those variables contained a single quote or even a double quote? The only thing to do about that would be the script in my previous post. As your script stands, it is open to mysql injections and can easily be bugged up with an injected quote (which is probably happening). That is why I suggest the script I presented in my previous post.

Member Avatar for prawin@123

Hi cwarn 23 ,
As u told , i changed the step by step so that it works good for ".mysql_real_escape_string($proname).",".mysql_real_escape_string($custname)."

when i am trying to change the code to ".mysql_real_escape_string($statusdesc).",
which is a multiline text are ie

<td width="80">Project Status&nbsp;&nbsp;</td><td><TEXTAREA ROWS="6" COLS="40" name="pro_desc"><?php echo"$statusdesc";?></textarea></td>

throws the error as errorUnknown column 'ghgjhjty' in 'field list' 

if($isInsert){
$sql="insert into tbl_projectstatus(project_name,cust_name,project_desc,date,time) values(".mysql_real_escape_string($proname).",".mysql_real_escape_string($custname).",".mysql_real_escape_string($statusdesc).", '$date',now() )";        

			if(!mysql_query($sql,$con)){
										die('error' .mysql_error());
									  }

can u tell me what it is meant

Member Avatar for cwarn23

It appears it is mixing the column names with the values somehow. So there are two options one the board of what I can see and they are, try to copy and past the following code to see if it works:

if($isInsert){
$sql="INSERT INTO tbl_projectstatus (project_name,cust_name,project_desc,date,time) VALUES ('".mysql_real_escape_string($proname)."','".mysql_real_escape_string($custname)."','".mysql_real_escape_string($statusdesc)."', '$date',".now()." )";        

			if(!mysql_query($sql,$con)){
										die('error' .mysql_error());
									  }

If the above code doesn't work, I would suggest doing the insert query a much easier way like the following:

if($isInsert){
$sql="INSERT INTO tbl_projectstatus SET project_name='".mysql_real_escape_string($proname)."', cust_name='".mysql_real_escape_string($custname)."', project_desc='".mysql_real_escape_string($statusdesc)."', date='".$date."', time='".mysql_real_escape_string(now())."'";        

			if(!mysql_query($sql,$con)){
										die('error' .mysql_error());
									  }

The second code box is how I usually do it as it is simple and easy.

Member Avatar for prawin@123

So you say its a single quotes problem. What about if any one of those variables contained a single quote or even a double quote? The only thing to do about that would be the script in my previous post. As your script stands, it is open to mysql injections and can easily be bugged up with an injected quote (which is probably happening). That is why I suggest the script I presented in my previous post.

Thank u

cwarn23

It finally works for me, its a simple modification from ur solution , Any way i am very much glad that ur solution and tips regarding sql injection attack . I need some more tips regarding sql injection .
Again Thank u very much

Member Avatar for cwarn23

Information about Mysql injections-
Well the thing that makes mysql injections are 2 main factors. One as you have discovered is if there is a quotation mark in the variable and you place that in the mysql query then an error is reported as the quotation mark messes up the mysql query. So what mysql_real_escape_string does about that is put a slash to the left of the quotation mark (forget if it uses forward slash or backslash) and that prevents the quotation mark from escaping the query.
Now for the nasty injections. Believe it or not, mysql has a regex syntax like preg_match where if a user can enter data into the database (mainly for Select parameter) then the user can use that regex to make unwanted matches or unwanted inserts. An example is when not using mysql_real_escape_string, to pass by a security system such as a login pannel, all the user needs to do is place a % symbol in the username and password and that will match all entries in the database because the % symbol is a wildcard. There are probably many other things they can do that I don't know about since I never use the mysql version of regex but to make it safe its best to allways use mysql_real_escape_string().

Member Avatar for prawin@123

Thanks cwarn23,
Its a nice post given by u abt mysql injections ,

Please keep in touch,
Bye

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.