Visitor Messages?

Question

Aser Gado 0 Junior Poster in Training

13 Years Ago

I am creating a visitor messages system on a member's profile, here is my code so far..

I am using it as an include in the profile page, here is the error I get:

Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ')' at line 3

<?php
session_start();
include("database.php");
$uid = $_GET['Id'];
$pid = $_SESSION['Id'];
?>

<html>
<body>
<form method="POST" >
      <p>
      <b>Post Something: </b>
      <textarea name="message" rows="10" cols="30">
      "Write something here..."
      </textarea></p>
      <p><input type="submit" value="Submit" name="B1"></p>
    </form>
    
    </body>
    </html>
    
    <?php

    $message = $_POST['message'];
    $insert="INSERT INTO wall_posts (user, poster, message)
VALUES
($uid,$pid,$message)";

if (!mysql_query($insert))
  {
  die('Error: ' . mysql_error());
  }
header("location:member.php");

mysql_close($con)

?>

php

5 Contributors
8 Replies
111 Views
2 Days Discussion Span
Latest Post 13 Years Ago Latest Post by diafol

kekkaishi 18 Junior Poster

13 Years Ago

It seems that the error lies in your database.php file. So, perhaps you could include the source of that file.

Kraai 56 Senior Poster

13 Years Ago

I'm no expert with php etc, but I do know that the error message refers to a caracter in your code, not read by the databse, confusing it. Sometimes, it is a " that needs to be single like ' or the other way around.

Looking at your code, the " at the end of this, seems to be out of place, and may be the cause of your issue:

($uid,$pid,$message)";

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

Aser Gado 0 Junior Poster in Training · Answer 1 · 2011-03-05T14:59:14+00:00

Aser Gado 0 Junior Poster in Training

13 Years Ago

The database.php is fine, I use it in all pages.

Aser Gado 0 Junior Poster in Training · Answer 2 · 2011-03-05T15:27:34+00:00

Aser Gado 0 Junior Poster in Training

13 Years Ago

Nope, not the solution :(

Shanti C 106 Posting Virtuoso · Answer 3 · 2011-03-05T16:02:18+00:00

check this:

,'$message')";

for varchar field you need to send string in between single quotes.

Kraai 56 Senior Poster Featured Poster · Answer 4 · 2011-03-05T16:02:30+00:00

I am looking at that line again, should the values not have ' at beginning and end?

Like this

('$uid,$pid,$message')";

Oh boy, you must excuse me if this was not helpfull, as I am also learning this stuff, and may not know what I'm talking about. Rather leave this to be answered by someone who knows better, if I am wrong with above suggestion.

kekkaishi 18 Junior Poster · Answer 5 · 2011-03-06T10:06:05+00:00

I am looking at that line again, should the values not have ' at beginning and end?
Like this
('$uid,$pid,$message')";
Oh boy, you must excuse me if this was not helpfull, as I am also learning this stuff, and may not know what I'm talking about. Rather leave this to be answered by someone who knows better, if I am wrong with above suggestion.

I dont think. As shanti said, only varachar (or text) characters needs to be enclosed in quotes. So, in this case, as shanti, it can be assumed that user and poster are int fields (since $uid and $pid can be assumed as being ids and hence ints). So, only $message needs to be enclosed with single quotes.

..($uid,$pid,'$message')";

Note that if user or poster is varchar, they also need to be enclosed with single quotes.

diafol · Answer 6 · 2011-03-06T18:57:44+00:00

$insert = "INSERT INTO `wall_posts` SET `user` = $uid, `poster` = $pid, `message` = '$message'";

Personally, I prefer the SET syntax as opposed to the VALUES syntax. Shouldn't make a difference though. Placing all you values within single quotes won't affect integers, if that's what they are. Check the datatypes of user and poster, just in case they're not string-based.

You're also using unsanitized data from form and querystring. THEY MUST BE CLEANED!

e.g.

$uid = mysql_real_escape_string($_GET['id']); 
$message = mysql_real_escape_string($_POST['message']);

Otherwise if you have an apostrophe in the message, it'll break the SQL.

Although you can't protect form values any better than querystring data, it would be advisable to place the user id into a hidden field. I'd go as far as checking that the user id actually exists before inserting anything. Another reason for this is that the querystring can be deleted so that it kills the script dead as $_GET wouldn't exist.