|
|
Posted by Hilarion on 10/10/89 11:34
>>There's a comma before the closing bracket. I would say that's your
>>error. echo mysql_error() after running the query and see what happens.
>>Or alternatively echo out the sql string and paste it into the mysql
>>console or phpMyAdmin etc.
>
> caught the comma after installing the echo mysql_error(); line and now
> have:
> "You have an error in your SQL syntax; check the manual that
> corresponds to your MySQL server version for the right syntax to use
> near 'x 2" x .25', 'no notes')' at line 1" unless I remove the
> measurements from the uhmwsize field which were 60' x 2" x .25"*
>
> after blanking that field, the error came back to a more simple
> "Column count doesn't match value count at row 1" which now makes me
> wonder... Setting id as an integer when establishing the database,
> what numerical entry should I enter into that?
>
>>One other thing, where do all those values come from? Directly from the
>>form with no escaping? If so, you need to read up on the topic of sql
>>injection.
>
> I use two forms to enter the data and until now, it's worked very well
> (so far with fields of 12 or less). One form is the user input, the
> second does the query and insert while echoing the values to the
> screen of what the user just entered into the database.
>
>>And one other thing... I personally believe you are better to write your
>>insert query in the form:
>>
>>INSERT INTO tablename (fieldname1, fieldname2, ... ) VALUES ('value1',
>>'value2', ...)
>
> I've done it this way too - kind of got away from it which may have
> been bad however, went back to it for this error solving and it made
> no difference in the outcome or error.
You definitely have to read about value escaping and SQL injection.
One (or more) of the values you are placing in your query contains
apostrophe sign. This makes query which looks like that:
$qry = "INSERT INTO tablename VALUES ( '$some_value' )"
look like that (for $some_value == "John's deep"):
INSERT INTO tablename VALUES 'John's deep'
The apostrophe contained in the value is recognized as the string value
terminator. This causes syntax error in this case. If the user notices
that he's values break the script, then he can realize that your
script is vulnerable to SQL injection and enter value which will
make $some_value == "'; DROP TABLE tablename;" which in turn will make
the query look like this:
INSERT INTO tablename VALUES ''; DROP TABLE tablename;
which will make the insert and drop the table.
Again, as Chris suggested: read about SQL injection and start using
functions like "mysql_real_escape_string".
Hilarion
Navigation:
[Reply to this message]
|