Posted by Brendan Gillatt on 07/01/07 18:08
On Sun, 01 Jul 2007 08:26:10 -0400, Todd Michels <todd@nalamail.com>
wrote:
>Hi all,
>
>I am trying to send data from a form and insert it into a MSSQL DB.
>
>When I submit the data I get: Warning: mssql_query()
>[function.mssql-query]: message: The name "Todd" is not permitted in
>this context. Valid expressions are constants, constant expressions, and
>(in some contexts) variables. Column names are not permitted. (severity
>15) in "Myfile"
>
>If I don't use the POST data and write the query explicitly, it works.
>
>Any help is appreciated.
>
>Thanks,
>Todd
>
>WinXP SP2
>MSSQL Express 2005
>IIS 5.1
>PHP 5.2.1
>
>It's a basic form:
>
><body>
><form id="form1" name="form1" method="post" action="flextest.php">
> <label>User Name
> <input name="username" type="text" id="username" />
> </label>
> <label>Email Address
> <input name="emailaddress" type="text" id="emailaddress" />
> </label>
> <p>
> <input type="submit" name="Submit" value="Submit" />
> </p>
></form>
></body>
>
>And here is the MSSQL insert:
>
>if( $_POST["emailaddress"] AND $_POST["username"])
>{
> //add the user
> $Query = sprintf('INSERT INTO users (username, emailaddress)
>VALUES (%s, %s)', $_POST["username"], $_POST["emailaddress"]);
>
> $Result = mssql_query($Query);
>}
You could try doing $_POST[username] (remove the quotes) and seeing if
that makes a difference.
NB: Your code could have a SQL injection exploit if Magic Quotes
is turned off on your PHP.
--
Brendan Gillatt
www.brendangillatt.co.uk
GPG: 0x6E265E61
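
An added example, not part of the original thread: it shows why the unquoted `%s` in the posted query is rejected, why wrapping `%s` in quotes still lets form data change the statement, and the parameterized form. It assumes PDO with an in-memory SQLite database as a stand-in for the MSSQL server so it runs offline; the form values are constructed sample data.

```php
<?php
// Added example. SQLite in memory stands in for the MSSQL server (assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT, emailaddress TEXT)');

// Constructed form submissions (sample data, not from the post).
$samples = [
    ['username' => 'Todd',    'emailaddress' => 'todd@example.com'],
    ['username' => "O'Brien", 'emailaddress' => 'ob@example.com'],
    ['username' => 'x',       'emailaddress' => "a'), ('extra', 'row"],
];

function countRows(PDO $db): int {
    return (int) $db->query('SELECT COUNT(*) FROM users')->fetchColumn();
}

// 1. The posted query: %s without quotes, so the value is parsed as SQL
//    (a column name or expression), not as a string constant.
$q = sprintf('INSERT INTO users (username, emailaddress) VALUES (%s, %s)',
    $samples[0]['username'], $samples[0]['emailaddress']);
echo "unquoted: $q\n";
try { $db->exec($q); } catch (PDOException $e) { echo "  rejected: {$e->getMessage()}\n"; }

// 2. Quoting the placeholders fixes plain input, but the data is still part
//    of the SQL text: an apostrophe breaks it or changes what is inserted.
foreach ($samples as $s) {
    $q = sprintf("INSERT INTO users (username, emailaddress) VALUES ('%s', '%s')",
        $s['username'], $s['emailaddress']);
    $before = countRows($db);
    try {
        $db->exec($q);
        echo "quoted: one submission added ", countRows($db) - $before, " row(s)\n";
    } catch (PDOException $e) {
        echo "quoted: rejected ({$s['username']})\n";
    }
}

// 3. Parameterized: the statement text is fixed and values are bound as data.
$db->exec('DELETE FROM users');
$stmt = $db->prepare('INSERT INTO users (username, emailaddress) VALUES (?, ?)');
foreach ($samples as $s) {
    $stmt->execute([$s['username'], $s['emailaddress']]);
}
echo "parameterized: ", countRows($db), " row(s) for ", count($samples), " submissions\n";
```

With the quoted form the three submissions yield one row, a syntax error, and two rows; with the prepared statement each submission yields exactly one row and the apostrophes are stored as typed.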