Posted by Gordon Burditt on 10/21/49 11:40
>I'm a bit of a newbie and I'd appreciate some help with a MySQL issue
>I'm having. I'm trying to insert some data into MySQL from a POST form
>but the query breaks whenever a user fails to fill out a value. Here's
Then don't submit the query if the user fails to fill in a value.
Give the user an error message. Or if it's legitimate and you
want to insert a null value, replace the unset value with the
word null (for integers where you're not enclosing the value in
quotes).
You're also begging for a SQL injection attack here. And what
happens if $_POST['name'] is:
Beethoven's 5th symphony
which will also cause SQL errors?
If you take input from the browser (which includes anything from
$_GET, $_POST, $_REQUEST, or $_COOKIE) and put it into SQL
without at a minimum quoting it first (e.g. with addslashes()
or mysql_escape_string()), you're in trouble. If user input
(especially a single or double quote as part of the input)
can cause SQL errors, you're in trouble.
>the PHP code that breaks when the $_POST[opus] variable is left blank:
>
>mysql_query("INSERT INTO piece VALUES (NULL, '$_POST[composer]',
>$_POST[opus], $_POST[year], '$_POST[name]' , '$_POST[work_type]',
>$_COOKIE[user_cookie])") or die(mysql_error());
>
>Here's my error message:
>
>"You have an error in your SQL syntax. Check the manual that
>corresponds to your MySQL server version for the right syntax to use
>near '1865,'Symphony No. 2 in B-flat Major','1',15)' at line 1"
Gordon L. Burditt
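One way to apply the advice in this reply, as an added example that is not code from the thread: blank optional fields become SQL NULL, missing required fields produce an error instead of a broken query, and the values reach the INSERT through PDO prepared-statement placeholders (a swapped-in technique, in place of the addslashes()/mysql_escape_string() quoting mentioned above). The column names, DSN and credentials are assumptions; the original INSERT relied on column order and named none.

```php
<?php
// Added example, not code from the thread. Column names, DSN and credentials
// are assumptions; the original INSERT relied on column order and named none.
function intOrNull(string $raw): ?int
{
    $raw = trim($raw);
    if ($raw === '') {
        return null;                       // blank optional field -> SQL NULL
    }
    if (!ctype_digit($raw)) {
        throw new InvalidArgumentException("expected an integer, got '$raw'");
    }
    return (int) $raw;
}

$composer = trim($_POST['composer'] ?? '');
$name     = trim($_POST['name'] ?? '');
$workType = trim($_POST['work_type'] ?? '');

// Required fields: give the user an error instead of submitting a broken query.
if ($composer === '' || $name === '') {
    http_response_code(400);
    exit('composer and name are required');
}

// The cookie is browser input too; a missing or non-numeric id is rejected.
$userId = intOrNull($_COOKIE['user_cookie'] ?? '');
if ($userId === null) {
    http_response_code(401);
    exit('not logged in');
}

$pdo = new PDO('mysql:host=localhost;dbname=music;charset=utf8mb4', 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

// Placeholders keep user data out of the SQL text: the apostrophe in
// "Beethoven's 5th symphony" is plain data, and a blank opus is sent as NULL.
$stmt = $pdo->prepare(
    'INSERT INTO piece (composer, opus, year, name, work_type, user_id)
     VALUES (:composer, :opus, :year, :name, :work_type, :user_id)'
);
$stmt->execute([
    ':composer'  => $composer,
    ':opus'      => intOrNull($_POST['opus'] ?? ''),
    ':year'      => intOrNull($_POST['year'] ?? ''),
    ':name'      => $name,
    ':work_type' => $workType,
    ':user_id'   => $userId,
]);
```

With ERRMODE_EXCEPTION a failed insert raises a PDOException instead of the die(mysql_error()) in the original, so the database error text is not echoed back to the browser.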