MySQL database not posting content at all times

Question

I have a simple blog created using php/mysql. When I create a post, the sql doesn't always insert the posted content from the blog post.

$blogTitle = $_POST[blogTitle];
$blogText = $_POST[blogText];
$blogTags = $_POST[blogTags];
$today = date("F j Y");
$createPostSQL = mysqli_query($con,"INSERT INTO blog_data (blog_title, blog_text, blog_date, blog_tags, popularity) VALUES ('$blogTitle', '$blogText', $today, '$blogTags', 10)");
if (!mysqli_query($con,$createPostSQL))
  {
  die('Error: ' . mysqli_error($con));
  }
echo "1 record added";
  }

I'm receiving the following mysqli_error which I can't make sense of.

Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '16 2013, 'test', 10)' at line 1

Before anyone states some of the obvious solutions, let me state the following

The connection to the database is fine.
The information is being received by a POST from another page, which is also working fine.
Besides the mysql_error stated above, the page is not receiving any other obvious errors.

Look up PDO. Your code is very broken, and *extremely* vulnerable to SQL injection. I assume that it's broken because somebody entered a `'` in one of the fields. — user229044, Sep 16 '13 at 03:53
I've simply entered the text "Test" in every field and the insert still didn't work. — Josh, Sep 16 '13 at 03:55
You're building invalid SQL. Examine the string containing your SQL statement and see what it contains, and then *throw out this code* and look up PDO. The code you've written is unsalvageable. It is based on fundamentally insecure methodologies. You are giving the entire world unfiltered write access to your database. — user229044, Sep 16 '13 at 03:57
why not use NOW() instead date and as Meagar pointed, using(Abusing) Mysqli/PDO isnt do magic you need to properly escape all request and Prepared statements would be way to go check this http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php/14110189#14110189 — NullPoiиteя, Sep 16 '13 at 03:58

score 0 · Answer 1 · answered Sep 16 '13 at 04:33

There are an infinite number of ways in which your code could fail, because there are an infinite number of invalid inputs that could be used in building the SQL string that you're sending to the database.

In this particular instance, it's probably the date format that's causing MySQL to fail. MySQL wants dates either quoted with internal dashes ( 'YYYY-MM-DD' ) or unquoted without any delimiters at all ( YYYYMMDD ).

Furthermore, any text input that contains a single quote will cause the SQL you generate to be invalid. There are also other characters and strings (double-dash for comments, escaping characters) that could render your SQL invalid.

But the biggest problem of all is that a malicious user could insert something into one of those text inputs which makes the resulting SQL statement both valid and destructive (like deleting your blog posts table, or something similar). To avoid that scenario, learn how to use parameterized SQL statements rather than building the SQL dynamically as a text string.

MySQL database not posting content at all times

1 Answers1