-3

So I have a PHP script that is supposed to insert all of the stuff that comes in through the form into a database. What I have done is stored all the values in an array, and then I am attempting to implode them while inserting into a table just so I can handle them all at once.

However I keep getting this error and I do not know why:

Error: Unknown column 'test' in 'field list'

What seems to be happening is that the implode function is giving off the actual values that are entered in the form (rather than the column names), and the insert function is trying to insert them into the columns, when really this should not be happening because $profileCols is just an array of strings that represent the column names.

Could somebody help me out? Here is where you can find the form and error.

<?php
// $con is assumed to be a mysqli connection opened earlier in the script.
$profile = $_POST["profile"];
$requestedAmount = $_POST["requestedAmount"];
$currentBalance = $_POST["currentBalance"];
$creditScore = $_POST["creditScore"];
$timeInBusiness = $_POST["timeInBusiness"];
$avgMonthly = $_POST["avgMonthly"];
$noBankDeposits = $_POST["noBankDeposits"];
$avgBalance = $_POST["avgBalance"];
$monthlyNSF = $_POST["monthlyNSF"];
$industryType = $_POST["industryType"];
$endingBalance = $_POST["endingBalance"];

$profileValues = array("$profile", "$requestedAmount", "$currentBalance", "$creditScore", "$timeInBusiness", "$avgMonthly", "$noBankDeposits", "$avgBalance", "$monthlyNSF", "$industryType", "$endingBalance");

$profileCols = array('profile', 'requestedAmount', 'currentBalance', 'creditScore', 'timeInBusiness', 'avgMonthly', 'noBankDeposits', 'avgBalance', 'monthlyNSF', 'industryType', 'endingBalance');

if (isset($profileValues))
{
    // The values are concatenated into the SQL without quotes, so a text
    // value such as test appears as a bare identifier and MySQL reads it
    // as a column name (hence "Unknown column 'test' in 'field list'").
    $entry = 'INSERT INTO profileBuilder (' . implode(",", $profileCols) . ') VALUES (' . implode(",", $profileValues) . ')';
} else {
    echo "failure buddy!";
}

if (!mysqli_query($con, $entry))
{
    die('Error: ' . mysqli_error($con));
}
echo "1 record added";

mysqli_close($con);
?>
Marc Delisle
Philip
  • 3
    There is no column `test` in any of the code you've provided. You're also wide open to SQL injection. – Kermit Oct 09 '13 at 20:44
  • You are vulnerable to SQL injection: http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php – Lorenz Oct 09 '13 at 20:48
  • That's what I am saying, I'm not trying to put test into a column! test would be what I am entering into a form – Philip Oct 09 '13 at 20:48
  • 1
    This is seriously dangerous. Something as simple as a `)` in any of your input fields will cause your query to fail. It would be so easy to insert a 'drop tables' statement in here... What's worse is that you've published the code and the web address. Excuse me - the temptation to be malicious is almost overwhelming. –  Oct 09 '13 at 20:50
  • It thinks test is a column because it is text and not quoted. – AbraCadaver Oct 09 '13 at 20:50
  • Please don't hack my site! ...How do I edit this to stop hackers! – Philip Oct 09 '13 at 20:51
  • 1
    Read [this post](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?lq=1), understand it, and then look at your code again. –  Oct 09 '13 at 21:02
  • Just wondering why I would get -4 votes on this post, it is a legitimate question – Philip Oct 10 '13 at 06:02

1 Answer

0

You need to check / escape all the data going in to the query. Use mysqli_real_escape_string(). You may be able to use it with array_map() / array_walk() on the $_POST vars. If any of your values are text then they need to be quoted:

$entry = 'INSERT INTO profileBuilder (' . implode(",", $profileCols) . ') VALUES (\'' . implode("','", $profileValues) . '\')';
AbraCadaver
  • Does that really matter? The way my code is written right now I think it would be alright – Philip Oct 09 '13 at 20:54
  • You've edited some quotes into your code, but where you've put them means that the column list will fail, and your entire value list will be treated as a single value, unless someone includes a single quote in their text, in which case it will fail with a syntax error (if you are lucky). –  Oct 09 '13 at 21:00
  • @Mike W: Is that directed to Philip? – AbraCadaver Oct 09 '13 at 21:04
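As an added example (not code from the question or the answer above), here is the same INSERT rebuilt as a mysqli prepared statement: the column list stays a fixed whitelist in the code, and the form values are sent separately from the SQL text, so a `)` or a `'` in an input field can neither break the statement nor change what it does. It assumes `$con` is an open mysqli connection and the `profileBuilder` table from the question.

```php
<?php
// Added example, not from the original post. Assumes $con is an open
// mysqli connection and the profileBuilder table from the question.

// Column names live only in code; nothing from the request reaches this list.
$profileCols = array('profile', 'requestedAmount', 'currentBalance',
    'creditScore', 'timeInBusiness', 'avgMonthly', 'noBankDeposits',
    'avgBalance', 'monthlyNSF', 'industryType', 'endingBalance');

// Collect the form values in column order; a missing field becomes NULL
// instead of triggering an undefined-index notice.
$profileValues = array();
foreach ($profileCols as $col) {
    $profileValues[] = isset($_POST[$col]) ? $_POST[$col] : null;
}

// One "?" per column. The question's version put the raw values here,
// so a value of test was parsed by MySQL as a column name; quoting the
// values (the answer's fix) still lets a stray quote end the literal.
$placeholders = implode(',', array_fill(0, count($profileCols), '?'));
$sql = 'INSERT INTO profileBuilder (' . implode(',', $profileCols) . ')'
     . ' VALUES (' . $placeholders . ')';

$stmt = mysqli_prepare($con, $sql);
if ($stmt === false) {
    die('Prepare failed: ' . mysqli_error($con));
}

// Bind every value as a string ("s"); the server converts to the column
// type. bind_param takes its values by reference, so pass references.
$types = str_repeat('s', count($profileValues));
$args = array($types);
foreach ($profileValues as $i => $unused) {
    $args[] = &$profileValues[$i];
}
call_user_func_array(array($stmt, 'bind_param'), $args);

// The values travel to the server outside the SQL text, so they are
// never parsed as part of the statement.
if (!mysqli_stmt_execute($stmt)) {
    die('Error: ' . mysqli_stmt_error($stmt));
}
echo "1 record added";

mysqli_stmt_close($stmt);
mysqli_close($con);
?>
```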