
So I have an incredibly simple HTML survey form that I created that only has one select drop-down input and one text input field. The text input only shows up if the select field is on the "other" option. So that is all well and good, I have JavaScript handling all of it and it works great.

Now the problem appears when I try to POST the form values to the PHP file and then insert the values into my database table. I have been receiving this error every time I try to submit the form:

Error: INSERT INTO survey (select, other) VALUES ('flyer','')
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' other) VALUES ('flyer','')' at line 1

Because of the odd single quote that seems to cut off the first part of the SQL string, I am led to believe I am somehow SQL injecting myself on my form POST or my PHP validation. I have gone through the code many times searching for weird quotes, have re-written the form completely from scratch, triple checked the table and row names from my database, and even grabbed a SQL string that I know works in other places and changed it to work here. Unfortunately I always get the same error, so I would greatly appreciate any insight or help you all can lend me.

My HTML Form:

  <form action="includes/survey.php" method="POST" id="hear_form">
    <label for="hear_select">How did you hear about us?</label>
    <br>

    <select id="hear_select" name="hear_select">
        <option value='flyer'>Flyer left on door</option>
        <option value='email'>Email from Troop</option>
        <option value='sodo'>SODO News</option>
        <option value='conway'>Conway News</option>
        <option value='southwest'>Southwest Orlando Bulletin</option>
        <option value='winter'>Winter Park Observer</option>
        <option value='baldwin'>Baldwin Park Living</option>
        <option value='facebook'>Facebook</option>
        <option value='neighborhood'>Neighborhood posting</option>
        <option value='other'>Other</option>
    </select>

    <!-- shown by JavaScript only when "Other" is selected -->
    <label id="otherlabel" for="other_type">Where else did you hear about us?</label>
    <input id="other_type" type="text" name="other_type" maxlength="200" value="">

    <input type="submit" value="Submit" id="hear_submit">
  </form>

My PHP:

<?php
require_once 'db_con.php';   // provides $mysqli
require_once 'functions.php';

$selectErr = "";
$otherErr = "";

// validating inputs
if ($_SERVER["REQUEST_METHOD"] == "POST") {
    // the <select> is required
    if (empty($_POST["hear_select"])) {
        $selectErr = "* An answer is required";
        $valid = false;
    } else {
        $select = test_input($_POST["hear_select"]);
        $valid = true;
    }

    // the free-text field is optional but capped at 200 characters
    if (empty($_POST["other_type"])) {
        $other = test_input($_POST["other_type"]);
        $valid = true;
    } else {
        if (strlen($_POST["other_type"]) < 200) {
            $other = test_input($_POST["other_type"]);
            $valid = true;
        } else {
            $otherErr = "* An answer must have less than 200 characters";
            $valid = false;
        }
    }

    // either error message set above makes the whole submission invalid
    if ($selectErr != '' || $otherErr != '') {
        $valid = false;
    }

    if ($valid) {
        var_dump($_POST);
        // inserting variables into the database
        $sql = "INSERT INTO survey (select, other) VALUES ('$select','$other')";
        // checking if all worked; if it did, redirect page to next step
        if ($mysqli->query($sql) === TRUE) {
            header('Location: index.php');
        } else {
            echo "Error: " . $sql . "<br>" . $mysqli->error;
        }

        $mysqli->close();

        exit;
    }
}

// strips surrounding whitespace and quote characters, then HTML-encodes
function test_input($data) {
    $data = trim($data);
    $data = str_replace('"', "", $data);
    $data = str_replace("'", "", $data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    return $data;
}

1 Answer


The problem with the query is that 'select' is a reserved keyword in the SQL standard, and must be properly escaped if it is to be used as a column name.

The best options would be to either rename the column, or escape it in the query. See the following link for more detail.

Escaping reserved keywords

Answered by Alexa Y
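The following is an added example, not code from the asker or the answerer: it rewrites the failing handler so that the reserved-word column is backtick-quoted and the two values are bound through a mysqli prepared statement rather than interpolated into the SQL string. It assumes `db_con.php` defines an open `$mysqli` connection (as the question's code does) and that the table is `survey` with columns `select` and `other`; the option whitelist is taken from the form's `<option value>` attributes.

```php
<?php
// Added example (not from the original post). Assumes db_con.php defines
// $mysqli (mysqli) and the table `survey` has columns `select` and `other`.
declare(strict_types=1);

// Values the <select> can legitimately submit, copied from the form's options.
const HEAR_OPTIONS = ['flyer', 'email', 'sodo', 'conway', 'southwest',
                      'winter', 'baldwin', 'facebook', 'neighborhood', 'other'];

/**
 * Validate the two posted fields. Returns [$select, $other] on success or
 * throws InvalidArgumentException with a user-facing message.
 */
function validate_survey(array $post): array
{
    $select = trim((string)($post['hear_select'] ?? ''));
    // Whitelisting beats stripping quotes: an unexpected value is rejected outright.
    if (!in_array($select, HEAR_OPTIONS, true)) {
        throw new InvalidArgumentException('* An answer is required');
    }

    $other = trim((string)($post['other_type'] ?? ''));
    // Matches the form's maxlength="200"; mb_strlen counts characters, not bytes.
    if (mb_strlen($other) > 200) {
        throw new InvalidArgumentException('* An answer must have less than 200 characters');
    }
    // Only keep the free text when "Other" was chosen.
    if ($select !== 'other') {
        $other = '';
    }
    return [$select, $other];
}

/**
 * Insert one response and return the new row id. `select` is backtick-quoted
 * because it is a reserved word; the values are bound as parameters, so any
 * quote characters in $other cannot change the statement's structure.
 */
function insert_survey(mysqli $mysqli, string $select, string $other): int
{
    $sql  = 'INSERT INTO `survey` (`select`, `other`) VALUES (?, ?)';
    $stmt = $mysqli->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $mysqli->error);
    }
    $stmt->bind_param('ss', $select, $other);
    if (!$stmt->execute()) {
        $err = $stmt->error;
        $stmt->close();
        throw new RuntimeException('execute failed: ' . $err);
    }
    $id = (int)$mysqli->insert_id;
    $stmt->close();
    return $id;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    require_once 'db_con.php'; // assumed to define $mysqli, as in the question
    try {
        [$select, $other] = validate_survey($_POST);
        insert_survey($mysqli, $select, $other);
        header('Location: index.php');
        exit;
    } catch (InvalidArgumentException $e) {
        // Validation message for the user; HTML-encode at output time, not storage time.
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        // Keep SQL text and driver errors out of the browser; log them server-side.
        error_log($e->getMessage());
        http_response_code(500);
        echo 'Could not save your answer.';
    } finally {
        if (isset($mysqli)) {
            $mysqli->close();
        }
    }
}
```

Two points worth noting beyond the reserved-word fix: the question's `test_input` removes quote characters and calls `htmlspecialchars` before storage, which is neither a reliable defence against SQL injection nor a good place for HTML encoding (it double-encodes when the value is later output with encoding again); parameter binding handles the SQL side, and encoding belongs in the template that renders the value. Second, the original handler echoes the full SQL string and driver error to the browser on failure, which is useful while debugging but discloses schema details in production, so the example logs them instead.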