
If a value like this: 's-Gravenhage is submitted into my database,

then the form is not submitted and I see an error:

Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's-Gravenhage',, '', '', '', '', '0', '0', '0', '', '', '', '', '19.05.' at line 2

Other values without :, - and ' are no problem!

I think it is because the ' and -

How can I fix this in phpMyAdmin?

So this is the send.php (for an action form):

$link = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD);

if (!$link) {
    die('Could not connect: ' . mysql_error());
}

$db_selected = mysql_select_db(DB_NAME, $link);

if (!$db_selected) {
    die('Can\'t use ' . DB_NAME . ': ' . mysql_error());
}

// Raw form input, used in the query exactly as submitted
$value = $_POST['firstname'];
$value2 = $_POST['lastname'];
$value3 = $_POST['city'];

// The values are interpolated straight into the SQL string, so a quote in the
// input (as in 's-Gravenhage) ends the string literal early and breaks the statement
$sql = "INSERT INTO orders (firstname, lastname, city)
VALUES ('$value', '$value2', '$value3')";

if (!mysql_query($sql)) {
    die('Error: ' . mysql_error());
}
Marc Delisle
DesignStudios

1 Answer

See revised code below. Each input needs to be sanitised before being used in the query. This is also for security reasons. Read more about that here https://www.owasp.org/index.php/SQL_Injection

$link = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD);

if (!$link) {
    die('Could not connect: ' . mysql_error());
}

$db_selected = mysql_select_db(DB_NAME, $link);

if (!$db_selected) {
    die('Can\'t use ' . DB_NAME . ': ' . mysql_error());
}

// Escape each input for use inside a quoted SQL string literal
// (must be called after mysql_connect, since it uses the open connection)
$value = mysql_real_escape_string($_POST['firstname']);
$value2 = mysql_real_escape_string($_POST['lastname']);
$value3 = mysql_real_escape_string($_POST['city']);

$sql = "INSERT INTO orders (firstname, lastname, city) VALUES ('$value', '$value2', '$value3')";

if (!mysql_query($sql)) {
    die('Error: ' . mysql_error());
}
GeorgeQ
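As an added example (not the poster's or the answerer's code), the same send.php insert written with a PDO prepared statement, so a value such as 's-Gravenhage is passed as a parameter and never becomes part of the SQL text. It assumes the DB_HOST, DB_USER, DB_PASSWORD and DB_NAME constants from the question are defined and that the pdo_mysql extension is available.

```php
<?php
// Added example, not from the original question or answer: the orders insert
// using a PDO prepared statement instead of string interpolation.
// Assumes DB_HOST, DB_USER, DB_PASSWORD and DB_NAME are defined before this runs.

$dsn = sprintf('mysql:host=%s;dbname=%s;charset=utf8mb4', DB_HOST, DB_NAME);

try {
    $pdo = new PDO($dsn, DB_USER, DB_PASSWORD, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // throw instead of returning false
        PDO::ATTR_EMULATE_PREPARES => false,                  // let the MySQL server bind the values
    ]);
} catch (PDOException $e) {
    die('Could not connect: ' . $e->getMessage());
}

// Read the three form fields; a missing field becomes an empty string.
$firstname = $_POST['firstname'] ?? '';
$lastname  = $_POST['lastname']  ?? '';
$city      = $_POST['city']      ?? '';

// The statement text contains only placeholders, never user data, so quotes,
// colons or dashes in the input cannot end the literal or alter the query.
$sql = 'INSERT INTO orders (firstname, lastname, city) VALUES (:firstname, :lastname, :city)';

try {
    $stmt = $pdo->prepare($sql);
    $stmt->execute([
        ':firstname' => $firstname,
        ':lastname'  => $lastname,
        ':city'      => $city,   // e.g. "'s-Gravenhage" is stored exactly as typed
    ]);
} catch (PDOException $e) {
    // Keep the database error in the server log; show the user a generic message.
    error_log('orders insert failed: ' . $e->getMessage());
    die('Error: could not save the order.');
}
```

Because the value is bound rather than escaped into the string, there is no quoting step that can be forgotten for one field, which is the usual way the mysql_real_escape_string approach breaks later.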