
Currently, my query (in my PHP script) is

mysql_query('INSERT INTO julian.guestbook (name, message, email, date) VALUES ("Julian Davis", ".'$newmsg.'", ".'$newmail'.", NOW());');

and it returns an error. A moment ago (before I jumped through that hoop with the variables) (and yes! I made sure to sanitize them!), it returned a broken page. Even with error reporting on, it won't report an error. If you just pass the name of the variables, it will submit

mysql> SELECT * FROM julian.guestbook;
+--------------+---------+----------+---------------------+
| name         | message | email    | date                |
+--------------+---------+----------+---------------------+
| Julian Davis | $newmsg | $newmail | 2015-09-18 17:53:50 |
+--------------+---------+----------+---------------------+

but I want my (sanitized) data from my HTML form earlier in these boxes. I can't seem to get PHP to pass these strings along without messing something up in MySQL and not telling me anything it's doing.

J. Davis
    [Your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Jay Blanchard Sep 18 '15 at 18:05
  • 1
    If you can, you should [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). They are [officially deprecated](https://wiki.php.net/rfc/mysql_deprecation). [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) [statements](http://php.net/manual/en/pdo.prepared-statements.php) instead, and consider using PDO, [it's really not hard](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Sep 18 '15 at 18:05
  • @JayBlanchard No, I didn't show it in my snippet but I sanitized the data before I sent it to this script. – J. Davis Sep 18 '15 at 18:07
  • No amount of sanitizing will be as good as using a prepared statement. – Jay Blanchard Sep 18 '15 at 18:07

1 Answer


The . that you used for concatenating needs to be outside the string.

mysql_query('INSERT INTO julian.guestbook (name, message, email, date) VALUES ("Julian Davis", "' . $newmsg . '", "' . $newmail . '", NOW());');
samlev
Jay Blanchard