
I have this SQL query:

mysql_query("INSERT INTO Messages (MessBody,Subject,Date,StaffID,AppID) 
            VALUES ('Your application's status has been changed to ".$_POST['offer']."','Application Status Changed',NOW(),".$_SESSION['StaffUser'].",".$_SESSION['AppID'].")");

The variable $_POST['offer'] is not working. I think it is the way I append it in the text. I tried several different ways but none is working. If I replace the variable with text, then the record will be added into the database, though.

I know it is something silly, but I can't figure it out. I'm a bit confused, to be honest, about when to use single quotes and when to use double quotes, so that might be another reason why I can't figure it out.

Bobys
  • In strings, escape single quotes with another single quote. E.g. `'Your application''s status...'`. – jarlh Jan 10 '17 at 10:08
  • Before doing anything else, you should sort out a couple of major issues: 1. **Don't** use the **deprecated and insecure** `mysql_*`-functions. They are deprecated since PHP 5.5 and completely removed in PHP 7. Use MySQLi or PDO instead. 2. **You are wide open to [SQL Injections](http://php.net/manual/en/security.database.sql-injection.php)** and should really use [Prepared Statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) instead of concatenating your queries, which can be used if you use the above mentioned MySQLi or PDO. – M. Eriksson Jan 10 '17 at 10:08
  • **Don't** use `mysql`-functions; they are deprecated and, in PHP 7, **removed**. Use `mysqli` or `PDO` instead, and use **parameterized queries** to protect yourself from **SQL injection**, which your code is vulnerable to, and to prevent all of those pesky little quote-related errors... – Franz Gleichmann Jan 10 '17 at 10:09
  • First off, read the manual on strings. It explains how single and double quote strings differ. Secondly, this code is terrible and will lead to disaster. a) You're using an outdated mysql interface library which has been removed from current versions of PHP, b) you're inserting user-supplied values directly into an SQL string. That will make your application vulnerable to SQL injection. – GordonM Jan 10 '17 at 10:10
  • The main problem in your code is an involuntary SQL injection you're inflicting yourself. If you address that, not only will your code work but you'll also be safe for intentional injections by third parties. – Álvaro González Jan 10 '17 at 10:11
  • Duplicate question, and also not up to date with MySQL (try to study mysqli). – Naveed Ramzan Jan 10 '17 at 10:13

1 Answer


You have single quotes missing in various places. Try using the query below:

mysql_query("INSERT INTO Messages (MessBody,Subject,Date,StaffID,AppID) 
        VALUES ('Your application\'s status has been changed to ".mysql_real_escape_string($_POST['offer'])."','Application Status Changed',NOW(),'".mysql_real_escape_string($_SESSION['StaffUser'])."','".mysql_real_escape_string($_SESSION['AppID'])."')");
Bhavik
  • This query can still crash (`$_POST` can contain anything, including more single quotes). And, honestly, wasting so much effort in querying MySQL using the library that makes it harder is kind of masochistic. – Álvaro González Jan 10 '17 at 10:17
  • I have updated my query and wrapped the variables inside mysql_real_escape_string. – Bhavik Jan 10 '17 at 10:19
  • Still a bad example. `mysql_real_escape_string()` isn't as secure as you would think. The `mysql_*`-functions are both insecure and deprecated and should not be used at all. – M. Eriksson Jan 10 '17 at 10:48
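The prepared-statement approach the commenters recommend, as an added example that is not part of the question or the answer above. It assumes a `mysqli` connection with placeholder credentials, that `StaffID` and `AppID` are integer columns, and that the session has already been started; moving the apostrophe in "application's" into a PHP string and binding every value removes both the quoting error and the injection.

```php
<?php
// Added example, not code from the question or the answer.
// Credentials are placeholders; column types for StaffID/AppID assumed to be integers.
declare(strict_types=1);

session_start();
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
$db->set_charset('utf8mb4');

/**
 * Insert a status-change message for an application.
 * The message text, including its apostrophe, is built in PHP and passed as a
 * bound parameter, so no quote or SQL fragment in $offer can alter the query.
 */
function addStatusMessage(mysqli $db, string $offer, int $staffId, int $appId): int
{
    $body    = "Your application's status has been changed to " . $offer;
    $subject = 'Application Status Changed';

    $stmt = $db->prepare(
        'INSERT INTO Messages (MessBody, Subject, Date, StaffID, AppID)
         VALUES (?, ?, NOW(), ?, ?)'
    );
    // 's' = string, 'i' = integer; values are sent separately from the SQL text.
    $stmt->bind_param('ssii', $body, $subject, $staffId, $appId);
    $stmt->execute();
    $newId = (int) $stmt->insert_id;
    $stmt->close();

    return $newId;
}

// Request and session values are untrusted input: coerce and validate them first.
$offer   = trim((string) ($_POST['offer'] ?? ''));
$staffId = (int) ($_SESSION['StaffUser'] ?? 0);
$appId   = (int) ($_SESSION['AppID'] ?? 0);

if ($offer === '' || $staffId <= 0 || $appId <= 0) {
    http_response_code(400);
    exit('Missing offer value or session data.');
}

$messageId = addStatusMessage($db, $offer, $staffId, $appId);
```

With `MYSQLI_REPORT_STRICT` enabled, a failed prepare or execute throws a `mysqli_sql_exception` instead of silently returning false, which is how the original query's error would have surfaced.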