
I've been trying to figure out what I have done wrong in a piece of code I'm working on, but with no luck. It's surely something stupid here or there, and I really need your help.

Please see the code below:

```php
require_once('inc\dbh.php');
include_once('inc\functions.php');

session_start();
if (!isset($_SESSION['user'])) {
    header("location:index.php");
    exit; // stop here, otherwise the rest of the script still runs for unauthenticated requests
}

$error = false;

if ($_SERVER['REQUEST_METHOD'] == "POST") {
    $title   = sqlinjection($_POST['title']);
    $details = sqlinjection($_POST['details']);
    $date    = strftime("%B %d, %Y"); // date
    $time    = strftime("%X");        // time
    $owner   = $_SESSION['user'];
    $public  = $_POST['public'];

    // basic title validation
    if (empty($title)) {
        $error = true;
        $titleerror = "<li>Please enter a board title.</li>";
    } else if (strlen($title) < 5) {
        $error = true;
        $titleerror = "<li>Title must have at least 5 characters.</li>";
    }

    // basic details validation
    if (empty($details)) {
        $error = true;
        $detailserror = "<li>Please enter a board detail.</li>";
    } else if (strlen($details) < 55) {
        $error = true;
        $detailserror = "<li>Details must have at least 55 characters.</li>";
    }

    // basic public validation
    if (empty($public)) {
        $error = true;
        $publicerror = "<li>Please choose your board's privacy.</li>";
    }

    // if there's no error, continue to add board
    if (!$error) {

        $query = "INSERT INTO boards('board_title', 'board_details', 'board_date_posted', 'board_time_posted', 'board_public') VALUES ('$title','$details',$date','$time','$public')";
        $res = mysql_query($query);

        if ($res) {
            $errMSG = "Successfully added.";
            unset($title);
            unset($details);
            unset($public);
        } else {
            $errMSG = "Something went wrong, try again later...";
        }

    }

}
```

The problem: Whenever I execute the INSERT INTO query, I keep getting the "Something went wrong, try again later..." message.

Khaled
  • 'board_title' is a string, not a column name – Strawberry Apr 19 '17 at 13:57
  • Wrap off `quotes` from `column` name instead use `backtick` – Saty Apr 19 '17 at 13:57
  • You can see the error (if any) when you add or die(mysql_error()); after mysql_query(). – Luchezar Apr 19 '17 at 13:58
  • And STOP using PHP's mysql_ API. – Strawberry Apr 19 '17 at 13:59
  • A prepared statement being a better/safer method, would have avoided this question. It would also avoid you from an sql injection, seeing you're using the mysql_ api and your `sqlinjection()` most likely isn't helping you much, even if it did contain `mysql_real_escape_string()`. See the following Q&A about it [PHP: Is mysql_real_escape_string sufficient for cleaning user input?](http://stackoverflow.com/questions/2353666/php-is-mysql-real-escape-string-sufficient-for-cleaning-user-input) – Funk Forty Niner Apr 19 '17 at 13:59
  • Thanks for the comments. I'll take a look at the posted link, and find better ways to escape the strings. Your help was appreciated. – Khaled Apr 19 '17 at 14:25

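The prepared-statement version the comments recommend, as an added example that is not the asker's code: it binds the user-supplied values as parameters instead of interpolating them, and it also fixes the two syntax problems pointed out above (single-quoted column names and the missing opening quote before `$date`). It assumes a `boards` table with the five columns named in the question, a PDO connection with placeholder credentials, and that `board_public` holds `"0"` or `"1"`.

```php
<?php
// Added example, not the question's code: the same INSERT as a PDO prepared statement.
// Assumptions: a `boards` table with the columns named in the question, and that
// the privacy flag submitted as $_POST['public'] is "0" or "1".
declare(strict_types=1);

/**
 * Insert a board row and return its new id, or null if the privacy flag is invalid.
 * User input is bound as parameters, never pasted into the SQL text, so quotes in
 * $title or $details cannot change the statement's structure.
 */
function addBoard(PDO $pdo, string $title, string $details, string $public): ?int
{
    // Whitelist the flag rather than trusting the raw POST value.
    if (!in_array($public, ['0', '1'], true)) {
        return null;
    }

    // Column names are identifiers: bare or backtick-quoted, never in single quotes.
    $sql = 'INSERT INTO `boards` (`board_title`, `board_details`, `board_date_posted`, `board_time_posted`, `board_public`)
            VALUES (:title, :details, :date_posted, :time_posted, :public)';

    $stmt = $pdo->prepare($sql);
    $stmt->execute([
        ':title'       => $title,
        ':details'     => $details,
        ':date_posted' => date('F d, Y'),  // same layout the question builds with strftime("%B %d, %Y")
        ':time_posted' => date('H:i:s'),
        ':public'      => $public,
    ]);

    return (int) $pdo->lastInsertId();
}

// Placeholder DSN and credentials; ERRMODE_EXCEPTION makes a failed INSERT report
// the real MySQL error instead of silently returning false.
$pdo = new PDO('mysql:host=DB_HOST;dbname=DB_NAME;charset=utf8mb4', 'DB_USER', 'DB_PASS', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

try {
    $id = addBoard($pdo, $_POST['title'] ?? '', $_POST['details'] ?? '', $_POST['public'] ?? '');
    $errMSG = $id === null ? 'Please choose your board\'s privacy.' : 'Successfully added.';
} catch (PDOException $e) {
    error_log($e->getMessage()); // keep the SQL error in the server log, not on the page
    $errMSG = 'Something went wrong, try again later...';
}
```

With the original `mysql_query()` call, the equivalent diagnostic is the `die(mysql_error())` suggested in the comments; with PDO in exception mode the message arrives in the `catch` block instead.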