
Hi. I can't wrap my head around what the problem here might be.

    if (!$vote['vid'] and $rq['submitpoll'] and $rq['answer'] and $rq['pid']){
        $my->my_query ("INSERT INTO ".TBL_PF."votes (pid, aid, ip) VALUES (".$rq['pid'].", ".$rq['answer'].", ".ip2long($_SERVER['REMOTE_ADDR']).")");
        $vote['vid'] = true;

The error I get is:

    INSERT INTO qwerty_votes (pid, aid, ip) VALUES (1, 10, )

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ')' at line 1

Maybe someone can enlighten me?

Thank you so much!

Minh Bui
  • The value for `ip` is empty – Wondercricket Aug 14 '17 at 16:06
  • Your code is vulnerable to SQL injection. Please read https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php – Björn Tantau Aug 14 '17 at 16:08
  • It should get it from $_SERVER['REMOTE_ADDR'] but it does not – Siimo Vendt Aug 14 '17 at 16:09
  • How are you running this code? Perhaps https://stackoverflow.com/questions/5362690/remote-addr-empty-not-included-in-server-array is relevant – chris85 Aug 14 '17 at 16:12
  • If you use prepared statements and parameter binding ([PDO](https://secure.php.net/manual/en/pdo.prepared-statements.php) or [mysqli](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php)), that would fix your quoting issue, and also prevent any SQL injection issues down the road. However, that will not fix the fact that you aren't getting a valid IP. If you're accessing this in a browser, create a new file with the contents ` – aynber Aug 14 '17 at 16:15
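
The two points raised in the comments, combined in an added example that is not code from the question or from any commenter: the insert uses bound parameters, and the vote is rejected when `ip2long()` cannot convert the address instead of concatenating an empty value into the query. The function name `record_vote`, the table schema and the in-memory SQLite database (used so the script runs offline; it requires the `pdo_sqlite` extension) are assumptions made for illustration.

```php
<?php
// Added example: record_vote() is a hypothetical helper, not the asker's code.
// Assumes PDO with the SQLite driver; for MySQL only the DSN would change.

function record_vote(PDO $db, array $rq, array $server): bool
{
    // Accept the poll and answer IDs only if they are positive integers.
    $opts = ['options' => ['min_range' => 1]];
    $pid = filter_var($rq['pid'] ?? null, FILTER_VALIDATE_INT, $opts);
    $aid = filter_var($rq['answer'] ?? null, FILTER_VALIDATE_INT, $opts);
    if ($pid === false || $aid === false) {
        return false;
    }

    // ip2long() returns false for a missing, empty or IPv6 address. Concatenated
    // into a string, false becomes "", which is how "VALUES (1, 10, )" arises.
    $ip = ip2long((string) ($server['REMOTE_ADDR'] ?? ''));
    if ($ip === false) {
        return false; // refuse the vote rather than build a broken query
    }

    // Placeholders keep request values out of the SQL text entirely.
    $stmt = $db->prepare(
        'INSERT INTO qwerty_votes (pid, aid, ip) VALUES (:pid, :aid, :ip)'
    );
    $stmt->bindValue(':pid', $pid, PDO::PARAM_INT);
    $stmt->bindValue(':aid', $aid, PDO::PARAM_INT);
    $stmt->bindValue(':ip', $ip, PDO::PARAM_INT);
    return $stmt->execute();
}

// Constructed schema and sample requests, for demonstration only.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE qwerty_votes
           (vid INTEGER PRIMARY KEY, pid INTEGER, aid INTEGER, ip INTEGER)');

$rq = ['pid' => '1', 'answer' => '10'];
var_dump(record_vote($db, $rq, ['REMOTE_ADDR' => '203.0.113.7'])); // valid IPv4
var_dump(record_vote($db, $rq, []));                               // REMOTE_ADDR missing
var_dump(record_vote($db, $rq, ['REMOTE_ADDR' => '::1']));         // IPv6 loopback
var_dump(record_vote($db, ['pid' => '1', 'answer' => 'abc'],
                     ['REMOTE_ADDR' => '203.0.113.7']));           // non-numeric answer
var_dump((int) $db->query('SELECT COUNT(*) FROM qwerty_votes')->fetchColumn());
```

Storing IPv6 clients would need a different column type and `inet_pton()` instead of `ip2long()`, which only understands dotted IPv4 notation.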
