-2

I am using a logbook to track all user interaction. When trying to save the search of a page to my MySQL database I get this error: You have an error in your SQL syntax. Is MySQL seeing this as extra columns now?

$sql_lgb = "INSERT INTO logboek
                (
                    omschrijving,
                    zoek,
                    sort,
                    soort,
                    user_id
                )
                VALUES
                (
                    '".$omschrijving."',
                    '".$zoek_opdr."',
                    '".$sort_name."',
                    'pagina bezocht',
                    '".$_SESSION['user_id']."'
                )
            ";

// result of the query
if(!$res_lgb = mysqli_query($mysqli, $sql_lgb)) { include('includes/error_database.php'); die; }

This is the output of the query:

INSERT INTO logboek ( omschrijving, zoek, sort, soort, user_id ) VALUES ( 'Pagina Manuals bezocht', ' (bedrijf LIKE 'torza' OR bedrijf LIKE 'thure' OR bedrijf LIKE 'mb' ) AND (naam LIKE '%%') ', 'naam', 'pagina bezocht', '1' )
Muiter

1 Answer

0

The values you are sending to the database have multiple quotation marks ' in the "zoek" value.

To avoid such errors you need to escape them \'.

Or, even better, use PDO with prepared statements.

ino
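
The prepared-statement approach suggested in the answer, as an added example that is not part of the original post. It assumes an in-memory SQLite database in place of MySQL so it runs offline; the column types and the helper name `log_page_visit` are hypothetical.

```php
<?php
declare(strict_types=1);

// Assumption: in-memory SQLite stands in for MySQL so the example runs offline.
// For MySQL only the DSN changes ('mysql:host=...;dbname=...;charset=utf8mb4').
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed schema: column names come from the question, types are assumed.
$pdo->exec('CREATE TABLE logboek (
    id INTEGER PRIMARY KEY,
    omschrijving TEXT, zoek TEXT, sort TEXT, soort TEXT, user_id INTEGER
)');

// Hypothetical helper: values travel as bound parameters, never as SQL text,
// so quotes inside $zoek cannot terminate the string literal.
function log_page_visit(PDO $pdo, string $omschrijving, string $zoek, string $sort, int $userId): int
{
    $stmt = $pdo->prepare(
        'INSERT INTO logboek (omschrijving, zoek, sort, soort, user_id)
         VALUES (:omschrijving, :zoek, :sort, :soort, :user_id)'
    );
    $stmt->bindValue(':omschrijving', $omschrijving);
    $stmt->bindValue(':zoek', $zoek);
    $stmt->bindValue(':sort', $sort);
    $stmt->bindValue(':soort', 'pagina bezocht');
    $stmt->bindValue(':user_id', $userId, PDO::PARAM_INT);
    $stmt->execute();
    return (int) $pdo->lastInsertId();
}

// The search fragment from the question's query output, quotes included.
$zoek = " (bedrijf LIKE 'torza' OR bedrijf LIKE 'thure' OR bedrijf LIKE 'mb' ) AND (naam LIKE '%%') ";
$id = log_page_visit($pdo, 'Pagina Manuals bezocht', $zoek, 'naam', 1);

// Read the row back and confirm the value was stored byte for byte.
$check = $pdo->prepare('SELECT zoek FROM logboek WHERE id = :id');
$check->execute([':id' => $id]);
$stored = $check->fetchColumn();

if ($stored !== $zoek) {
    throw new RuntimeException('stored value differs from input');
}
echo "row {$id} stored intact\n";
```

The same placeholders apply to `$omschrijving` and `$sort_name`, so every value in the logbook insert is covered, not only the one that happened to contain quotes.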