
In my project I am using some text boxes to take input from the user. But when a user inserts some special characters like (',",;) it causes an error. I want to insert into the database whatever the user wants to insert. All special characters should be allowed. I don't understand how to solve this problem.

You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'b'),'',UPPER('a,c'),'',UPPER('b's'),'','1',0)' at line 1

My HTML code (quesadd.php):

<tr>
<td><label>QUESTION</label></td>
<td><input class="form-control" name="txtquestionname"></td>
<td></td>
</tr>
<tr>
<td><label>ANSWER</label></td>
<td><input class="form-control" name="txtanswername"></td>
<td></td>
</tr>

My insert query code (quesadddb.php):

$quesname = $_POST['txtquestionname'];

$ansname = $_POST['txtanswername'];

$s="INSERT INTO questioninfo (questionname, answername) VALUES (UPPER('$quesname'),UPPER('$ansname'))";
mysqli_query($conn,$s) or die(mysqli_error($conn));

Data is sent from quesadd.php to quesadddb.php by the POST method of the form.

  • What do you get when you print the statement? And it's better to use prepared statements to avoid such errors – Masivuye Cokile Feb 20 '18 at 08:46
  • Try this maybe (I am not sure you need the ' ' around your php var) : `$s="INSERT INTO questioninfo (questionname, answername) VALUES (UPPER(' ".$quesname." '),UPPER(' ".$ansname." '))";`, but you should make a prepare query, it's dangerous for SQL injection to add data like this – Mickaël Leger Feb 20 '18 at 08:46
  • It prints exactly what was typed, but does not insert into the MySQL database – Arpan Sarkar Feb 20 '18 at 09:19

1 Answer

Please use prepared statements when introducing variables to your queries. For a more detailed explanation check here.

Try this:

// $mysqli is the mysqli connection object (the question's $conn);
// the SQL text contains only ? placeholders, never the user's input
$stmt = $mysqli->prepare("INSERT INTO questioninfo (questionname, answername) VALUES (UPPER(?), UPPER(?))");
$stmt->bind_param('ss', $quesname, $ansname);  // both values bound as strings
$stmt->execute();
lloiacono
  • why the downvote? is something wrong with my answer? – lloiacono Feb 20 '18 at 08:53
  • 1. The code is just an example on how to use prepared statements to avoid SQL injection. 2. Without more details on what the OP wants to do it is hard to provide working code; besides, the idea is not to do the work for him, just guide in the right direction. 3. He is doing uppercase for a reason; if the OP doesn't need it then he can clarify what the intent is here – lloiacono Feb 20 '18 at 08:55
  • @YourCommonSense it would be better to tell the poster why this code won't work.. you can't just say people's answers are useless without a reason – Masivuye Cokile Feb 20 '18 at 08:57
  • If you cannot answer without more details you MUST NOT answer in the first place. Request more details in the comments and then answer only after getting the idea on what is this question about. – Your Common Sense Feb 20 '18 at 09:00
  • @YourCommonSense why would my code not work? If the OP doesn't want or can't provide more details we should be able to answer regardless. And IMO it's important to warn people about SQL injection; providing an example is a great way to help – lloiacono Feb 20 '18 at 09:03
  • You have a strange idea on the answers. Consult the help section or ask on meta if it won't convince you, whether you should answer in the question's general direction having no clear idea on what was asked. Or whether your answer should be on the important but irrelevant matter. – Your Common Sense Feb 20 '18 at 09:05
  • @YourCommonSense ok, will do, thank you. Just out of curiosity can you please point out why my code would not work? – lloiacono Feb 20 '18 at 09:06
  • Just out of curiosity, don't you have a handy testing environment where you could quickly test your code? it would take less than 60 seconds to test this snippet against an existing database and your own eyes' evidence is much more convincing than someone's opinion over internet, which you can simply deny – Your Common Sense Feb 20 '18 at 09:15
  • Should I delete my answer to avoid confusion so everyone can go straight to the one you suggested: https://stackoverflow.com/questions/47412210/mysqli-insert-error-incorrect-syntax ? – lloiacono Feb 20 '18 at 09:22
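The following is an added example, not code from the question or the answer. It puts the question's string-interpolation pattern next to a prepared-statement version of quesadddb.php, so the reason the apostrophe in `b's` produces the syntax error, and why placeholders fix it, can be seen on the same input. It assumes the `questioninfo (questionname, answername)` table from the question and a MariaDB/MySQL server reachable with the placeholder credentials below (replace them with your own).

```php
<?php
// Added example (not the question's or answer's own code). Assumes the table
// questioninfo(questionname, answername) from the question and a reachable
// MariaDB/MySQL server; connection details below are placeholders.
declare(strict_types=1);

// Make mysqli throw exceptions instead of returning false silently, so a
// failed prepare/execute cannot go unnoticed.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * The pattern from quesadddb.php, kept here only to show the failure mode:
 * the user's text is pasted into the SQL text, so a single quote in the
 * input terminates the string literal early and the rest of the input is
 * parsed as SQL. This function only builds the string; it is never executed.
 */
function buildUnsafeSql(string $quesname, string $ansname): string
{
    return "INSERT INTO questioninfo (questionname, answername) "
         . "VALUES (UPPER('$quesname'),UPPER('$ansname'))";
}

/**
 * Safe version: the SQL text contains only placeholders and is parsed by the
 * server before any value is attached. The values are sent separately, so
 * quotes, commas or semicolons in the input are stored as data, never read
 * as SQL. Returns the number of rows inserted.
 */
function insertQuestion(mysqli $conn, string $quesname, string $ansname): int
{
    $stmt = $conn->prepare(
        "INSERT INTO questioninfo (questionname, answername) VALUES (UPPER(?), UPPER(?))"
    );
    $stmt->bind_param('ss', $quesname, $ansname);  // 's' = bind as string
    $stmt->execute();
    $inserted = $stmt->affected_rows;
    $stmt->close();
    return $inserted;
}

// Constructed sample input using the characters the question lists (' , ;).
// In the real handler these come from $_POST['txtquestionname'] and
// $_POST['txtanswername'].
$quesname = "a,c";
$ansname  = "b's;";

echo "Statement the server would receive with string interpolation:\n";
echo buildUnsafeSql($quesname, $ansname), "\n";
// The quote inside b's closes the literal that UPPER(' opened, which is the
// "error in your SQL syntax ... near ..." the question reports.

// Placeholder connection details (assumption: replace with your own).
$conn = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASSWORD_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');
$conn->set_charset('utf8mb4');

$rows = insertQuestion($conn, $quesname, $ansname);
echo "Inserted $rows row(s); the stored answer keeps the apostrophe and semicolon intact.\n";
$conn->close();
```

Note that `mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT)` replaces the `or die(mysqli_error($conn))` idiom from the question: errors become exceptions that can be logged server-side instead of being printed to the user, which also avoids leaking the SQL text in the error message.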