
I am trying to post data to my database using the following code:

 <?php
if(isset($_POST['add']))
{
$dbhost = 'internal-db';
$dbuser = 'support';
$dbpass = 'sgh';
$db = "mpc";
$conn = mysql_connect($dbhost, $dbuser, $dbpass);
if(! $conn )
{
  die('Could not connect: ' . mysql_error());
}

$firstname = $_POST['firstname'];
$surname = $_POST['surname'];
$email = $_POST['email'];
$phone = $_POST['phone'];
$country = $_POST['country'];
$message = $_POST['message'];
$callback = $_POST['callback'];

$sql = "INSERT INTO enquiries 
       (firstname, surname, email, phone, country, message, callback)
       VALUES('$firstname','$surname', $email, $phone, $country, $message, $callback)";

mysql_select_db($db);
$retval = mysql_query( $sql, $conn );
if(! $retval )
{
  die('Could not enter data: ' . mysql_error());
}
echo "Entered data successfully\n";
mysql_close($conn);
}
else
{
?>

When I try to post the form I receive the following error:

Could not enter data: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' , , , )' at line 3

I can't work out what is wrong in the code. Can you help???? Am I using deprecated code??

user342391

Think: what would happen if some of your variables were empty? Now think, what would happen if a variable were `'); DROP table enquiries; --`? Don't construct SQL statements for strings, use prepared statements and check your user input! – Konerak Mar 13 '11 at 15:27

3 Answers


The variables in your query are empty ($email, $phone, $country, $message, $call). Try a var_dump of the variables before the query and see if they have some value. Also, you need to wrap them in quotes like '$var' when they are strings, such as an e-mail.

Also, for the love of god, sanitize the input. See here:

What are the best PHP input sanitizing functions?

How can I prevent SQL injection in PHP?

amosrivera

You have to put single quotes around the string columns even if they are blank or contain a value.

$sql = "INSERT INTO enquiries 
       (firstname, surname, email, phone, country, message, callback)
       VALUES('$firstname','$surname', '$email', '$phone', '$country', '$message', '$callback')";

Do not forget to use mysql_real_escape_string on the data.

Shakti Singh

You haven't encapsulated your fields in quotes. An e-mail address (amongst others) without quotes will make your INSERT statement invalid.

Besides that, you should always escape the input, because the input can contain invalid characters, or worse, it can contain malicious code that may destroy your data!

So:

// array_key_exists() takes the key first, then the array
if (array_key_exists('email', $_POST)) {
  $tmpemail = (string)$_POST['email'];
  // Optional additional checks for pattern matches go here..
  // if all tests succeed, escape special characters and assign value:
  $email = mysql_real_escape_string($tmpemail);
}
// Similar checks for other values

if (isset($email) && isset($fielda) && isset($fieldb) ...)
{
  $query = "
      INSERT INTO YourTable(fielda, fieldb, email, ...)
      VALUES('valuea', 'valueb', '$email', ...)";
}
else
{
  // Some values missing. Handle appropriately.
}
GolezTrol
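As an added example (not code from the question or from any of the answers above), here is the question's INSERT into `enquiries` built by string interpolation as the answers suggest, beside the prepared-statement version that Konerak's comment asks for, run against an in-memory SQLite table so it works without the question's MySQL server. It assumes the pdo_sqlite extension is installed; the form submission is constructed for the demonstration.

```php
<?php
// Added example, not code from the question or any answer.
// Assumption: the pdo_sqlite extension is installed; the in-memory SQLite
// table stands in for the question's MySQL `enquiries` table so this runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE enquiries (firstname TEXT, surname TEXT, email TEXT,
            phone TEXT, country TEXT, message TEXT, callback TEXT)');

// Constructed form submission: an apostrophe in the name, an empty phone field,
// and the callback value from Konerak's comment.
$post = ['firstname' => "O'Brien", 'surname' => 'Smith', 'email' => 'ob@example.com',
         'phone' => '', 'country' => 'IE', 'message' => 'Please ring me',
         'callback' => "'); DROP TABLE enquiries; --"];

// 1. The question's approach with the quotes the answers added: still built by
//    interpolating raw input, so the apostrophe in O'Brien ends the literal early
//    and the statement is rejected (or, with crafted input, rewritten).
$unsafe = "INSERT INTO enquiries (firstname, surname, email, phone, country, message, callback)
           VALUES('{$post['firstname']}','{$post['surname']}','{$post['email']}','{$post['phone']}',
                  '{$post['country']}','{$post['message']}','{$post['callback']}')";
try {
    $pdo->exec($unsafe);
} catch (PDOException $e) {
    echo "String-built INSERT failed: " . $e->getMessage() . "\n";
}

// 2. Prepared statement: the SQL text is fixed before any value is supplied, so
//    quotes and semicolons inside the data are stored as data, never parsed as SQL.
$fields = ['firstname', 'surname', 'email', 'phone', 'country', 'message', 'callback'];
$stmt = $pdo->prepare('INSERT INTO enquiries (' . implode(', ', $fields) . ')
                       VALUES (:' . implode(', :', $fields) . ')');
$params = [];
foreach ($fields as $f) {
    // A missing or empty field binds as '' instead of leaving a bare gap in the
    // SQL, which is what produced the question's "near ' , , , )'" error.
    $params[":$f"] = isset($post[$f]) ? (string) $post[$f] : '';
}
$stmt->execute($params);

// The table survived and the hostile callback value was stored verbatim.
$row = $pdo->query('SELECT callback FROM enquiries')->fetch(PDO::FETCH_ASSOC);
echo "Rows: " . $pdo->query('SELECT COUNT(*) FROM enquiries')->fetchColumn() . "\n";
echo "Stored callback: {$row['callback']}\n";
```

The mysql_* functions used in the question (ext/mysql) were deprecated in PHP 5.5 and removed in PHP 7.0, which is why the example uses PDO; the same prepared statement works against MySQL with the DSN `mysql:host=internal-db;dbname=mpc`.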