-1

I get an error when inserting a value into MySQL. Please see my PHP code:

<?php
    $ali = $_POST['ali'];

    $con = @mysqli_connect('localhost', 'root', '', 'mohammad');

    if (!$con) {
        echo "Error: " . mysqli_connect_error();
        exit();
    }

    // The value is concatenated straight into the SQL string, so an apostrophe
    // in $ali ends the quoted literal early and the rest is parsed as SQL.
    $insertinto_ic_add = "INSERT INTO sq (text) VALUES ('" . $ali . "')";
    mysqli_query($con, $insertinto_ic_add) or die("database error:" . mysqli_error($con));

?>
<form action="" method="post">
    <input name="ali">
</form>

I input the value " n't " and this error occurs:

database error:You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 't')' at line 2

Vhndaree
    Your code is open to [SQL injection](https://stackoverflow.com/q/332365/2469308) related attacks. Even [`real_escape_string`](https://stackoverflow.com/a/12118602/2469308) cannot secure it completely. Please learn to use [Prepared Statements](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Madhur Bhaiya Nov 18 '18 at 06:54
  • Yes, this code is an example – mohammad mahdavi Nov 18 '18 at 07:03
  • Possible duplicate of [How can I prevent SQL injection in PHP?](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Progman Nov 18 '18 at 10:13
  • My friends, I have a problem with MySQL, NOT SQL injection; please see my example – mohammad mahdavi Nov 18 '18 at 13:20

1 Answer

0

I agree that this is not showing SQL injection. But the prevention for such is the same as the fix for your problem. You must escape certain characters (in particular the apostrophe) in the text.

Notice that the error message even points to the apostrophe.

If you echoed the statement, you would see

INSERT INTO sq (text) 
VALUES ('blah blah don't do this')

Observe the three apostrophes, and think how confused the parser will be.

Better code would be something like

// Escape the quote characters (and backslashes) before building the statement.
$mali = $con->real_escape_string($ali);
$insertinto_ic_add = "INSERT INTO sq (text) 
         VALUES ('" . $mali . "')";
mysqli_query($con, $insertinto_ic_add) or die("database error:" . mysqli_error($con));

Rick James
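The prepared-statement approach that the comments point to, as an added example that is neither the asker's nor Rick James's code. It assumes the question's database `mohammad`, its table `sq` with a column `text`, and its connection credentials; the sample inputs are constructed.

```php
<?php
// Added example, not the asker's or the answerer's code: the same INSERT
// written with a mysqli prepared statement, so an apostrophe in the input
// can no longer break (or alter) the statement. It assumes the question's
// database 'mohammad', table sq with a column `text`, and its credentials.

// Throw exceptions instead of returning false, so failures are not silent.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/** Inserts one row and returns the number of rows written (1 on success). */
function insert_text(mysqli $con, string $text): int
{
    // The SQL text is fixed; the value is sent separately as a bound
    // parameter, so the server never parses quotes inside it as SQL.
    $stmt = $con->prepare("INSERT INTO sq (text) VALUES (?)");
    $stmt->bind_param("s", $text);   // "s" = bind as a string
    $stmt->execute();
    $rows = $stmt->affected_rows;
    $stmt->close();
    return $rows;
}

$con = new mysqli('localhost', 'root', '', 'mohammad');

// Constructed sample inputs, including the one that broke the concatenated query.
$samples = [
    "n't",
    "blah blah don't do this",
    'a "double-quoted" value with a \\ backslash',
];
foreach ($samples as $s) {
    printf("%d row(s) written for %s\n", insert_text($con, $s), var_export($s, true));
}
$con->close();
```

No escaping call is needed with the bound parameter, and the stored text is exactly what was typed.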