This shelter's website I've recently taken over has a form that inserts into a database. But it's been reported that it is only saving some of the submissions, not all, to the database. I can't find anything consistent between the submissions that have failed (the visitors emailed their info in).

Things I've tried and other notes:

  1. I thought it might be a char limit on a column but I confirmed they're all TEXT types and max submission was 3 sentences.
  2. I checked for reserved words and didn't see any being used.
  3. Form does sometimes save just fine. Estimate about 1 in 5 fail.
  4. I went through all other posts on this site noting this error, but none of the accepted solutions fixed the problem for me.
  5. I can recreate the error every time I try to resubmit one of the submissions that failed but I can also submit my own with test values and it saves to the database just fine.
  6. I researched the possibility of a column rejecting a special character like an apostrophe but came up with nothing solid. There is nothing unique about the data being submitted outside of a couple fields being 3 sentences long.
  7. The form submits to a php file with the code noted below. It's not on the form page itself.

This is the error that comes up when it does fail: Error adding application: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near

Here's my code:

$link = mysqli_connect('localhost', 'oursite_main', 'password');
if (!$link)
{
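  // mysql_error() belongs to the removed mysql extension; mysqli reports connection failures here
  die('Could not connect to database: ' . mysqli_connect_error());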
}


if (!mysqli_select_db($link, 'oursite_application'))
{
  $output = 'unable to locate the application database.';
  include 'output.html.php';
  exit();
}

$age = implode(', ',$_POST['age']);
  
$sql = "INSERT INTO adoption (name,address,city,phone,email,dog,sex,age,details,setting,home,permission,wkhours,time,family,pets,livestock,ydsize,fencing,livingqtrs,vet,activities,experience,whybc,greatdog, lookingfor,shelter,ifyes,helpfulinfo,status,year) VALUES('$_POST[name]', '$_POST[address]' , '$_POST[city]' , '$_POST[phone]' , '$_POST[email]'  ,'$_POST[dog]' , '$_POST[sex]' , '$age' , '$_POST[details]' , '$_POST[setting]' , '$_POST[home]' , '$_POST[permission]' , '$_POST[wkhours]' , '$_POST[time]' , '$_POST[family]' , '$_POST[pets]' , '$_POST[livestock]' , '$_POST[ydsize]' , '$_POST[fencing]' , '$_POST[livingqtrs]' , '$_POST[vet]' , '$_POST[activities]' , '$_POST[experience]' , '$_POST[whybc]' , '$_POST[greatdog]' , '$_POST[lookingfor]' , '$_POST[shelter]' , '$_POST[ifyes]' , '$_POST[helpfulinfo]' , '$_POST[status]', '$_POST[year]')";
CinderGirl
  • That SQL is vulnerable to SQL injection and it is likely that punctuation characters are causing errors. Use prepared statements instead and I'd be tempted to bet the omissions disappear. – Professor Abronsius Feb 16 '19 at 14:11
  • SQL Injections would. This code is as dangerous as possible. Fix this and you solve two problems at once. – John Conde Feb 16 '19 at 14:12
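
The prepared-statement approach both comments recommend, written out for the INSERT in the question. This is an added example, not code from the original post or the site: the table, column names and connection values are taken from the question, while the helper functions and the sample submission are constructed here, and it assumes PHP 7.4+ with mysqli.

```php
<?php
// Added example, not the site's code. Column names come from the question's INSERT.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on any DB error

const COLUMNS = ['name','address','city','phone','email','dog','sex','age','details',
    'setting','home','permission','wkhours','time','family','pets','livestock','ydsize',
    'fencing','livingqtrs','vet','activities','experience','whybc','greatdog',
    'lookingfor','shelter','ifyes','helpfulinfo','status','year'];

// Build "INSERT ... VALUES (?, ?, ...)" with one placeholder per column.
function build_insert(array $columns): string
{
    $names = implode(', ', array_map(fn($c) => "`$c`", $columns));
    $marks = implode(', ', array_fill(0, count($columns), '?'));
    return "INSERT INTO adoption ($names) VALUES ($marks)";
}

// Pull each column's value from the form data; values never become SQL text.
function collect_values(array $post): array
{
    $values = [];
    foreach (COLUMNS as $col) {
        $v = $post[$col] ?? '';
        // 'age' arrives as an array (the question implodes it the same way)
        $values[] = is_array($v) ? implode(', ', $v) : (string) $v;
    }
    return $values;
}

function save_application(mysqli $link, array $post): void
{
    $values = collect_values($post);
    $stmt = $link->prepare(build_insert(COLUMNS));
    // Every column in the question is TEXT, so all parameters bind as strings.
    $stmt->bind_param(str_repeat('s', count($values)), ...$values);
    $stmt->execute();
    $stmt->close();
}

// Constructed sample: interpolated into the original query, these apostrophes
// would end the quoted literal early and produce the "syntax error near" message.
$sample = ['name' => "Pat O'Neil", 'details' => "We've had collies; they're great.",
           'age' => ['puppy', 'adult']];

$link = new mysqli('localhost', 'oursite_main', 'password', 'oursite_application');
$link->set_charset('utf8mb4');
save_application($link, $sample);
```

Because the values travel separately from the SQL text, a submission that failed before can be resubmitted unchanged to confirm it now saves.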