SQL syntax error, connection issues simple form PHP

Question

I have a simple form that inserts data in a table on my server. I have set up a special user to handle this, with insert permissions only. I'm getting connection and syntax errors.

Here's my form:

<form id="form1" name="form1" method="post" action="mailform.php" onsubmit="return validateForm();">

    <input type="text" id="First" maxlength="100" autocorrect placeholder="First name" />
    <input type="text" id="Last" maxlength="100" autocorrect placeholder="Last name" />
    <input type="text" id="Email" maxlength="100" autocorrect placeholder="Email address" />
    <select name="SalesPerson">
        <option value="SP1">SP1</option>
        <option value="SP2">SP2</option>
        <option value="SP3">SP3</option>
        </select>
    <select name="Show">
        <option value="Show1">Show1</option>
        <option value="Show2">Show2</option>
        </select>

        <button type="submit" id="submit" class="oneup">Submit</button>

</form>

and over at mailform.php we have:

<?php

    $name = "xxx_xxx";
    $name = mysql_real_escape_string($name);
    $SQL = "SELECT * FROM users WHERE username = '$name'";

$con = mysql_connect("localhost","xxx_xxx","xxxxxxxxx");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }

mysql_select_db("xxx_x", $con);

$sql="INSERT INTO email_signup (First, Last, Email, SalesPerson, Show)
VALUES
('$_POST[First]','$_POST[Last]','$_POST[Email]','$_POST[SalesPerson]','$_POST[Show]')";

if (!mysql_query($sql,$con))
  {
  die('Error: ' . mysql_error());
  }

mysql_close($con)
?>

And here's the errors -

Warning: mysql_real_escape_string() [<a href='function.mysql-real-escape-string'>function.mysql-real-escape-string</a>]: Access denied for user 'xxx'@'localhost' (using password: NO) in <b>.../mailform.php</b> on line 28

Warning: mysql_real_escape_string() [<a href='function.mysql-real-escape-string'>function.mysql-real-escape-string</a>]: A link to the server could not be established in <b>.../mailform.php</b> on line 28 Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Show) VALUES ('','','','SP1','Show1')' at line 1

Any idea why I'm getting connection issues? I have an almost identical form set up in another place that works just fine.

**WARNING** - your code is very susceptible to sql injection attacks. — Daniel A. White, Feb 20 '12 at 19:41
You have to be connected to the database to use `mysql_real_escape_string` : http://www.php.net/manual/pl/function.mysql-real-escape-string.php look at first note. — Bartosz Grzybowski, Feb 20 '12 at 19:44
@Daneil A. White yes, I have another bit of code that protects against that by filtering out susceptible characters. — blackessej, Feb 20 '12 at 19:45
@blackessej I don't want to prolong the discussion about SQL injection, but it is probably best to follow conventional methods to prevent injection. Character stripping is fine, if you want to do it, but not really an appropriate substitute for tried and tested escape methods used in the proper manner. — SimonMayer, Feb 20 '12 at 19:51
@SimonMayer appreciate the input, and will take it into consideration. Thanks. — blackessej, Feb 20 '12 at 20:06

score 2 · Accepted Answer · answered Feb 20 '12 at 19:44

2

Make your connection first, then run mysql_real_escape_string(), then your query. mysql_real_escape_string() actually connects to the db to let it escape your string. If you don't have a connectin it wont work

answered Feb 20 '12 at 19:44

Ray

40,256
21
101
138

score 1 · Answer 2 · answered Feb 20 '12 at 19:43

Try putting the connection first.

$con = mysql_connect("localhost","xxx_xxx","xxxxxxxxx");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }


 $name = "xxx_xxx";
    $name = mysql_real_escape_string($name);
    $SQL = "SELECT * FROM users WHERE username = '$name'";

SimonMayer · Answer 3 · 2013-11-25T10:12:51.690

0

Note: This answer does not attempt to address a major SQL injection vulnerability. For a more in-depth discussion, read the comments beneath the question.

Show is a reserved word

Use

$sql="INSERT INTO email_signup (`First`, `Last`, `Email`, `SalesPerson`, `Show`)
VALUES
('$_POST[First]','$_POST[Last]','$_POST[Email]','$_POST[SalesPerson]','$_POST[Show]')";

edited Nov 25 '13 at 10:12

answered Feb 20 '12 at 19:45

SimonMayer

4,719
4
33
45

But if you use like this your site vulnerable for sql injections. So Always sanitize the user inputs. – amilaishere Nov 25 '13 at 05:15
@amilaishere, that's true. The answer solves the issue with a reserved word; there was already a discussion above (on the question), relating to SQL injection. I will edit this answer to direct people to that discussion. – SimonMayer Nov 25 '13 at 10:10

SQL syntax error, connection issues simple form PHP

3 Answers3