Hi, I'm a newbie to PHP.
Can anyone help me?
I am creating a login form which consists of name, address and email id. The problem I have here is that when entering data into the address field, it throws an error: errorYou have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '2009-Mar-19',now() )' at line 1 .

I have somehow identified the error. It doesn't throw for all data. It throws the error for, e.g., my name is prawin alias 'tiger', i.e. for ' '.

and my address field code is as below:
Address&nbsp;*&nbsp;</td><td><TEXTAREA ROWS="6" COLS="23" name="comp_add" title="Enter Your Addss"><?php echo $cadd; ?></textarea>.
And another important piece of information for you:
this is my structure in phpMyAdmin

field :project_desc
type:varchar
length:255

Do I need to change anything in the structure to overcome the error?

In case you didn't know, that is a MySQL syntax error from inside the mysql_query() function. So could you post what you placed inside the mysql_query() function(s) that this error relates to? It is really just the string/text inside that function that we need. That's where the real error is.

Hi cwarn23,
Thanks for your reply.
But I am unable to understand what you are trying to say.
Could you explain it to me in more detail?

And my code is:

$cadd = $_POST['comp_add'];
$isInsert = true; // assumed to be set earlier in the full script; shown here so the snippet runs on its own
if ($cadd == "") {
    $isInsert = false;
    echo "Enter Address ";
}
if ($isInsert == true) {
    // the POST values are placed directly into the query string
    $sql = "insert into tbl_customer(comp_name,comp_add,comp_pnum,comp_email,comp_fnum,select_loc) values('$cname','$cadd','$cpnum','$email','$cfnum','$select')";
    if (!mysql_query($sql, $con)) {
        die('error' . mysql_error());
    }
    mysql_close($con);
}

@Prawin: Maybe it's a single quotes problem or a string problem.
Can you send your SQL query?
Try to echo your query.

Well, you sent the necessary code plus extra, so try replacing the $sql variable with the following:

$sql='INSERT INTO  tbl_customer(comp_name,comp_add,comp_pnum,comp_email,comp_fnum,select_loc) values("'.mysql_real_escape_string($cname).'","'.mysql_real_escape_string($cadd).'","'.mysql_real_escape_string($cpnum).'","'.mysql_real_escape_string($email).'","'.mysql_real_escape_string($cfnum).'","'.mysql_real_escape_string($select).'")';

That should prevent any strings from escaping and should help prevent MySQL injections.

I think it's a single quotes problem

$cadd = $_POST['comp_add'];
$isInsert = true; // assumed to be set earlier in the full script; shown here so the snippet runs on its own
if ($cadd == "") {
    $isInsert = false;
    echo "Enter Address ";
}
if ($isInsert == true) {
    // the POST values are placed directly into the query string
    $sql = "insert into tbl_customer(comp_name,comp_add,comp_pnum,comp_email,comp_fnum,select_loc) values('$cname','$cadd','$cpnum','$email','$cfnum','$select')";
    if (!mysql_query($sql, $con)) {
        die('error' . mysql_error());
    }
    mysql_close($con);
}

I want you to remember that it works well for all the data I gave and it is stored fine in the database, except for data with ' and ', for example if I give the quote as my name is prawin alias 'kumar'

So you say it's a single quotes problem. What about if any one of those variables contained a single quote or even a double quote? The only thing to do about that would be the script in my previous post. As your script stands, it is open to MySQL injections and can easily be bugged up with an injected quote (which is probably happening). That is why I suggest the script I presented in my previous post.

Hi cwarn23,
As you told me, I changed the code step by step so that it works well for ".mysql_real_escape_string($proname).",".mysql_real_escape_string($custname)."

When I try to change the code to ".mysql_real_escape_string($statusdesc).",
which is a multiline text area, i.e.

<td width="80">Project Status&nbsp;&nbsp;</td><td><TEXTAREA ROWS="6" COLS="40" name="pro_desc"><?php echo"$statusdesc";?></textarea></td>

it throws the error errorUnknown column 'ghgjhjty' in 'field list'

if ($isInsert) {
    // the escaped values are concatenated without surrounding quotes
    $sql = "insert into tbl_projectstatus(project_name,cust_name,project_desc,date,time) values(".mysql_real_escape_string($proname).",".mysql_real_escape_string($custname).",".mysql_real_escape_string($statusdesc).", '$date',now() )";
    if (!mysql_query($sql, $con)) {
        die('error' . mysql_error());
    }
}

Can you tell me what it means?

It appears it is mixing the column names with the values somehow. So there are two options on the board from what I can see, and they are: first, try to copy and paste the following code to see if it works:

if ($isInsert) {
    // each escaped value is wrapped in single quotes; NOW() is evaluated by MySQL, not PHP
    $sql = "INSERT INTO tbl_projectstatus (project_name,cust_name,project_desc,date,time) VALUES ('".mysql_real_escape_string($proname)."','".mysql_real_escape_string($custname)."','".mysql_real_escape_string($statusdesc)."', '$date', NOW())";
    if (!mysql_query($sql, $con)) {
        die('error' . mysql_error());
    }
}

If the above code doesn't work, I would suggest doing the insert query a much easier way like the following:

if ($isInsert) {
    // INSERT ... SET form: one column=value pair per field, so quoting mistakes are easier to spot
    $sql = "INSERT INTO tbl_projectstatus SET project_name='".mysql_real_escape_string($proname)."', cust_name='".mysql_real_escape_string($custname)."', project_desc='".mysql_real_escape_string($statusdesc)."', date='".mysql_real_escape_string($date)."', time=NOW()";
    if (!mysql_query($sql, $con)) {
        die('error' . mysql_error());
    }
}

The second code box is how I usually do it as it is simple and easy.

Thank you,

cwarn23.

It finally works for me; it's a simple modification of your solution. Anyway, I am very glad about your solution and your tips regarding SQL injection attacks. I need some more tips regarding SQL injection.
Again, thank you very much.

Information about MySQL injections:
Well, the things that make MySQL injections possible are 2 main factors. One, as you have discovered, is if there is a quotation mark in the variable and you place that in the MySQL query, then an error is reported as the quotation mark messes up the MySQL query. So what mysql_real_escape_string does about that is put a slash to the left of the quotation mark (I forget if it uses a forward slash or a backslash) and that prevents the quotation mark from escaping the query.
Now for the nasty injections. Believe it or not, MySQL has a regex syntax like preg_match where, if a user can enter data into the database (mainly for a SELECT parameter), then the user can use that regex to make unwanted matches or unwanted inserts. An example is when not using mysql_real_escape_string: to get past a security system such as a login panel, all the user needs to do is place a % symbol in the username and password, and that will match all entries in the database because the % symbol is a wildcard. There are probably many other things they can do that I don't know about, since I never use the MySQL version of regex, but to make it safe it's best to always use mysql_real_escape_string().
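An added example (not from anyone in this thread) that reproduces the quote problem discussed above and the fix cwarn23 describes, but with PDO prepared statements against an in-memory SQLite database so it runs without a MySQL server. The table name and columns follow the thread; the address text is the constructed input that caused the syntax error.

```php
<?php
// Added example: same input that broke the thread's INSERT, run through PDO on
// SQLite in-memory so no MySQL server is needed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE tbl_customer (comp_name TEXT, comp_add TEXT)');

// Constructed input: the address value that produced the syntax error.
$cname = 'prawin';
$cadd  = "my name is prawin alias 'tiger'";

// 1. The thread's original pattern: variables pasted straight into the SQL.
$sql = "INSERT INTO tbl_customer(comp_name,comp_add) VALUES('$cname','$cadd')";
try {
    $pdo->exec($sql);
    echo "unescaped insert succeeded (unexpected)\n";
} catch (PDOException $e) {
    // The quote in 'tiger' closes the string early, so the rest is parsed as SQL.
    echo "unescaped insert failed: " . $e->getMessage() . "\n";
}

// 2. A prepared statement: values travel separately from the SQL text, so a
//    quote (or any other character) in the data can never alter the statement.
$stmt = $pdo->prepare(
    'INSERT INTO tbl_customer(comp_name,comp_add) VALUES(:name, :addr)'
);
$stmt->execute([':name' => $cname, ':addr' => $cadd]);

// 3. Read it back: the stored value keeps its quotes exactly as typed.
$row = $pdo->query('SELECT comp_add FROM tbl_customer')->fetch(PDO::FETCH_ASSOC);
echo ($row['comp_add'] === $cadd ? "stored intact\n" : "stored wrongly\n");
```

With the legacy mysql_* extension the equivalent of step 2 is to quote every escaped value, as in cwarn23's INSERT; with mysqli or PDO, prepared statements remove the need to escape at all.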

Thanks cwarn23,
It's a nice post you gave about MySQL injections.

Please keep in touch,
Bye