I am creating a visitor messages system on a member's profile, here is my code so far..

I am using it as an include in the profile page, here is the error I get:

Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ')' at line 3
<?php
session_start();
include("database.php");
$uid = $_GET['Id'];
$pid = $_SESSION['Id'];
?>

<html>
<body>
<form method="POST" >
      <p>
      <b>Post Something: </b>
      <textarea name="message" rows="10" cols="30">
      "Write something here..."
      </textarea></p>
      <p><input type="submit" value="Submit" name="B1"></p>
    </form>
    
    </body>
    </html>
    
    <?php

    $message = $_POST['message'];
    $insert="INSERT INTO wall_posts (user, poster, message)
VALUES
($uid,$pid,$message)";

if (!mysql_query($insert))
  {
  die('Error: ' . mysql_error());
  }
header("location:member.php");

mysql_close($con)

?>

Recommended Answers

It seems that the error lies in your database.php file. So, perhaps you could include the source of that file.

Jump to Post

I'm no expert with php etc, but I do know that the error message refers to a caracter in your code, not read by the databse, confusing it. Sometimes, it is a " that needs to be single like ' or the other way around.

Looking at your code, …

Jump to Post

All 8 Replies

It seems that the error lies in your database.php file. So, perhaps you could include the source of that file.

The database.php is fine, I use it in all pages.

I'm no expert with php etc, but I do know that the error message refers to a caracter in your code, not read by the databse, confusing it. Sometimes, it is a " that needs to be single like ' or the other way around.

Looking at your code, the " at the end of this, seems to be out of place, and may be the cause of your issue:

($uid,$pid,$message)";

Nope, not the solution :(

check this:

,'$message')";

for varchar field you need to send string in between single quotes.

I am looking at that line again, should the values not have ' at beginning and end?

Like this

('$uid,$pid,$message')";

Oh boy, you must excuse me if this was not helpfull, as I am also learning this stuff, and may not know what I'm talking about. Rather leave this to be answered by someone who knows better, if I am wrong with above suggestion.

I am looking at that line again, should the values not have ' at beginning and end?

Like this

('$uid,$pid,$message')";

Oh boy, you must excuse me if this was not helpfull, as I am also learning this stuff, and may not know what I'm talking about. Rather leave this to be answered by someone who knows better, if I am wrong with above suggestion.

I dont think. As shanti said, only varachar (or text) characters needs to be enclosed in quotes. So, in this case, as shanti, it can be assumed that user and poster are int fields (since $uid and $pid can be assumed as being ids and hence ints). So, only $message needs to be enclosed with single quotes.

..($uid,$pid,'$message')";

Note that if user or poster is varchar, they also need to be enclosed with single quotes.

Member Avatar
$insert = "INSERT INTO `wall_posts` SET `user` = $uid, `poster` = $pid, `message` = '$message'";

Personally, I prefer the SET syntax as opposed to the VALUES syntax. Shouldn't make a difference though. Placing all you values within single quotes won't affect integers, if that's what they are. Check the datatypes of user and poster, just in case they're not string-based.

You're also using unsanitized data from form and querystring. THEY MUST BE CLEANED!

e.g.

$uid = mysql_real_escape_string($_GET['id']); 
$message = mysql_real_escape_string($_POST['message']);

Otherwise if you have an apostrophe in the message, it'll break the SQL.

Although you can't protect form values any better than querystring data, it would be advisable to place the user id into a hidden field. I'd go as far as checking that the user id actually exists before inserting anything. Another reason for this is that the querystring can be deleted so that it kills the script dead as $_GET wouldn't exist.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of 1.20 million developers, IT pros, digital marketers, and technology enthusiasts learning and sharing knowledge.