
I am creating a visitor messages system on a member's profile, here is my code so far.

I am using it as an include in the profile page, here is the error I get:

Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ')' at line 3
<?php
session_start();
include("database.php");
$uid = $_GET['Id'];
$pid = $_SESSION['Id'];
?>

<html>
<body>
<form method="POST">
    <p>
    <b>Post Something: </b>
    <textarea name="message" rows="10" cols="30">
    "Write something here..."
    </textarea></p>
    <p><input type="submit" value="Submit" name="B1"></p>
</form>

</body>
</html>

<?php
$message = $_POST['message'];
$insert = "INSERT INTO wall_posts (user, poster, message)
VALUES
($uid,$pid,$message)";

if (!mysql_query($insert))
{
    die('Error: ' . mysql_error());
}
header("location:member.php");

mysql_close($con);

?>
Last Post by diafol

It seems that the error lies in your database.php file. So, perhaps you could include the source of that file.


I'm no expert with php etc, but I do know that the error message refers to a character in your code, not read by the database, confusing it. Sometimes, it is a " that needs to be single like ' or the other way around.

Looking at your code, the " at the end of this seems to be out of place, and may be the cause of your issue:

($uid,$pid,$message)";

I am looking at that line again, should the values not have ' at beginning and end?

Like this

('$uid,$pid,$message')";

Oh boy, you must excuse me if this was not helpful, as I am also learning this stuff, and may not know what I'm talking about. Rather leave this to be answered by someone who knows better, if I am wrong with the above suggestion.


I am looking at that line again, should the values not have ' at beginning and end?

Like this

('$uid,$pid,$message')";

Oh boy, you must excuse me if this was not helpful, as I am also learning this stuff, and may not know what I'm talking about. Rather leave this to be answered by someone who knows better, if I am wrong with the above suggestion.

I don't think so. As shanti said, only varchar (or text) fields need to be enclosed in quotes. So, in this case, as shanti said, it can be assumed that user and poster are int fields (since $uid and $pid can be assumed to be ids and hence ints). So, only $message needs to be enclosed in single quotes.

..($uid,$pid,'$message')";

Note that if user or poster is varchar, they also need to be enclosed with single quotes.

$insert = "INSERT INTO `wall_posts` SET `user` = $uid, `poster` = $pid, `message` = '$message'";

Personally, I prefer the SET syntax as opposed to the VALUES syntax. Shouldn't make a difference though. Placing all your values within single quotes won't affect integers, if that's what they are. Check the datatypes of user and poster, just in case they're not string-based.

You're also using unsanitized data from form and querystring. THEY MUST BE CLEANED!

e.g.

$uid = mysql_real_escape_string($_GET['id']); 
$message = mysql_real_escape_string($_POST['message']);

Otherwise if you have an apostrophe in the message, it'll break the SQL.

Although you can't protect form values any better than querystring data, it would be advisable to place the user id into a hidden field. I'd go as far as checking that the user id actually exists before inserting anything. Another reason for this is that the querystring can be deleted so that it kills the script dead as $_GET wouldn't exist.

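As an added example (not code from the thread or from any of its posters), here is the OP's insert rewritten with mysqli prepared statements, which covers both points diafol raises: user input never becomes SQL text (so an apostrophe in the message is data, not syntax), and the id is validated and checked before anything is inserted. It assumes database.php creates a mysqli connection in $con and that a `users` table with an integer `id` column exists; both are assumptions, and the HTML form is unchanged and omitted here.

```php
<?php
// Added example: the OP's INSERT with mysqli prepared statements.
// Assumes database.php provides a mysqli connection in $con (assumption)
// and a `users` table with an integer `id` column (assumption).
session_start();
include("database.php");

// Accept only a positive integer id; anything else never reaches the SQL.
// filter_input() returns null if ?Id= is absent and false if it is not an int.
$uid = filter_input(INPUT_GET, 'Id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
$pid = isset($_SESSION['Id']) ? (int) $_SESSION['Id'] : 0;

if ($uid === null || $uid === false || $pid < 1) {
    die('Missing or invalid user id.');
}

// Only act on the form submission; a plain GET of the profile must not insert a row.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['message'])) {
    $message = trim($_POST['message']);

    // Check that the profile owner actually exists before inserting anything.
    $check = $con->prepare("SELECT 1 FROM users WHERE id = ?");
    $check->bind_param('i', $uid);
    $check->execute();
    $check->store_result();
    if ($check->num_rows === 0) {
        die('No such user.');
    }
    $check->close();

    // Placeholders instead of string interpolation: the driver sends the
    // values separately, so quotes in $message cannot alter the statement.
    $insert = $con->prepare(
        "INSERT INTO wall_posts (user, poster, message) VALUES (?, ?, ?)"
    );
    $insert->bind_param('iis', $uid, $pid, $message);
    if (!$insert->execute()) {
        // Escape the driver message before echoing it back into HTML.
        die('Error: ' . htmlspecialchars($insert->error));
    }
    $insert->close();

    header("Location: member.php");
    exit;
}
?>
```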
