Insert row to MySQL Table using PHP Form

I am unable to insert a "bid" into a MySQL table using a PHP form (for demo, not live, purposes). I get the following error message:

error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''90','2011-07-13'' at line 3

(line 3 refers to which tag?) I figure it doesn't like the form inputs being of "text" type, but I have no idea how to fix it. Advice welcome; the form and PHP code are below:
```html
<form action="insert.php" method="post">
  <div><label for="commodity">commodity</label><input type="text" name="commodity"/></div>
  <div><label for="region">region</label><input type="text" name="region"/></div>
  <div><label for="member">member</label><input type="text" name="member" /></div>
  <!-- "int" and "decimal" are not valid input types; browsers treat unknown types as text -->
  <div><label for="size">size</label><input type="int" name="size" /></div>
  <div><label for="price">post bid</label><input type="decimal" name="price" /></div>
  <div><label for="posted">date posted</label><input type="text" name="posted"/></div>
  <p><label for="submit">submit bid</label><input type="submit" /></p>
</form>
```

and the PHP:

```php
<?php
// Note: the mysql_* extension is deprecated and was removed in PHP 7.0.
$con = mysql_connect("localhost", "", ""); // username and password are blank in the posted code
if (!$con) {
    die('Could not connect: ' . mysql_error());
}
mysql_select_db("palegall_newtrader", $con);

// Form values are interpolated straight into the SQL string (see the answer below).
// The ")" closing the VALUES list was missing in the posted code, which is what
// produces the syntax error quoted above.
$sql = "INSERT INTO `buy` (commodity, region, member, size, price, posted)
        VALUES ('$_POST[commodity]','$_POST[region]','$_POST[member]','$_POST[size]','$_POST[price]','$_POST[posted]')";

if (!mysql_query($sql, $con)) {
    die('Error: ' . mysql_error());
}
echo "1 record added";
mysql_close($con);
?>
```
Many thanks in advance, Scotia
You're vulnerable to SQL injection, and your POST contains a ', causing the syntax error. Try the following:

```php
// Escape every value before it goes into the query string.
$commodity = mysql_real_escape_string($_POST['commodity']);
$region    = mysql_real_escape_string($_POST['region']);
$member    = mysql_real_escape_string($_POST['member']);
$size      = mysql_real_escape_string($_POST['size']);
$price     = mysql_real_escape_string($_POST['price']);
$posted    = mysql_real_escape_string($_POST['posted']);

$sql = "INSERT INTO `buy` (commodity, region, member, size, price, posted)
        VALUES ('$commodity', '$region', '$member', '$size', '$price', '$posted')";
```

The escape function ensures that SQL metacharacters in the data are escaped, so they can't "break" the query. Never, ever insert user-provided data directly into a SQL query, even if it's a simple script you'll only ever use once. Get into the habit of escaping (or better yet, using PDO prepared statements), because at some point you'll get burned if you don't.
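The prepared-statement approach the answer recommends, written out as an added example that is not the answerer's or the questioner's code. It uses the `buy` table and the six form fields from the question; the database credentials are placeholders, and the server-side validation rules (non-negative integer size, non-negative price, `YYYY-MM-DD` date) are assumptions about what a bid should look like. With a prepared statement the input is sent separately from the SQL text, so a `'` in a field can neither break the query nor change its meaning, and no escaping call is needed.

```php
<?php
// insert.php, rewritten with PDO prepared statements (added example, not from the original post).
declare(strict_types=1);

function connect(): PDO
{
    // Assumed DSN and placeholder credentials; replace with real values.
    $dsn = 'mysql:host=localhost;dbname=palegall_newtrader;charset=utf8mb4';
    return new PDO($dsn, 'DB_USER_PLACEHOLDER', 'DB_PASSWORD_PLACEHOLDER', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // throw on SQL errors instead of returning false
        PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares, data never mixed into SQL text
    ]);
}

// Validate and normalise the submitted form fields. The browser does no validation
// for us ("int"/"decimal" input types fall back to plain text), so do it here.
function readBid(array $post): array
{
    foreach (['commodity', 'region', 'member', 'size', 'price', 'posted'] as $field) {
        if (!isset($post[$field]) || trim((string) $post[$field]) === '') {
            throw new InvalidArgumentException("missing field: $field");
        }
    }
    $size = filter_var($post['size'], FILTER_VALIDATE_INT);
    if ($size === false || $size < 0) {
        throw new InvalidArgumentException('size must be a non-negative integer');
    }
    $price = filter_var($post['price'], FILTER_VALIDATE_FLOAT);
    if ($price === false || $price < 0) {
        throw new InvalidArgumentException('price must be a non-negative number');
    }
    $date = DateTime::createFromFormat('Y-m-d', $post['posted']);
    if ($date === false || $date->format('Y-m-d') !== $post['posted']) {
        throw new InvalidArgumentException('posted must be a date in YYYY-MM-DD form');
    }
    return [
        'commodity' => trim($post['commodity']),
        'region'    => trim($post['region']),
        'member'    => trim($post['member']),
        'size'      => $size,
        'price'     => $price,
        'posted'    => $date->format('Y-m-d'),
    ];
}

// The SQL text contains only placeholders; the values travel to the server separately,
// so a quote character in any field is stored literally rather than parsed as SQL.
function insertBid(PDO $pdo, array $bid): int
{
    $stmt = $pdo->prepare(
        'INSERT INTO `buy` (commodity, region, member, size, price, posted)
         VALUES (:commodity, :region, :member, :size, :price, :posted)'
    );
    $stmt->execute($bid);
    return $stmt->rowCount(); // 1 on success
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    try {
        insertBid(connect(), readBid($_POST));
        echo '1 record added';
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        echo 'Bad input: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    } catch (PDOException $e) {
        http_response_code(500);
        error_log($e->getMessage()); // keep driver details out of the response shown to the user
        echo 'Database error';
    }
}
```

Two design points worth noting: `PDO::ATTR_EMULATE_PREPARES => false` makes the MySQL driver send the statement and the parameters in separate protocol messages rather than quoting them client-side, and the database error is logged rather than echoed, since the raw `mysql_error()` text in the original script tells a visitor the table and column names.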