Can't do an INSERT via a web query. Syntax???


RRT

I can't do an INSERT via a web query. Can you look at my syntax and see if I have a typo below?:

 

-------------------------------------

 

<?php

$CID = $_POST['CID'];
$ImageFile = $_POST['ImageFile'];
$ItemTitle = $_POST['ItemTitle'];
$ItemNo = $_POST['ItemNo'];
$Barcode = $_POST['Barcode'];
$Description = $_POST['Description'];
$Dept = $_POST['Dept'];
$Price = $_POST['Price'];
$Quantity = $_POST['Quantity'];
$Shipping = $_POST['Shipping'];

.
.
.

$query = 'INSERT INTO inventory (cid, image_pic, item_title, item_no, barcode, description, dept, price, quantity, ship_rate) VALUES ('$CID','$ImageFile','$ItemTitle','$ItemNo', '$Barcode','$Description','$Dept','$Price','$Quantity','$Shipping')';

 

 

-------------------------------------

 

This is what I get back when I try to submit the query (Line 20 is the query line posted above.):

 

Parse error: syntax error, unexpected T_VARIABLE in /perform_insert.php on line 20

I wouldn't call it a typo because it was probably intentional.

 

You can't use raw 's inside a '-quoted string. PHP thinks you're ending the string and starting something else.

 

Read me

 

Also, you're vulnerable to SQL injection. That's very bad. Google it and learn to use mysql_real_escape_string.

Thanks for the info about the SQL injection, I will take that into account.

 

So you are suggesting that I change my code to something like this, right?:

=======================

 

$query = sprintf("INSERT INTO inventory VALUES ('%s','%s','%s','%s', '%s','%s','%s','%s','%s','%s')";,
                  mysql_real_escape_string($CID),
                  mysql_real_escape_string($ImageFile),
                  mysql_real_escape_string($ItemTitle),
                  mysql_real_escape_string($ItemNo),
                  mysql_real_escape_string($Barcode),
                  mysql_real_escape_string($Description),
                  mysql_real_escape_string($Dept),
                  mysql_real_escape_string($Price),
                  mysql_real_escape_string($Quantity),
                  mysql_real_escape_string($Shipping));
mysql_query($query);

=======================

 

 

That will work just as well, but only after you fix the syntax error.

 

Are $CID and $ItemNo and such numbers? You shouldn't be treating them as strings. Guessing,

$query = sprintf("INSERT INTO inventory VALUES (%d, '%s', '%s', %d, '%s', '%s', '%s', %f, %d, %f)",
$CID,
mysql_real_escape_string($ImageFile),
mysql_real_escape_string($ItemTitle),
$ItemNo,
mysql_real_escape_string($Barcode),
mysql_real_escape_string($Description),
mysql_real_escape_string($Dept),
$Price, $Quantity, $Shipping);
mysql_query($query);

That did it!  THANKS!!!  I had to use "pg_escape_string" instead of "mysql_real_escape_string" since I am using postgres, but other than that it's similar.  Besides string data, do they make escape methods for other types of data, such as integers, floats, etc.?  Maybe those types aren't susceptible to exploit? That would make sense to me, as commands aren't numbers but strings of words.
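Editor's added example (not code from RRT or from any reply in this thread). It puts the three approaches discussed above side by side against the same inventory columns and POST field names: the original concatenation with only the quoting fixed, the typed sprintf() placeholders from the last reply, and the answer to the closing question about integers and floats, which is that the escaping question goes away entirely once values are passed as query parameters with pg_query_params(). The function names, the $sample array, the hostile values in it and the pg_connect() string are all assumptions made for this example.

```php
<?php
// Added example for this thread; not the original poster's code.
// Assumes the same inventory table and $_POST field names used above.
// Only run_insert_params() needs a live database, and it is only called
// if you hand it a real pg_connect() resource.

declare(strict_types=1);

// Constructed sample input: an ordinary row plus two hostile values.
// Description carries a quote-break payload; CID is not a clean number.
$sample = [
    'CID'         => '7 OR 1=1',
    'ImageFile'   => 'widget.jpg',
    'ItemTitle'   => "Bob's Widget",
    'ItemNo'      => '1042',
    'Barcode'     => '0123456789012',
    'Description' => "x'); DELETE FROM inventory; --",
    'Dept'        => 'Hardware',
    'Price'       => '19.99',
    'Quantity'    => '3',
    'Shipping'    => '4.50',
];

// 1. The first post's query with only the parse error fixed: a double-quoted
//    PHP string lets the inner single quotes stand and interpolates $vars.
//    It now parses, but every value is pasted into the SQL unescaped.
function build_query_vulnerable(array $f): string
{
    return "INSERT INTO inventory (cid, image_pic, item_title, item_no, barcode, description, dept, price, quantity, ship_rate) "
         . "VALUES ('{$f['CID']}','{$f['ImageFile']}','{$f['ItemTitle']}','{$f['ItemNo']}','{$f['Barcode']}',"
         . "'{$f['Description']}','{$f['Dept']}','{$f['Price']}','{$f['Quantity']}','{$f['Shipping']}')";
}

// 2. Typed placeholders, as in the last reply. %d and %F coerce the value,
//    so "7 OR 1=1" becomes 7 and there is no quote for an attacker to close;
//    that is why numeric columns are safe this way. Strings still need
//    escaping, supplied by the caller (pg_escape_string when connected).
//    %F is used instead of %f: %f follows the locale and can emit "19,99".
function build_query_typed(array $f, callable $esc): string
{
    return sprintf(
        "INSERT INTO inventory (cid, image_pic, item_title, item_no, barcode, description, dept, price, quantity, ship_rate) "
        . "VALUES (%d, '%s', '%s', %d, '%s', '%s', '%s', %.2F, %d, %.2F)",
        $f['CID'], $esc($f['ImageFile']), $esc($f['ItemTitle']), $f['ItemNo'],
        $esc($f['Barcode']), $esc($f['Description']), $esc($f['Dept']),
        $f['Price'], $f['Quantity'], $f['Shipping']
    );
}

// 3. The real answer to "are there escape methods for other types": stop
//    escaping and send the values separately from the SQL text. With
//    pg_query_params() the server receives $1..$10 out of band, so strings,
//    integers and numerics are all handled without any quoting in PHP.
//    ($1 is written in a single-quoted PHP string so it stays literal.)
function run_insert_params($conn, array $f)
{
    $sql = 'INSERT INTO inventory (cid, image_pic, item_title, item_no, barcode, '
         . 'description, dept, price, quantity, ship_rate) '
         . 'VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10)';
    $params = [
        $f['CID'], $f['ImageFile'], $f['ItemTitle'], $f['ItemNo'], $f['Barcode'],
        $f['Description'], $f['Dept'], $f['Price'], $f['Quantity'], $f['Shipping'],
    ];
    return pg_query_params($conn, $sql, $params);
}

// Offline demo. pg_escape_string is best called with a live connection (it
// honours the server's encoding and standard_conforming_strings), so the
// display below uses the equivalent quote-doubling instead.
$esc = fn(string $s): string => str_replace("'", "''", $s);

echo build_query_vulnerable($sample), "\n";
// description lands in the SQL as: 'x'); DELETE FROM inventory; --'
echo build_query_typed($sample, $esc), "\n";
// cid is coerced to 7; description becomes 'x''); DELETE FROM inventory; --'

// With a real connection (connection string is an assumption):
// $conn = pg_connect('host=localhost dbname=shop user=app password=secret');
// run_insert_params($conn, $_POST) or die(pg_last_error($conn));
```

Run it from the command line with `php example.php` to compare the two generated statements; the typed version also shows why the last reply's `%d`/`%f` change matters beyond tidiness. Once the application moves to `pg_query_params()` (or `pg_prepare()`/`pg_execute()`), `pg_escape_string` is no longer needed for any column type.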

Archived

This topic is now archived and is closed to further replies.
