This question already has an answer here:
Syntax error due to using a reserved word as a table or column name in MySQL
(1 answer)
Closed 7 years ago.
Can someone please help me with what is wrong with this syntax?
When I run this, it doesn't insert the values into the table.
Currently all the variables, e.g. $land, etc., have a value.
In my database table, all except $nOwners, $id (int) are defined as varchar.
Details:
I am using Mysqli
$sql= "INSERT into property_list (id, title_no, status, register_type, type,land_district, issue_date,guarantee_status,provisional,title_no_srs,title_no_head_srs, survey_reference, Maori_land, number_owners)
VALUES($id,'$title', '$status', '$register', '$type', '$land', '$issue_date', '$guarantee', '$provision', '$title_no_srs','$head_srs', '$survery', '$maori', $nOwners)";
if($conn->query($sql)!==false)
{
$flag=false;
echo "successfully inserted ";
}
Hmm, the column name status might be an issue, it is a reserved keyword in sql. Try another name and see if that fixes it.
https://www.drupal.org/node/141051
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 3 years ago.
I'm currently testing an HTML form which sends the data through PHP to the SQL database. The problem I'm facing is that special characters break the form and don't update the database. I haven't tested all the special characters, but mainly ` and ' are the culprits. I've tried mysql_escape_string, preg_replace and add_slashes with no success. What am I missing?
$description = preg_replace('/[^A-Za-z0-9\ %&$=+*?()!.-]/', ' ', $_POST['description']);
$description = preg_replace("/[\n\r]/"," ",$description);
// Items Insert
foreach ($item as $index=>$value) {
$sqlItems .= "
INSERT INTO quote_items (quote_id, item, description, amount, gst)
VALUES ('$last_id', '$item[$index]', '$description[$index]', '$amount[$index]', '$gst[$index]');
";
}
Thanks in advance!
You can try this (a little dirty), but it should allow those 2 characters to be saved:
$sqlItems .= '
INSERT INTO `quote_items` (quote_id, item, description, amount, gst)
VALUES ("'.$last_id.'", "'.$item[$index].'", "'.$description[$index].'", "'.$amount[$index].'", "'.$gst[$index].'");
';
EDIT: sorry had the quotes reversed
Can you post your DB call?
Those two characters in particular look like they would conflict in a DB call.
The ` is usually wrapped around a table or column name
and the ' is usually wrapped around values.
Both of these would cause a problem, but without code it's hard to say.
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 9 years ago.
I see that this question has been asked a fair amount of times, but I'm a little confused by the responses. I was hoping that somebody could please take a look at the code below and help me with how to insert text, that contains an apostrophe, into a MySQL database. The two things that are likely to contain apostrophes are full_desc and meta_desc. Thanks!
Also, I realize that this is prone to MySQL Injection, so any pointers on securing it will also be greatly appreciated. Thanks again!
<?php
$con=mysqli_connect("mysql.legfly.com","username","password","database");
// Check connection
if (mysqli_connect_errno())
{
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
//sql
$sql="INSERT INTO races (event_name, event_date ,start_time, entry_fee, sanctioned,location, address, city, state, zipcode, country, sport, special_info, distance, race_url, reg_url, print_url, event_phone, event_email, meta_desc, full_desc, course_info, directions, other_info, perma_url, perma_year)
VALUES
('$_POST[event_name]','$_POST[event_date]','$_POST[start_time]','$_POST[entry_fee]','$_POST[sanctioned]','$_POST[location]','$_POST[address]','$_POST[city]','$_POST[state]','$_POST[zipcode]','$_POST[country]','$_POST[sport]','$_POST[special_info]','$_POST[distance]','$_POST[race_url]','$_POST[reg_url]','$_POST[print_url]','$_POST[event_phone]','$_POST[event_email]','$_POST[meta_desc]','$_POST[full_desc]','$_POST[course_info]','$_POST[directions]','$_POST[other_info]','$_POST[perma_url]','$_POST[perma_year]')";
if (!mysqli_query($con,$sql))
{
die('Error: ' . mysqli_error($con));
}
echo "Your race is added!";
mysqli_close($con); ?>
Thanks again!
If you add a back-slash before the apostrophe, it will escape it so it's treated as text rather than as part of the query.
E.g. INSERT INTO tablename (id,text) VALUES ('0','This row\'s the first')
It's only an example for how apostrophes can still be inserted. For a more programmed approach, mysqli_real_escape_string/mysql_real_escape_string does the trick on strings before you use them in a query.
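The parameterized alternative to the string-built INSERTs in this question and in the quote_items question before it, as an added example that is not part of the original posts: the statement is prepared once and each row's values are bound, so apostrophes and backticks are stored as data. It assumes PDO with an in-memory SQLite database in place of the MySQL connection so that it runs without a server; insertQuoteItems and the sample input are constructed for illustration.

```php
<?php
// Added example. Assumption: in-memory SQLite via PDO stands in for MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE quote_items (
    quote_id INTEGER, item TEXT, description TEXT, amount REAL, gst REAL)');

// Constructed form input, shaped like the parallel $_POST arrays in the question.
$post = [
    'item'        => ["Widget", "O'Brien's bracket"],
    'description' => ["5` tilt, 'matte' finish", "Owner's note: 6' x 4' \"panel\""],
    'amount'      => ['19.90', '4.50'],
    'gst'         => ['1.99', '0.45'],
];

function insertQuoteItems(PDO $pdo, int $quoteId, array $post): int
{
    // Prepared once; the values travel separately from the SQL text.
    $stmt = $pdo->prepare(
        'INSERT INTO quote_items (quote_id, item, description, amount, gst)
         VALUES (:quote_id, :item, :description, :amount, :gst)'
    );
    $pdo->beginTransaction();
    try {
        $rows = 0;
        foreach ($post['item'] as $i => $item) {
            $stmt->execute([
                ':quote_id'    => $quoteId,
                ':item'        => $item,
                ':description' => $post['description'][$i] ?? '',
                ':amount'      => (float) ($post['amount'][$i] ?? 0),
                ':gst'         => (float) ($post['gst'][$i] ?? 0),
            ]);
            $rows += $stmt->rowCount();
        }
        $pdo->commit();
        return $rows;
    } catch (Throwable $e) {
        $pdo->rollBack();   // all rows or none
        throw $e;
    }
}

$inserted = insertQuoteItems($pdo, 42, $post);
$stored = $pdo->query('SELECT description FROM quote_items ORDER BY rowid')
              ->fetchAll(PDO::FETCH_COLUMN);
// Both checks hold when every description is stored exactly as submitted.
var_dump($inserted === 2, $stored === $post['description']);
```

With mysqli the same pattern is `$mysqli->prepare(...)` with `?` placeholders followed by `bind_param()` and `execute()`.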
This question already has an answer here:
Syntax error due to using a reserved word as a table or column name in MySQL
(1 answer)
Closed 8 years ago.
This call fails with an error:
mysqli_report(MYSQLI_REPORT_ALL);
$stmt = $mysqli->prepare("INSERT INTO check VALUES (?,?,?,?,?,?)");
The error I get:
Uncaught exception 'mysqli_sql_exception' with message 'You have an
error in your SQL syntax; check the manual that corresponds to your
MySQL server version for the right syntax to use near 'check VALUES
(?,?,?,?,?,?)' at line 1'
I have a table named "check" with the right amount of fields.
If I change the table name to checkSomething it works...
Any idea?
check is a reserved keyword. To use it as table name, you have to escape it with backticks like this: `check` :
$stmt = $mysqli->prepare("INSERT INTO `check` VALUES (?,?,?,?,?,?)");
Check is a reserved word in MySQL. You need to either surround it in backticks like this:
$mysqli->prepare("INSERT INTO `check` VALUES (?,?,?,?,?,?)");
Or much better, rename it to something that you don't need to constantly have a special case for.
$mysqli->prepare("INSERT INTO checks VALUES (?,?,?,?,?,?)");
This question already has an answer here:
Syntax error due to using a reserved word as a table or column name in MySQL
(1 answer)
Closed 8 years ago.
Hopefully someone can help me out. All I am trying to do is insert a record into a database, but I keep getting the message
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'order (pid,uid,projecttitle,username,amount,odate) values (,,'','',,'6-2' at line 1 on my page.
Here is the main part of the code. I would be grateful for anyone that can help me out.
<?
extract($_REQUEST);
//print_r($_REQUEST);
//query fetch user & project info
//$queryorder="select * from project p where p.pid='".$id."'";
$queryorder="select * from users u,project p where p.pid='".$id."' and u.uid='".$_SESSION['key']."'";
$resultorder=executequery($queryorder,$link);
$rowo=mysql_fetch_assoc($resultorder);
//print_r($rowo);
//get today date
$createddate=date("n-j-Y");
//order
$order="insert into order (pid,uid,projecttitle,username,amount,odate)
values (".$rowo['pid'].",".$rowo['uid'].",'".$rowo['projectname']."','".$rowo['username']."',".$rowo['price'].",'".$createddate."')";
mysql_query($order) or die(mysql_error());
//end of insert order query
?>
<? //headtag.php contains all JavaScript & CSS files
include('headtag.php');
?>
<body>
ORDER is a mysql keyword. Try this:
INSERT INTO `order` ...
order is a keyword. You need to escape it with backticks.
insert into `order` (pid,uid,projecttitle,username,amount,odate)...
You must supply a value for each column.
(,,'','',,'6-2'
You obviously have no values for pid, uid and amount.
Try this: (you are supplying empty values to that query)
$order="insert into order (pid,uid,projecttitle,username,amount,odate)
values (".(int)$rowo['pid'].",". (int)$rowo['uid'].",'".$rowo['projectname']."','".$rowo['username']."',". (float)$rowo['price'].",'".$createddate."')";
mysql_query($order) or die(mysql_error());
The second thing that will cause mysql syntax error is the table name - order is a reserved keyword in mysql, so you need to quote it. The beginning of the query will then be:
INSERT INTO `order` (...
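Both points raised in the answers above (the reserved table name and the empty value slots), combined in an added example that is not part of the original posts: the numeric fields are validated before any SQL runs, and the insert goes through a prepared statement against the backtick-quoted table. It assumes PDO with an in-memory SQLite database in place of MySQL (SQLite also reserves ORDER and accepts backticks); placeOrder and the sample rows are constructed for illustration.

```php
<?php
// Added example. Assumption: in-memory SQLite via PDO stands in for MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Backticks turn the reserved word into an ordinary identifier.
$pdo->exec('CREATE TABLE `order` (pid INTEGER, uid INTEGER, projecttitle TEXT,
    username TEXT, amount REAL, odate TEXT)');

function placeOrder(PDO $pdo, array $row): bool
{
    // Reject missing or non-numeric fields up front, instead of letting an
    // empty string leave a hole in the VALUES list as in the reported error.
    $pid    = filter_var($row['pid'] ?? '', FILTER_VALIDATE_INT);
    $uid    = filter_var($row['uid'] ?? '', FILTER_VALIDATE_INT);
    $amount = filter_var($row['price'] ?? '', FILTER_VALIDATE_FLOAT);
    if ($pid === false || $uid === false || $amount === false) {
        return false;
    }
    $stmt = $pdo->prepare(
        'INSERT INTO `order` (pid, uid, projecttitle, username, amount, odate)
         VALUES (?, ?, ?, ?, ?, ?)'
    );
    return $stmt->execute([
        $pid, $uid, $row['projectname'] ?? '', $row['username'] ?? '',
        $amount, date('n-j-Y'),   // date format kept from the question
    ]);
}

// Constructed rows: the first mimics a lookup that returned nothing
// (no pid, uid or price); the second is a complete record.
$results = [
    placeOrder($pdo, ['projectname' => '', 'username' => '']),
    placeOrder($pdo, ['pid' => '7', 'uid' => '3', 'projectname' => "Ann's site",
                      'username' => 'ann', 'price' => '49.50']),
];
$count = (int) $pdo->query('SELECT COUNT(*) FROM `order`')->fetchColumn();
// Both checks hold: the incomplete row is refused, the complete one is stored.
var_dump($results === [false, true], $count === 1);
```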
This question already has an answer here:
Syntax error due to using a reserved word as a table or column name in MySQL
(1 answer)
Closed 8 years ago.
I've been looking all over the internet for a solution to the following error;
"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'primary, username, password, password2) VALUES (null, 'hello', 'hello', 'hello')' at line 1"
I have no idea what is going on.. I know you will ask what my code is so here:
$con = mysql_connect("localhost","root","*****");
if (!$con)
{
die('Server overload, please try again' . mysql_error());
}
mysql_select_db("users", $con);
$sql = "INSERT INTO details (primary, username, password, password2) VALUES (null, '$_POST[username]', '$_POST[password]', '$_POST[password2]')";
if (!mysql_query($sql,$con))
{
die('Error: Server overload, try again' . mysql_error());
}
echo "You have signed up successfully!";
mysql_close($con);
I've been trying to figure it out for around 4/5 hours now and have had no success.
Thanks,
Lawrence
primary is a reserved keyword in SQL, which means that you should either:
rename that column -- would be a good idea, to avoid that kind of situation
or use backticks around that name
Here is what the query would look like in the second case:
INSERT INTO details (`primary`, `username`, `password`, `password2`)
VALUES (null, 'hello', 'hello', 'hello')
Note: and you should escape your values, using mysql_real_escape_string, to avoid SQL injections!
Try not to name your tables or columns with relatively common names like primary and details.
While they may not be reserved words in the flavor of SQL you are currently using, you never know when you might be supporting other types (Postgres, Oracle, etc.).
You can also use this handy-dandy reserved word checker.
Followup Question:
I would like to know who wrote the error statement you are getting, which essentially says RTM? Hilarious. I'm going to use that in my next try catch. :)
Primary is a reserved word. What is the table definition?
http://dev.mysql.com/doc/refman/5.1/en/reserved-words.html
I'd rename that first column to something else: "primary" is a reserved word in MySQL:
http://dev.mysql.com/doc/refman/5.0/en/reserved-words.html