Here is the code that I have:


Here is the error I am receiving:


Is there a semicolon I missed somewhere? What is wrong?

ok well first, im not what youd call any good at php and i dont no anything about mysql... but... there isnt 13 lines of code, lol

but, just looking at it with the semicolons, do you need to put a semicolon after the bracket where it ends with "ip)"

does a semicolon need to go there maybe possibly probably not? LOL

just thought id say, although i can guarantee im wrong

Try That. You'd forgotten to put quotation marks around the query, and had forgotten to end the parentheses (You only ended the VALUES set)

You forgot the quotation marks in your query and i recommend to cast your data to the correct type of your table columns.

Best regards,

Cast the data to the correct type of your table columns? What does that mean?

This mean to force a variable to be evaluated as a certain type, for example, if one of your table column is an integer -tinyint, smallint, int, longint- you can force that your submited data evaluates as an integer by casting it:


The casts allowed are:

• (int), (integer) - cast to integer
• (bool), (boolean) - cast to boolean
• (float), (double), (real) - cast to float
• (string) - cast to string
• (array) - cast to array
• (object) - cast to object

For string variables you can achieve the same behavior simply by enclosing it in double quotes, and also is recommended that you use the mysql_real_escape_string for security reasons.

For a complete explanation check the Type Casting and the mysql_real_escape_string() sections of the manual at the php website.

Best regards,

As I am not sure what will happen if you try to cast a non-numeric string into an integer (i.e. whether it will produce an error or return zero), I would advise you to use intval instead. It will always return an integer - number zero if the input is invalid

Yeah, these are difficult query strings to get working. Anytime your values are from an array (in this case, the $_POST superglobal) and you use a non-numeric key, you'll have trouble since you'll have so many quotes that'll be impossible to escaped.

Here is how I usually get it to work:

That is how I usually write such queries but I guess you could do it linear like this:


I prefer the column form since it is easier to see everything at once.

Notice how I used the concatenation character "period" to put string and non-string values together. There is also a concatenation function in MySQL that you can use.

Remember, there are three quotes you can use in queries:
(`)(')(")
The slanted single quote is good inside of MySQL queries but don't affect PHP so you could, I believe, also do it like this:


Or in linear form:


Just remember, you should use the single quotes around your array key name if it isn't a numeric value. You can't escape the single quotes that you use for the array key either. You can, I suppose, escape the single quote used in the query since PHP would as a result ignore it but it would then be available for MySQL to see. like so:


The only method I am sure will work, is the first one I showed you. You might give the others a try sometime. I don't feel like writing a whole script just to test each option.

However, I do have another concern with your script!
Your script is attempting to directly input any data from your form to your database. This is not a very good method. If the user has a malicious intent, they could inject code into your database creating a serious security risk to your website. Prior to insertion into the database, you really should screen the data.

For example, you could convert HTML Entities into something a little less problematic if it contains malicious code:


In your case, this suggestion actually makes your query a lot easier to write.

Hope this helps,
vujsa

So if I use the variables in the script immediately above, what will happen to the HTML entities when they are inserted into the MySQL database?

Basically, < and > become &lt; and &gt;

You can use html_entity_decode() to revert back to actual HTML tags. It is something to consider doing I think.
But, if you are expecting HTML in one of the input fields, then you could skip the htmlentities() function and just insert the data. But, you should investigate some security protocols for this as well. What hackers tend to do is use the eval() function along with a long string which is actually an include(), require, or file_get_contents() command to load script from their server to manipulate your database or file system.
This usually results in an upload to your website where they can show their hacker friends what they did but they could run a database query to add an Admin account for their username, add a file system program to you system which allows them to browse and manipulate your files which could result in total deletion or replacement.

they usually look something like this:

In this case, it just says vujsa but it could have been malicious.

vujsa