Solved

Unusual syntax error towards mysql

Posted on 2007-03-30
Last Modified: 2008-02-20
Not sure why I am getting this since it has nothing to do with the page it is talking about.  The error I get is:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'll Use Us Again and Again!', 'Basic' )' at line 3

That line on the page it is referring to is:

if ($_SERVER['REQUEST_METHOD'] == "POST") {
Question by:pingeyeg
7 Comments
 
LVL 24

Expert Comment

by:glcummins
ID: 18823908
Can you provide a few lines before and after that point in your script? Additionally, are you including any files (like MySQL connection details) around that point?
0
 
LVL 1

Author Comment

by:pingeyeg
ID: 18823923
This is my sql statement:

$result = mysql_query("INSERT INTO tblAdspace( providerID, strProviderservice, strCompanyname, strOwner, strAddress, strTown, strZipcode, strPhone, str2ndphone, strMobile, strPager, strFax, strEmail, strWebsite, strInbusiness_since, strLicense, strInsured, strBonded, strHours, str24houremerg, strServicesoffered, strOtherservices, strServicearea, strFreeestimate, strWorkguaranteed, strProvidertagline, strAd_size)
VALUES ('',
'$strProviderservice', '$strCompanyname', '$strOwner', '$strAddress', '$strTown', '$strZipcode', '$strPhone', '$str2ndphone', '$strMobile', '$strPager', '$strFax', '$strEmail', '$strWebsite', '$strInbusiness_since', '$strLicense', '$strInsured', '$strBonded', '$strHours', '$str24houremerg', '$strServicesoffered', '$strOtherservices', '$strServicearea', '$strFreeestimate', '$strWorkguaranteed', '$strProvidertagline', '$strAd_size')") or die(mysql_error());

addslashes($strServicesoffered);
addslashes($strOtherservices);
addslashes($strProvidertagline);

The lines before and after my last post are:

<?php

if ($_SERVER['REQUEST_METHOD'] == "POST") {

            $strProviderservice = $_REQUEST['strProviderservice'];
            $strCompanyname = $_REQUEST['strCompanyname'];
            $strOwner = $_REQUEST['strOwner'];
            $strAddress = $_REQUEST['strAddress'];
            $strTown = $_REQUEST['strTown'];
            $strZipcode = $_REQUEST['strZipcode'];
            $strPhone = $_REQUEST['strPhone'];
            $str2ndphone = $_REQUEST['str2ndphone'];
            $strMobile = $_REQUEST['strMobile'];
            $strPager = $_REQUEST['strPager'];
            $strFax = $_REQUEST['strFax'];
            $strEmail = $_REQUEST['strEmail'];
            $strWebsite = $_REQUEST['strWebsite'];
            $strLicense = $_REQUEST['strLicense'];
            $strInsured = $_REQUEST['strInsured'];
            $strBonded = $_REQUEST['strBonded'];
            $strHours = $_REQUEST['strHours'];
            $str24houremerg = $_REQUEST['str24houremerg'];
            $strOtherservices = $_REQUEST['strOtherservices'];
            $strServicearea = $_REQUEST['strServicearea'];
            $strInbusiness_since = $_REQUEST['strInbusiness_since'];
            $strServicesoffered = $_REQUEST['strServicesoffered'];
            $strFreeestimate = $_REQUEST['strFreeestimate'];
            $strWorkguaranteed = $_REQUEST['strWorkguaranteed'];
            $strProvidertagline = $_REQUEST['strProvidertagline'];
            $strAd_size = $_REQUEST['strAd_size'];
0
 
LVL 24

Accepted Solution

by:
glcummins earned 400 total points
ID: 18823960
Each of your input fields needs to be escaped. It looks like the string contained in '$strProvidertagline' contains a single quote, which interferes with the proper quoting of the SQL query.

Try adding 'addslashes()' around each of the $_REQUESTs:

            $strProviderservice = addslashes($_REQUEST['strProviderservice']);
            $strCompanyname = addslashes($_REQUEST['strCompanyname']);
            $strOwner = addslashes($_REQUEST['strOwner']);
            $strAddress = addslashes($_REQUEST['strAddress']);
            $strTown = addslashes($_REQUEST['strTown']);
            $strZipcode = addslashes($_REQUEST['strZipcode']);
            $strPhone = addslashes($_REQUEST['strPhone']);
            $str2ndphone = addslashes($_REQUEST['str2ndphone']);
            $strMobile = addslashes($_REQUEST['strMobile']);
            $strPager = addslashes($_REQUEST['strPager']);
            $strFax = addslashes($_REQUEST['strFax']);
            $strEmail = addslashes($_REQUEST['strEmail']);
            $strWebsite = addslashes($_REQUEST['strWebsite']);
            $strLicense = addslashes($_REQUEST['strLicense']);
            $strInsured = addslashes($_REQUEST['strInsured']);
            $strBonded = addslashes($_REQUEST['strBonded']);
            $strHours = addslashes($_REQUEST['strHours']);
            $str24houremerg = addslashes($_REQUEST['str24houremerg']);
            $strOtherservices = addslashes($_REQUEST['strOtherservices']);
            $strServicearea = addslashes($_REQUEST['strServicearea']);
            $strInbusiness_since = addslashes($_REQUEST['strInbusiness_since']);
            $strServicesoffered = addslashes($_REQUEST['strServicesoffered']);
            $strFreeestimate = addslashes($_REQUEST['strFreeestimate']);
            $strWorkguaranteed = addslashes($_REQUEST['strWorkguaranteed']);
            $strProvidertagline = addslashes($_REQUEST['strProvidertagline']);
            $strAd_size = addslashes($_REQUEST['strAd_size']);
0
 
LVL 27

Assisted Solution

by:Cornelia Yoder
Cornelia Yoder earned 100 total points
ID: 18823962
One of your variables has a quote mark in it:

the right syntax to use near 'll Use Us Again and Again!', 'Basic' )' at line 3

probably something like ...   I'll Use Us ...

0
 
LVL 24

Expert Comment

by:glcummins
ID: 18823998
When you receive user input to be stored in a database, you should always check the input before processing it. User input can contain problematic or even malicious characters and strings that may damage your data or compromise the security of your application.

For more information on this topic, take a look at http://www.digitalpropulsion.org/Programming/SQL_Injections_in_PHP_with_MySQL
0
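Added example (not part of the thread and not any participant's code): the quoting failure discussed above, next to a parameterized INSERT that keeps user input out of the SQL text. Assumptions: PDO with an in-memory SQLite database stands in for the MySQL server so the script runs offline, the `$post` array is constructed sample input, and only three of the thread's `tblAdspace` columns are used.

```php
<?php
// Added example: constructed input and an in-memory SQLite database stand in
// for the form POST and the MySQL server so the script runs offline.
$post = [   // constructed sample of the submitted form
    'strCompanyname'     => "Bob's Plumbing",
    'strProvidertagline' => "You'll Use Us Again and Again!",
    'strAd_size'         => 'Basic',
    'unexpected_field'   => 'ignored',
];

// Fixed allowlist of columns (a subset of tblAdspace from the thread).
// Column names are never taken from the request.
$columns = ['strCompanyname', 'strProvidertagline', 'strAd_size'];

// 1. What the original code sent: values pasted into the SQL text.
$tagline = $post['strProvidertagline'];
addslashes($tagline);            // return value discarded: $tagline is unchanged
$broken = "INSERT INTO tblAdspace (strProvidertagline, strAd_size) "
        . "VALUES ('$tagline', '{$post['strAd_size']}')";
echo $broken, "\n";              // the apostrophe in You'll ends the literal early

// 2. Parameterized form: the SQL text contains only placeholders.
$pdo = new PDO('sqlite::memory:');   // assumption: use a mysql: DSN in production
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE tblAdspace (providerID INTEGER PRIMARY KEY, '
         . 'strCompanyname TEXT, strProvidertagline TEXT, strAd_size TEXT)');

$placeholders = [];
$params = [];
foreach ($columns as $col) {
    $placeholders[] = ':' . $col;
    $params[':' . $col] = isset($post[$col]) ? (string) $post[$col] : '';
}
$sql = 'INSERT INTO tblAdspace (' . implode(', ', $columns) . ') VALUES ('
     . implode(', ', $placeholders) . ')';

$stmt = $pdo->prepare($sql);
$stmt->execute($params);

// Read the row back and compare it with what the user typed.
$stored = $pdo->query('SELECT strProvidertagline FROM tblAdspace')->fetchColumn();
var_dump($stored === $post['strProvidertagline']);
```

The `mysql_*` functions used in the thread were removed in PHP 7; PDO and mysqli both support prepared statements against MySQL.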
 
LVL 1

Author Comment

by:pingeyeg
ID: 18824007
That made a lot of sense, but I am still getting that same error after putting those in.
0
 
LVL 24

Expert Comment

by:glcummins
ID: 18824046
So that we can see the query that is being attempted, can you make the following change in your code:

$query = "INSERT INTO tblAdspace( providerID, strProviderservice, strCompanyname, strOwner, strAddress, strTown, strZipcode, strPhone, str2ndphone, strMobile, strPager, strFax, strEmail, strWebsite, strInbusiness_since, strLicense, strInsured, strBonded, strHours, str24houremerg, strServicesoffered, strOtherservices, strServicearea, strFreeestimate, strWorkguaranteed, strProvidertagline, strAd_size)
VALUES ('',
'$strProviderservice', '$strCompanyname', '$strOwner', '$strAddress', '$strTown', '$strZipcode', '$strPhone', '$str2ndphone', '$strMobile', '$strPager', '$strFax', '$strEmail', '$strWebsite', '$strInbusiness_since', '$strLicense', '$strInsured', '$strBonded', '$strHours', '$str24houremerg', '$strServicesoffered', '$strOtherservices', '$strServicearea', '$strFreeestimate', '$strWorkguaranteed', '$strProvidertagline', '$strAd_size')";

$result = mysql_query($query) or die("The following query failed:<br />$query<br />The MySQL error was: " . mysql_error());
0
