Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 275
  • Last Modified:

Unusual syntax error towards mysql

Not sure why I am getting this since it has nothing to do with the page it is talking about.  The error I get is:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'll Use Us Again and Again!', 'Basic' )' at line 3

That line on the page it is referring to is:

if ($_SERVER['REQUEST_METHOD'] == "POST") {
0
pingeyeg
Asked:
pingeyeg
  • 4
  • 2
2 Solutions
 
glcumminsCommented:
Can you provide a few lines before and after that point in your script? Additionally, are you including any files (like MySQL connection details) around that point?
0
 
pingeyegAuthor Commented:
This is my sql statement:

$result = mysql_query("INSERT INTO tblAdspace( providerID, strProviderservice, strCompanyname, strOwner, strAddress, strTown, strZipcode, strPhone, str2ndphone, strMobile, strPager, strFax, strEmail, strWebsite, strInbusiness_since, strLicense, strInsured, strBonded, strHours, str24houremerg, strServicesoffered, strOtherservices, strServicearea, strFreeestimate, strWorkguaranteed, strProvidertagline, strAd_size)
VALUES ('',
'$strProviderservice', '$strCompanyname', '$strOwner', '$strAddress', '$strTown', '$strZipcode', '$strPhone', '$str2ndphone', '$strMobile', '$strPager', '$strFax', '$strEmail', '$strWebsite', '$strInbusiness_since', '$strLicense', '$strInsured', '$strBonded', '$strHours', '$str24houremerg', '$strServicesoffered', '$strOtherservices', '$strServicearea', '$strFreeestimate', '$strWorkguaranteed', '$strProvidertagline', '$strAd_size')") or die(mysql_error());

addslashes($strServicesoffered);
addslashes($strOtherservices);
addslashes($strProvidertagline);

The lines before and after my last post are:

<?php

if ($_SERVER['REQUEST_METHOD'] == "POST") {

            $strProviderservice = $_REQUEST['strProviderservice'];
            $strCompanyname = $_REQUEST['strCompanyname'];
            $strOwner = $_REQUEST['strOwner'];
            $strAddress = $_REQUEST['strAddress'];
            $strTown = $_REQUEST['strTown'];
            $strZipcode = $_REQUEST['strZipcode'];
            $strPhone = $_REQUEST['strPhone'];
            $str2ndphone = $_REQUEST['str2ndphone'];
            $strMobile = $_REQUEST['strMobile'];
            $strPager = $_REQUEST['strPager'];
            $strFax = $_REQUEST['strFax'];
            $strEmail = $_REQUEST['strEmail'];
            $strWebsite = $_REQUEST['strWebsite'];
            $strLicense = $_REQUEST['strLicense'];
            $strInsured = $_REQUEST['strInsured'];
            $strBonded = $_REQUEST['strBonded'];
            $strHours = $_REQUEST['strHours'];
            $str24houremerg = $_REQUEST['str24houremerg'];
            $strOtherservices = $_REQUEST['strOtherservices'];
            $strServicearea = $_REQUEST['strServicearea'];
            $strInbusiness_since = $_REQUEST['strInbusiness_since'];
            $strServicesoffered = $_REQUEST['strServicesoffered'];
            $strFreeestimate = $_REQUEST['strFreeestimate'];
            $strWorkguaranteed = $_REQUEST['strWorkguaranteed'];
            $strProvidertagline = $_REQUEST['strProvidertagline'];
            $strAd_size = $_REQUEST['strAd_size'];
0
 
glcumminsCommented:
Each of your input fields needs to be escaped. It looks like the string contained in '$strProvdertagline' contains a single quote, which interferes with the proper quoting of the SQL query.

Try adding 'addslashes()' around each of the $_REQUESTs:

            $strProviderservice = addslashes($_REQUEST['strProviderservice']);
            $strCompanyname = addslashes($_REQUEST['strCompanyname']);
            $strOwner = addslashes($_REQUEST['strOwner']);
            $strAddress = addslashes($_REQUEST['strAddress']);
            $strTown = addslashes($_REQUEST['strTown']);
            $strZipcode = addslashes($_REQUEST['strZipcode']);
            $strPhone = addslashes($_REQUEST['strPhone']);
            $str2ndphone = addslashes($_REQUEST['str2ndphone']);
            $strMobile = addslashes($_REQUEST['strMobile']);
            $strPager = addslashes($_REQUEST['strPager']);
            $strFax = addslashes($_REQUEST['strFax']);
            $strEmail = addslashes($_REQUEST['strEmail']);
            $strWebsite = addslashes($_REQUEST['strWebsite']);
            $strLicense = addslashes($_REQUEST['strLicense']);
            $strInsured = addslashes($_REQUEST['strInsured']);
            $strBonded = addslashes($_REQUEST['strBonded']);
            $strHours = addslashes($_REQUEST['strHours']);
            $str24houremerg = addslashes($_REQUEST['str24houremerg']);
            $strOtherservices = addslashes($_REQUEST['strOtherservices']);
            $strServicearea = addslashes($_REQUEST['strServicearea']);
            $strInbusiness_since = addslashes($_REQUEST['strInbusiness_since']);
            $strServicesoffered = addslashes($_REQUEST['strServicesoffered']);
            $strFreeestimate = addslashes($_REQUEST['strFreeestimate']);
            $strWorkguaranteed = addslashes($_REQUEST['strWorkguaranteed']);
            $strProvidertagline = addslashes($_REQUEST['strProvidertagline']);
            $strAd_size = addslashes($_REQUEST['strAd_size']);
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 
Cornelia YoderArtistCommented:
One of your variables has a quote mark in it:

the right syntax to use near 'll Use Us Again and Again!', 'Basic' )' at line 3

probably something like ...   I'll Use Us ...

0
 
glcumminsCommented:
When you receive user input to be stored in a database, you should always check the input before processing it. User input can contain problematic or even malicious characters and strings that may damage your data or compromise the security of your application.

For more information on this topic, take a look at http://www.digitalpropulsion.org/Programming/SQL_Injections_in_PHP_with_MySQL
0
 
pingeyegAuthor Commented:
That made a lot of since, but I am still getting that same error after putting those in.
0
 
glcumminsCommented:
So that we can see the query that is being attempted, can you make the following change in your code:

$query = "INSERT INTO tblAdspace( providerID, strProviderservice, strCompanyname, strOwner, strAddress, strTown, strZipcode, strPhone, str2ndphone, strMobile, strPager, strFax, strEmail, strWebsite, strInbusiness_since, strLicense, strInsured, strBonded, strHours, str24houremerg, strServicesoffered, strOtherservices, strServicearea, strFreeestimate, strWorkguaranteed, strProvidertagline, strAd_size)
VALUES ('',
'$strProviderservice', '$strCompanyname', '$strOwner', '$strAddress', '$strTown', '$strZipcode', '$strPhone', '$str2ndphone', '$strMobile', '$strPager', '$strFax', '$strEmail', '$strWebsite', '$strInbusiness_since', '$strLicense', '$strInsured', '$strBonded', '$strHours', '$str24houremerg', '$strServicesoffered', '$strOtherservices', '$strServicearea', '$strFreeestimate', '$strWorkguaranteed', '$strProvidertagline', '$strAd_size')"

$result = mysql_query($query) or die("The following query failed:<br />$query<br />The MySQL error was: " . mysql_error());
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 4
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now