Solved

Unusual syntax error towards mysql

Posted on 2007-03-30
261 Views
Last Modified: 2008-02-20
Not sure why I am getting this since it has nothing to do with the page it is talking about.  The error I get is:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'll Use Us Again and Again!', 'Basic' )' at line 3

That line on the page it is referring to is:

if ($_SERVER['REQUEST_METHOD'] == "POST") {
0
Question by:pingeyeg
7 Comments
 
LVL 24

Expert Comment

by:glcummins
ID: 18823908
Can you provide a few lines before and after that point in your script? Additionally, are you including any files (like MySQL connection details) around that point?
0
 
LVL 1

Author Comment

by:pingeyeg
ID: 18823923
This is my sql statement:

$result = mysql_query("INSERT INTO tblAdspace( providerID, strProviderservice, strCompanyname, strOwner, strAddress, strTown, strZipcode, strPhone, str2ndphone, strMobile, strPager, strFax, strEmail, strWebsite, strInbusiness_since, strLicense, strInsured, strBonded, strHours, str24houremerg, strServicesoffered, strOtherservices, strServicearea, strFreeestimate, strWorkguaranteed, strProvidertagline, strAd_size)
VALUES ('',
'$strProviderservice', '$strCompanyname', '$strOwner', '$strAddress', '$strTown', '$strZipcode', '$strPhone', '$str2ndphone', '$strMobile', '$strPager', '$strFax', '$strEmail', '$strWebsite', '$strInbusiness_since', '$strLicense', '$strInsured', '$strBonded', '$strHours', '$str24houremerg', '$strServicesoffered', '$strOtherservices', '$strServicearea', '$strFreeestimate', '$strWorkguaranteed', '$strProvidertagline', '$strAd_size')") or die(mysql_error());

addslashes($strServicesoffered);
addslashes($strOtherservices);
addslashes($strProvidertagline);

The lines before and after my last post are:

<?php

if ($_SERVER['REQUEST_METHOD'] == "POST") {

            $strProviderservice = $_REQUEST['strProviderservice'];
            $strCompanyname = $_REQUEST['strCompanyname'];
            $strOwner = $_REQUEST['strOwner'];
            $strAddress = $_REQUEST['strAddress'];
            $strTown = $_REQUEST['strTown'];
            $strZipcode = $_REQUEST['strZipcode'];
            $strPhone = $_REQUEST['strPhone'];
            $str2ndphone = $_REQUEST['str2ndphone'];
            $strMobile = $_REQUEST['strMobile'];
            $strPager = $_REQUEST['strPager'];
            $strFax = $_REQUEST['strFax'];
            $strEmail = $_REQUEST['strEmail'];
            $strWebsite = $_REQUEST['strWebsite'];
            $strLicense = $_REQUEST['strLicense'];
            $strInsured = $_REQUEST['strInsured'];
            $strBonded = $_REQUEST['strBonded'];
            $strHours = $_REQUEST['strHours'];
            $str24houremerg = $_REQUEST['str24houremerg'];
            $strOtherservices = $_REQUEST['strOtherservices'];
            $strServicearea = $_REQUEST['strServicearea'];
            $strInbusiness_since = $_REQUEST['strInbusiness_since'];
            $strServicesoffered = $_REQUEST['strServicesoffered'];
            $strFreeestimate = $_REQUEST['strFreeestimate'];
            $strWorkguaranteed = $_REQUEST['strWorkguaranteed'];
            $strProvidertagline = $_REQUEST['strProvidertagline'];
            $strAd_size = $_REQUEST['strAd_size'];
0
 
LVL 24

Accepted Solution

by:
glcummins earned 400 total points
ID: 18823960
Each of your input fields needs to be escaped. It looks like the string contained in '$strProvidertagline' contains a single quote, which interferes with the proper quoting of the SQL query.

Try adding 'addslashes()' around each of the $_REQUESTs:

            $strProviderservice = addslashes($_REQUEST['strProviderservice']);
            $strCompanyname = addslashes($_REQUEST['strCompanyname']);
            $strOwner = addslashes($_REQUEST['strOwner']);
            $strAddress = addslashes($_REQUEST['strAddress']);
            $strTown = addslashes($_REQUEST['strTown']);
            $strZipcode = addslashes($_REQUEST['strZipcode']);
            $strPhone = addslashes($_REQUEST['strPhone']);
            $str2ndphone = addslashes($_REQUEST['str2ndphone']);
            $strMobile = addslashes($_REQUEST['strMobile']);
            $strPager = addslashes($_REQUEST['strPager']);
            $strFax = addslashes($_REQUEST['strFax']);
            $strEmail = addslashes($_REQUEST['strEmail']);
            $strWebsite = addslashes($_REQUEST['strWebsite']);
            $strLicense = addslashes($_REQUEST['strLicense']);
            $strInsured = addslashes($_REQUEST['strInsured']);
            $strBonded = addslashes($_REQUEST['strBonded']);
            $strHours = addslashes($_REQUEST['strHours']);
            $str24houremerg = addslashes($_REQUEST['str24houremerg']);
            $strOtherservices = addslashes($_REQUEST['strOtherservices']);
            $strServicearea = addslashes($_REQUEST['strServicearea']);
            $strInbusiness_since = addslashes($_REQUEST['strInbusiness_since']);
            $strServicesoffered = addslashes($_REQUEST['strServicesoffered']);
            $strFreeestimate = addslashes($_REQUEST['strFreeestimate']);
            $strWorkguaranteed = addslashes($_REQUEST['strWorkguaranteed']);
            $strProvidertagline = addslashes($_REQUEST['strProvidertagline']);
            $strAd_size = addslashes($_REQUEST['strAd_size']);
0

 
LVL 27

Assisted Solution

by:yodercm
yodercm earned 100 total points
ID: 18823962
One of your variables has a quote mark in it:

the right syntax to use near 'll Use Us Again and Again!', 'Basic' )' at line 3

probably something like ...   I'll Use Us ...

0
 
LVL 24

Expert Comment

by:glcummins
ID: 18823998
When you receive user input to be stored in a database, you should always check the input before processing it. User input can contain problematic or even malicious characters and strings that may damage your data or compromise the security of your application.

For more information on this topic, take a look at http://www.digitalpropulsion.org/Programming/SQL_Injections_in_PHP_with_MySQL
0
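An added example, not code from this thread: the apostrophe failure discussed above, reproduced with interpolated values and then avoided with bound parameters, which keep user data out of the SQL text so no escaping step is needed. It assumes PDO with an in-memory SQLite database standing in for MySQL, a three-column subset of tblAdspace, and constructed input values (the tagline's first word and the company name are invented for the example).

```php
<?php
// Added example: constructed input; SQLite in-memory stands in for MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE tblAdspace (
    providerID INTEGER PRIMARY KEY,
    strCompanyname TEXT, strProvidertagline TEXT, strAd_size TEXT)');

// Constructed form input; the tagline carries the apostrophe seen in the error.
$input = [
    'strCompanyname'     => 'Example Plumbing',
    'strProvidertagline' => "You'll Use Us Again and Again!",
    'strAd_size'         => 'Basic',
    'unexpected_field'   => 'never reaches the query',
];

// Before: values interpolated into the SQL text. The apostrophe closes the
// string literal early and the parser fails on the remainder.
function insertInterpolated(PDO $pdo, array $in): string
{
    $sql = "INSERT INTO tblAdspace (strCompanyname, strProvidertagline, strAd_size)
            VALUES ('{$in['strCompanyname']}', '{$in['strProvidertagline']}', '{$in['strAd_size']}')";
    try {
        $pdo->exec($sql);
        return 'ok';
    } catch (PDOException $e) {
        return 'failed: ' . $e->getMessage();
    }
}

// After: placeholders carry the data separately from the statement text.
function insertPrepared(PDO $pdo, array $in): int
{
    $cols  = ['strCompanyname', 'strProvidertagline', 'strAd_size']; // allow-list
    $names = implode(', ', $cols);
    $marks = implode(', ', array_map(fn($c) => ":$c", $cols));
    $stmt  = $pdo->prepare("INSERT INTO tblAdspace ($names) VALUES ($marks)");
    foreach ($cols as $c) {
        $stmt->bindValue(":$c", (string)($in[$c] ?? ''), PDO::PARAM_STR);
    }
    $stmt->execute();
    return (int)$pdo->lastInsertId();
}

echo insertInterpolated($pdo, $input), "\n";
$id  = insertPrepared($pdo, $input);
$row = $pdo->query('SELECT strProvidertagline FROM tblAdspace')->fetchColumn();
echo "row $id stored: $row\n";
```

Against MySQL the same two functions work with a `mysql:` DSN; the `mysql_*` functions used in the thread have no placeholder support.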
 
LVL 1

Author Comment

by:pingeyeg
ID: 18824007
That made a lot of sense, but I am still getting that same error after putting those in.
0
 
LVL 24

Expert Comment

by:glcummins
ID: 18824046
So that we can see the query that is being attempted, can you make the following change in your code:

$query = "INSERT INTO tblAdspace( providerID, strProviderservice, strCompanyname, strOwner, strAddress, strTown, strZipcode, strPhone, str2ndphone, strMobile, strPager, strFax, strEmail, strWebsite, strInbusiness_since, strLicense, strInsured, strBonded, strHours, str24houremerg, strServicesoffered, strOtherservices, strServicearea, strFreeestimate, strWorkguaranteed, strProvidertagline, strAd_size)
VALUES ('',
'$strProviderservice', '$strCompanyname', '$strOwner', '$strAddress', '$strTown', '$strZipcode', '$strPhone', '$str2ndphone', '$strMobile', '$strPager', '$strFax', '$strEmail', '$strWebsite', '$strInbusiness_since', '$strLicense', '$strInsured', '$strBonded', '$strHours', '$str24houremerg', '$strServicesoffered', '$strOtherservices', '$strServicearea', '$strFreeestimate', '$strWorkguaranteed', '$strProvidertagline', '$strAd_size')";

$result = mysql_query($query) or die("The following query failed:<br />$query<br />The MySQL error was: " . mysql_error());
0

Question has a verified solution.
