Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Unusual syntax error towards mysql

Posted on 2007-03-30
7
Medium Priority
?
272 Views
Last Modified: 2008-02-20
Not sure why I am getting this since it has nothing to do with the page it is talking about.  The error I get is:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'll Use Us Again and Again!', 'Basic' )' at line 3

That line on the page it is referring to is:

if ($_SERVER['REQUEST_METHOD'] == "POST") {
0
Comment
Question by:pingeyeg
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
7 Comments
 
LVL 24

Expert Comment

by:glcummins
ID: 18823908
Can you provide a few lines before and after that point in your script? Additionally, are you including any files (like MySQL connection details) around that point?
0
 
LVL 1

Author Comment

by:pingeyeg
ID: 18823923
This is my sql statement:

$result = mysql_query("INSERT INTO tblAdspace( providerID, strProviderservice, strCompanyname, strOwner, strAddress, strTown, strZipcode, strPhone, str2ndphone, strMobile, strPager, strFax, strEmail, strWebsite, strInbusiness_since, strLicense, strInsured, strBonded, strHours, str24houremerg, strServicesoffered, strOtherservices, strServicearea, strFreeestimate, strWorkguaranteed, strProvidertagline, strAd_size)
VALUES ('',
'$strProviderservice', '$strCompanyname', '$strOwner', '$strAddress', '$strTown', '$strZipcode', '$strPhone', '$str2ndphone', '$strMobile', '$strPager', '$strFax', '$strEmail', '$strWebsite', '$strInbusiness_since', '$strLicense', '$strInsured', '$strBonded', '$strHours', '$str24houremerg', '$strServicesoffered', '$strOtherservices', '$strServicearea', '$strFreeestimate', '$strWorkguaranteed', '$strProvidertagline', '$strAd_size')") or die(mysql_error());

addslashes($strServicesoffered);
addslashes($strOtherservices);
addslashes($strProvidertagline);

The lines before and after my last post are:

<?php

if ($_SERVER['REQUEST_METHOD'] == "POST") {

            $strProviderservice = $_REQUEST['strProviderservice'];
            $strCompanyname = $_REQUEST['strCompanyname'];
            $strOwner = $_REQUEST['strOwner'];
            $strAddress = $_REQUEST['strAddress'];
            $strTown = $_REQUEST['strTown'];
            $strZipcode = $_REQUEST['strZipcode'];
            $strPhone = $_REQUEST['strPhone'];
            $str2ndphone = $_REQUEST['str2ndphone'];
            $strMobile = $_REQUEST['strMobile'];
            $strPager = $_REQUEST['strPager'];
            $strFax = $_REQUEST['strFax'];
            $strEmail = $_REQUEST['strEmail'];
            $strWebsite = $_REQUEST['strWebsite'];
            $strLicense = $_REQUEST['strLicense'];
            $strInsured = $_REQUEST['strInsured'];
            $strBonded = $_REQUEST['strBonded'];
            $strHours = $_REQUEST['strHours'];
            $str24houremerg = $_REQUEST['str24houremerg'];
            $strOtherservices = $_REQUEST['strOtherservices'];
            $strServicearea = $_REQUEST['strServicearea'];
            $strInbusiness_since = $_REQUEST['strInbusiness_since'];
            $strServicesoffered = $_REQUEST['strServicesoffered'];
            $strFreeestimate = $_REQUEST['strFreeestimate'];
            $strWorkguaranteed = $_REQUEST['strWorkguaranteed'];
            $strProvidertagline = $_REQUEST['strProvidertagline'];
            $strAd_size = $_REQUEST['strAd_size'];
0
 
LVL 24

Accepted Solution

by:
glcummins earned 1600 total points
ID: 18823960
Each of your input fields needs to be escaped. It looks like the string contained in '$strProvdertagline' contains a single quote, which interferes with the proper quoting of the SQL query.

Try adding 'addslashes()' around each of the $_REQUESTs:

            $strProviderservice = addslashes($_REQUEST['strProviderservice']);
            $strCompanyname = addslashes($_REQUEST['strCompanyname']);
            $strOwner = addslashes($_REQUEST['strOwner']);
            $strAddress = addslashes($_REQUEST['strAddress']);
            $strTown = addslashes($_REQUEST['strTown']);
            $strZipcode = addslashes($_REQUEST['strZipcode']);
            $strPhone = addslashes($_REQUEST['strPhone']);
            $str2ndphone = addslashes($_REQUEST['str2ndphone']);
            $strMobile = addslashes($_REQUEST['strMobile']);
            $strPager = addslashes($_REQUEST['strPager']);
            $strFax = addslashes($_REQUEST['strFax']);
            $strEmail = addslashes($_REQUEST['strEmail']);
            $strWebsite = addslashes($_REQUEST['strWebsite']);
            $strLicense = addslashes($_REQUEST['strLicense']);
            $strInsured = addslashes($_REQUEST['strInsured']);
            $strBonded = addslashes($_REQUEST['strBonded']);
            $strHours = addslashes($_REQUEST['strHours']);
            $str24houremerg = addslashes($_REQUEST['str24houremerg']);
            $strOtherservices = addslashes($_REQUEST['strOtherservices']);
            $strServicearea = addslashes($_REQUEST['strServicearea']);
            $strInbusiness_since = addslashes($_REQUEST['strInbusiness_since']);
            $strServicesoffered = addslashes($_REQUEST['strServicesoffered']);
            $strFreeestimate = addslashes($_REQUEST['strFreeestimate']);
            $strWorkguaranteed = addslashes($_REQUEST['strWorkguaranteed']);
            $strProvidertagline = addslashes($_REQUEST['strProvidertagline']);
            $strAd_size = addslashes($_REQUEST['strAd_size']);
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 
LVL 27

Assisted Solution

by:Cornelia Yoder
Cornelia Yoder earned 400 total points
ID: 18823962
One of your variables has a quote mark in it:

the right syntax to use near 'll Use Us Again and Again!', 'Basic' )' at line 3

probably something like ...   I'll Use Us ...

0
 
LVL 24

Expert Comment

by:glcummins
ID: 18823998
When you receive user input to be stored in a database, you should always check the input before processing it. User input can contain problematic or even malicious characters and strings that may damage your data or compromise the security of your application.

For more information on this topic, take a look at http://www.digitalpropulsion.org/Programming/SQL_Injections_in_PHP_with_MySQL
0
 
LVL 1

Author Comment

by:pingeyeg
ID: 18824007
That made a lot of since, but I am still getting that same error after putting those in.
0
 
LVL 24

Expert Comment

by:glcummins
ID: 18824046
So that we can see the query that is being attempted, can you make the following change in your code:

$query = "INSERT INTO tblAdspace( providerID, strProviderservice, strCompanyname, strOwner, strAddress, strTown, strZipcode, strPhone, str2ndphone, strMobile, strPager, strFax, strEmail, strWebsite, strInbusiness_since, strLicense, strInsured, strBonded, strHours, str24houremerg, strServicesoffered, strOtherservices, strServicearea, strFreeestimate, strWorkguaranteed, strProvidertagline, strAd_size)
VALUES ('',
'$strProviderservice', '$strCompanyname', '$strOwner', '$strAddress', '$strTown', '$strZipcode', '$strPhone', '$str2ndphone', '$strMobile', '$strPager', '$strFax', '$strEmail', '$strWebsite', '$strInbusiness_since', '$strLicense', '$strInsured', '$strBonded', '$strHours', '$str24houremerg', '$strServicesoffered', '$strOtherservices', '$strServicearea', '$strFreeestimate', '$strWorkguaranteed', '$strProvidertagline', '$strAd_size')"

$result = mysql_query($query) or die("The following query failed:<br />$query<br />The MySQL error was: " . mysql_error());
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article discusses four methods for overlaying images in a container on a web page
Since pre-biblical times, humans have sought ways to keep secrets, and share the secrets selectively.  This article explores the ways PHP can be used to hide and encrypt information.
The viewer will learn how to count occurrences of each item in an array.
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.
Suggested Courses

604 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question