DS928
MySQL Error
I'm having a problem finding the error in this code. This is the error.
Database error: Invalid SQL: SELECT * FROM customer_order where orderId= Database error: Invalid SQL: INSERT INTO customer_order (RestId,streetnumber,streetname,cross,apt,city,state,zip,latestProcessStatus,summary,OrderDate,DeliveryTime,PayStatus, comments,OrderPolicyId,lastname,firstname,phone) VALUES (2,"Street Number","Street Name","Cross Street","Apt Number","City","State","Zip Code","pending", "no summery", NOW(),"8:00PM","1","","1","Last Name","First Name","212.222.2222")
MySQL Error: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'cross,apt,city,state,zip,latestProcessStatus,summary,OrderDate,DeliveryTime,PayS' at line 1)
Session halted.
MySQL Error: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Database error: Invalid SQL: INSERT INTO customer_order' at line 1)
Session halted.
$item1=$_POST['item1'];
$streetnumber=$_POST['streetnumber'];
$streetname=$_POST['streetname'];
$cross=$_POST['cross'];
$apt=$_POST['apt'];
$city=$_POST['city'];
$state=$_POST['state'];
$zip=$_POST['zip'];
$deliverytime=$_POST['deliverytime'];
$paystatus = ($_POST['paymethod'] == '')?'1':'2';
$comments = $_POST['comments'];
$OrderPolicyId = $_POST['ordertype'];
$lastname = $_POST['lastname'];
$firstname = $_POST['firstname'];
$phone = $_POST['phone'];
include ('includes/database.php');
$db = new Database;
$sql_insert_order='INSERT INTO customer_order (RestId,streetnumber,streetname,cross,apt,city,state,zip,latestProcessStatus,summary,OrderDate,DeliveryTime,PayStatus, comments,OrderPolicyId,lastname,firstname,phone)
VALUES (2,"'.$streetnumber.'","'.$streetname.'","'.$cross.'","'.$apt.'","'.$city.'","'.$state.'","'.$zip.'","pending", "no summery", NOW(),"'.$deliverytime.'","'.$paystatus.'","'.$comments.'","'.$OrderPolicyId.'","'.$lastname.'","'.$firstname.'","'.$phone.'")';
That's confusing. Your text and the code you posted are about two different things. How do you get a SELECT and an INSERT into the same error message?
ASKER
Sure is Dave. Found the problem. Had an extra field in there. "Pay Status"
ASKER CERTIFIED SOLUTION
ASKER
Thank you Ray. So should I do this for each variable?
$item1=mysql_real_escape_string($_POST['item1']);
Each variable would need to be cleaned - a better solution is to use PDO - for two reasons
1. The MySQL lib is about to become extinct
2. The PDO library allows for prepared statements which limits the risks of an injection attack.
You could also migrate to mysqli but you would still need to use mysqli_real_escape_string on your vars.
You should follow the guidance on the PHP.net documentation for all PHP functions. In this case the documentation says, "This function must always (with few exceptions) be used to make data safe before sending a query to MySQL."
http://php.net/manual/en/function.mysql-real-escape-string.php
Information related to the removal of the MySQL extension is available in this article. It tells why the extension is being removed and what you must do to keep your scripts running.
https://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/PHP_Databases/A_11177-PHP-MySQL-Deprecated-as-of-PHP-5-5-0.html
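Worked example, added here and not part of the question or of either answer: the asker's INSERT from the question rewritten with PDO prepared statements, which is the route both answers above recommend over escaping each variable by hand. Table and column names are taken from the question's own SQL; the DSN, the credentials, the form field names and the assumption that orderId is an auto-increment key are mine. (The mysqli extension also provides prepared statements through mysqli_prepare and bind_param, so a move to mysqli does not require escaping every variable either.)

```php
<?php
// Added example, not code from the question or from the answers above:
// the asker's INSERT rewritten with PDO prepared statements. Table and
// column names are the ones in the question; the DSN, the credentials
// and the form field names are assumptions.

$dsn  = 'mysql:host=localhost;dbname=orders;charset=utf8mb4'; // assumed
$user = 'app_user';                                             // assumed
$pass = 'app_password';                                         // assumed

$pdo = new PDO($dsn, $user, $pass, [
    // Throw on failure instead of echoing the SQL into the page; the
    // question's error text shows one error message ending up inside
    // the next query.
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    // Send the statement and the values to the server separately, so
    // no user data is ever spliced into the SQL text on the client.
    PDO::ATTR_EMULATE_PREPARES => false,
]);

// Read the same form fields the original script used. A missing field
// becomes null instead of raising a notice.
$formFields = ['streetnumber', 'streetname', 'cross', 'apt', 'city', 'state',
               'zip', 'deliverytime', 'paymethod', 'comments', 'ordertype',
               'lastname', 'firstname', 'phone'];
$in = [];
foreach ($formFields as $f) {
    $in[$f] = isset($_POST[$f]) ? (string) $_POST[$f] : null;
}
// Same rule as the original: no payment method chosen means PayStatus 1.
$payStatus = ($in['paymethod'] === null || $in['paymethod'] === '') ? '1' : '2';

// Every user-supplied value is a placeholder; the column list is fixed.
// `cross` is backtick-quoted because CROSS is a reserved word in MySQL,
// and the 1064 error in the question stops parsing exactly at it.
$insertSql = <<<'SQL'
INSERT INTO customer_order
    (RestId, streetnumber, streetname, `cross`, apt, city, state, zip,
     latestProcessStatus, summary, OrderDate, DeliveryTime, PayStatus,
     comments, OrderPolicyId, lastname, firstname, phone)
VALUES
    (2, :streetnumber, :streetname, :cross, :apt, :city, :state, :zip,
     'pending', 'no summery', NOW(), :deliverytime, :paystatus,
     :comments, :orderpolicyid, :lastname, :firstname, :phone)
SQL;

$stmt = $pdo->prepare($insertSql);
$stmt->execute([
    ':streetnumber'  => $in['streetnumber'],
    ':streetname'    => $in['streetname'],
    ':cross'         => $in['cross'],
    ':apt'           => $in['apt'],
    ':city'          => $in['city'],
    ':state'         => $in['state'],
    ':zip'           => $in['zip'],
    ':deliverytime'  => $in['deliverytime'],
    ':paystatus'     => $payStatus,
    ':comments'      => $in['comments'],
    ':orderpolicyid' => $in['ordertype'],
    ':lastname'      => $in['lastname'],
    ':firstname'     => $in['firstname'],
    ':phone'         => $in['phone'],
]);

// The question's first error line shows a follow-up
// "SELECT * FROM customer_order where orderId=" built by concatenation.
// The same lookup with a bound integer parameter (assumes orderId is the
// table's auto-increment key):
$orderId = (int) $pdo->lastInsertId();
$lookup  = $pdo->prepare('SELECT * FROM customer_order WHERE orderId = :id');
$lookup->bindValue(':id', $orderId, PDO::PARAM_INT);
$lookup->execute();
$order = $lookup->fetch(PDO::FETCH_ASSOC);
```

Two points worth keeping in mind when applying this to the original script. Placeholders can only stand in for values, never for column or table names, so the reserved-word problem in the column list still has to be fixed by quoting the identifier; binding the values does not make an unparseable statement parse. And with ERRMODE_EXCEPTION the database error is thrown rather than printed, which is what stops the raw SQL and the server's error text from being written into the response (and, as the question's log shows, into the next query).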
ASKER
Thank you.