DS928 asked:
MySQL Error

I'm having a problem finding the error in this code.  This is the error.

Database error: Invalid SQL: SELECT * FROM customer_order where orderId= Database error: Invalid SQL: INSERT INTO customer_order (RestId,streetnumber,streetname,cross,apt,city,state,zip,latestProcessStatus,summary,OrderDate,DeliveryTime,PayStatus, comments,OrderPolicyId,lastname,firstname,phone) VALUES (2,"Street Number","Street Name","Cross Street","Apt Number","City","State","Zip Code","pending", "no summery", NOW(),"8:00PM","1","","1","Last Name","First Name","212.222.2222")
MySQL Error: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'cross,apt,city,state,zip,latestProcessStatus,summary,OrderDate,DeliveryTime,PayS' at line 1)
Session halted.
MySQL Error: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Database error: Invalid SQL: INSERT INTO customer_order' at line 1)
Session halted.

<?php
// Form values are taken straight from the POST body; none are escaped or
// validated before being used in SQL.
$item1=$_POST['item1'];
$streetnumber=$_POST['streetnumber'];
$streetname=$_POST['streetname'];
$cross=$_POST['cross'];
$apt=$_POST['apt'];
$city=$_POST['city'];
$state=$_POST['state'];
$zip=$_POST['zip'];
$deliverytime=$_POST['deliverytime'];
$paystatus = ($_POST['paymethod'] == '')?'1':'2';
$comments = $_POST['comments'];
$OrderPolicyId = $_POST['ordertype'];
$lastname = $_POST['lastname'];
$firstname = $_POST['firstname'];
$phone = $_POST['phone'];
include ('includes/database.php');
$db = new Database;

// The INSERT is built by string concatenation, so every POSTed value lands
// directly inside the SQL text (the injection risk discussed later in the thread).
// "cross" is also a MySQL reserved word (CROSS JOIN); left unquoted it is what
// makes the server report error 1064 near 'cross,apt,city,...'. As a column name
// it has to be written with backticks: `cross`.
$sql_insert_order='INSERT INTO customer_order (RestId,streetnumber,streetname,cross,apt,city,state,zip,latestProcessStatus,summary,OrderDate,DeliveryTime,PayStatus, comments,OrderPolicyId,lastname,firstname,phone)
VALUES (2,"'.$streetnumber.'","'.$streetname.'","'.$cross.'","'.$apt.'","'.$city.'","'.$state.'","'.$zip.'","pending", "no summery", NOW(),"'.$deliverytime.'","'.$paystatus.'","'.$comments.'","'.$OrderPolicyId.'","'.$lastname.'","'.$firstname.'","'.$phone.'")';


Dave Baldwin:

That's confusing.  Your text and the code you posted are about two different things.  How do you get a SELECT and an INSERT into the same error message?
DS928 (asker):

Sure is Dave.  Found the problem.  Had an extra field in there.  "Pay Status"
ASKER CERTIFIED SOLUTION
Ray Paseur:

This solution is only available to members.

DS928 (asker):

Thank you Ray.  So should I do this for each variable?

$item1=mysql_real_escape_string($_POST['item1']);

Each variable would need to be cleaned - a better solution is to use PDO - for two reasons

1. The MySQL lib is about to become extinct
2. The PDO library allows for prepared statements which limits the risks of an injection attack.

You could also migrate to mysqli but you would still need to use mysqli_real_escape_string on your vars.
You should follow the guidance on the PHP.net documentation for all PHP functions.  In this case the documentation says, "This function must always (with few exceptions) be used to make data safe before sending a query to MySQL."
http://php.net/manual/en/function.mysql-real-escape-string.php

Information related to the removal of the MySQL extension is available in this article.  It tells why the extension is being removed and what you must do to keep your scripts running.
https://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/PHP_Databases/A_11177-PHP-MySQL-Deprecated-as-of-PHP-5-5-0.html
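To show what the PDO route from the reply above looks like for this exact statement, here is the question's INSERT rebuilt with a prepared statement. This is an added example, not code from the thread; the DSN, database name and credentials are assumed, and the table and column names are the ones from the question.

```php
<?php
// Added example (not code from the thread): the question's INSERT rebuilt with
// PDO prepared statements. Host, database name and credentials are assumed.
$pdo = new PDO(
    'mysql:host=localhost;dbname=restaurant;charset=utf8mb4', // assumed DSN
    'dbuser', 'dbpass',                                        // assumed credentials
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // 1064 etc. become exceptions
        PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares
    ]
);

// Same column list as the question. `cross` is a MySQL reserved word (CROSS JOIN)
// and must be back-quoted; unquoted it is what produced error 1064 near 'cross,apt,...'.
$sql = "INSERT INTO customer_order
          (RestId, streetnumber, streetname, `cross`, apt, city, state, zip,
           latestProcessStatus, summary, OrderDate, DeliveryTime, PayStatus,
           comments, OrderPolicyId, lastname, firstname, phone)
        VALUES
          (2, :streetnumber, :streetname, :cross, :apt, :city, :state, :zip,
           'pending', 'no summery', NOW(), :deliverytime, :paystatus,
           :comments, :orderpolicyid, :lastname, :firstname, :phone)";

// Form values are bound as parameters, never concatenated into $sql, so a quote
// or semicolon typed into the form cannot change the statement's structure.
$params = [
    ':streetnumber'  => $_POST['streetnumber'] ?? '',
    ':streetname'    => $_POST['streetname']   ?? '',
    ':cross'         => $_POST['cross']        ?? '',
    ':apt'           => $_POST['apt']          ?? '',
    ':city'          => $_POST['city']         ?? '',
    ':state'         => $_POST['state']        ?? '',
    ':zip'           => $_POST['zip']          ?? '',
    ':deliverytime'  => $_POST['deliverytime'] ?? '',
    ':paystatus'     => (($_POST['paymethod'] ?? '') === '') ? '1' : '2',
    ':comments'      => $_POST['comments']     ?? '',
    ':orderpolicyid' => $_POST['ordertype']    ?? '',
    ':lastname'      => $_POST['lastname']     ?? '',
    ':firstname'     => $_POST['firstname']    ?? '',
    ':phone'         => $_POST['phone']        ?? '',
];

try {
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    $orderId = $pdo->lastInsertId(); // use this for the follow-up SELECT on orderId
} catch (PDOException $e) {
    // Log the driver message server-side; never echo raw SQL or errors to the user.
    error_log('customer_order insert failed: ' . $e->getMessage());
    http_response_code(500);
    exit;
}
```

With ERRMODE_EXCEPTION the syntax error surfaces as a PDOException instead of an error string, which also prevents the second 1064 in the question, where the first error message was concatenated into the SELECT on orderId.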
DS928 (asker):

Thank you.