MySQL Error

I'm having a problem finding the error in this code.  This is the error.

Database error: Invalid SQL: SELECT * FROM customer_order where orderId= Database error: Invalid SQL: INSERT INTO customer_order (RestId,streetnumber,streetname,cross,apt,city,state,zip,latestProcessStatus,summary,OrderDate,DeliveryTime,PayStatus, comments,OrderPolicyId,lastname,firstname,phone) VALUES (2,\"Street Number\",\"Street Name\",\"Cross Street\",\"Apt Number\",\"City\",\"State\",\"Zip Code\",\"pending\", \"no summery\", NOW(),\"8:00PM\",\"1\",\"\",\"1\",\"Last Name\",\"First Name\",\"212.222.2222\")
nMySQL Error: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near \'cross,apt,city,state,zip,latestProcessStatus,summary,OrderDate,DeliveryTime,PayS\' at line 1)
nSession halted.
nMySQL Error: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Database error: Invalid SQL: INSERT INTO customer_order' at line 1)
nSession halted.






$item1=$_POST['item1'];
$streetnumber=$_POST['streetnumber'];
$streetname=$_POST['streetname'];
$cross=$_POST['cross'];
$apt=$_POST['apt'];
$city=$_POST['city'];
$state=$_POST['state'];
$zip=$_POST['zip'];
$deliverytime=$_POST['deliverytime'];
$paystatus = ($_POST['paymethod'] == '')?'1':'2';
$comments = $_POST['comments'];
$OrderPolicyId = $_POST['ordertype'];
$lastname = $_POST['lastname'];
$firstname = $_POST['firstname'];
$phone = $_POST['phone'];
include ('includes/database.php');
$db = new Database;

$sql_insert_order='INSERT INTO customer_order (RestId,streetnumber,streetname,cross,apt,city,state,zip,latestProcessStatus,summary,OrderDate,DeliveryTime,PayStatus, comments,OrderPolicyId,lastname,firstname,phone)
VALUES (2,"'.$streetnumber.'","'.$streetname.'","'.$cross.'","'.$apt.'","'.$city.'","'.$state.'","'.$zip.'","pending", "no summery", NOW(),"'.$deliverytime.'","'.$paystatus.'","'.$comments.'","'.$OrderPolicyId.'","'.$lastname.'","'.$firstname.'","'.$phone.'")';

Open in new window

DS928Asked:
Who is Participating?
 
Ray PaseurConnect With a Mentor Commented:
Just for future reference, a statement like this does nothing but propagate a variable (and thus increases the likelihood that there will be a programming error).

$item1=$_POST['item1'];

It might make sense if you had this instead.

$item1=mysql_real_escape_string($_POST['item1']);

Good luck with the project, ~Ray
0
 
Dave BaldwinFixer of ProblemsCommented:
That's confusing.  Your text and the code you posted are about two different things.  How do you get a SELECT and an INSERT into the same error message?
0
 
DS928Author Commented:
Sure is Dave.  Found the problem.  Had an extra field in there.  "Pay Status"
0
Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

 
DS928Author Commented:
Thank you Ray.  So should I do this for each variable?

$item1=mysql_real_escape_string($_POST['item1']);
0
 
Julian HansenCommented:
Each variable would need to be cleaned - a better solution is to use PDO - for two reasons

1. The MySQL lib is about to become extinct
2. The PDO library allows for prepared statements which limits the risks of an injection attack.

You could also migrate to mysqli but you would still need to use mysqli_real_escape_string on your vars.
0
 
Ray PaseurCommented:
You should follow the guidance on the PHP.net documentation for all PHP functions.  In this case the documentation says, "This function must always (with few exceptions) be used to make data safe before sending a query to MySQL."
http://php.net/manual/en/function.mysql-real-escape-string.php

Information related to the removal of the MySQL extension is available in this article.  It tells why the extension is being removed and what you must do to keep your scripts running.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/PHP_Databases/A_11177-PHP-MySQL-Deprecated-as-of-PHP-5-5-0.html
0
 
DS928Author Commented:
Thank you.
0
All Courses

From novice to tech pro — start learning today.