
Hi, I have a form with a text area on it which holds descriptive text that will contain punctuation marks such as commas etc.

In the PHP script I have used this:

```php
$description    = empty( $_POST['inputDescription'])? 'NULL': "'" .  mysql_real_escape_string($_POST['inputDescription']) . "'";
```

But I still get a syntax error when submitting text which contains commas, which is this:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's

Any thoughts would be great, I am pulling my hair out!

EDIT: Lots of code (sorry)

```php
<?php
    session_start();
    include "includes/connection.php";

    // Required fields: taken raw from the request and interpolated into the SQL
    // below inside single quotes, without being escaped first.
    $contact     = $_POST['inputName'];
    $company     = $_POST['inputCompany'];
    $region      = $_POST['inputRegion'];
    $address1    = $_POST['inputAddress1'];
    $city        = $_POST['inputCity'];
    $postcode    = $_POST['inputPostcode'];
    $telephone1  = $_POST['inputPhoneOne'];
    $userid      = $_POST['inputUserID'];

    // Optional fields: either the bare word NULL or an escaped string that
    // already carries its own quotes, so they are interpolated unquoted below.
    $address2    = empty( $_POST['inputAddress2'])?    'NULL' : "'" . mysql_real_escape_string( $_POST['inputAddress2']) . "'";
    $county      = empty( $_POST['inputCounty'])?      'NULL' : "'" . mysql_real_escape_string( $_POST['inputCounty']) . "'";
    $email       = empty( $_POST['inputEmail'])?       'NULL' : "'" . mysql_real_escape_string( $_POST['inputEmail']) . "'";
    $telephone2  = empty( $_POST['inputPhoneTwo'])?    'NULL' : "'" . mysql_real_escape_string( $_POST['inputPhoneTwo']) . "'";
    $website     = empty( $_POST['inputWebsite'])?     'NULL' : "'" . mysql_real_escape_string( $_POST['inputWebsite']) . "'";
    $description = empty( $_POST['inputDescription'])? 'NULL' : "'" . mysql_real_escape_string( $_POST['inputDescription']) . "'";

    // Note: the optional variables are never '' at this point (they hold 'NULL'
    // or a quoted string), so only the raw required fields can trigger this branch.
    if(
    $contact == '' || 
    $company == '' ||  
    $address1 == '' || 
    $address2 == '' || 
    $city == '' || 
    $county == '' || 
    $postcode == '' ||  
    $telephone1 == '' || 
    $telephone2 == '' || 
    $email == '' || 
    $website == '' || 
    $description == '' || 
    $region == '' ||  
    $userid == ''){
        $_SESSION['status'] = 'error';
    } else {
        mysql_query("INSERT INTO RegionalContacts
                (`bID`,`user_id`,`Name`,`Company`,`Address1`,`Address2`,`City`,`County`,`Postcode`,`Telephone1`,`Telephone2`,`eMail`,`Website`,`Description`,`Region`)
                VALUES(NULL,'$userid','$contact','$company','$address1',$address2,'$city',$county,'$postcode','$telephone1',$telephone2,$email,$website,$description,'$region')") or die(mysql_error());
        $_SESSION['status'] = 'success';
    }
    header("location: regionalContacts.php");
?>
```
Justin Erswell

2 Answers

Your insert statement looks like it has values that (I assume) are strings passed to it without quotes around them such as address2, county, telephone2, email, website and description. That would cause a syntax error.

piddl0r
  • Thanks, these are required fields, i.e. cannot be null, so not escaped @piddl0r – Justin Erswell Sep 08 '11 at 12:04
  • I think you missed my point. In your INSERT statement you have strings that are not contained in quotes; this will cause a syntax error, whether the field allows null or not – piddl0r Sep 08 '11 at 13:11
  • 'special' chars won't cause a problem with the insert because you've already escaped them. – piddl0r Sep 08 '11 at 13:29

Some of the values in your INSERT-statement have quotes around them, others don't:

'$telephone1',$telephone2

Use prepared statements instead to avoid such mistakes…

feeela
  • Thanks, can anyone answer the question as to how, if my description field has ' in it, to submit this to MySQL without errors based on the code above? – Justin Erswell Sep 08 '11 at 12:14
  • This was answered already: Use [prepared statements](http://php.net/manual/en/pdo.prepared-statements.php)! – feeela Sep 09 '11 at 10:18
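The prepared-statement approach both answers point to, applied to the question's own INSERT (an added example, not code from the question or either answer): every field is bound as data so apostrophes and commas never reach the SQL parser, optional fields are bound as SQL NULL when blank, and required fields are checked on the raw input. The DSN, credentials and PHP 7 `??` syntax are assumptions.

```php
<?php
// Added example, not code from the original question or answers: the same INSERT
// as a PDO prepared statement, so apostrophes and commas in any field travel as
// bound data and never reach the SQL parser. Table/column names follow the
// question; the DSN and credentials are assumed placeholders.
session_start();
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares, not client-side quoting
]);

// Required fields must be non-empty; optional ones become SQL NULL when left blank.
$required = ['inputName' => 'Name', 'inputCompany' => 'Company', 'inputRegion' => 'Region',
             'inputAddress1' => 'Address1', 'inputCity' => 'City', 'inputPostcode' => 'Postcode',
             'inputPhoneOne' => 'Telephone1', 'inputUserID' => 'user_id'];
$optional = ['inputAddress2' => 'Address2', 'inputCounty' => 'County', 'inputEmail' => 'eMail',
             'inputPhoneTwo' => 'Telephone2', 'inputWebsite' => 'Website',
             'inputDescription' => 'Description'];

$params = [];
foreach ($required as $post => $column) {
    $value = trim($_POST[$post] ?? '');
    if ($value === '') {                    // validate the raw input, before any quoting
        $_SESSION['status'] = 'error';
        header('Location: regionalContacts.php');
        exit;
    }
    $params[$column] = $value;
}
foreach ($optional as $post => $column) {
    $value = trim($_POST[$post] ?? '');
    $params[$column] = ($value === '') ? null : $value;
}

$stmt = $pdo->prepare(
    'INSERT INTO RegionalContacts
       (`bID`,`user_id`,`Name`,`Company`,`Address1`,`Address2`,`City`,`County`,`Postcode`,
        `Telephone1`,`Telephone2`,`eMail`,`Website`,`Description`,`Region`)
     VALUES (NULL,:user_id,:Name,:Company,:Address1,:Address2,:City,:County,:Postcode,
             :Telephone1,:Telephone2,:eMail,:Website,:Description,:Region)'
);
foreach ($params as $column => $value) {
    // A PHP null is bound as SQL NULL; every other value is sent as a string parameter.
    $stmt->bindValue(':' . $column, $value, $value === null ? PDO::PARAM_NULL : PDO::PARAM_STR);
}
$stmt->execute();
$_SESSION['status'] = 'success';
header('Location: regionalContacts.php');
```

With bound parameters there is nothing to escape by hand, so the `'NULL'`-or-quoted-string juggling from the question disappears along with the mismatched-quote errors it produced.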