Home/ Questions/Q 6836463
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-26T23:21:31+00:00

when I post something into my html form, for example in the first name

  • 0

when I post something into my html form, for example in the first name field, I enter in: 

'John', i am getting the following error:

Error in query: . 

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Smith',Address_Line_1='rtuy657tr',Address_Line_2='',City='leicester',Postcode='L' at line 1

I know it has something to do with the mysql_real_escape_string () function, but how would I use it for inserting into a the DB. I have started the function:

function db_insert_preparation(){



}


$con = mysql_connect("localhost","root","");

if (!$con)
{
die('Could not connect: ' . mysql_error());
}

mysql_select_db("project1", $con);

This is where it needs to be used:

$sql2 = "INSERT INTO `".$table_name."` (`Group`, `Date_Of_Birth`, `Gender`, `Title`, `First_Name`, `Last_Name`, `Address_Line_1`, `Address_Line_2`, `City`, `Postcode`, `Contact_No`, `Email`, `Additional_Comment`, `Upload_File`) VALUES ('".db_insert_preparation($group)."','".$_POST[dateofbirth]."','".$_POST[gender]."','".$_POST[title]."','".$_POST[firstname]."','".$_POST[lastname]."','".$_POST[address1]."','".$_POST[address2]."','".$_POST[city]."','".$_POST[postcode]."','".$_POST[contactno]."','".$_POST[email]."','".$_POST[note]."','".$filename."' )";
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    The SQL insert statement is vulnerable to SQL injection. If one of the POST values contains a double quote " or a newline, the statement gets corrupted and syntax errors ensue. Make sure you escape everything user-provided with mysql_real_escape_string().

    • 0