Bastard PHP/MYSQL error message

Rollo Tamasi · 07-06-2006 4:04pm #1

You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 2

with this
[PHP]

$first_name = $_POST;
$last_name = $_POST;
$username = $_POST;
$email_address = $_POST;

$adm = mysql_num_rows(mysql_query("SELECT userid FROM user"));
if ($adm == 0) {
$sql = mysql_query("INSERT INTO user (first_name, last_name, email_address, username, password, user_level )
VALUES('$first_name', '$last_name', '$email_address', '$username','$db_password', '1' ") or die (mysql_error());
}
else {
//you tit
}
[/PHP]

the original page is a lot longer but the above segments are that of which is causing striffe

is_that_so · 07-06-2006 4:08pm

Use mysql_real_escape_string($string) around all of the user-generated data.

Also use a print statement in your code to see exactly what you are trying to input. Paste the output here.

eg

print $sql_query;
exit;

Ph3n0m · 07-06-2006 4:10pm

think that should do it

$first_name = $_POST['first_name'];
$last_name = $_POST['last_name'];
$username = $_POST['username'];
$email_address = $_POST['email_address'];

$adm = mysql_num_rows(mysql_query("SELECT userid FROM user"));
    if ($adm == 0) {
$sql = mysql_query("INSERT INTO user (first_name, last_name, email_address, username, password, user_level )
        VALUES('$first_name', '$last_name', '$email_address', '$username','$db_password', '1')") or die (mysql_error());
} 
else {
//you tit
}

comer_97 · 07-06-2006 4:35pm

will $first_name work when it is inside single quotes???

will that not put '$first_name' not the value of $first_name in the string?

Adam · 07-06-2006 4:44pm

I also find it easier to keep track of if you seperate the actual query from the string, i.e.:

[PHP]$sql="INSERT INTO user (first_name, last_name, email_address, username, password, user_level) VALUES ('$first_name', '$last_name', '$email_address', '$username','$db_password', '1')";

mysql_query($sql) or die("Query failed : " . mysql_error());[/PHP]

Rollo Tamasi · 07-06-2006 6:38pm

Ph3nom got it right, i couldn't see any difference in the code from looking at but when i used it and looked back over his and mine, i found that i had an extra ) in there.

democrates · 07-06-2006 11:43pm

comer_97 wrote:

will $first_name work when it is inside single quotes???

will that not put '$first_name' not the value of $first_name in the string?

Well you know the difference between single and double quotes.

The thing is, quotes inside quotes are treated as data, not string delimiters, the outer quotes set the rule allowing variable interpolation or not.

seamus · 07-06-2006 11:54pm

comer_97 wrote:

will $first_name work when it is inside single quotes???

will that not put '$first_name' not the value of $first_name in the string?

One of the subtleties of PHP. As flogen points out, the key is the delimiters which you use.

PHP doesn't parse the inside of single quote delimited strings.

So print('$first_name'); will simply print $first_name

Whereas print("$first_name"); will print John (for example)

The other major difference is that you don't need to escape a double-quote inside a single-quote delimited string, and vice-versa.

If you put those two rules together, then
[php]
print "My First Name is '$first_name'. Good to meet you.";[/php]
Will print My First Name is 'seamus'. Good to meet you

Bastard PHP/MYSQL error message

Comments