" mess up my INSERT into query

**GameCrash** · Sat 1 Mar '03, 12:15am

Try this:

PHP Code:


$message = addslashes($message);

**Icheb** · Sat 1 Mar '03, 11:28am

addslashes(htmlspecialchars($variable)) would be safer actually.

**Chen** · Sat 1 Mar '03, 11:34am

Actually you shouldn't htmlspecialchars() it when placing in the database, only in runtime when the data is displayed. That way you don't lose its original state...

**Swedie** · Sat 1 Mar '03, 5:09pm

Originally posted by Chen

Actually you shouldn't htmlspecialchars() it when placing in the database, only in runtime when the data is displayed. That way you don't lose its original state...

Ok, so how do I submit something into the database that includes ' ... ?

the post is through a <form> and goes to a new page, post.php. Where a query inserts it to the database like this:

mysql_query("INSERT INTO message VALUES ('', $message, '$bbuserinfo[username]', '$bbuserinfo[userid]', '$posttime', '$category', '$color');") or die("MySQL Query Failed: " . mysql_error());

I'd like help.

**XTJ7** · Sat 1 Mar '03, 6:06pm

actually i prefer something like

Code:

mysql_query( "INSERT INTO `messages` VALUES ( '', '" . addslashes( $message ) . "', '" . addslashes( $bbuserinfo[ 'username' ] ) . "', '" . addslashes( $posttime ) . "', '" . addslashes( $category ) . "', '" . addslashes( $color ) . "' );" ) or die("MySQL Query Failed: " . mysql_error() );

is much safer, but i recommend to give mysql the fields with the table so that you just insert the fields you had been selected.
like

Code:

INSERT INTO `messages` (`name`, `info`, `others`) VALUES ( 'xtj7', 'programmer', 'foo' );

so you can leave out id and it increments automatically without giving mysql an empty field.

c:ya

**Swedie** · Sat 1 Mar '03, 11:19pm

what's wrong in this query?

mysql_query("INSERT INTO message ('message', 'postername', 'posterid', 'category', 'color') VALUES ( '" . addslashes( $message ) . "', '" . addslashes( $bbuserinfo[username] ) . "', '" . addslashes( $bbuserinfo[userid] ) . "', '" . addslashes( $category ) . "', '" . addslashes( $color ) . "');") or die("MySQL Query Failed: " . mysql_error());

I get:
MySQL Query Failed: You have an error in your SQL syntax near ''message', 'postername', 'posterid', 'category', 'color') VALUES ( 'sadsda', 'Wh' at line 1

**Chen** · Sat 1 Mar '03, 11:27pm

Field names should be quoted with single quotes - either use backstick (`) or don't quote them at all.

**Swedie** · Sun 2 Mar '03, 12:01am

figured it out...

chen

what is a backstick.. never heard about it and .. hence not knowing why that should be used.. ever.. care to let me know?

**Chen** · Sun 2 Mar '03, 12:05am

It's just the name of this character: `

**Swedie** · Sun 2 Mar '03, 10:54am

but when is that backstick supposed to be used?

**Icheb** · Sun 2 Mar '03, 11:06am

You use

INSERT INTO message ('message', 'postername', 'posterid', 'category', 'color')

You should use

INSERT INTO message (`message`, `postername`, `posterid`, `category`, `color`)

Or just don't use them at all.

**GameCrash** · Sun 2 Mar '03, 12:13pm

It's allways used if you use a reserved keyword as a table or column name for example...

" mess up my INSERT into query

" mess up my INSERT into query

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment