Tags
PHP , MySQL
Asked 8 years ago
27 Sep 2016
Views 1282
ajamil posted

mysql error in mysql_query function at php

Hi,
I got the error

"You have an error in your SQL syntax; check the manual that corresponds
 to your MySQL server version for the right syntax to use near '\"@d')' at line 1"

for this PHP code:

$sql = mysql_query("insert into #tablename values('" . $_REQUEST['skill'] . "')") or die(mysql_error());


So what is the issue? I have entered `' " @` in the skill input box.


Mitul Dabhi answered

Escape the string with the mysql_real_escape_string() function:

$sql = mysql_query("insert into #tablename values('" . mysql_real_escape_string($_REQUEST['skill']) . "')") or die(mysql_error());


For PHP 7, use the MySQLi extension. Note that the procedural mysqli_* functions take the connection handle (here `$link`, as returned by mysqli_connect()) as their first argument:

$sql = mysqli_query($link, "insert into #tablename values('" . mysqli_real_escape_string($link, $_REQUEST['skill']) . "')") or die(mysqli_error($link));



It is still not advisable to use input parameters directly like this. You should use some wrapper function or wrapper class which filters/validates/does a security check on the input before saving it.

OK, it worked for me, thanks. And how can I validate it before it is saved? - ajamil  
Oct 4 '16 07:17
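The answer above shows escaping and then recommends a wrapper; the example below is added here and is not code from the original thread. It runs the asker's INSERT three ways with the exact input from the question (`' " @`): concatenated as in the question, escaped with the driver's quote function, and as a prepared statement where the value never becomes part of the SQL text. It uses PDO over an in-memory SQLite database so it runs without a MySQL server; the table name `skills` and column `skill` are assumptions, since the post only shows `#tablename`. For MySQL, change the DSN to `mysql:host=...;dbname=...` and the rest is unchanged.

```php
<?php
// Added example (not from the original post): the asker's INSERT done three ways.
// PDO over in-memory SQLite so it runs offline; swap the DSN for MySQL.
// Assumption: table `skills` with a single column `skill` (post only says #tablename).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE skills (skill TEXT NOT NULL)');

// Constructed sample input: the characters the asker typed into the box.
$skill = '\' " @';   // the string  ' " @

// 1. String concatenation, as in the question. The leading quote in the input
//    closes the SQL string literal early, so the statement no longer parses.
try {
    $pdo->exec("INSERT INTO skills VALUES ('" . $skill . "')");
    echo "unexpected: concatenated insert succeeded\n";
} catch (PDOException $e) {
    echo "concatenated insert failed: " . $e->getMessage() . "\n";
}

// 2. Escaping. PDO::quote() is the driver-aware counterpart of
//    mysql_real_escape_string() and also adds the surrounding quotes.
//    This works, but only if every value in every query is remembered.
$pdo->exec('INSERT INTO skills VALUES (' . $pdo->quote($skill) . ')');

// 3. Prepared statement. The value is bound separately from the SQL text,
//    so no escaping is needed and input cannot change the query structure.
$stmt = $pdo->prepare('INSERT INTO skills VALUES (:skill)');
$stmt->execute([':skill' => $skill]);

// Read back: both safe variants stored the input verbatim, quotes and all.
foreach ($pdo->query('SELECT skill FROM skills') as $row) {
    echo 'stored: ' . $row['skill'] . "\n";
}
```

Run it with `php example.php` (the pdo_sqlite extension must be enabled). The first INSERT fails with a syntax error of the same kind as the one in the question; the other two succeed and the SELECT prints `' " @` twice. Prefer variant 3: escaping protects one value at a time and is easy to forget, while a prepared statement makes the separation of code and data the default.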
jagdish answered

It's SQL injection.

You should escape the string before saving it to the database.

shyam answered

It's SQL injection. You should filter input before saving it to the database. It's like cleaning fruit and veggies before putting them into your stomach.

Use a filter function to filter it; you have Validate, Sanitize and other filters.

Check it out; it may help you code well:
http://php.net/manual/en/function.filter-input.php
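To answer the "how can I validate it before it is saved?" comment above in concrete terms, here is an added example (not code from the original thread) that validates the `skill` field with the filter extension the linked manual page documents. The allowed format is an assumption: a skill name of 1 to 40 characters made of letters, digits, spaces and the characters `+ # . -` (enough for "C++", "C#" or "Node.js"); adjust the pattern to your own data. The inputs at the bottom are constructed so the script runs from the command line; in a request handler the value would come from `filter_input(INPUT_POST, 'skill')`.

```php
<?php
// Added example (not from the original page): validate the "skill" field
// before it is saved. Assumed format: 1-40 chars of letters, digits, space, + # . -
const SKILL_PATTERN = '/^[A-Za-z0-9][A-Za-z0-9 +#.\-]{0,39}$/';

/**
 * Returns the validated skill, or null when the value is missing or invalid.
 * FILTER_VALIDATE_REGEXP returns false on a mismatch; FILTER_NULL_ON_FAILURE
 * turns that into null so a legitimate value such as "0" is not confused
 * with a failure.
 */
function validate_skill(?string $raw): ?string
{
    if ($raw === null) {
        return null;                      // field was not sent at all
    }
    $value = trim($raw);
    return filter_var($value, FILTER_VALIDATE_REGEXP, [
        'options' => ['regexp' => SKILL_PATTERN],
        'flags'   => FILTER_NULL_ON_FAILURE,
    ]);
}

// In a request handler the value would be fetched like this:
//   $raw = filter_input(INPUT_POST, 'skill');   // null when the field is absent
// Constructed inputs below so the script runs on the command line.
$samples = [
    'PHP',
    'C++',
    'Node.js',
    '\' " @',                     // the asker's input: rejected
    "'; DROP TABLE skills; --",   // classic injection payload: rejected
    str_repeat('a', 41),          // too long: rejected
];

foreach ($samples as $raw) {
    $clean = validate_skill($raw);
    printf("%-32s => %s\n", json_encode($raw), $clean === null ? 'REJECTED' : "ok: $clean");
}
```

Validation like this is a whitelist on the shape of the data, which is what you want for a field with a known format; it limits what reaches the database and stops obvious garbage early. It is not a substitute for a prepared statement (or, at minimum, escaping) when the value is put into SQL: a free-text field that legitimately contains quotes still needs parameterisation, and validation only narrows what the application accepts.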

ravi answered

Check this, please: http://open-source-customization.com/question/how-to-avoid-sql-injection-in-php/98