single quote mark error is script

  • nomad
    Recognized Expert Contributor
    • Mar 2007
    • 664


    I have a testimonial page where the user can write a testimonial for me.
    I get this error message if the user uses a single quote mark.
    example:
    Demonstrated professionalism and creativity as the company's web and marketing materials designer.

    will produce this error:
    You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's web and marketing materials designer. ')' at line 1

    here is my code for the php:
    Code:
    <?php
    //check for required fields from the form
    if ((!$_POST[company]) || (!$_POST[fname]) || (!$_POST[comments])) {
    	header("Location: addtestimonial.html");
    	exit;
    }
    //connect to server and select database
    bab bab bab...
    
    
    //create and issue the first query
    $add_testimo = "insert into testimo values ('', '$_POST[company]', now(), '$_POST[fname]', '$_POST[comments]') ";
    mysql_query($add_testimo,$conn) or die(mysql_error());
    
    //get the id of the last query
    $testimo_id = mysql_insert_id();
    
    //create nice message for user
    $display_block = "<P>The <strong>$topic_title</strong> testimonial has been created. <br>
    You wrote: <br>
    $_POST[comments], <br> 
    $_POST[company], <br>
    $_POST[fname],<P>
    Thank you for your business and your time. If you need any upgrades
    please let me know.</p>";
    ?>
    HTML code
    Code:
     <form method=post action="do_addtestimonial.php">
    <p align="left"><strong class="maintext">Your Company's Name:</strong><br>
    <input type="text" name="company" size=40 maxlength=150>
    <p align="left"><strong class="maintext">Your First Name:</strong><br>
      <input type="text" name="fname" size=40 maxlength=150>
    <P align="left"><strong class="maintext">Your Testimonial:</strong><br>
      <textarea name="comments" cols=75 rows=5 wrap=virtual id="comments"></textarea>
    <P align="left"><input type="submit" name="submit" value="Add Testimonial">
    </p>
    </form>
    My db field for the comment is:
    comments text
    Should I use varchar instead?

    Any help would be great.

    damon
  • Dormilich
    Recognized Expert Expert
    • Aug 2008
    • 8694

    #2
    first thing to notice: $_POST[name] should be $_POST["name"], otherwise you get a couple of notices.

    second, you're wide open to SQL Injection (which is the reason for your error).
    it is careless not to treat user input. the least you should do is use mysql_real_escape_string().


    third, variable testing
    Code:
    if ((!$_POST[company]) || (!$_POST[fname]) || (!$_POST[comments])) {
    // should be better
    if (!isset($_POST["company"], $_POST["fname"], $_POST["comments"])) {


    • nomad
      Recognized Expert Contributor
      • Mar 2007
      • 664

      #3
      Thanks Dormilich...
      I hope this will help I'm new to PHP.

      damon


      • nomad
        Recognized Expert Contributor
        • Mar 2007
        • 664

        #4
        I'm still getting the error and I'm not too clear about mysql_real_escape_string().
        Where do I place it and what does it look like?
        This is not a class assignment. I'm using the book PHP, MySQL and Apache All in One, by Julie C. Meloni.
        There was an example and I redesigned it.

        Here is my updated code:
        Code:
        <?php
        //check for required fields from the form
        if (!isset($_POST["company"], $_POST["fname"], $_POST["comments"])) {
        	header("Location: addtestimonial.html");
        	exit;
        }
        
        //connect to server and select database
        $conn = mysql_connect("localhost", "nomad", "nomad") or die(mysql_error());
        mysql_select_db("dwdesign", $conn)  or die(mysql_error());
        
        //create and issue the first query
        $add_testimo = "insert into testimo values ('', '$_POST[company]', now(), '$_POST[fname]', '$_POST[comments]')";
        
        mysql_query($add_testimo,$conn) or die(mysql_error());
        
        //get the id of the last query
        $testimo_id = mysql_insert_id();
        
        
        //create nice message for user
        $display_block = "<P>The <strong>$topic_title</strong> testimonial has been created. <br>
        You wrote: <br>
        $_POST[comments], <br> 
        $_POST[company], <br>
        $_POST[fname],<P>
        Thank you for your business and your time. If you need any upgrades
        please let me know.</p>";
        ?>
        <html>
        <head>
        <title>New Testimonial Added</title>
        </head>
        <body>
        <h1>Testimonial Added</h1>
        <?php echo $display_block; ?>
        </body>
        </html>
        Also in my table I have a field called
        comments which is a text data type
        I did not know how to allow a single quote ("'") among those values.

        Once again any help would be great.
        damo


        • Dormilich
          Recognized Expert Expert
          • Aug 2008
          • 8694

          #5
          Originally posted by nomad
          I'm using the book PHP, MySQL and Apache All in One, by Julie C. Meloni.
          it's a poor book, if it doesn't mention SQL Injection.

          how to use mysql_real_escape_string() is mentioned in the manual (ref. to the given link), there are also examples given.


          • nomad
            Recognized Expert Contributor
            • Mar 2007
            • 664

            #6
            Still at a loss. I read it twice; I even did a Google search on the info.
            Really could use some help.
            I have no idea where to place the code.
            Is it within the PHP code, or is it within the db using a SQL query?


            thanks
            damon


            • Dormilich
              Recognized Expert Expert
              • Aug 2008
              • 8694

              #7
              since it’s a PHP function, it is to be applied in the PHP code, just like in the examples.

              Code:
              $query = sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'",
                          mysql_real_escape_string($user),
                          mysql_real_escape_string($password));
              $result = mysql_query($query);

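Dormilich's fix from #7 applied to the testimonial insert from #4, as an added example that is not code from the thread or from the book. It uses a mysqli prepared statement, the current replacement for mysql_real_escape_string() now that the old mysql_* functions are gone from PHP, and it assumes column names (id, company, created, fname, comments) for the testimo table, which the thread never spells out apart from comments.

```php
<?php
// Added example (not from the thread): post #4's insert rewritten so that user
// input is bound as parameters rather than spliced into the SQL string.
// Assumed schema: testimo(id AUTO_INCREMENT, company, created, fname, comments).
// Same required-field check as #2/#4, additionally rejecting empty strings.
function required_fields(array $post, array $names): bool
{
    foreach ($names as $name) {
        if (!isset($post[$name]) || trim($post[$name]) === '') {
            return false;
        }
    }
    return true;
}
if (!required_fields($_POST, ['company', 'fname', 'comments'])) {
    header('Location: addtestimonial.html');
    exit;
}
// Credentials are placeholders; substitute your own.
$conn = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'dwdesign');
if ($conn->connect_error) {
    die('Connect failed: ' . $conn->connect_error);
}
// The ? markers are filled in by the driver, so a single quote in the
// testimonial ("company's") is stored as data and can no longer close the
// string literal the way it did in the original concatenated query.
$stmt = $conn->prepare(
    'INSERT INTO testimo (company, created, fname, comments) VALUES (?, NOW(), ?, ?)'
);
if ($stmt === false) {
    die('Prepare failed: ' . $conn->error);
}
$stmt->bind_param('sss', $_POST['company'], $_POST['fname'], $_POST['comments']);
if (!$stmt->execute()) {
    die('Insert failed: ' . $stmt->error);
}
$testimo_id = $conn->insert_id;
$stmt->close();
// Echoing the input back into HTML needs its own escaping (htmlspecialchars);
// that is a separate problem from the SQL one and is not solved by binding.
$display_block = sprintf(
    '<p>Testimonial #%d has been created.</p><p>You wrote:<br>%s<br>%s<br>%s</p>',
    $testimo_id,
    htmlspecialchars($_POST['comments'], ENT_QUOTES, 'UTF-8'),
    htmlspecialchars($_POST['company'], ENT_QUOTES, 'UTF-8'),
    htmlspecialchars($_POST['fname'], ENT_QUOTES, 'UTF-8')
);
echo $display_block;
```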

              • nomad
                Recognized Expert Contributor
                • Mar 2007
                • 664

                #8
                Finally I figured it out.


                • Dormilich
                  Recognized Expert Expert
                  • Aug 2008
                  • 8694

                  #9
                  did you notice that this is the example from the manual?


                  • dlite922
                    Recognized Expert Top Contributor
                    • Dec 2007
                    • 1586

                    #10
                    Originally posted by Dormilich
                    did you notice that this is the example from the manual?
                    ^ LOL

                    Dan,
                    [the php nut @]


                    • nomad
                      Recognized Expert Contributor
                      • Mar 2007
                      • 664

                      #11
                      Yes...
                      Thanks for the help I will be back for more help
                      soon
