
Here's my create query, which works just fine:

$pages = "CREATE TABLE pages (
    id INT NOT NULL AUTO_INCREMENT,
    PRIMARY KEY (id),
    name VARCHAR(255),
    content TEXT,
    description VARCHAR(255),
    banner VARCHAR(255),
    headercol INT,
    headerdisplay INT,
    type INT,
    headersort INT,
    category INT,
    footercol INT,
    footerdisplay INT,
    footersort INT
)";
mysqli_query($dbc, $pages) or die('Error querying database5');

Here's my insert query, which returns an error:

$jewelry = "INSERT INTO pages (name, description, banner, headerdisplay, type, headersort, category) VALUES ('Jewelry', 'A collection of vintage and contemporary jewelry', 'uploads/banners/jewelry.png', 1, 2, 1, 0)";
mysqli_query($dbc, $jewelry) or die('Error inserting jewelry');
  • By the way, I didn't get any error. (Commented Oct 12, 2012 at 7:10)

2 Answers


You have an unescaped apostrophe at the second column value for description.

You should escape it with a backslash, like this: \'.

Update

If you want to insert from a variable, then you should create a prepared statement with mysqli_prepare and bind parameters with mysqli_stmt_bind_param.

Example

OOP way (the first argument to bind_param is the type string, one character per placeholder: s for string, i for integer; the statement then has to be executed):

$stmt = $mysqli->prepare("INSERT INTO pages (name, description, banner, headerdisplay, type, headersort, category) VALUES (?, ?, ?, ?, ?, ?, ?)");
$stmt->bind_param("sssiiii", $name, $description, $banner, $headerDisplay, $type, $headerSort, $category);
$stmt->execute();

Or you could use PDO or other database abstraction layer.


2 Comments

damn skippy... so how do I escape this, and would this be an issue if it was inserting $description?
@user1621945: using prepared statements will escape all chars that need escaping for you, that's why the update mentions mysqli_prepare. BTW: I don't know what exactly you're planning to store in that DB, but using TEXT fields should be avoided if possible (each query will create a temporary table on disk, because text fields are deemed too large). Just a tip
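The following is an added, complete version of the approach this answer recommends; it is not code from the question or the answer. It assumes a reachable MySQL/MariaDB server (the host, user, password and database name are placeholders to replace), the `pages` table exactly as created in the question, and a made-up description that contains an apostrophe, which is the character that breaks a string-built INSERT. Errors are turned into exceptions so a failed prepare or execute cannot pass silently the way the `or die(...)` pattern in the question did.

```php
<?php
// Added example, not the poster's code. Assumes a local MySQL/MariaDB server
// and the `pages` table from the question's CREATE TABLE statement.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on any mysqli error

// Placeholder credentials: replace with your own.
$dbc = new mysqli('localhost', 'dbuser', 'dbpass', 'site');
$dbc->set_charset('utf8mb4'); // the client must know the charset for escaping to be correct

/**
 * Insert one row into `pages` with a prepared statement and return its id.
 * The SQL text holds only placeholders; values are sent separately, so an
 * apostrophe (or "'); DROP TABLE users; --") in $description is plain data.
 */
function insertPage(
    mysqli $dbc,
    string $name,
    string $description,
    string $banner,
    int $headerDisplay,
    int $type,
    int $headerSort,
    int $category
): int {
    $sql = 'INSERT INTO pages (name, description, banner, headerdisplay, type, headersort, category)
            VALUES (?, ?, ?, ?, ?, ?, ?)';
    $stmt = $dbc->prepare($sql);
    // Type string: s = string, i = integer, exactly one character per "?".
    // Leaving it out (as in the snippet above) is the usual cause of a bind_param error.
    $stmt->bind_param('sssiiii', $name, $description, $banner, $headerDisplay, $type, $headerSort, $category);
    $stmt->execute();
    $id = (int) $dbc->insert_id;
    $stmt->close();
    return $id;
}

// Constructed sample input: the apostrophe in "women's" is the case that needs no manual escaping here.
$description = "A collection of vintage and contemporary women's jewelry";
$id = insertPage($dbc, 'Jewelry', $description, 'uploads/banners/jewelry.png', 1, 2, 1, 0);

// Read the row back the same way; placeholders work in WHERE clauses too.
$stmt = $dbc->prepare('SELECT description FROM pages WHERE id = ?');
$stmt->bind_param('i', $id);
$stmt->execute();
$stmt->bind_result($stored);
$stmt->fetch();
$stmt->close();

// The value is stored verbatim: no backslashes, no HTML entities.
assert($stored === $description);

// HTML escaping belongs here, at output time, not at storage time.
echo '<p>' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8') . "</p>\n";
```

Keep `mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT)` on in development so a typo in the column list or a wrong type string surfaces as an exception at the failing line instead of a generic "Error inserting jewelry".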

Use these two functions when entering data into the database and when reading it back out.

/****************************************/
/* Encode special chars                 */
/*                                      */
/****************************************/

function DBin($string) 
{
    return  trim(htmlspecialchars($string,ENT_QUOTES));
}

/****************************************/
/* Decode special chars                 */
/*                                      */
/****************************************/

function DBout($string) 
{
    $string = trim($string);
    return htmlspecialchars_decode($string,ENT_QUOTES);
}

2 Comments

It is for entering data into the MySQL database. Browser result = Bobby '); DROP TABLE users; --, page source = Bobby '); DROP TABLE users; --, database = Bobby '); DROP TABLE users; --
fair point, forgot I was testing in browser, just saw all the quotes appear, forgot about htmlentities. But I maintain: prepared statements are still the best way to go
