0

I have an HTML form. After submitting the form, it shows the following error message:

Error Message:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL 
server version for the right syntax to use near 'm ok. ', 'point of interest', 
'91354857', '6546564654', '2 Person', '25', 'engl' at line 1 

MySQL query:

$insert = mysql_query("INSERT INTO host_signup VALUES('', '$uname', '$f_name', 
'$pr_lname', '$email', '$hashpass', '$title', '$country', '$city', '$state', 
'$postalcode', '$address', '$final_neighbor', '$landline', '$mobileph', '$capacity', 
'$age', '$language', '$final_interest', '$news', '$ip', '$dof', '0' )");

Actually, it shows the error message when I apply stripslashes() to the variable, but without stripslashes() it shows backslashes.

For example:

$address = $_POST['address'];       
$address = stripslashes($address);

3 Answers

1

You need to escape your SQL values before putting them in a query. Looks like one of your strings had a ' and MySQL cut that? I'm guessing that 'm ok. ' is the end of "i'm ok.".

That string should be i\'m ok..

Answered 2013-03-30T03:57:03.730
0

You need to use addslashes.

addslashes — Quote string with slashes

Official Document

Example

<?php
  $str = "Is your name O'reilly?";
  // Outputs: Is your name O\'reilly?
  echo addslashes($str);
?>
Answered 2013-03-30T04:05:15.367
0

You should use mysql_real_escape_string() -- not addslashes(), as suggested by others.

The addslashes() documentation concurs:

It's highly recommended to use DBMS specific escape function (e.g. mysqli_real_escape_string() for MySQL or pg_escape_string() for PostgreSQL), but if the DBMS you're using doesn't have an escape function and the DBMS uses \ to escape special chars, you can use this function.

Answered 2013-03-30T04:20:13.370
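
The failure discussed in this thread, reproduced with the string from the question's error message, as an added example that is not part of any answer above. It uses bound parameters rather than the escaping functions named in the answers, and PDO with an in-memory SQLite database in place of the asker's MySQL server so that it runs offline; the two-column `host_signup` table, the user name and the function names are assumptions.

```php
<?php
// Added example: PDO + in-memory SQLite stand in for the asker's MySQL server.
// The two-column host_signup table and the function names are assumptions.

function open_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE host_signup (uname TEXT, address TEXT)');
    return $db;
}

// Same pattern as the question: values are pasted into the SQL text.
function insert_interpolated(PDO $db, string $uname, string $address): ?string {
    try {
        $db->exec("INSERT INTO host_signup VALUES('$uname', '$address')");
        return null;
    } catch (PDOException $e) {
        // The apostrophe in the value ended the string literal early.
        return $e->getMessage();
    }
}

// Values travel as bound parameters and are never parsed as SQL.
function insert_bound(PDO $db, string $uname, string $address): void {
    $stmt = $db->prepare('INSERT INTO host_signup (uname, address) VALUES (?, ?)');
    $stmt->execute([$uname, $address]);
}

$db = open_db();
$address = "i'm ok."; // constructed input, taken from the question's error message

$error = insert_interpolated($db, 'alice', $address);
echo 'interpolated: ', $error ?? 'no error', PHP_EOL;

insert_bound($db, 'alice', $address);
$stored = $db->query('SELECT address FROM host_signup')->fetchColumn();
echo 'bound, stored as: ', $stored, PHP_EOL;

// The value round-trips unchanged, with no added backslashes.
var_dump($stored === $address);
```

With bound parameters there is nothing to strip afterwards, so the stripslashes() step from the question is not needed on the stored value.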