PHP variable in MySQL insert

Code does not update record.
Error report … "Could not insert record: You have an error in your SQL syntax

I suspect the syntax is wrong at $hours … but don't have a solution. print $hours responds properly, reporting the contents of $hours.

Thanks in advance for any help you might offer.

A.

[php]<?php
$hours = '';
if(is_array($_POST['hour'])) foreach($_POST['hour'] as $key=>$val){
    $hours.= $val;
}
print ($hours);

//connect to database successful
//+++++++++++++++++++++++++++++++++++ INSERT RECORD
$query = mysql_query("INSERT INTO members VALUES('','David', '$hours'");
if (!$query) {
    echo 'Could not insert record: ' . mysql_error();
    echo $query;
    exit;
}
else
{
    echo "record inserted";
}

?>
[/php]

You forgot to put the ).

That will work:
[php]
$query = mysql_query("INSERT INTO members VALUES('','David', '$hours')");
[/php]

Whenever you are using user input inside of an SQL query, you should - at the very least - escape it:

[php]mysql_real_escape_string($value)[/php]

Otherwise you are vulnerable to SQL injection.


http://uk.php.net/manual/en/function.mysql-real-escape-string.php

[php]$query = mysql_query("INSERT INTO members VALUES('','David', '%s')",
mysql_real_escape_string($hours));[/php]

Is that it?

Thanks for the help. All of this is difficult, but therapeutic, for those of us with orthographic coding dyslexia.
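
As an added example (not code from the thread): mysql_query() does not fill in %s, because its second argument is a connection handle, and the mysql_* functions were removed in PHP 7, so a prepared statement is the usual way to pass $hours today. The sketch uses PDO with an in-memory SQLite database as a stand-in for MySQL so it runs offline; the column names id, name and hours and the helper function names are assumptions.

```php
<?php
// Added example, not code from the thread. Column names (id, name, hours) are
// assumed; the thread never shows the schema of `members`.
// SQLite in memory stands in for MySQL so the script runs offline; for MySQL
// use a DSN such as 'mysql:host=localhost;dbname=test;charset=utf8mb4'.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, name TEXT, hours TEXT)');

// Join the submitted hour[] values the way the thread's loop does,
// but reject anything that is not an array of scalar values.
function collectHours($posted): string
{
    if (!is_array($posted)) {
        return '';
    }
    $hours = '';
    foreach ($posted as $val) {
        if (!is_scalar($val)) {
            throw new InvalidArgumentException('hour[] must contain scalars');
        }
        $hours .= $val;
    }
    return $hours;
}

function insertMember(PDO $pdo, string $name, string $hours): int
{
    // Placeholders keep the values out of the SQL text entirely.
    $stmt = $pdo->prepare('INSERT INTO members (name, hours) VALUES (:name, :hours)');
    $stmt->execute([':name' => $name, ':hours' => $hours]);
    return (int) $pdo->lastInsertId();
}

// Constructed stand-in for $_POST['hour']; the second value carries a quote
// and SQL punctuation that would break a string-built query.
$posted = ['8', "9'); -- "];

$id = insertMember($pdo, 'David', collectHours($posted));
$stmt = $pdo->prepare('SELECT name, hours FROM members WHERE id = :id');
$stmt->execute([':id' => $id]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// Compare what was stored with what was submitted, then count the rows.
var_dump($row['hours'] === "89'); -- ");
var_dump((int) $pdo->query('SELECT COUNT(*) FROM members')->fetchColumn());
```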
