I’m working on a script where the user fills out a form and then it is added to a SQL database. I know the script works without special characters, because if I type “1” into all the fields, I get no errors. If I actually fill out the form truthfully, I get the following error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Falls, 12/28/1989, 5\'8\", blonde blue, granty, ear, tongue, zac efron, Mom - M' at line 2
Here is what I’m using to write the data to the db:
<?php
mysql_connect("localhost", "*****", "*****") or die(mysql_error());
mysql_select_db("*****") or die(mysql_error());
//define variables
$andrea_birthplace = $_POST['andrea_birthplace'];
$andrea_birthday = $_POST['andrea_birthday'];
$andrea_height = $_POST['andrea_height'];
$andrea_eyehaircolor = $_POST['andrea_eyehaircolor'];
$andrea_nickname = $_POST['andrea_nickname'];
$andrea_piercingstattoos = $_POST['andrea_piercingstattoos'];
$andrea_celebritycrush = $_POST['andrea_celebritycrush'];
$andrea_parents = $_POST['andrea_parents'];
$andrea_siblings = $_POST['andrea_siblings'];
$andrea_fullname = $_POST['andrea_fullname'];
$andrea_actor = $_POST['andrea_actor'];
$andrea_band = $_POST['andrea_band'];
$andrea_magazine = $_POST['andrea_magazine'];
$andrea_movie = $_POST['andrea_movie'];
$andrea_tvshow = $_POST['andrea_tvshow'];
$andrea_cartoon = $_POST['andrea_cartoon'];
$andrea_animal = $_POST['andrea_animal'];
$andrea_car = $_POST['andrea_car'];
$andrea_color = $_POST['andrea_color'];
$andrea_food = $_POST['andrea_food'];
$andrea_season = $_POST['andrea_season'];
$andrea_holiday = $_POST['andrea_holiday'];
$andrea_songtoperform = $_POST['andrea_songtoperform'];
$andrea_performancetodate = $_POST['andrea_performancetodate'];
$andrea_singer = $_POST['andrea_singer'];
$andrea_actress = $_POST['andrea_actress'];
//clean them
$andrea_birthplace = htmlentities($andrea_birthplace);
$andrea_birthday = mysql_real_escape_string($andrea_birthday);
$andrea_height = mysql_real_escape_string($andrea_height);
$andrea_eyehaircolor = mysql_real_escape_string($andrea_eyehaircolor);
$andrea_nickname = mysql_real_escape_string($andrea_nickname);
$andrea_piercingstattoos = mysql_real_escape_string($andrea_piercingstattoos);
$andrea_celebritycrush = mysql_real_escape_string($andrea_celebritycrush);
$andrea_parents = mysql_real_escape_string($andrea_parents);
$andrea_siblings = mysql_real_escape_string($andrea_siblings);
$andrea_fullname = mysql_real_escape_string($andrea_fullname);
$andrea_actor = mysql_real_escape_string($andrea_actor);
$andrea_band = mysql_real_escape_string($andrea_band);
$andrea_magazine = mysql_real_escape_string($andrea_magazine);
$andrea_movie = mysql_real_escape_string($andrea_movie);
$andrea_tvshow = mysql_real_escape_string($andrea_tvshow);
$andrea_cartoon = mysql_real_escape_string($andrea_cartoon);
$andrea_animal = mysql_real_escape_string($andrea_animal);
$andrea_car = mysql_real_escape_string($andrea_car);
$andrea_color = mysql_real_escape_string($andrea_color);
$andrea_food = mysql_real_escape_string($andrea_food);
$andrea_season = mysql_real_escape_string($andrea_season);
$andrea_holiday = mysql_real_escape_string($andrea_holiday);
$andrea_songtoperform = mysql_real_escape_string($andrea_songtoperform);
$andrea_performancetodate = mysql_real_escape_string($andrea_performancetodate);
$andrea_singer = mysql_real_escape_string($andrea_singer);
$andrea_actress = mysql_real_escape_string($andrea_actress);
mysql_query("INSERT INTO *****
(birthplace, birthday, height, eyehaircolor, nickname, piercingstattoos, celebritycrush, parents, siblings, fullname, actor, actress, singer, band, magazine, movie, tvshow, cartoon, animal, car, color, food, season, holiday, songtoperform, performancetodate) VALUES($andrea_birthplace, $andrea_birthday, $andrea_height, $andrea_eyehaircolor, $andrea_nickname, $andrea_piercingstattoos, $andrea_celebritycrush, $andrea_parents, $andrea_siblings, $andrea_fullname, $andrea_actor, $andrea_actress, $andrea_singer, $andrea_band, $andrea_magazine, $andrea_movie, $andrea_tvshow, $andrea_cartoon, $andrea_animal, $andrea_car, $andrea_color, $andrea_food, $andrea_season, $andrea_holiday, $andrea_songtoperform, $andrea_performancetodate ) ")
or die(mysql_error());
Once again, I know that my table is set up correctly, because when I enter just “1” for every field, everything runs smoothly. I have tried mysql_real_escape_string and it did not work. I was connected to a database and I did an ifelse function to make sure that that function was available. I consider myself an educated beginner to intermediate level, and I have been troubleshooting this script for about 3 hours, and I am at my wits’ end. I appreciate any feedback in advance!
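
Added example, not part of the original post: in the posted INSERT the escaped values sit inside VALUES(...) with no surrounding quotes, and escaping does not add them, so anything other than a bare number is parsed as SQL. The code below contrasts that pattern with bound parameters through PDO; the in-memory SQLite database, the table name profile and the three-column subset are assumptions made so that it runs offline.

```php
<?php
// Added example. SQLite in memory keeps it offline; the table "profile" and
// its three columns are assumptions standing in for the post's 26 fields.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE profile (birthplace TEXT, birthday TEXT, height TEXT)');

// Form field => column. Column names come from this fixed list, never from input.
$fields = [
    'andrea_birthplace' => 'birthplace',
    'andrea_birthday'   => 'birthday',
    'andrea_height'     => 'height',
];
// Constructed sample input standing in for $_POST.
$post = [
    'andrea_birthplace' => 'Sample Falls',
    'andrea_birthday'   => '12/28/1989',
    'andrea_height'     => '5\'8"',
];

// The post's pattern: values dropped into VALUES() with no surrounding quotes.
// Returns the driver's error message, or null if the statement ran.
function insertInterpolated(PDO $pdo, array $fields, array $input): ?string
{
    $values = array_map(fn($name) => $input[$name], array_keys($fields));
    $sql = 'INSERT INTO profile (' . implode(', ', $fields) . ') VALUES(' . implode(', ', $values) . ')';
    try {
        $pdo->exec($sql);
        return null;
    } catch (PDOException $e) {
        return $e->getMessage();
    }
}

// Hardened form: one ? per column, values bound separately from the SQL text.
function insertPrepared(PDO $pdo, array $fields, array $input): void
{
    $marks = implode(', ', array_fill(0, count($fields), '?'));
    $stmt = $pdo->prepare('INSERT INTO profile (' . implode(', ', $fields) . ") VALUES($marks)");
    $stmt->execute(array_map(fn($name) => (string) ($input[$name] ?? ''), array_keys($fields)));
}

// All-"1" input parses as numeric literals, so the interpolated form appears to work.
var_dump(insertInterpolated($pdo, $fields, array_fill_keys(array_keys($fields), '1')));
// Real text is read as SQL tokens and the statement is rejected.
var_dump(insertInterpolated($pdo, $fields, $post));
// Bound parameters store the same text unchanged, quotes included.
insertPrepared($pdo, $fields, $post);
print_r($pdo->query('SELECT * FROM profile')->fetchAll(PDO::FETCH_ASSOC));
```

Against MySQL the same two functions work with a mysql: DSN in the PDO constructor; the mysql_* functions used in the post were removed in PHP 7.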