From: David Robley on
Paul_S_Johnson(a)mnb.uscourts.gov wrote:

> Yes, I may have mixed up the input and output from different iterations of
> running it. Let me try posting this again although it may not be an issue.
> Once again if I enter two sequential apostrophes in the name (O''Brien)
> the INSERT passes right through to MySQL without an error.
>
> THE INPUT:
>
> $sql_insert_registration = sprintf("INSERT INTO
> Registrations (
> Class_ID,
> prid,
> Registrant,
> Company,
> Phone,
> Email
> )
> VALUES (
> $_POST[Class_ID],
> $_POST[prid],
> '%s',".
> parseNull($_POST['Company']).",
> '$_POST[Phone]',
> '$_POST[Email]'
> )", mysql_real_escape_string($_POST['Registrant']));
>
> echo "<pre>".$_POST["Registrant"]."</pre>";
> echo "<pre>".mysql_real_escape_string($_POST["Registrant"])."</pre>";
> echo "<pre>".$sql_insert_registration."</pre>";
>
>
> THE OUTPUT:
>
> Brian O'Brien
> Brian O\'Brien
> INSERT INTO
> Registrations (
> Class_ID,
> prid,
> Registrant,
> Company,
> Phone,
> Email
> )
> VALUES (
> 355,
> 257,
> 'Brian O\'Brien',NULL,
> '612-456-5678',
> 'somebody(a)somewhere.org'
> )
> Error: You have an error in your SQL syntax; check the manual that
> corresponds to your MySQL server version for the right syntax to use near
> 'Brien', 'Class registration confirmation', ' This email ' at line 16
>
>
> Paul S. Johnson
> U.S. Bankruptcy Court
> District of Minnesota
> paul_s_johnson(a)mnb.uscourts.gov
> 612-664-5276

Check the settings for magic-quotes, and make sure you aren't using
stripslashes somewhere?

Also, echo the actual query that is being passed to mysql to check what is
happening.


Cheers
--
David Robley

Life is Roff when yer Stewpid
Today is Sweetmorn, the 70th day of Confusion in the YOLD 3176.

From: Simcha Younger on

> Paul_S_Johnson(a)mnb.uscourts.gov wrote:

> >
> > THE INPUT:
> >
> > $sql_insert_registration = sprintf("INSERT INTO
> > Registrations (
> > Class_ID,
> > prid,
> > Registrant,
> > Company,
> > Phone,
> > Email
> > )
> > VALUES (
> > $_POST[Class_ID],
> > $_POST[prid],
> > '%s',".

You need double-quotes here,
\"%s\",

> > parseNull($_POST['Company']).",
> > '$_POST[Phone]',
> > '$_POST[Email]'
> > )", mysql_real_escape_string($_POST['Registrant']));
> >


--
Simcha Younger <simcha(a)syounger.com>

From: "Ford, Mike" on
> -----Original Message-----
> From: Simcha Younger [mailto:simcha(a)syounger.com]
> Sent: 04 August 2010 08:19
>
> > Paul_S_Johnson(a)mnb.uscourts.gov wrote:
>
> > >
> > > THE INPUT:
> > >
> > > $sql_insert_registration = sprintf("INSERT INTO
> > > Registrations (
> > > Class_ID,
> > > prid,
> > > Registrant,
> > > Company,
> > > Phone,
> > > Email
> > > )
> > > VALUES (
> > > $_POST[Class_ID],
> > > $_POST[prid],
> > > '%s',".
>
> You need double-quotes here,
> \"%s\",

No, he doesn't. Single quotes are fine. Doubles would more than likely be a SQL error.

> > > parseNull($_POST['Company']).",
> > > '$_POST[Phone]',
> > > '$_POST[Email]'
> > > )", mysql_real_escape_string($_POST['Registrant']));
> > >
>
>
> --
> Simcha Younger <simcha(a)syounger.com>


Cheers!

Mike

--
Mike Ford,
Electronic Information Developer, Libraries and Learning Innovation,
Leeds Metropolitan University, C507 City Campus,
Woodhouse Lane, LEEDS,  LS1 3HE,  United Kingdom
Email: m.ford(a)leedsmet.ac.uk
Tel: +44 113 812 4730




From: Paul_S_Johnson on
OK, I figured it out. I followed the advice here to turn on MySQL logging
(which took more doing than it should have), so I could see what's really
being sent to MySQL. It wasn't choking on the query I posted in my message
but a later one in which the string was not escaped. The red herring that
led me astray was the line no. indicated in the error message that pointed
to the query I posted (or at least seemed to).

Anyway, thanks for the tips that got me pointed in the right direction.

Paul

Paul S. Johnson
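
Added example, not part of any message in this thread: the fault turned out to be a later query whose string was never escaped, and the posted INSERT also interpolates Class_ID, prid, Phone and Email directly. The sketch below binds every value through a PDO prepared statement so no field relies on a remembered escape call. The in-memory SQLite database, the emptyToNull() helper (a hypothetical stand-in for parseNull()) and the sample input are assumptions made so that it runs offline.

```php
<?php
// Added example, not from the thread. SQLite in-memory is an assumption so it runs
// offline; with MySQL only the DSN changes ('mysql:host=...;dbname=...;charset=utf8mb4').
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE Registrations (Class_ID INTEGER NOT NULL, prid INTEGER NOT NULL,
    Registrant TEXT NOT NULL, Company TEXT NULL, Phone TEXT, Email TEXT)');

// Hypothetical stand-in for the thread's parseNull(): blank input becomes SQL NULL.
function emptyToNull(?string $value): ?string
{
    $value = trim((string) $value);
    return $value === '' ? null : $value;
}

function insertRegistration(PDO $pdo, array $post): void
{
    // Numeric fields are validated; anything that is not an integer is rejected.
    $classId = filter_var($post['Class_ID'] ?? null, FILTER_VALIDATE_INT);
    $prid    = filter_var($post['prid'] ?? null, FILTER_VALIDATE_INT);
    if ($classId === false || $prid === false) {
        throw new InvalidArgumentException('Class_ID and prid must be integers');
    }
    $company = emptyToNull($post['Company'] ?? null);
    // Every value is bound, so no field depends on remembering to escape it.
    $stmt = $pdo->prepare('INSERT INTO Registrations
        (Class_ID, prid, Registrant, Company, Phone, Email)
        VALUES (:class_id, :prid, :registrant, :company, :phone, :email)');
    $stmt->bindValue(':class_id', $classId, PDO::PARAM_INT);
    $stmt->bindValue(':prid', $prid, PDO::PARAM_INT);
    $stmt->bindValue(':registrant', (string) ($post['Registrant'] ?? ''));
    $stmt->bindValue(':company', $company, $company === null ? PDO::PARAM_NULL : PDO::PARAM_STR);
    $stmt->bindValue(':phone', (string) ($post['Phone'] ?? ''));
    $stmt->bindValue(':email', (string) ($post['Email'] ?? ''));
    $stmt->execute();
}

// Constructed sample input standing in for $_POST; apostrophes in two fields.
$post = ['Class_ID' => '355', 'prid' => '257', 'Registrant' => "Brian O'Brien",
         'Company' => '', 'Phone' => '612-456-5678', 'Email' => "o'brien@example.org"];
insertRegistration($pdo, $post);
var_export($pdo->query('SELECT * FROM Registrations')->fetch(PDO::FETCH_ASSOC));

// A non-integer Class_ID is refused before any SQL is built.
try {
    insertRegistration($pdo, ['Class_ID' => '355x', 'prid' => '257']);
} catch (InvalidArgumentException $e) {
    echo "\nrejected: ", $e->getMessage(), "\n";
}
```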