Question
I'm having trouble with a syntax error in my mssql_query function. After a while of trying different things, I thought I'd bring it here. Thanks for any help.
This is the code:
https://stackoverflow.com/questions/23225056
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
Russian<?php
...
$name = $_POST['name'];
$contactname = $_POST['contactname'];
$contacttitle = $_POST['contacttitle'];
$streetaddress = $_POST['streetaddress'];
$city = $_POST['city'];
$state = $_POST['state'];
$zipcode = $_POST['zipcode'];
$telephone = $_POST['telephone'];
$fax = $_POST['fax'];
$email = $_POST['email'];
$director = $_POST['director'];
$affiliation1 = $_POST['affiliation1'];
$address1 = $_POST['address1'];
$phone1 = $_POST['phone1'];
$affiliation2 = $_POST['affiliation2'];
$address2 = $_POST['address2'];
$phone2 = $_POST['phone2'];
$affiliation3 = $_POST['affiliation3'];
$address3 = $_POST['address3'];
$phone3 = $_POST['phone3'];
$yearsoperational = $_POST['yearsoperational'];
$donorsannually = $_POST['donorsannually'];
$limit = $_POST['limit'];
$coveraget = $_POST['coverage'];
$donors1 = $_POST['donors1'];
$claims1 = $_POST['claims1'];
$medexppaid1 = $_POST['medexppaid1'];
$donors2 = $_POST['donors2'];
$claims2 = $_POST['claims2'];
$medexppaid2 = $_POST['medexppaid2'];
$donors3 = $_POST['donors3'];
$claims3 = $_POST['claims3'];
$medexppaid3 = $_POST['medexppaid3'];
$donorinstructions = $_POST['donorinstructions'];
//Connect to MSSQL Server
$myServer = ".\MSSQLSERVER2008";
$myUser = "user";
$myPass = "password";
$myDB = "database,name";
//connection to the server
$dbhandle = mssql_connect($myServer, $myUser, $myPass)
or die("Couldn't connect to SQL Server on $myServer");
//select a database to work with
$selected = mssql_select_db($myDB, $dbhandle)
or die("Couldn't open database $myDB");
//insert form results into database
$query = mssql_query("INSERT INTO table_name (Name_of_Center,Name,Title,Street_Address,City,State,Zipcode,Phone,Fax,Email,Director,HA1,HA1_Address,
HA1_Phone,HA2,HA2_Address,HA2_Phone,HA3,HA3_Address,HA3_Phone,No_of_Years_Operational,Donors_Annually,Limit,Coverage,
Donors_2012,Donors_2011,Donors_2010,Claims_2012,Claims_2011,Claims_2010,Med_Exp_Paid_2012,Med_Exp_Paid_2011,Med_Exp_Paid_2010,Donor_Instructions)
VALUES ($name,$contactname,$contacttitle,$streetaddress,$city,$state,$zipcode,$telephone,$fax,$email,$director,$affiliation1,$address1,$phone1,$affiliation2,
$address2,$phone2,$affiliation3,$address3,$phone3,$yearsoperational,$donorsannually,$limit,$coverage,$donors1,$claims1,$medexppaid1,$donors2,$claims2,$medexppaid2,
$donors3,$claims3,$medexppaid3,$donorinstructions);");
if(!$query){
echo 'Failed to receive data. Please try again, or contact support';
}
else{
echo 'Successfully received data.';
$results = mysql_query($query);
var_dump($results);
}
mssql_close()
?>
The line it's saying has the syntax error is this:
$donors3,$claims3,$medexppaid3,$donorinstructions);");
Here's the error in browser:
Warning: mssql_query() [function.mssql-query]: message: Incorrect syntax near ','. (severity 15)
Solution
Your ENTIRE problem is that you're vulnerable to SQL injection attacks. If you were aware of the problem, you'd also realize why your query has these syntax errors and is fundamentally broken: you forgot to quote EVERY SINGLE bit of data you're inserting into the query.
A quick dirty fix that really doesn't fix the fundamental problem:
VALUES ('$name','$contactname','$contacttitle',etc...
^-----^-^--- insert quotes everywhere.
