You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '''')' at line 2


Solution 1

There is a single quote in $submit_subject or $submit_message.

Why is this a problem?

The single quote char terminates the string in MySQL and everything past that is treated as an SQL command. You REALLY don't want to write your SQL like that. At best, your application will break intermittently (as you're observing) and at worst, you have just introduced a huge security vulnerability.

Imagine if someone submitted '); DROP TABLE private_messages; in submit_message.

Your SQL command would be:

INSERT INTO private_messages (to_id, from_id, time_sent, subject, message) 
        VALUES('sender_id', 'id', now(),'subject','');

DROP TABLE private_messages;

Instead you need to properly sanitize your values.

AT A MINIMUM you must run each value through mysql_real_escape_string() but you should really be using prepared statements.

If you were using mysql_real_escape_string() your code would look like this:

if($_POST['submit_message']){

    if($_POST['form_subject']==""){
        $submit_subject="(no subject)";
    }else{
        $submit_subject=mysql_real_escape_string($_POST['form_subject']); 
    }
    // every user-supplied value is escaped before it is put into the query string
    $submit_message=mysql_real_escape_string($_POST['form_message']);
    $sender_id = mysql_real_escape_string($_POST['sender_id']);

    // ... the rest of the handler (the UPDATE and INSERT queries) continues unchanged
}

Here is a great article on prepared statements and PDO.

Solution 2

That's called SQL INJECTION. The ' tries to open/close a string in your MySQL query. You should always escape any string that gets into your queries.

for example,

instead of this:

"VALUES ('$sender_id') "

do this:

"VALUES ('". mysql_real_escape_string($sender_id)  ."') "

(or equivalent, of course)

However, it's better to automate this, using PDO, named parameters, prepared statements or many other ways. Research this and SQL injection (here you have some techniques).

Hope it helps. Cheers
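Both answers above end up at the same recommendation: escaping is the minimum, prepared statements are the real fix. What follows is an added example, not code from the question or from either answer: the question's INSERT handler rewritten with PDO and named parameters, run offline against an in-memory SQLite table so the effect can be seen without a MySQL server. The table and column names are the question's; the connectMysql() helper, its DSN and credentials, the constructed payloads and the SQLite demo are assumptions made for this example.

```php
<?php
// Added example (not the question's or the answers' code): the question's
// INSERT done with PDO prepared statements. Table/column names are from the
// question; DSN, credentials and the SQLite demo are assumptions.

declare(strict_types=1);

// Bound parameters travel separately from the SQL text, so a quote (or a
// "'); DROP TABLE ..." payload) in $message is stored as data and never
// parsed as SQL. $toId is typed int because the hidden sender_id field is
// client-controlled (cast it with (int)$_POST['sender_id'] in the handler);
// $fromId should come from the server-side session, not from the form.
function sendPrivateMessage(PDO $db, int $toId, int $fromId, string $subject, string $message): int
{
    if ($subject === '') {
        $subject = '(no subject)';
    }
    $stmt = $db->prepare(
        'INSERT INTO private_messages (to_id, from_id, time_sent, subject, message)
         VALUES (:to_id, :from_id, :time_sent, :subject, :message)'
    );
    $stmt->execute([
        ':to_id'     => $toId,
        ':from_id'   => $fromId,
        ':time_sent' => gmdate('Y-m-d H:i:s'),   // portable stand-in for MySQL now()
        ':subject'   => $subject,
        ':message'   => $message,
    ]);
    return (int) $db->lastInsertId();
}

// For contrast only: the string the question's code hands to mysql_query()
// for the same inputs. It is built to show the broken SQL, never executed.
function unsafeQueryText(string $toId, string $fromId, string $subject, string $message): string
{
    return "INSERT INTO private_messages (to_id, from_id, time_sent, subject, message)
        VALUES('$toId', '$fromId', now(),'$subject','$message')";
}

// Connection for the real application (assumed DSN and credentials).
// ATTR_EMULATE_PREPARES => false makes PDO use MySQL's server-side prepared
// statements instead of quoting the values client-side.
function connectMysql(string $host, string $dbName, string $user, string $pass): PDO
{
    return new PDO(
        "mysql:host=$host;dbname=$dbName;charset=utf8mb4",
        $user,
        $pass,
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false,
        ]
    );
}

// Offline demo against in-memory SQLite (assumption: pdo_sqlite is available).
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE private_messages (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    to_id INTEGER NOT NULL, from_id INTEGER NOT NULL,
    time_sent TEXT NOT NULL, subject TEXT NOT NULL, message TEXT NOT NULL)');

// Constructed inputs: a bare quote, which unbalances the interpolated string
// literal, and the payload from Solution 1.
$payloads = ["'", "'); DROP TABLE private_messages; --"];

foreach ($payloads as $payload) {
    echo "Interpolated SQL (broken):\n", unsafeQueryText('7', '3', '', $payload), "\n";
    $id  = sendPrivateMessage($db, 7, 3, '', $payload);
    $row = $db->prepare('SELECT subject, message FROM private_messages WHERE id = :id');
    $row->execute([':id' => $id]);
    $stored = $row->fetch(PDO::FETCH_ASSOC);
    printf("Stored row %d: subject=%s message=%s\n", $id, $stored['subject'], $stored['message']);
}

// The table is still there: the DROP TABLE text was stored, not executed.
$count = (int) $db->query('SELECT COUNT(*) FROM private_messages')->fetchColumn();
echo "Rows in private_messages: $count\n";
```

Run it with a PHP build that has pdo_sqlite; for the application itself, replace the SQLite connection with connectMysql() and pass the session's user id as $fromId. One practical caveat for anyone still on the escaping route: the mysql_* functions used in the question and in the examples above were removed in PHP 7, so a current fix has to go through PDO or mysqli in any case.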

Author: Psinyee

Updated on November 30, 2020

Comments

  • Psinyee, over 3 years ago:

    I am getting an Error in MySQL:

    You have an error in your SQL syntax; check the manual that corresponds 
    to your MySQL server version for the right syntax to use near '''')' at line 2
    

    HTML Code:

    <form action="read_message.php" method="post">
      <table class="form_table">
        <tr>
          <td style="font-weight:bold;">Subject:</td>
          <td><input style=" width:300px" name="form_subject"/></td>
          <td></td>
        </tr>
        <tr>
          <td style="font-weight:bold;">Message:</td>
          <td id="myWordCount">&nbsp;(300 words left)</td>
          <td></td>
        </tr>
        <tr>
          <td><input type="hidden" name="sender_id" value="<?php echo $sender_id?>"></td>
          <td><textarea cols="50" rows="4" name="form_message"></textarea></td>
          <td valign="bottom"><input type="submit" name="submit_message" value="send"></td>
        </tr>
      </table>
    </form>
    

    Code to insert into a mysql table:

    <?php
      include_once "connect_to_mysql.php";
      // $id and $shortMessagesLeft are set elsewhere (not shown in the question)
      //submit new message
      if($_POST['submit_message']){
    
        if($_POST['form_subject']==""){
          $submit_subject="(no subject)";
        }else{
          $submit_subject=$_POST['form_subject'];   // raw POST value, not escaped
        }
        $submit_message=$_POST['form_message'];     // raw POST value, not escaped
        $sender_id = $_POST['sender_id'];           // raw POST value, not escaped
        if($shortMessagesLeft<1){
          $form_error_message='You have left with '.$shortMessagesLeft.' Short Message. Please purchase it from the <a href="membership.php?id='.$id.'">shop</a>.';
        }
        else if($submit_message==""){
          $form_error_message = 'Please fill in the message before sending.';
        }
        else{
          $message_left = $shortMessagesLeft-1;
          $update_short_message = mysql_query("UPDATE message_count SET short_message = '$message_left' WHERE user_id = '$id'");
          // the raw values are interpolated straight into the SQL string
          $sql = mysql_query("INSERT INTO private_messages (to_id, from_id, time_sent, subject, message) 
            VALUES('$sender_id', '$id', now(),'$submit_subject','$submit_message')") or die (mysql_error());
        }
      }
    
    ?>
    

    What does the error mean and what am I doing wrong?