Trying simply to insert into table. Have succeeded in doing this but now want to correct user use of invalid characters. If I'm understanding correctly, Real-escape-string seems to correct these, so I've been trying to figure out how to use it. A short, test code version gives me a syntax error at INSERT VALUES, which--because it still has the single quotes in the text--tells me the real-escape-string didn't work. The code below gives me a parseing error with invalid $END at </body>. Any help appreciated!!!!!!!!!!!!!

-------------------
Insert Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' VALUES (UTC_TIMESTAMP,'What's happen' bra?')' at line 1
-------------------
Parse error: syntax error, unexpected $end in /home/powere15/public_html/DB/exercises_insert_record.php on line 94
--------------------------

<html><head><title>Exercise Catalog Insert Record</title></head>
<body>


<?
/* Change db and connect values if using online */

/* Change db and connect values if using online */

$ExerciseName=$_POST['ExerciseName'];
$ExercisePhoto1=$_POST['ExercisePhoto1'];
$ExercisePhoto2=$_POST['ExercisePhoto2'];
$Position=$_POST['Position'];
$TargetMuscles=$_POST['TargetMuscles'];
$Instructions1=$_POST['Instructions1'];
$Instructions2=$_POST['Instructions2'];
$Instructions3=$_POST['Instructions3'];
$Issues1=$_POST['Issues1'];
$Issues2=$_POST['Issues2'];
$Issues3=$_POST['Issues3'];
$db="powere15_Performax";
$link = mysql_connect('localhost', 'powere15', 'gotperformax');
if (! $link)
die(mysql_error());
mysql_select_db($db , $link) or die("Select Error: ".mysql_error());

// Query
$query = sprintf("SELECT * FROM users WHERE ExerciseName='%s' AND ExercisePhoto1='%s'
AND ExercisePhoto1='%s'
AND ExercisePhoto2='%s'
AND Position='%s'
AND TargetMuscles='%s'
AND Instructions1='%s'
AND Instructions2='%s'
AND Instructions3='%s'
AND Issues1='%s'
AND Issues2='%s'
AND Issues3='%s'",

mysql_real_escape_string($ExerciseName),
mysql_real_escape_string($ExercisePhoto1),
mysql_real_escape_string($ExercisePhoto2),
mysql_real_escape_string($Position),
mysql_real_escape_string($TargetMuscles),
mysql_real_escape_string($Instructions1),
mysql_real_escape_string($Instructions2),
mysql_real_escape_string($Instructions3),
mysql_real_escape_string($Issues1),
mysql_real_escape_string($Issues2),
mysql_real_escape_string($Issues3));

// Perform Query
$result = mysql_query($query);

// Check result
// This shows the actual query sent to MySQL, and the error. Useful for debugging.
if (!$result) {
$message = 'Invalid query: ' . mysql_error() . "\n";
$message .= 'Whole query: ' . $query;
die($message);

$result=mysql_query("INSERT INTO ExerciseCatalog (ExerciseID, ExerciseName, ExercisePhoto1, ExercisePhoto2, Position, TargetMuscles, Instructions1, Instructions2, Instructions3, Issues1, Issues2, Issues3), VALUES (
UTC_TIMESTAMP,
'$ExerciseName',
'$ExercisePhoto1',
'$ExercisePhoto2',
'$Position',
'$TargetMuscles',
'$Instructions1',
'$Instructions2',
'$Instructions3',
'$Issues1',
'$Issues2',
'$Issues3')")

or die("Insert Error: ".mysql_error());

mysql_close($link);
print "Record added";
// Free the resources associated with the result set
// This is done automatically at the end of the script
mysql_free_result($result);
?>

<form method="POST" action="exercises_insert_form.html">
<input type="submit" value="Insert Another Record">
</form>
<br>

<form method="POST" action="exercises_dbase_interface.php">
<input type="submit" value="Dbase Interface">
</form>
</body>
</html>

Try making the change noted below
Adding the echo statement immediately following the assignment of values, and before executing the query will display the query to be executed somewhere on your web page. Check the format of the query to confirm that it is what you intended it to be. In particular note that fields containing spaces or special characters must be enclosed in quotes for sql to process them correctly.

Roger

Thanks Roger, I'll give it a try.