What's wrong with this SQL statement?

puppymagic · 01-29-2011, 10:29 AM

It is under PHP/MySQL

$queryresult = $conn->query("INSERT INTO normalrequests VALUES($finalkey, 1234, 5678, FALSE)");

thanks....

it is connected to the database successfully but I feel there is something wrong with the statement up there~~

Snark1994 · 01-29-2011, 10:52 AM

As far as I'm aware (and without having tried it) the format is correct, as long as you have 4 fields and 4 fields only, which appear in the order listed above. If you had, say, 5 fields then you would need to tell it into which columns you wanted to enter data:

Code:

INSERT INTO normalrequests (key, numberone, numbertwo, aboolean) VALUES ($finalkey, 1234, 5678, FALSE)

where key, numberone, etc. were the names of your columns.

paulsm4 · 01-29-2011, 11:16 AM

Hi -

STRONG SUGGESTION:
Cut/paste the exact statement into mysql.

This will give you an error message; you should be able to identify and resolve the problem almost immediately.

If you have any questions about what mySql is doing, then cut/paste your input and the mysql response into this thread.

My guess is that you probably need to quote one or more of your values.

'Hope that helps!

dugan · 01-29-2011, 11:28 AM

Quote:

Originally Posted by puppymagic

$queryresult = $conn->query("INSERT INTO normalrequests VALUES($finalkey, 1234, 5678, FALSE)");

Isn't this a security vulnerability?

If finalKey were set to:

Code:

$finalKey = '1, 1, 1, FALSE); DROP TABLE normalRequest; INSERT INTO normalRequest VALUES (1'

Then the line would be:

Code:

$queryResult = $conn->query("INSERT INTO normalRequests VALUES(1, 1, 1, FALSE); DROP TABLE normalRequest; INSERT INTO normalRequest VALUES (1, 1234, 5678, FALSE)");

As a rule, every database query that involves a parameter should be done with prepared statements and parameter binding.

eSelix · 01-29-2011, 11:35 AM

It depends on what is in the variable "$finalkey". If this is always an integer I suggest to make

Code:

$finalkey = intval($finalkey);

before $conn->query().

paulsm4 · 01-30-2011, 11:40 AM

Hi again, puppymagic -

Let me repeat - if you think a SQL statement might be having a problem, just try copying/pasting the statement into mysql.

You can add a PHP "echo" to your code in order to get something you can copy/paste from.

It's probably the fastest/easiest way to troubleshoot.

And please let us know how things turn out!

puppymagic · 02-12-2011, 02:57 AM

oh the problem has been solved by going '$finalkey' instead of $finalkey thanks for all your inputs, guys and girls from Linux Questions

and the value of the $finalkey is randomly generated within the php script. it is not something the visitor to the website can place in there instead.