I'm receive the following error below, I believe its do in part the quote that I have in the insert string 5'10 - (178cm)
in which is passed by the $en['height']
variable. what's the best way to handle this error?
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '10 - (178cm)', m_btype = 'Rather Not Say' at line 12
this is the mysql insert:
m_height = '".$en['height']."',
table is set as:
varchar(30) latin1_swedish_ci
Your issue is that you must "escape" strings before inputting them into SQL queries. Not doing that will allow people to alter your query by inputting quotes. Example if I input the following string:
'; select * from users; --
Its possible to execute SQL that you did not intend. The solution is to escape:
m_height = '".mysql_real_escape_string($en['height'])."',
Or better yet use a more up to date method of querying mysql such as PDO or mysqli functions.
Edit I also think you have a more general syntax error. Try this:
m_height = "'".mysql_real_escape_string($en['height'])."'",