I have a mySQL query that is getting stuck when I run a string containing '@'. I have tried htmlentities() and htmlspecialchars() to no avail. Here's what I'm running:
$name=$_POST['name'];
$first=$_POST['first'];
$last=$_POST['last'];
$bio=htmlentities($_POST['bio']);
$email=htmlentities($_POST['email']);
$pass=$_POST['pass'];
$date=date("m/d/y");
$bd=date('m-d-y',strtotime($_POST['month'].$_POST['date'].$_POST['year']));
$qer="insert into everything (user,first,last,bio,email,pass,date,bd) values ($name,$first,$last,$bio,$email,$pass,$date,$bd)";
if(!(mysql_query($qer,$con))){
echo "no qer";
echo mysql_error();
}
Here is the error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '@re5yhgr5tyhrtyhr5tyr5tyhrt,test@first.com,pass,12/13/12,01-01-70)' at line 1
I was first trying it just in my email parameter, but I now know it has trouble no matter where it is. >:|
I'm assuming "line 1" is the first line of sql since my actual line 1 is ""...
Sorry if this is obvious, thanks in advance!
when inserting a value with a data type of string, it should be enclosed with single quote. (Also for Date, Time, DateTime and other as long as it is not numeric)
$qer="insert into everything (user, first, last, bio, email, pass, date, bd)
values ('$name', '$first', '$last', ...)";
but the query above is vulnerable with SQL Injection, please read the article below to learn how to prevent from SQL Injection
you should wrap your args of insert sql within string, like "test@first.com"
Try: Add apostrophe (') in the fields that are of type varchar, char or date.
...values ('$name','$first','$last','$bio','$email','$pass','$date','$bd')...