I'm trying to execute this:
$result = mysql_query("INSERT INTO timesheet (project_no,user,cust_name,notes,duration) VALUES("'".$_POST['project']."', '".$_POST['user']."', '".$_POST['cust']."', '".$_POST['notes']."', '".$_POST['duration']."'")") or die(mysql_error());
I'm aware of SQL injection. But for now can anyone spot the issues with apostrophes, speech marks etc??
The apostrophes were not correct.
$result = mysql_query("INSERT INTO timesheet (project_no,user,cust_name,notes,duration) VALUES('".$_POST['project']."', '".$_POST['user']."', '".$_POST['cust']."', '".$_POST['notes']."', '".$_POST['duration']."')") or die(mysql_error());
The mistake was in the beginning in "values" and on the closing bracket inside the query string. Use an editor with syntax highlighting, that would've already showed the problem.
Use prepared statements http://www.petefreitag.com/item/356.cfm
I think double quote and closing apostrophes issue. Try this:
$result = mysql_query("INSERT INTO timesheet (project_no,user,cust_name,notes,duration) VALUES('".$_POST['project']."', '".$_POST['user']."', '".$_POST['cust']."', '".$_POST['notes']."', '".$_POST['duration']."')") or die(mysql_error());
Unending lines filled with parts of strings and variables concatenated with dots is one of the most horrible habits of too many PHP programmers. Do your future self a favor and write readable code. Sticking with this example (ignoring all its other problems) use other variables to hold the values (which in the real world you'll need anyway since you're not going to directly use $_POST I hope) and write something like this:
$sql = "INSERT INTO timesheet (project_no,user,cust_name,notes,duration)
VALUES('$project', '$user', '$cust', '$notes', '$duration')";
$result = mysql_query($sql) or die(mysql_error());
no more quotes open/close madness, no more 239 chars line, way more readable and maintainable.