bruce bruce
2010-Jul-10 04:07 UTC
[asterisk-users] PHP can't insert - Can someone please help
Hi Guys,

I am making another module for Voicemail. I have three fields in a POST form that have to be connected together to make it a single 10 digit number but there is something wrong in my syntax probably.

$npaa = "('$_POST[anpa]')";
$nxxa = "('$_POST[anxx]')";
$blocka = "('$_POST[ablock]')";

*$grplist = $npaa.$nxxa.$blocka;*

$sql="INSERT INTO findmefollow(grpnum, strategy, grptime, grppre, grplist, annmsg_id, postdest, dring, needsconf, remotealert_id, toolate_id, ringing, pre_ring)
VALUES ('$_POST[grpnum]','ringall','$_POST[grptime]','$_POST[grppre]',$grplist,'0','$_POST[postdest]','','','0','0','Ring','$_POST[pre_ring]')";

It seems that $grplist is the problem. Can someone please point what is wrong?

Error:
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '('333')('4444'),'0','ext-local,vmb2000,1','','','0','0','Ring','0')' at line 3

Thanks,
Bruce
Zeeshan Zakaria
2010-Jul-10 12:28 UTC
[asterisk-users] PHP can't insert - Can someone please help
It's not wise to haste in posting for help without first spending some time thinking yourself. Your mysql syntax is not right, you can clearly see the missing single quotes starting from 'ext-local.

I would also suggest to use a different syntax for this mysql statement, i.e. using SET instead of VALUES, which makes the syntax much clearer, i.e.

INSERT INTO `table` SET `col1` = 'value1', `col2`= 'val2'

and so on.

Zeeshan A Zakaria
--
www.ilovetovoip.com

On 2010-07-10 12:13 AM, "bruce bruce" <bruceb444 at gmail.com> wrote:
> Hi Guys,
>
> I am making another module for Voicemail. I have three fields in a POST
> form that have to be connected together to make it a single 10 digit number
> but there is something wrong in my syntax probably.
>
> $npaa = "('$_POST[anpa]')";
> $nxxa = "('$_POST[anxx]')";
> $blocka = "('$_POST[ablock]')";
>
> *$grplist = $npaa.$nxxa.$blocka;*
>
> $sql="INSERT INTO findmefollow(grpnum, strategy, grptime, grppre, grplist, annmsg_id, postdest, dring, needsconf, remotealert_id, toolate_id, ringing, pre_ring)
> VALUES ('$_POST[grpnum]','ringall','$_POST[grptime]','$_POST[grppre]',$grplist,'0','$_POST[postdest]','','','0','0','Ring','$_POST[pre_ring]')";
>
> It seems that $grplist is the problem. Can someone please point what is
> wrong?
>
> Error:
> Error: You have an error in your SQL syntax; check the manual that
> corresponds to your MySQL server version for the right syntax to use near
> '('333')('4444'),'0','ext-local,vmb2000,1','','','0','0','Ring','0')' at
> line 3
>
> Thanks,
> Bruce
bruce bruce
2010-Jul-10 14:21 UTC
[asterisk-users] PHP can't insert - Can someone please help
Thank you for the amazing reply. First few lines of your e-mail was EXACTLY getting me to where I made a mistake. I guess I didn't take the () and ' ' at their face value and was looking somewhere else for the problem.

For sanitizing you mean checking the numbers to make sure they are valid numbers and not alphabet or other characters? Or, are you pointing to the fact that I am keeping mysql root password in plain .php file? I have done an include of a php file which has mysql root password and that is inserted as an #include in the html file. So, if someone checks source for html can't see mysql root password. Even though the root user on mysql is to accept only from localhost.

I would really appreciate it if you can weigh in on it a bit.

Thanks,
Bruce

On Sat, Jul 10, 2010 at 7:42 AM, Gerald A <geraldablists at gmail.com> wrote:
> Hi Bruce,
>
> First, your problem isn't PHP, it seems to be SQL and I'm guessing MySQL at
> that.
>
> Next, you seem to be accepting user input and not sanitizing it. DANGER
> WILL ROBINSON!!!
> This is bad, because it leaves you open to something known as a "SQL
> injection attack".
>
> Now, as to syntax:
>
> On Sat, Jul 10, 2010 at 12:07 AM, bruce bruce <bruceb444 at gmail.com> wrote:
>
>> I am making another module for Voicemail. I have three fields in a POST
>> form that have to be connected together to make it a single 10 digit number
>> but there is something wrong in my syntax probably.
>>
>> $npaa = "('$_POST[anpa]')";
>> $nxxa = "('$_POST[anxx]')";
>> $blocka = "('$_POST[ablock]')";
>>
>> *$grplist = $npaa.$nxxa.$blocka;*
>
> Ok, so suppose arpa=111, anxx=222 and ablock=3333.
> grplist would then be ('111')('333')('4444').
>
>> $sql="INSERT INTO findmefollow(grpnum, strategy, grptime, grppre,
>> grplist, annmsg_id, postdest, dring, needsconf, remotealert_id, toolate_id,
>> ringing, pre_ring)
>> VALUES ('$_POST[grpnum]','ringall','$_POST[grptime]','$_POST[grppre]',$grplist,'0','$_POST[postdest]','','','0','0','Ring','$_POST[pre_ring]')";
>>
>> It seems that $grplist is the problem. Can someone please point what is
>> wrong?
>>
>> Error:
>> Error: You have an error in your SQL syntax; check the manual that
>> corresponds to your MySQL server version for the right syntax to use near
>> '('333')('4444'),'0','ext-local,vmb2000,1','','','0','0','Ring','0')' at
>> line 3
>
> Look closely, grasshopper. See it? (Does the hint above help?) Hmmm, ok.
>
> Let's write the line as SQL:
> INSERT INTO findmefollow(grpnum, strategy, grptime, grppre, grplist,
> annmsg_id, postdest, dring, needsconf, remotealert_id, toolate_id, ringing,
> pre_ring)
> VALUES ('0','ringall','0','0',('111')('333')('4444'),'0','0','','','0','0','Ring','0')";
>
> Clear now? You are trying to insert the raw value -->
> ('111')('333')('4444') <-- into your database. This can't make any sense
> except as a string, and this isn't one.
>
> I think what you might have meant is to quote the _whole thing_ as a
> string, and not the individual pieces. Then:
> $grplist = "'(".$npaa.$nxxa.$blocka.")'";
> and
> $blocka = "($_POST[ablock])"; # and for all of them above
>
> This would make the value '(111)(333)(4444)', which should work fine.
>
> Now, if you really meant to add in the quotes, you'll have to "quote the
> quotes", which can be hard to do in good times.
>
> Hope this helps,
> Gerald.
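
An added example, not part of any message in this thread: one way to build the 10-digit grplist from validated form fields and insert the row with bound parameters, so that neither the quoting error nor the SQL injection risk discussed above can occur. The table and column names are taken from the posted INSERT; the function names, the sample input and the use of in-memory SQLite through PDO (so the code runs without a MySQL server) are assumptions.

```php
<?php
// Added example, not code from the thread; names and sample input are constructed.
// Accept each form field only as a fixed-length digit string, then join them.
function build_grplist(array $post): string
{
    $number = '';
    foreach (['anpa' => 3, 'anxx' => 3, 'ablock' => 4] as $field => $len) {
        $value = $post[$field] ?? '';
        if (!is_string($value) || !preg_match('/\A[0-9]{' . $len . '}\z/', $value)) {
            throw new InvalidArgumentException("$field must be exactly $len digits");
        }
        $number .= $value;
    }
    return $number; // plain 10 digits; quoting is left to the driver
}

function insert_followme(PDO $db, array $post): void
{
    // Placeholders keep request data out of the SQL text entirely.
    $stmt = $db->prepare(
        "INSERT INTO findmefollow (grpnum, strategy, grptime, grppre, grplist,
             annmsg_id, postdest, dring, needsconf, remotealert_id, toolate_id,
             ringing, pre_ring)
         VALUES (:grpnum, 'ringall', :grptime, :grppre, :grplist,
             '0', :postdest, '', '', '0', '0', 'Ring', :pre_ring)"
    );
    $stmt->execute([
        'grpnum'   => $post['grpnum'] ?? '',
        'grptime'  => $post['grptime'] ?? '',
        'grppre'   => $post['grppre'] ?? '',
        'grplist'  => build_grplist($post),
        'postdest' => $post['postdest'] ?? '',
        'pre_ring' => $post['pre_ring'] ?? '',
    ]);
}

// Demo on in-memory SQLite (assumption, so it runs without a MySQL server).
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE findmefollow (grpnum, strategy, grptime, grppre, grplist, annmsg_id,
    postdest, dring, needsconf, remotealert_id, toolate_id, ringing, pre_ring)');
$post = ['grpnum' => '2000', 'grptime' => '20', 'grppre' => "Bruce's", 'anpa' => '111',
    'anxx' => '333', 'ablock' => '4444', 'postdest' => 'ext-local,vmb2000,1', 'pre_ring' => '0'];
insert_followme($db, $post); // the apostrophe in grppre is stored as data
echo $db->query('SELECT grplist FROM findmefollow')->fetchColumn(), "\n";
try {
    insert_followme($db, ['anpa' => '11a'] + $post); // non-digit input is refused
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Against MySQL the same two functions apply unchanged with a `mysql:` PDO DSN, ideally using an account that holds only the privileges the form needs on this table.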