insert not working with list of variables

[azw]

Whew. I've tried a bazillion variations but must be missing something obvious. Can someone please take a look at this and see what I'm doing wrong?

If I create the query with raw data instead of variables, it works:
_________

$Query="INSERT into $TableName values (
'0',
Now(),
'0',
'Tom',
'Tom@mail.com',
'Art',
'azw@mail.com',
'no title tomorrow',
'no message today',
'cedarCreekSavannah',
'cedar creek creep'
)";
_________

When I try to use variables, the query prints out to the screen okay, but the mail() function returns false and the record isn't in the table.
_________

$Query="INSERT into $TableName values (
'0',
Now(),
'0',
' " . $_SESSION['rName'] . " ',
' " . $_SESSION['rEmail'] . " ',
' " . $_SESSION['sName'] . " ',
' " . $_SESSION['sEmail'] . " ',
' " . $_SESSION['msgTitle'] . " ',
' " . $_SESSION['msg'] . " ',
' " . $imgSrc . " ',
' " . $imgTitle . " '
)";
_________

I wondered if it was impossible to use SESSION variables, so I made new variables. That did the same thing.
_________

// create non-session variables for insert
$rN=$_SESSION['rName'];
$rE=$_SESSION['rEmail'];
$sN=$_SESSION['sName'];
$sE=$_SESSION['sEmail'];
$mT=$_SESSION['msgTitle'];
$ms=$_SESSION['msg'];

$Query="INSERT into $TableName values (
'0',
Now(),
'0',
' ".$rN." ',
' ".$rE." ',
' ".$sN." ',
' ".$sE." ',
' ".$mT." ',
' ".$ms." ',
' ".$imgSrc." ',
' ".$imgTitle." '
)";
_________

Here's the rest of the code I'm using for the insert
_________

// for testing only
print ("query: <br>$Query<p />\n");

// add data to db
if (mysql_db_query($DBName, $Query, $Link)){ // if successful, send notification to recipient
_________

When I print the query to the screen it reads:
_________

INSERT into artCard values ( '0', Now(), '0', ''azw', 'azw@mail.com', 'art', 'azw@mail.com', 'test6', 'test6', 'filename.jpg', 'Winter Flood Plain III' )

Any hints? I'm having way too much fun with this all by myself....
Thanks!

[DoppyNL]

you're query has got one ' to much:

Code: Select all

INSERT into artCard values ( '0', Now(), '0', ''azw', 'azw@mail.com', 'art', 'azw@mail.com', 'test6', 'test6', 'filename.jpg', 'Winter Flood Plain III' )


see the fourth field.

This is probably due to the fact it is in the variable itsself ($sE).
You can use the function addslashes to escape any characters that should be escaped when used in a query (see manual for more details).

Greetz Daan

[azw]

oops. I corrected that in the code, but forgot to update the output.

BUT...I added addslashes() to the jpg file name and the darn thing worked! So you did solve the problem.

Should I use addslashes with every individual entry or do you just use it in some instances?

Thanks!

[DoppyNL]

Best thing is to add it to all fields, because then the chance is bigger that you're query will work.
You're depending on the input from users, allways asume there really stupid!

Greetz Daan

[azw]

Thanks, that part of the script seems to be okay now....on with the rest!

Do you also use addslashes() for data elements your script adds to the database? In my case there are identifiers for images the user selects from several options. The user can't change those bits of data and I have total control over the form of that data, so it doesn't seem necessary to do the extra step.

I appreciate being able to consult with someone with experience!

[DoppyNL]

addslashes only needs to be used when there is a possibility that something in a string has to be escaped because otherwise you're query doesn't work.

If you're script generates some values you want to enter, there should be no need to use addslashes.

remember that ANY value that comes from the user could be different than you expect, users can edit you're form!
don't get too paranoid though

You can check from field to field if it is necesary to use addslashes, allthough using it on all of them won't do any harm to you're query.

Greetz Daan

[azw]

Thanks, that helps!