You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ””)’ at line 2

There is a single quote in $submitsubject or $submit_message

Why is this a problem?

The single quote char terminates the string in MySQL and everything past that is treated as a sql command. You REALLY don’t want to write your sql like that. At best, your application will break intermittently (as you’re observing) and at worst, you have just introduced a huge security vulnerability.

Imagine if someone submitted '); DROP TABLE private_messages; in submit message.

Your SQL Command would be:

INSERT INTO private_messages (to_id, from_id, time_sent, subject, message) 
        VALUES('sender_id', 'id', now(),'subjet','');

DROP TABLE private_messages;

Instead you need to properly sanitize your values.

AT A MINIMUM you must run each value through mysql_real_escape_string() but you should really be using prepared statements.

If you were using mysql_real_escape_string() your code would look like this:

if($_POST['submit_message']){

if($_POST['form_subject']==""){
    $submit_subject="(no subject)";
}else{
    $submit_subject=mysql_real_escape_string($_POST['form_subject']); 
}
$submit_message=mysql_real_escape_string($_POST['form_message']);
$sender_id = mysql_real_escape_string($_POST['sender_id']);

Here is a great article on prepared statements and PDO.

Related Posts:

  1. Object of class DateTime could not be converted to string
  2. How to log in to phpMyAdmin with WAMP, what is the username and password?
  3. Should I use mysqli_real_escape string() or mysql_real_escape_string() for form data?
  4. Fatal error: Call to undefined function mysql_connect()
  5. PDOException SQLSTATE[HY000] [2002] No such file or directory
  6. http://localhost:80 is not working on running Apache server through UniServer ZeroXIII
  7. PDOException SQLSTATE[HY000] [2002] No such file or directory
  8. Mysql query- How to use contains?
  9. mysqli_fetch_array() expects parameter 1 to be mysqli_result, boolean given in
  10. Invalid column count in CSV input on line 1 Error
  11. Invalid column count in CSV input on line 1 Error
  12. $wpdb->update or $wpdb->insert results in slashes being added in front of quotes
  13. PDO with INSERT INTO through prepared statements
  14. phpMyAdmin: secret passphrase?
  15. PDO bindParam() with prepared statement isn’t working
  16. Forbidden :You don’t have permission to access /phpmyadmin on this server
  17. Creating a search form in PHP to search a database?
  18. How can I do ‘insert if not exists’ in MySQL?
  19. Fatal error: Call to a member function bind_param() on boolean [duplicate]
  20. MySqli Commands out of sync; you can’t run this command now
  21. Trying to get property of non-object in
  22. Fix Access denied for user ‘root’@’localhost’ for phpMyAdmin
  23. Getting connection failed: php_network_getaddresses: getaddrinfo failed: Name or service not known
  24. Commands out of sync; you can’t run this command now
  25. Lost connection to MySQL server at ‘reading initial communication packet’, system error: 0
  26. PHP with MySQL 8.0+ error: The server requested authentication method unknown to the client
  27. SQLSTATE[HY093]: Invalid parameter number: parameter was not defined
  28. How can I do ‘insert if not exists’ in MySQL?
  29. What does it mean to escape a string?
  30. Convert from MySQL datetime to another format with PHP
  31. MAMP “Apache couldn’t be started because port is in use.” AND “Can’t connect to local MySQL server through /tmp/mysql.sock
  32. mysqli::query(): Couldn’t fetch mysqli
  33. Unexpected Exception: SQLSTATE[HY000] [1045] Access denied for user ****@’localhost’ (using password: YES)
  34. Uncaught Error: Call to undefined function mysql_escape_string()
  35. Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in
  36. Call to a member function on null?
  37. SQLSTATE[HY093]: Invalid parameter number: number of bound variables does not match number of tokens on line 102
  38. Warning: mysqli_query() expects parameter 1 to be mysqli, resource given
  39. MySQL query to get column names?
  40. What does MYSQLI_NUM mean and do?
  41. Mysql where id is in array
  42. ERROR: SQLSTATE[HY000] [2002] No connection could be made because the target machine actively refused it
  43. What is the advantage of using try {} catch {} versus if {} else {}
  44. select * from table where column = value ^ column2= value
  45. Deprecated: mysql_query() [duplicate]
  46. No query results for model [App\Products] Laravel
  47. Fatal error: Call to a member function query() on null
  48. mysqlworkbench giving version error on exporting database
  49. How to make DROP INDEX IF EXISTS for mysql?
  50. What is the meaning of sprintf(): Too few arguments
  51. Having a problem getting mysqli_query to execute
  52. CodeIgniter: Unable to connect to your database server using the provided settings Error Message
  53. Can I store images in MySQL 
  54. MySQL Daemon Failed to Start – centos 6
  55. How to insert TIMESTAMP into my MySQL table?
  56. How to remove index.php from WordPress site URL
  57. PHP Like thing similar to MySQL Like, for if statement?
  58. How get value from URL
  59. How to use Memcached with PHP7?
  60. select count(*) from table of mysql in php
  61. Replace ' and similar html codes with their correspondent character?
  62. Google Calendar API event update always return 404 “not found” error
  63. How to prevent the “Confirm Form Resubmission” dialog?
  64. navigate back with PHP form submission
  65. How to set 777 permission on a particular folder? [closed]
  66. How do I make a redirect in PHP?
  67. How to use mysqli_query() in PHP?
  68. List of All Locales and Their Short Codes?
  69. Difference between “as $key => $value” and “as $value” in PHP foreach
  70. How do I get a YouTube video thumbnail from the YouTube API?
  71. What is a slug?
  72. Visual list of all installed fonts with respective pangram phrase?
  73. How to avoid Request Entity Too Large 413 error
  74. Array to String PHP?
  75. Undefined function mysql_connect()
  76. MySQL column count doesn’t match value count at row 1 [closed]
  77. Undefined function mysql_connect()
  78. Fatal error: Call to undefined function mysql_connect()
  79. count() parameter must be an array or an object that implements countable in laravel
  80. regex match any whitespace
  81. What’s the net::ERR_HTTP2_PROTOCOL_ERROR about?
  82. How to fix “Headers already sent” error in PHP
  83. currently unable to handle this request HTTP ERROR 500
  84. PHP page redirect
  85. Fatal error: Call to undefined function mysql_connect()
  86. Whoops, looks like something went wrong. Laravel 5.0
  87. PHP “or” Syntax
  88. How to fix “Headers already sent” error in PHP
  89. “Notice: Undefined variable”, “Notice: Undefined index”, and “Notice: Undefined offset” using PHP
  90. What are namespaces?
  91. Get the full URL in PHP
  92. “INSERT IGNORE” vs “INSERT … ON DUPLICATE KEY UPDATE”
  93. How do I get PHP errors to display?
  94. S_SESSION variable (user role) not recognised
  95. What are the main differences between PHPExcel and PhpSpreadsheet?
  96. Is SAJAX dead? What to replace with?
  97. How do I resolve a HTTP 414 “Request URI too long” error?
  98. Get the full URL in PHP
  99. How do I check if a string contains a specific word?
  100. PDOException: SQLSTATE[HY000] [2002] No such file or directory

Leave a Comment

Hata!: SQLSTATE[HY000] [1045] Access denied for user 'divattrend_liink'@'localhost' (using password: YES)