You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ””)’ at line 2

There is a single quote in $submitsubject or $submit_message

Why is this a problem?

The single quote char terminates the string in MySQL and everything past that is treated as a sql command. You REALLY don’t want to write your sql like that. At best, your application will break intermittently (as you’re observing) and at worst, you have just introduced a huge security vulnerability.

Imagine if someone submitted '); DROP TABLE private_messages; in submit message.

Your SQL Command would be:

INSERT INTO private_messages (to_id, from_id, time_sent, subject, message) 
        VALUES('sender_id', 'id', now(),'subjet','');

DROP TABLE private_messages;

Instead you need to properly sanitize your values.

AT A MINIMUM you must run each value through mysql_real_escape_string() but you should really be using prepared statements.

If you were using mysql_real_escape_string() your code would look like this:

if($_POST['submit_message']){

if($_POST['form_subject']==""){
    $submit_subject="(no subject)";
}else{
    $submit_subject=mysql_real_escape_string($_POST['form_subject']); 
}
$submit_message=mysql_real_escape_string($_POST['form_message']);
$sender_id = mysql_real_escape_string($_POST['sender_id']);

Here is a great article on prepared statements and PDO.

Related Posts:

  1. Object of class DateTime could not be converted to string
  2. How to log in to phpMyAdmin with WAMP, what is the username and password?
  3. Should I use mysqli_real_escape string() or mysql_real_escape_string() for form data?
  4. Fatal error: Call to undefined function mysql_connect()
  5. PDOException SQLSTATE[HY000] [2002] No such file or directory
  6. http://localhost:80 is not working on running Apache server through UniServer ZeroXIII
  7. PDOException SQLSTATE[HY000] [2002] No such file or directory
  8. Mysql query- How to use contains?
  9. mysqli_fetch_array() expects parameter 1 to be mysqli_result, boolean given in
  10. Invalid column count in CSV input on line 1 Error
  11. Invalid column count in CSV input on line 1 Error
  12. $wpdb->update or $wpdb->insert results in slashes being added in front of quotes
  13. PDO with INSERT INTO through prepared statements
  14. phpMyAdmin: secret passphrase?
  15. PDO bindParam() with prepared statement isn’t working
  16. Forbidden :You don’t have permission to access /phpmyadmin on this server
  17. Creating a search form in PHP to search a database?
  18. How can I do ‘insert if not exists’ in MySQL?
  19. Fatal error: Call to a member function bind_param() on boolean [duplicate]
  20. MySqli Commands out of sync; you can’t run this command now
  21. Trying to get property of non-object in
  22. Fix Access denied for user ‘root’@’localhost’ for phpMyAdmin
  23. Getting connection failed: php_network_getaddresses: getaddrinfo failed: Name or service not known
  24. Commands out of sync; you can’t run this command now
  25. Lost connection to MySQL server at ‘reading initial communication packet’, system error: 0
  26. PHP with MySQL 8.0+ error: The server requested authentication method unknown to the client
  27. SQLSTATE[HY093]: Invalid parameter number: parameter was not defined
  28. How can I do ‘insert if not exists’ in MySQL?
  29. What does it mean to escape a string?
  30. Convert from MySQL datetime to another format with PHP
  31. MAMP “Apache couldn’t be started because port is in use.” AND “Can’t connect to local MySQL server through /tmp/mysql.sock
  32. mysqli::query(): Couldn’t fetch mysqli
  33. Unexpected Exception: SQLSTATE[HY000] [1045] Access denied for user ****@’localhost’ (using password: YES)
  34. Uncaught Error: Call to undefined function mysql_escape_string()
  35. Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in
  36. Call to a member function on null?
  37. SQLSTATE[HY093]: Invalid parameter number: number of bound variables does not match number of tokens on line 102
  38. Warning: mysqli_query() expects parameter 1 to be mysqli, resource given
  39. MySQL query to get column names?
  40. What does MYSQLI_NUM mean and do?
  41. Mysql where id is in array
  42. ERROR: SQLSTATE[HY000] [2002] No connection could be made because the target machine actively refused it
  43. What is the advantage of using try {} catch {} versus if {} else {}
  44. select * from table where column = value ^ column2= value
  45. Deprecated: mysql_query() [duplicate]
  46. No query results for model [App\Products] Laravel
  47. Fatal error: Call to a member function query() on null
  48. mysqlworkbench giving version error on exporting database
  49. How to make DROP INDEX IF EXISTS for mysql?
  50. What is the meaning of sprintf(): Too few arguments
  51. Having a problem getting mysqli_query to execute
  52. CodeIgniter: Unable to connect to your database server using the provided settings Error Message
  53. Can I store images in MySQL 
  54. MySQL Daemon Failed to Start – centos 6
  55. How to insert TIMESTAMP into my MySQL table?
  56. How to remove index.php from WordPress site URL
  57. PHP Like thing similar to MySQL Like, for if statement?
  58. How get value from URL
  59. How to use Memcached with PHP7?
  60. select count(*) from table of mysql in php
  61. regex match any whitespace
  62. How do I resolve a HTTP 414 “Request URI too long” error?
  63. xajax expanding list query
  64. Data source name not found, and no default driver specified
  65. How do I run a file on localhost?
  66. How to call a JavaScript function from PHP?
  67. Print array to a file
  68. How to find the date of a day of the week from a date using PHP?
  69. Convert a date format in PHP
  70. Get user role by ID WordPress
  71. How to fix syntax error, unexpected T_IF error in php?
  72. Unzip a file with php
  73. Difference between require, include, require_once and include_once?
  74. What does the PHP error message “Notice: Use of undefined constant” mean?
  75. Why I get “ERR_RESPONSE_HEADERS_TOO_BIG” on chrome?
  76. How can I force users to access my page over HTTPS instead of HTTP?
  77. How to install a specific version of package using Composer?
  78. A non well formed numeric value encountered
  79. Getting a 500 Internal Server Error on Laravel 5+ Ubuntu 14.04
  80. Access PHP variable in JavaScript
  81. Php – Your PHP installation appears to be missing the MySQL extension which is required by WordPress
  82. cannot change admin password, wordpress on godaddy
  83. Add value to usermeta without removing previous values?
  84. How can I call a row of user specific data from a custom table added to the WP Database
  85. Create a quick start wordpress installation [closed]
  86. Display data on Word Press site posts and pages from mysql table
  87. Ordering users by custom user meta
  88. Multiple meta_key in one global $wpdb;
  89. WordPress member notification
  90. Most commented posts by time period (last 12h, last 24h and etc)
  91. Known Issues in WordPress When Upgrading PHP to ver 7
  92. Modify WooCommerce used to get all orders in dashboard
  93. How to get database connection details without longing to cpanel in WordPress?
  94. Weird fonts showing which are coming from database
  95. cant insert data in a custom table in phpmyadmin
  96. SQL Query Search page
  97. How to pass username into form that sends data to database
  98. Your PHP installation appears to be missing the MySQL … After deleting and restarting from cpanel
  99. PHP Creating a formula from mysql db values and db stored math operator
  100. How to set variable to specific field when querying

Leave a Comment