Thank you for the amazing reply. The first few lines of your e-mail got me to EXACTLY where I made a mistake. I guess I didn't take the () and ' ' at face value and was looking somewhere else for the problem.<div>
<br></div><div>By sanitizing, do you mean checking the numbers to make sure they are valid numbers and not alphabetic or other characters? Or are you pointing to the fact that I am keeping the MySQL root password in a plain .php file? I have done an include of a PHP file which has the MySQL root password, and that is inserted as an #include in the HTML file. So, if someone checks the source of the HTML, they can't see the MySQL root password. Also, the root user on MySQL is set to accept only from localhost.</div>
<div><br></div><div>I would really appreciate it if you can weigh in on it a bit.</div><div><br></div><div>Thanks,</div><div>Bruce<br><br><div class="gmail_quote">On Sat, Jul 10, 2010 at 7:42 AM, Gerald A <span dir="ltr"><<a href="mailto:geraldablists@gmail.com">geraldablists@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">Hi Bruce,<br><br>First, your problem isn't PHP, it seems to be SQL and I'm guessing MySQL at that.<br><div style="display:inline">
</div><br>
Next, you seem to be accepting user input and not sanitizing it. DANGER WILL ROBINSON!!!<br>This is bad, because it leaves you open to something known as a "SQL injection attack".<br><br>Now, as to syntax:<br><br>
<div class="gmail_quote"><div class="im">On Sat, Jul 10, 2010 at 12:07 AM, bruce bruce <span dir="ltr"><<a href="mailto:bruceb444@gmail.com" target="_blank">bruceb444@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left:1px solid rgb(204, 204, 204);margin:0pt 0pt 0pt 0.8ex;padding-left:1ex">
<br><div>I am making another module for Voicemail. I have three fields in a POST form that have to be connected together to make it a single 10 digit number but there is something wrong in my syntax probably.</div>
<div><br></div><div><br></div><div><div>$npaa = "('$_POST[anpa]')";</div><div>$nxxa = "('$_POST[anxx]')";</div><div>$blocka = "('$_POST[ablock]')";</div><div><br></div>
<div><b>$grplist = $npaa.$nxxa.$blocka;</b></div></div></blockquote></div><div><br>Ok, so suppose arpa=111, anxx=222 and ablock=3333.<br>grplist would then be ('111')('333')('4444'). <br><br></div>
<div class="im"><blockquote class="gmail_quote" style="border-left:1px solid rgb(204, 204, 204);margin:0pt 0pt 0pt 0.8ex;padding-left:1ex">
<div>$sql="INSERT INTO findmefollow(grpnum, strategy, grptime, grppre, grplist, annmsg_id, postdest, dring, needsconf, remotealert_id, toolate_id, ringing, pre_ring) VALUES ('$_POST[grpnum]','ringall','$_POST[grptime]','$_POST[grppre]',$grplist,'0','$_POST[postdest]','','','0','0','Ring','$_POST[pre_ring]')";</div>
<div>
</div><div><br></div><div><br></div><div>It seems that $grplist is the problem. Can someone please point what is wrong?</div><div><br></div><div>Error:</div><div><span style="font-family:'Times New Roman';font-size:medium">Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '('333')('4444'),'0','ext-local,vmb2000,1','','','0','0','Ring','0')' at line 3</span></div>
</blockquote></div><div><br>Look closely, grasshopper. See it? (Does the hint above help?) Hmmm, ok.<br><br>Let's write the line as SQL:<br>INSERT INTO findmefollow(grpnum, strategy, grptime, grppre, grplist,
annmsg_id, postdest, dring, needsconf, remotealert_id, toolate_id,
ringing, pre_ring) VALUES ('0','ringall','0','0',('111')('333')('4444'),'0','0','','','0','0','Ring','0')";<br>
<br>Clear now? You are trying to insert the raw value --> ('111')('333')('4444') <-- into your database. This can't make any sense except as a string, and this isn't one.<br><br>I think what you might have meant is to quote the _whole thing_ as a string, and not the individual pieces. Then:<br>
$grplist = "'".$npaa.$nxxa.$blocka."'";<br>and <br>$blocka = "($_POST[ablock])"; # and for all of them above<br><br>This would make the value '(111)(333)(4444)', which should work fine.<br>
<br>Now, if you really meant to add in the quotes, you'll have to "quote the quotes", which can be hard to do in good times.<br><br>Hope this helps,<br>Gerald.<br></div></div>
</blockquote></div><br></div>
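<div>An added example, not part of either message: one way to do the sanitizing discussed above, by checking that each form field is digits only and passing the values as bound parameters instead of quoting them by hand. The field and table names come from the thread; the in-memory SQLite database, the trimmed column list and the 1 to 10 digit rule for grpnum are assumptions made so the script runs on its own.</div>

```php
<?php
// Added example. anpa/anxx/ablock/grpnum and findmefollow come from the thread;
// the SQLite in-memory DB and the three-column table are assumptions.

// Return the field only if it is a string of $min..$max ASCII digits.
function digits(array $in, string $key, int $min, int $max): string {
    $v = $in[$key] ?? '';
    if (!is_string($v) || !preg_match('/\A[0-9]{' . $min . ',' . $max . '}\z/', $v)) {
        throw new InvalidArgumentException("$key must be $min to $max digits");
    }
    return $v;
}

// Join the three validated parts into the single 10-digit number.
function build_grplist(array $in): string {
    return digits($in, 'anpa', 3, 3) . digits($in, 'anxx', 3, 3) . digits($in, 'ablock', 4, 4);
}

function insert_follow(PDO $db, array $in): void {
    // Placeholders keep the data out of the SQL text, so no quotes are built by hand.
    $st = $db->prepare(
        'INSERT INTO findmefollow (grpnum, strategy, grplist) VALUES (:grpnum, :strategy, :grplist)'
    );
    $st->execute([
        ':grpnum'   => digits($in, 'grpnum', 1, 10),   // assumed format
        ':strategy' => 'ringall',
        ':grplist'  => build_grplist($in),
    ]);
}

$db = new PDO('sqlite::memory:');   // the same prepare/execute calls work with a mysql: DSN
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE findmefollow (grpnum TEXT, strategy TEXT, grplist TEXT)');

// Constructed inputs standing in for $_POST: one valid, one with a stray quote.
$good = ['grpnum' => '2000', 'anpa' => '111', 'anxx' => '222', 'ablock' => '3333'];
$bad  = ['grpnum' => '2000', 'anpa' => '111', 'anxx' => "2'2", 'ablock' => '3333'];

foreach ([$good, $bad] as $post) {
    try {
        insert_follow($db, $post);
        echo "stored\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
print_r($db->query('SELECT * FROM findmefollow')->fetchAll(PDO::FETCH_ASSOC));
```

Validation rejects malformed input early with a clear message, while the bound parameters are what keep any value from being parsed as SQL.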