SQL INSERT STATEMENT

Status
Not open for further replies.

vivilady

Programmer
Mar 5, 2005
36
GB
Good Afternoon,

Is it possible for anyone out there to spot why this piece of code is NOT carrying out the sql statement even though the cookie does exist? Please help.

if (!$conn = new COM("ADODB.Connection"))
    exit("Unable to create an ADODB connection");

$user = $HTTP_COOKIE_VARS[userName];
$topic = $_POST['topic'];
$comment = $_POST['comment'];
$password = $_POST['password'];
$submit = $_POST['submit'];
if(isset($_COOKIE['userName']) && isset($submit)){
    $strConn = "DRIVER={Microsoft Access Driver (*.mdb)}; DBQ=" . realpath("insert.mdb");
    $conn->open($strConn);
    $sql=("INSERT INTO comments (comment, user) VALUES ('$comment', '$user')");
    $result = $conn->Execute($sql);
    die ("<META http-equiv=\"Refresh\" content=\"0;url=view-blog.php\">");
    exit();
}
else {

    echo 'PLEASE LOGIN FIRST';
    echo ($user); // Testing if the USER variable is set for query use
    echo ($sql); // Trying to echo the sql statement to see if its right
}
?>

Thanks for your help!


 
The <?php ?> tags are there, I just didn't put them on the board because I thought it was not necessary. I have put some debugging info in the code, i.e. I checked if the value of the cookie is being passed to the $user variable, which it is, and then I check if the sql statement is being executed by echoing it out like so: echo ($sql); but nothing appears, which makes me suspicious of the sql statement. In addition, the code seems to be happy to carry out the else statement after the sql but NOT the sql itself....

Thanks

 
number of thoughts:

1. in your debug output you have not set the $user variable outside of the conditional. so you'll never get an output.

2. inside the conditional it is good practice to put quotes around the key name of the variable (see http_user_vars). this is not mandatory if there is no constant with the same name as a key but it will throw up php notices (not errors).

3. it is normally vital to escape incoming variables before writing to or querying a database. not knowing access dbs very well, i'd suggest using addslashes (). i'm assuming that magic_quotes_gpc is turned off. if it isn't turn it off - it's just annoying.

4. why are you putting brackets around your $sql variable?

last, it is uncertain whether your post variables are coming through ok. start the debug process off with
Code:
print_r($_POST);
to ensure that they are looking as you expect.
 
I have implemented your suggestions jpadie except " it is normally vital to escape incoming variables before writing to or querying a database. not knowing access dbs very well, i'd suggest using addslashes (). i'm assuming that magic_quotes_gpc is turned off. if it isn't turn it off - it's just annoying." because I don't know how to implement that. The code is still the same and the output for the print_r is outputting right.

any more suggestions?
 
it may then be that you need to escape the variables before inserting them into the db.

escape a var by
Code:
$var = addslashes($var);

again - i don't know whether access has any special escaping needs. you might google for this?

another debug is to echo the sql string to the screen. then copy and paste it into a native instance of access' sql query tool and see whether the insert is happening properly.
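
The escaping question raised in the replies, as an added example that is not part of the original thread: the same INSERT built once with addslashes() and once with bound parameters. SQLite in memory stands in for insert.mdb so the script runs anywhere (an assumption); like Access, it escapes a quote inside a string literal by doubling it and treats a backslash as an ordinary character. The function names and sample values are constructed.

```php
<?php
// Added example: SQLite in memory stands in for the Access file (assumption).
// A backslash is not an escape character here, so addslashes() output
// still ends the string literal at the apostrophe.

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE comments (comment TEXT, user TEXT)');
    return $db;
}

// The approach suggested in the thread: escape, then splice into the SQL text.
function insert_with_addslashes(PDO $db, string $comment, string $user): bool
{
    $sql = "INSERT INTO comments (comment, user) VALUES ('"
         . addslashes($comment) . "', '" . addslashes($user) . "')";
    try {
        $db->exec($sql);
        return true;
    } catch (PDOException $e) {
        // Print the statement that was sent, as the last reply recommends.
        echo "failed: $sql\n  " . $e->getMessage() . "\n";
        return false;
    }
}

// Bound parameters: the values travel separately from the SQL text,
// so quotes in the input never become part of the statement.
function insert_with_parameters(PDO $db, string $comment, string $user): bool
{
    $stmt = $db->prepare('INSERT INTO comments (comment, user) VALUES (?, ?)');
    return $stmt->execute([$comment, $user]);
}

$db      = open_db();
$comment = "It's a great post";   // constructed sample input with an apostrophe
$user    = 'vivilady';            // constructed sample value

var_dump(insert_with_addslashes($db, $comment, $user));
var_dump(insert_with_parameters($db, $comment, $user));

foreach ($db->query('SELECT comment, user FROM comments') as $row) {
    echo $row['user'] . ': ' . $row['comment'] . "\n";
}
```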
 