Hi guys! I know this shouldn't happen, but I've got a MySQL error, but only in Google Chrome and I presume Safari. It's strange because the page shows correctly in all browsers despite the error :s Here is the error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '(email, password, first, sur, contact) VALUES ('','d41d8cd98f00b204e9800998ecf84' at line 1

email should have a value going into it as well. This error is only seen in the source on Chrome but not in the IE/FF source. And the values go into the table as well. Any ideas how to fix this? I've echoed the email address to screen and it is there. Insert code:

mysql_query("INSERT INTO $_POST[table] (email, password, first, sur, contact) VALUES ('$_POST[email]','".md5($_POST['pass'])."','$_POST[first]','$_POST[sur]','$_POST[contact]')") or die(mysql_error());

Any help? Cheers, J
Try to use it like this:

mysql_query("INSERT INTO $_POST[table] (`email`, `password`, `first`, `sur`, `contact`) VALUES ('" . mysql_real_escape_string($_POST[email]) . "','" . md5($_POST['pass']) . "','" . mysql_real_escape_string($_POST[first]) . "','" . mysql_real_escape_string($_POST[sur]) . "','" . mysql_real_escape_string($_POST[contact]) . "')") or die(mysql_error());
Hi mate. Nope, another good effort. Error now:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '(`email`, `password`, `first`, `sur`, `contact`) VALUES ('','d41d8cd98f00b204e98' at line 1

Page still loads and inserts data. Any other ideas?
Do you mean that the query executes and still gives an error? OK, do it like this so I can see the full error query:

$cmd = "INSERT INTO $_POST[table] (`email`, `password`, `first`, `sur`, `contact`) VALUES ('" . mysql_real_escape_string($_POST[email]) . "','" . md5($_POST['pass']) . "','" . mysql_real_escape_string($_POST[first]) . "','" . mysql_real_escape_string($_POST[sur]) . "','" . mysql_real_escape_string($_POST[contact]) . "')";
mysql_query($cmd) or die(mysql_error() . $cmd);
Now the error is:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '(`email`, `password`, `first`, `sur`, `contact`) VALUES ('','d41d8cd98f00b204e98' at line 1INSERT INTO (`email`, `password`, `first`, `sur`, `contact`) VALUES ('','d41d8cd98f00b204e9800998ecf8427e','','','')

It's strange. If you echo any of the variables to screen it works fine.
Now see here:

INSERT INTO <MISSING TABLE NAME> (`email`, `password`, `first`, `sur`, `contact`) VALUES ('','d41d8cd98f00b204e9800998ecf8427e','','','')
Not sure what's going on. If I hardcode it, the code works. Also, if I look at the code, the variables aren't in the source code.

Chrome:
<input type="hidden" name="table" value="" />
<input type="hidden" name="email" value="" />

IE & FF:
<input type="hidden" name="table" value="reps" />
<input type="hidden" name="email" value="av1bbatey@hotmail.com" />

Yet both can echo the variables to the screen! What's going on!!! :s
You should never pass table variables through that way... It can lead to being hacked quite easily... ALWAYS hardcode them in some way, or in a way no one can alter them.
NatalicWolf - How can they hack it? I guess they could create a new file to the same page and fill in the values that they wanted, but any table that doesn't exist will just error, right? And I can put anti-injection code in to stop them trying to remove data. octal - thanks, I will PM you the URL.
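An added example, not code from any poster in this thread, showing the shape the INSERT takes once the two points raised above are addressed: the table name comes from a server-side allowlist rather than the request (escaping functions only protect quoted string values, not identifiers, which is why mysql_real_escape_string() cannot be applied to the table name), and the column values are bound through a prepared statement instead of being interpolated. It also validates that the fields are non-empty before touching the database, which would have turned the empty-value submissions in the thread into a 400 response instead of a row of blanks; the hash in the echoed query, d41d8cd98f00b204e9800998ecf8427e, is md5('') and shows the password field was empty too. Assumptions: a PDO connection in $db with exceptions enabled, the table name 'reps' from the thread plus a hypothetical 'staff' as the allowlist, and password_hash() in place of md5().

```php
<?php
// Added example (not the original poster's code). Assumes a PDO/MySQL
// connection and the hypothetical allowlist below.
declare(strict_types=1);

// Tables this form may write to. The identifier is chosen from this map,
// so the request can select a table but never supply its name.
const ALLOWED_TABLES = ['reps' => true, 'staff' => true];

/** Return the requested table if it is on the allowlist, else null. */
function resolveTable(array $post): ?string
{
    $name = $post['table'] ?? '';
    return is_string($name) && isset(ALLOWED_TABLES[$name]) ? $name : null;
}

/**
 * Validate the form fields and return column => value, or null when a
 * required field is missing, empty or malformed. Empty values were the
 * symptom in the thread: the query ran with '' in every column.
 */
function validateRegistration(array $post): ?array
{
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $pass  = $post['pass'] ?? '';
    if ($email === false || !is_string($pass) || $pass === '') {
        return null;
    }
    $fields = ['email' => $email];
    foreach (['first', 'sur', 'contact'] as $col) {
        $val = $post[$col] ?? '';
        $val = is_string($val) ? trim($val) : '';
        if ($val === '' || strlen($val) > 100) {
            return null;
        }
        $fields[$col] = $val;
    }
    // Salted, slow hash instead of the unsalted md5() used in the thread.
    $fields['password'] = password_hash($pass, PASSWORD_DEFAULT);
    return $fields;
}

/**
 * Insert a validated record. The table name is re-checked against the
 * allowlist; column values are bound as parameters so the driver handles
 * quoting and no request data is ever spliced into the SQL text.
 */
function insertRegistration(PDO $db, string $table, array $fields): bool
{
    if (!isset(ALLOWED_TABLES[$table])) {
        throw new InvalidArgumentException('table not in allowlist');
    }
    $sql = sprintf(
        'INSERT INTO `%s` (`email`, `password`, `first`, `sur`, `contact`) '
        . 'VALUES (:email, :password, :first, :sur, :contact)',
        $table
    );
    $stmt = $db->prepare($sql);
    return $stmt->execute([
        ':email'    => $fields['email'],
        ':password' => $fields['password'],
        ':first'    => $fields['first'],
        ':sur'      => $fields['sur'],
        ':contact'  => $fields['contact'],
    ]);
}

/** Request handler: reject bad input with a 400 before any SQL runs. */
function handleRegistration(PDO $db, array $post): bool
{
    $table  = resolveTable($post);
    $fields = validateRegistration($post);
    if ($table === null || $fields === null) {
        http_response_code(400);
        return false;
    }
    return insertRegistration($db, $table, $fields);
}

// Usage (assumed connection; DSN and credentials are placeholders):
// $db = new PDO('mysql:host=localhost;dbname=app', $user, $pw,
//               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// handleRegistration($db, $_POST);
```

With this structure the hidden `table` field in the form is only a selector, so a submission naming a table that is not on the allowlist is refused before a query is built, and the "anti-injection code" mentioned above is no longer a separate layer to maintain: parameter binding covers the values and the allowlist covers the identifier.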