PHP MSSQL Query Syntax Error

Question

I'm having trouble with a syntax error in my mssql_query function. After a while of trying different things, I thought I'd bring it here. Thanks for any help.

This is the code:

<?php
...
$name = $_POST['name'];
$contactname = $_POST['contactname'];
$contacttitle = $_POST['contacttitle'];
$streetaddress = $_POST['streetaddress'];
$city = $_POST['city'];
$state = $_POST['state'];
$zipcode = $_POST['zipcode'];
$telephone = $_POST['telephone'];
$fax = $_POST['fax'];
$email = $_POST['email'];
$director = $_POST['director'];
$affiliation1 = $_POST['affiliation1'];
$address1 = $_POST['address1'];
$phone1 = $_POST['phone1'];
$affiliation2 = $_POST['affiliation2'];
$address2 = $_POST['address2'];
$phone2 = $_POST['phone2'];
$affiliation3 = $_POST['affiliation3'];
$address3 = $_POST['address3'];
$phone3 = $_POST['phone3'];
$yearsoperational = $_POST['yearsoperational'];
$donorsannually = $_POST['donorsannually'];
$limit = $_POST['limit'];
$coveraget = $_POST['coverage'];
$donors1 = $_POST['donors1'];
$claims1 = $_POST['claims1'];
$medexppaid1 = $_POST['medexppaid1'];
$donors2 = $_POST['donors2'];
$claims2 = $_POST['claims2'];
$medexppaid2 = $_POST['medexppaid2'];
$donors3 = $_POST['donors3'];
$claims3 = $_POST['claims3'];
$medexppaid3 = $_POST['medexppaid3'];
$donorinstructions = $_POST['donorinstructions'];

//Connect to MSSQL Server
$myServer = ".\MSSQLSERVER2008";
$myUser = "user";
$myPass = "password";
$myDB = "database,name"; 

//connection to the server
$dbhandle = mssql_connect($myServer, $myUser, $myPass)
  or die("Couldn't connect to SQL Server on $myServer"); 

  //select a database to work with
$selected = mssql_select_db($myDB, $dbhandle)
  or die("Couldn't open database $myDB"); 

//insert form results into database
$query = mssql_query("INSERT INTO table_name (Name_of_Center,Name,Title,Street_Address,City,State,Zipcode,Phone,Fax,Email,Director,HA1,HA1_Address,
HA1_Phone,HA2,HA2_Address,HA2_Phone,HA3,HA3_Address,HA3_Phone,No_of_Years_Operational,Donors_Annually,Limit,Coverage,
Donors_2012,Donors_2011,Donors_2010,Claims_2012,Claims_2011,Claims_2010,Med_Exp_Paid_2012,Med_Exp_Paid_2011,Med_Exp_Paid_2010,Donor_Instructions)
VALUES ($name,$contactname,$contacttitle,$streetaddress,$city,$state,$zipcode,$telephone,$fax,$email,$director,$affiliation1,$address1,$phone1,$affiliation2,
$address2,$phone2,$affiliation3,$address3,$phone3,$yearsoperational,$donorsannually,$limit,$coverage,$donors1,$claims1,$medexppaid1,$donors2,$claims2,$medexppaid2,
$donors3,$claims3,$medexppaid3,$donorinstructions);");
if(!$query){
echo 'Failed to receive data. Please try again, or contact support';
}
else{
echo 'Successfully received data.';
$results = mysql_query($query);
var_dump($results);
}

mssql_close()
?>

The line it's saying has the syntax error is this:

$donors3,$claims3,$medexppaid3,$donorinstructions);");

Here's the error in browser:

Warning: mssql_query() [function.mssql-query]: message: Incorrect syntax near ','. (severity 15)

Answer 1

Your ENTIRE problem is that you're vulnerable to SQL injection attacks . If you were aware of the problem, you'd also realize why your query has these syntax errors and is fundamentally broken: you forgot to quote EVERY SINGLE bit of data you're inserting into the query.

A quick dirty fix that really doesn't fix the fundamental problem:

VALUES ('$name','$contactname','$contacttitle',etc...
        ^-----^-^--- insert quotes everywhere.