
Using a string in PHP into a MySQL database

I am getting a string using PHP and then trying to put it into my database (MySQL). I keep getting an error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'material )' at line 1.

Here is my code. I printed out the statement in php and that is correct.

$description = $_POST["textField4"];

$description = addslashes($description);               // found these two lines using google
$description = mysql_real_escape_string($description); // neither seems to help.

$sql = "INSERT INTO budget8000 (categories,subCategory, amount, date, description)
VALUES ($category,$subCategory, $amount, curdate(), $description )";

The proper way to do this is:

$description = mysql_real_escape_string($_POST["textField4"]);
...
// and so on for each and every field that you $_GET or $_POST.

$sql = "INSERT INTO budget8000 (categories,subCategory, amount, date, description)
VALUES ('$category','$subCategory', '$amount', curdate(), '$description' )";
//      ^         ^ these quotes are vital to prevent SQL injection and errors.
// without them mysql_real_escape_string will not work!

See: How does the SQL injection from the "Bobby Tables" XKCD comic work?
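As an added example (not code from either answer), the script below reproduces the failure from the question and then performs the same insert with a PDO prepared statement, which is the current replacement for the escaping-plus-quoting approach (the mysql_* extension was removed in PHP 7.0). It assumes an in-memory SQLite database through PDO so it runs offline, the table and column names from the question, constructed sample values in place of $_POST, and PHP's date() in place of MySQL's curdate().

```php
<?php
// Added example: unquoted interpolation from the question beside a parameterised
// insert. Assumes PDO with the sqlite driver; table layout follows the question.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE budget8000 (categories TEXT, subCategory TEXT,
            amount REAL, date TEXT, description TEXT)');

// Constructed stand-ins for the $_POST values (assumption: not from the page).
$category    = 'home';
$subCategory = 'repairs';
$amount      = '42.50';
$description = "O'Brien paint material";   // a quote and spaces, as real input has

// 1. What the question does: values dropped into the SQL text with no quotes.
//    The database reads the words as identifiers and the apostrophe opens an
//    unterminated string, so the statement is rejected (the question's
//    "syntax ... near 'material )'" error is the MySQL form of this).
$bad = "INSERT INTO budget8000 (categories, subCategory, amount, date, description)
        VALUES ($category, $subCategory, $amount, date('now'), $description)";
try {
    $pdo->exec($bad);
    echo "unquoted insert unexpectedly succeeded\n";
} catch (PDOException $e) {
    echo "unquoted insert rejected: " . $e->getMessage() . "\n";
}

// 2. The remedy: a prepared statement with bound parameters. Values travel
//    separately from the SQL text, so quotes, commas or ')' inside $description
//    are stored as data and can never change the statement's structure.
$stmt = $pdo->prepare(
    'INSERT INTO budget8000 (categories, subCategory, amount, date, description)
     VALUES (:category, :subCategory, :amount, :date, :description)'
);
$stmt->execute([
    ':category'    => $category,
    ':subCategory' => $subCategory,
    ':amount'      => $amount,
    ':date'        => date('Y-m-d'),   // stands in for MySQL's curdate()
    ':description' => $description,
]);

// Read the row back: the description is stored verbatim, apostrophe included.
$row = $pdo->query('SELECT description FROM budget8000')->fetch(PDO::FETCH_ASSOC);
echo "stored description: {$row['description']}\n";
```

With the MySQL driver the same prepare/execute code works unchanged apart from the DSN and the date expression.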

You need to use the PHP function mysql_real_escape_string()

$description = mysql_real_escape_string($description);

PHP documentation for mysql_real_escape_string
