Ben Stones wrote:
Thanks all for your replies. Much appreciated. I have edited the code and
took points into account:

$con = mysql_connect("localhost","ben_test","removed") or die("con");
$db = mysql_select_db("ben_test") or die("db");
$sql1 = mysql_query("INSERT INTO `comments` (`messages`) VALUES
($comments)") or die("insert");
$mysql_query_one = mysql_query("SELECT * FROM `comments`");
while($rows=mysql_fetch_array($mysql_query_one)) {
echo $rows['messages'] . "[br /]";

Okay, the browser outputted "insert" so it has to be something to do with
the insert sql syntax I have added. Not sure if its over-riding the same
content added as before or something.

It's dieing when you try to insert, probably because of quotes. As the other Ben mentioned you need to escape the data.


$query = "INSERT INTO comments(messages) VALUES ('" . mysql_real_escape_string($_POST['comments']) . "')";

$insert_result = mysql_query($query);

if (!$insert_result) {
  echo "Error with insert: ", mysql_error(), "<br/>\n";
  echo "Query I tried to run:<br/>\n", $query, "<br/>\n";

that way mysql will show you the error that occurred when you tried to run the insert, and also you are escaping the comment you typed in so things like quotes will be handled properly.

When you print the data out, you should use htmlspecialchars so if someone enters javascript or any other 'bad' data it won't get printed or executed.

For example:

$query = "SELECT * FROM comments";
$result = mysql_query($query);
while ($row = mysql_fetch_assoc($result)) {
echo "Comment was: ", htmlspecialchars($row['messages'], ENT_QUOTES), "<br/>\n";

There's some good info available here about this sort of stuff:

If something doesn't make sense, send us another email :)

Postgresql & php tutorials

PHP Database Mailing List (
To unsubscribe, visit:

Reply via email to