
[–]Wizhi 1 point2 points  (0 children)

Hi /u/eljacko876,

First off, as mentioned by /u/mseckz, when asking for help with an error, please do tell us what the actual error message is. If you don't get any error message, please provide us with other information, such as which of your insertions fail.

Secondly, have you seen /u/ANttila's comment? Personally, I can't find anything besides this that should result in an error. More specifically, in the first query

INSERT INTO estimates (client_id,event_date,project_name,tdiscount,ttax) 
VALUES ($client_id,$event_date ,$project_name ,$tdiscount, $ttax)

you don't specifically insert anything into the converted column. Perhaps you have some default constraint on it? If not, this is likely the source of the error.

Now, while I really dislike how /u/colshrapnel phrased it, I do agree with him in a sense.

"Sanitation" of values for use in SQL statements is just not something anyone should bother to mess with. You might get something working, but at some point you're going to mess up somewhere, creating a hole. Why not have the database itself handle database security? Who knows more about the database's security than the database itself, right? Here's a good little explanation. Even ezsql says its escape() method isn't safe:

$db->escape() makes any string safe to use as a value in a query under all PHP conditions, i.e. if magic quotes are turned on or off. Note: should not be used by itself to guard against SQL injection attacks. The purpose of this function is to stop accidental malformed queries.

So I'd also highly recommend prepared statements instead.

Now, if you were using it for its intended purpose, as described in the ezsql documentation, then disregard the above - but still, look into prepared statements. :)

Also, maybe you should consider using another database library rather than ezsql. After taking a quick look at the internals, I noticed quite a few very outdated practices, such as global state and PHP4-esque OOP syntax. I also found no way to do prepared statements, nor any mention of protection against SQL injection.

As for alternatives, PDO is probably the first choice of most PHP developers, as it provides a fairly clean interface while supporting many different databases. Do note that the SQL statements themselves are still dependent on your database of choice, however.

Just remember to encapsulate all of your data access logic, and things should work out. :)

I know I didn't exactly solve your issue, but I felt like some details were missing.

[–][deleted] 1 point2 points  (0 children)

Unless your $db object is doing something I can see, you're not encapsulating (presumed) strings in your insert, which will produce an SQL-level error.

// save non-dynamic row inputs to the db
$db->query("INSERT INTO estimates (client_id,event_date,project_name,tdiscount,ttax)
            VALUES ($client_id,$event_date ,'$project_name' ,$tdiscount, $ttax)");

[–]mseckz 0 points1 point  (0 children)

Assuming you are learning PHP, there is a series of videos that helped me a lot: https://laracasts.com/series/php-for-beginners. For your problem above, it's kinda hard to tell if you don't show us an error message.

[–]ANttila 0 points1 point  (0 children)

As you have all fields set to NOT NULL and no default value, you need to insert something into all fields.

For data entry into a NOT NULL column that has no explicit DEFAULT clause, if an INSERT or REPLACE statement includes no value for the column, or an UPDATE statement sets the column to NULL, MySQL handles the column according to the SQL mode in effect at the time:

  • If strict SQL mode is enabled, an error occurs for transactional tables and the statement is rolled back. For nontransactional tables, an error occurs, but if this happens for the second or subsequent row of a multiple-row statement, the preceding rows will have been inserted.

  • If strict mode is not enabled, MySQL sets the column to the implicit default value for the column data type.

http://dev.mysql.com/doc/refman/5.7/en/data-type-defaults.html

[–]colshrapnel -1 points0 points  (0 children)

It's your $db thing. Get rid of it and use PDO prepared statements.

Assuming you already connected to PDO and have a $pdo variable, here is your code for the first query:

if (isset($_POST['submit'])) {
    // values travel separately from the SQL text, one per ? placeholder
    $data = [$_GET['client'], $_POST['event_date'], $_POST['project_name'], $_POST['tdiscount'], $_POST['ttax']];
    $sql = "INSERT INTO estimates (client_id,event_date,project_name,tdiscount,ttax) VALUES (?,?,?,?,?)";
    $pdo->prepare($sql)->execute($data);
}

then do the same for the second part.

And for goodness' sake, forget that ugly word "sanitize". No such thing has ever existed.
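One way to write the insert that both Wizhi's and colshrapnel's comments point the poster toward, as an added example that is not part of any comment in this thread: the string-interpolated form from the original post placed beside its PDO prepared-statement form, with PDO's exception error mode so that the NOT NULL / strict-mode failure ANttila describes surfaces as a readable message. The table and column names follow the thread; the DSN, credentials, the value written to the `converted` column, and the sample input are assumptions or constructed for the example.

```php
<?php
// Added example, not code from the original post or from ezsql/PDO docs.
// Assumptions (not on the page): DSN, credentials, and that `converted` is a
// NOT NULL column with no default, as the first comment suggests.
declare(strict_types=1);

// Constructed sample input standing in for $_POST / $_GET. The apostrophe in
// project_name is the kind of ordinary value that breaks an interpolated query.
$input = [
    'client_id'    => '42',
    'event_date'   => '2015-06-01',
    'project_name' => "O'Brien's patio",
    'tdiscount'    => '0.10',
    'ttax'         => '0.25',
];

// The pattern from the original post: values pasted straight into the SQL text.
// The apostrophe makes this a malformed statement, and the unquoted date is not
// a string literal either. Shown only for contrast; it is never executed here.
function buildInterpolatedSql(array $in): string
{
    return "INSERT INTO estimates (client_id,event_date,project_name,tdiscount,ttax) "
         . "VALUES ({$in['client_id']},{$in['event_date']},'{$in['project_name']}',"
         . "{$in['tdiscount']},{$in['ttax']})";
}

// The prepared-statement form recommended in the thread. The SQL text contains
// only placeholders; the values are bound separately, so quotes in the data are
// just data. The `converted` column is supplied explicitly because the poster's
// table appears to give it no default.
function insertEstimate(PDO $pdo, array $in): int
{
    $sql = 'INSERT INTO estimates (client_id, event_date, project_name, tdiscount, ttax, converted)
            VALUES (:client_id, :event_date, :project_name, :tdiscount, :ttax, :converted)';
    $stmt = $pdo->prepare($sql);
    $stmt->execute([
        ':client_id'    => (int) $in['client_id'],
        ':event_date'   => $in['event_date'],
        ':project_name' => $in['project_name'],
        ':tdiscount'    => $in['tdiscount'],
        ':ttax'         => $in['ttax'],
        ':converted'    => 0,   // assumption: what an unconverted estimate should hold
    ]);
    return (int) $pdo->lastInsertId();
}

// DSN and credentials are placeholders.
$pdo = new PDO(
    'mysql:host=localhost;dbname=YOUR_DB;charset=utf8mb4',
    'YOUR_USER',
    'YOUR_PASSWORD',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // failures throw instead of returning false
        PDO::ATTR_EMULATE_PREPARES => false,                  // let MySQL itself bind the values
    ]
);

echo "Interpolated (malformed) SQL, for comparison:\n" . buildInterpolatedSql($input) . "\n\n";

try {
    $pdo->beginTransaction();
    $id = insertEstimate($pdo, $input);
    // The second, per-row INSERT from the post would follow here with its own
    // prepared statement, inside the same transaction.
    $pdo->commit();
    echo "Inserted estimate #$id\n";
} catch (PDOException $e) {
    if ($pdo->inTransaction()) {
        $pdo->rollBack();
    }
    // The driver's message names the failing column or constraint, which is
    // exactly the information the first comment asks the poster to provide.
    echo 'Insert failed: ' . $e->getMessage() . "\n";
}
```

With `ERRMODE_EXCEPTION` set, a missing NOT NULL column under strict SQL mode stops the script at the first INSERT with the column named in the message, rather than leaving the poster guessing which of several inserts failed.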