0
I'm working on an Escrow payments system for a Project I'm working on. I keep getting errors with it, and I can't see where I've gone wrong. When a user wishes to make an escrow payment, they type in the name of the recipient, the amount, and they select a reason from a listmenu. When they click submit, the form goes to the following script:
<?php require_once('Connections/pbmddb.php'); ?>
<?php
$colname_userfrom = "-1";
if (isset($_POST['from'])) {
$colname_userfrom = (get_magic_quotes_gpc()) ? $_POST['from'] : addslashes($_POST['from']);
}
mysql_select_db($database_pbmddb, $pbmddb);
$query_userfrom = sprintf("SELECT * FROM `user` WHERE username = '%s'", $colname_userfrom);
$userfrom = mysql_query($query_userfrom, $pbmddb) or die(mysql_error());
$row_userfrom = mysql_fetch_assoc($userfrom);
$totalRows_userfrom = mysql_num_rows($userfrom);
$userto = $_POST['payto'];
$amount = $_POST['amount'];
$reason = $_POST['reason'];
$from = $_POST['from'];
$commission = ceil($amount * 1.1);
$money = $row_userfrom['money'];
$deduct = $money - $commission;
$id = $row_userfrom['genid'];
if ($commission > $money) {
echo "You do not have enough money in your account to make this payment.";
}
if (($userto !== "") && ($amount !== "") && ($from !== "") && ($commission <= $money)) {
$newpay = "INSERT INTO escrow (id, from, to, amount, reason) VALUES ('', '$from', '$userto', '$amount', '$reason')";
mysql_query($newpay) or die(mysql_error());
$takepay = "UPDATE `user` SET `money`='$amount' WHERE `id`='$id' LIMIT 1;";
mysql_query($takepay) or die(mysql_error());
include("escrow_skip.php");
}
mysql_free_result($userfrom);
?>
When I tested this, I get the following error:
You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 'from, to, amount, reason) VALUES ('', 'AndyMills', 'mruser', '2
Can anyone spot where I've gone wrong. I can't figure it out. Thanks!
. Cheers again!
