What is wrong with my SQL/PHP syntax here? - php

So I have a database of downloads on my site set up that enables me to track the number of downloads, and I'm trying to set up a front-end for me and my compatriots to insert new downloads into the database. I'm setting up the front-end with primarily PHP.
The way my paging is set up removes the possibility of my forms simply posting, so instead I have JS serializing the data and reloading the page, then I unserialize the data in PHP, stick the values into a mysql query, and try to run it.
Here's what my SQL code looks like inside of PHP:
$sql = "INSERT INTO dl (id, file, desc) VALUES ('$idd', '$file', '$desc')";
Which turns into this string:
INSERT INTO dl (id, file, desc) VALUES ('a56', 'test.zip', 'cake')
But when the page tries to run it, I get this error:
You have an error
in your SQL syntax; check the manual that corresponds to your MySQL
server version for the right syntax to use near 'desc) VALUES ('a56',
'test.zip', 'cake')' at line 1
And the weirdness of that is compounded by the fact that the line of code running the query is not on line 1. It's on line 28.
Any help is appreciated :)

desc is a reserved keyword in MySQL.
The recommended workaround is to use backticks. From MySQL manual:
If an identifier contains special characters or is a reserved word, you must quote it whenever you refer to it.
If renaming the table or column isn't possible, wrap the offending identifier in backticks (`):
$sql = "INSERT INTO dl (id, `file`, `desc`) VALUES ('$idd', '$file', '$desc')";
Take a look at this question too: When to use single quotes, double quotes, and backticks in MySQL

Please change the column name desc; it's reserved by MySQL. For more details, please see the list of reserved words at MySQL Reserved Words:
http://dev.mysql.com/doc/refman/5.5/en/reserved-words.html

desc is a reserved word in SQL.
It is (together with ASC) used to determine the sorting order of the results.

Please try this.
$sql = "INSERT INTO dl (`id`, `file`, `desc`) VALUES ('".$idd."', '".$file."', '".$desc."')";
Hope this is useful to you.

Related

Mysql INSERT query of variables in PHP [duplicate]

This question already has an answer here:
Syntax error due to using a reserved word as a table or column name in MySQL
(1 answer)
Closed 6 years ago.
I have spent two days trying to figure out why this statement wouldn't insert those data into my database. Been reading through all similar questions here as well and tried with no luck. This is the statement:
$sql = "INSERT INTO removal_shipment_detail (request_date, order_id, shipment_date, product, product_name, delivered, quantity, local, tracking, update) VALUES ('".$request_date."','".$order_id."','".$shipment_date."','".$product."','".$product_name."','".$delivered."','".$quantity."','".$local."','".$tracking."','".$update."')";
Where quantity is an INT here. I've exchanged single quotes with double quotes back and forth, combined with the concatenation added and deleted as well, but none of those combinations would work.
Thanks, please advise!
update is a MySQL reserved word, so you can't use this word as your column name like that.
Here's the reference:
http://dev.mysql.com/doc/refman/5.7/en/keywords.html
Escape your columns using backticks, like this:
$sql = "INSERT INTO removal_shipment_detail (`request_date`, `order_id`, `shipment_date`, `product`, `product_name`, `delivered`, `quantity`, `local`, `tracking`, `update`) VALUES ('".$request_date."','".$order_id."','".$shipment_date."','".$product."','".$product_name."','".$delivered."','".$quantity."','".$local."','".$tracking."','".$update."')";
Sidenote: Learn about prepared statements because right now your query is susceptible to SQL injection. Also see how you can prevent SQL injection in PHP.
try to use intval
$sql = "INSERT INTO removal_shipment_detail
(request_date, order_id, shipment_date, product, product_name, delivered, quantity, local, tracking, update)
VALUES
('".$request_date."','".$order_id."','".$shipment_date."','".$product."','".$product_name."','".$delivered."',".intval ($quantity).",'".$local."','".$tracking."','".$update."')";
If you are using MySQLi you can check your SQL errors with following methods:
Object oriented style
if (!$mysqli->query("QUERY_HERE")) {
printf("Errormessage: %s\n", $mysqli->error);
}
Procedural style
if (!mysqli_query($con, "QUERY_HERE")) {
printf("Errormessage: %s\n", mysqli_error($con));
}
More information can be found in PHP: mysqli::$error
Also, I don't like connecting strings with . when it's not necessary (it's always harder to read). Your syntax can be as follows:
$sql = "INSERT INTO removal_shipment_detail (`request_date`, `order_id`, `shipment_date`, `product`, `product_name`, `delivered`, `quantity`, `local`, `tracking`, `update`) VALUES ('$request_date','$order_id','$shipment_date','$product','$product_name','$delivered','$quantity','$local','$tracking','$update')";
Firstly, if quantity is an INT, then it need not be surrounded with quotes.
Secondly, avoid using reserved words such as "update" for your field names. It may confuse the database engine.
Rajdeep Paul's answer is also good but he failed to talk about the quantity field which has the INT data type.
Try this
$sql = "INSERT INTO removal_shipment_detail (request_date, order_id, shipment_date, product, product_name, delivered, quantity, local, tracking, update1) VALUES ('".$request_date."','".$order_id."','".$shipment_date."','".$product."','".$product_name."','".$delivered."',".$quantity.",'".$local."','".$tracking."','".$update."')";
Notice that the field name "update" has been changed to "update1" to avoid confusing the SQL interpreter, and the quotes surrounding the quantity value have been removed.
I hope this helps.

PHP insert into SQL statement with several parameters [duplicate]

This question already has an answer here:
Syntax error due to using a reserved word as a table or column name in MySQL
(1 answer)
Closed 7 years ago.
I have a simple PHP INSERT INTO SQL statement that simply refuses to update several columns at once. I have no idea why, but the following statement is acceptable:
$sql = "INSERT INTO niceTable (first) VALUES ('Hello')";
However, if I try the following
$sql = "INSERT INTO niceTable (first, last) VALUES ('Hello', 'You')";
it breaks down and throws the following error:
"Error updating record: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'desc) VALUES ('Hello', 'update')' at line 1"
I have checked the syntax, but it seems ok. I am using a one.com server. Anyone got any tips?
Your actual query (not the one in your question) seems different. The error message seems to have desc somewhere, which is a reserved word. If you use reserved words as column names (don't), you should enclose them in backticks:
INSERT INTO tbl (`order`, `desc`) VALUES ('foo', 'bar');
As per your "posted code":
The reason being that first and last are MySQL reserved words
https://dev.mysql.com/doc/refman/5.5/en/keywords.html
and require special attention.
Either wrap them in ticks or rename them to something other than reserved keywords.
INSERT INTO niceTable (`first`, `last`)
Edit: However, your error doesn't support the issue here, nor the column name(s):
for the right syntax to use near 'desc)
this tells me you are using desc which is also another MySQL reserved word.
You should also use prepared statements
https://en.wikipedia.org/wiki/Prepared_statement
Plus, should your inputs contain characters that MySQL may complain about, such as apostrophes (John O'Neil), then you will need to escape those values.
MySQL will interpret that as ('Hello', 'John O'Neil'), in turn causing another syntax error.
Escaping it would interpret it as ('Hello', 'John O\'Neil'), making it valid.
I'm thinking ahead here.
Enclose your column names in backticks
Last is a function in MySQL
$sql = "INSERT INTO niceTable (`first`, `last`) VALUES ('Hello', 'You')";
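
The advice in the answers above (backtick-quote reserved-word columns such as desc, use prepared statements, and expect values like John O'Neil) combined in one runnable sketch; this is an added example, not code from any of the posts. It assumes PDO with an in-memory SQLite database so it runs without a MySQL server, and `quoteIdent`, `insertRow` and `$schema` are hypothetical names.

```php
<?php
// Assumption: in-memory SQLite stands in for MySQL so this runs offline.
// SQLite accepts MySQL-style backtick-quoted identifiers.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE dl (`id` TEXT PRIMARY KEY, `file` TEXT, `desc` TEXT)');

// Hypothetical helper: identifiers cannot be bound as parameters, so they are
// checked against an allow-list and then backtick-quoted.
function quoteIdent(string $name, array $allowed): string
{
    if (!in_array($name, $allowed, true)) {
        throw new InvalidArgumentException("Unknown identifier: $name");
    }
    return '`' . str_replace('`', '``', $name) . '`';
}

// Hypothetical helper: INSERT with quoted identifiers and bound values.
function insertRow(PDO $pdo, array $schema, string $table, array $row): void
{
    $t = quoteIdent($table, array_keys($schema));
    $cols = array_map(fn($c) => quoteIdent($c, $schema[$table]), array_keys($row));
    $marks = implode(', ', array_fill(0, count($row), '?'));
    $stmt = $pdo->prepare("INSERT INTO $t (" . implode(', ', $cols) . ") VALUES ($marks)");
    $stmt->execute(array_values($row));   // values travel separately from the SQL text
}

$schema = ['dl' => ['id', 'file', 'desc']];
// Constructed sample rows; two contain characters that break string-built SQL.
insertRow($pdo, $schema, 'dl', ['id' => 'a56', 'file' => 'test.zip', 'desc' => 'cake']);
insertRow($pdo, $schema, 'dl', ['id' => 'a57', 'file' => 'notes.zip', 'desc' => "John O'Neil"]);
insertRow($pdo, $schema, 'dl', ['id' => 'a58', 'file' => 'x.zip', 'desc' => 'it\'s "quoted"']);

foreach ($pdo->query('SELECT `id`, `desc` FROM dl ORDER BY `id`') as $r) {
    echo $r['id'], ' => ', $r['desc'], PHP_EOL;   // values are stored verbatim
}

try {
    insertRow($pdo, $schema, 'dl', ['id' => 'a59', 'not_a_column' => 'x']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

With bound parameters the apostrophe needs no manual escaping, and the reserved word desc is only ever emitted inside backticks.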

PHP syntax error adding data to MySQL db

trying to add data to mySQL db.
I get this error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'MATCH(time, date, location, weather, team_id) VALUES('t', 't', 't','t','2')'
this is the PHP code snippet:
$sql = "insert into MATCH(time, date, location, weather, team_id) VALUES('$time', '$date', '$location','$weather','$team_id')";
I can't see any syntax errors
MATCH is reserved for a function used in fulltext search:
http://dev.mysql.com/doc/refman/5.5/en/fulltext-search.html
That's not a php syntax error. It's a Mysql syntax error. I suggest changing the table's name.
Try
$sql = "INSERT INTO `MATCH` (`time`, `date`, `location`, `weather`, `team_id`) VALUES ('".$time."', '".$date."', '".$location."','".$weather."','".$team_id."')";
Using the backtick character ` you can distinguish names you gave to your table or columns from reserved words of the MySQL language. Leaving them out might seem more comfortable at first, but can be a pain later.
E.g. one should know that mysql syntax is not case sensitive. So even if you write match you will get this problem. A list of the reserved words can be found at the link Mark gave you in his comment.
You might also want to read up on MySQL Syntax in general:
http://dev.mysql.com/doc/refman/5.1/en/sql-syntax.html

SQL Insert doesn't work for some reason [duplicate]

This question already has an answer here:
Syntax error due to using a reserved word as a table or column name in MySQL
(1 answer)
Closed 8 years ago.
When I remove '$user' and by this works perfectly
$query = $db -> query("INSERT INTO posts (title, body, tags, published, date, by) VALUES
('$title', '$body', '$tags', '$published', '$date', '$user')");
User is varchar(11)
when I print_r $user I get the value I want
I am not sure what is going on, by is at the end of the table.
Sorry if this question is stupid.
peace
Because BY is a Reserved keyword and happens to be the name of the column. In order to avoid syntax error, you need to escape it using backtick,
INSERT INTO posts (title, body, tags, published, date, `by`) VALUES (...)
MySQL Reserved Keywords List
I'd rather change the column name to keep the problem from coming back again :D
As a sidenote, the query is vulnerable to SQL injection if the value(s) of the variables came from the outside. Please take a look at the article below to learn how to prevent it. By using PreparedStatements you can get rid of using single quotes around values.
How to prevent SQL injection in PHP?
In addition, you can also put backticks on the "date" column since it is also a reserved word.
INSERT INTO posts (title, body, tags, published, `date`, `by`) VALUES (...)
Well in my case I really don't prefer using backtick but it's really helpful in avoiding syntax errors..

sql fulltext returning null

I'm using the joomla CMS to write to my db and have written a custom front end.
I'm trying to obtain the contents of the 'fulltext' row. I've tried mysql_fetch_assoc['fulltext'] and mysql_result($sql, 0, 'fulltext'). Both return fulltext. Here's the query string:
SELECT created, modified, title, introtext, 'fulltext', state, urls, created_by
FROM table_content
WHERE id='$id'
It's probably something really obvious I've missed because fulltext seems to conflict with sql without the quotation marks around it.
Any assistance would as always be appreciated!
You can use SQL keywords as field names, with appropriate escaping with backticks. You're using single quotes, which turns the word into a string that contains the word "fulltext".
Try
SELECT .... introtext, `fulltext`, state, ...
                       ^--------^--- backticks
instead.
