error with mysql query syntax - php

"INSERT INTO forum_topics (category_id, poster_id, poster_username, topic_title, topic_content, date) VALUES (".$category_id.", '$poster_id', '$topic_title', '$message', NOW()";
mysql_error() says that there is a problem with the syntax, however it might be something else. I'm gonna post the variables just so you know where they come from.
$message = $_POST['topic_message'];
$topic_title = $_POST['topic_title'];
$category_id = $_GET['id'];
EDIT
Changed it to
$topic_sql = "INSERT INTO forum_topics (category_id, poster_id, poster_username, topic_title, topic_content, date) VALUES (".$category_id.", '$poster_id', '$username', '$topic_title', '$message', NOW())";
However it still doesn't work...

You're missing the closing paren for VALUES:
... NOW())";
There are other issues:
The parameter count is incorrect
Your query is vulnerable to injection since you are not using parameterized queries with PDO/mysqli

Maybe you list 6 columns but only give data for 5? And the closing ) is missing.

Looks like you're missing a closing parenthesis and only inserting 5 values into 6 columns...
INSERT INTO forum_topics (category_id, poster_id, poster_username, topic_title, topic_content, date)
VALUES (".$category_id.", '$poster_id', '$username', '$topic_title', '$message', NOW())
Are you missing the user name?
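The answers above recommend PDO/mysqli with parameterized queries but do not show it. Here is an added example (not code from any of the posts) of the same forum_topics INSERT as a PDO prepared statement: six columns, six values, with the five user-supplied values bound as parameters and NOW() left to the server. The DSN, credentials and the session keys for the poster are assumptions.

```php
<?php
// Added example, not from the original posts: the forum_topics INSERT rewritten as a
// PDO prepared statement. Table and column names come from the question; the DSN,
// credentials and the $_SESSION keys used for the poster are assumptions.
declare(strict_types=1);

function buildPdo(string $dsn, string $user, string $pass): PDO
{
    return new PDO($dsn, $user, $pass, [
        // Throw on any SQL error, so a syntax mistake is never silently ignored.
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        // Use real server-side prepares instead of client-side string escaping.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

function insertTopic(PDO $pdo, int $categoryId, int $posterId, string $username,
                     string $title, string $message): int
{
    // Six columns, six values: five placeholders plus NOW() evaluated by MySQL.
    $sql = 'INSERT INTO forum_topics
                (category_id, poster_id, poster_username, topic_title, topic_content, date)
            VALUES (:category_id, :poster_id, :poster_username, :topic_title, :topic_content, NOW())';
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':category_id', $categoryId, PDO::PARAM_INT);
    $stmt->bindValue(':poster_id', $posterId, PDO::PARAM_INT);
    $stmt->bindValue(':poster_username', $username);
    $stmt->bindValue(':topic_title', $title);
    $stmt->bindValue(':topic_content', $message);
    $stmt->execute();
    return (int) $pdo->lastInsertId();
}

// Validate request input before it reaches the query: the category id must be an integer.
$categoryId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($categoryId === false || $categoryId === null) {
    http_response_code(400);
    exit('invalid category id');
}
$title   = (string) ($_POST['topic_title'] ?? '');
$message = (string) ($_POST['topic_message'] ?? '');
session_start();
$posterId = (int) ($_SESSION['user_id'] ?? 0);        // assumed session key
$username = (string) ($_SESSION['username'] ?? '');   // assumed session key

$pdo   = buildPdo('mysql:host=localhost;dbname=forum;charset=utf8mb4', 'dbuser', 'dbpass'); // assumed DSN
$newId = insertTopic($pdo, $categoryId, $posterId, $username, $title, $message);
```

With ERRMODE_EXCEPTION set, a missing parenthesis or a column/value count mismatch surfaces as a PDOException at execute() instead of a silently failed query.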

SQL INSERT INTO table(a, b , c) VALUES (:a, :b, :c, SELECT ...)

So I'm trying to insert 4 values into a table. I'm getting 3 values from POST and the other one I want to get it from another table. This is how I thought about implementing it but it doesn't seem to be working. Any suggestions?
$query = "INSERT INTO topics (subject, data, uid, role) VALUES (:user, :pass, :uid, SELECT role FROM users WHERE uid=:uid) ";
In SQL, all subqueries need to be surrounded by their own parentheses. So, you can fix your query by using:
INSERT INTO topics (subject, data, uid, role)
VALUES (:user, :pass, :uid, (SELECT role FROM users WHERE uid = :uid));
Personally, I much prefer the INSERT . . . SELECT version of SELECT:
INSERT INTO topics (subject, data, uid, role)
SELECT :user, :pass, :uid, u.role
FROM users u
WHERE uid = :uid;

MYSQL insert update - on duplicate key update - getting error

I am getting the error "Query error!" with this code:
$result = $connection->query("INSERT INTO EMP_TBLE (NAME, AGE, CATEGORY, UPDATE_COUNT) VALUES('$NAME', '$AGE', $CAT, 1
ON DUPLICATE KEY UPDATE UPDATE_COUNT = UPDATE_COUNT + 1"));
echo "<br>".$result;die;
I also checked a different example; that example ran successfully, but I get an error in the above code for my demo project.
The closing brace for VALUES is missing. There is also an unneeded brace at the end of your code line.
Please change
$result = $connection->query("INSERT INTO EMP_TBLE (NAME, AGE, CATEGORY, UPDATE_COUNT) VALUES('$NAME', '$AGE', $CAT, 1 ON DUPLICATE KEY UPDATE UPDATE_COUNT = UPDATE_COUNT + 1"));
to
$result = $connection->query("INSERT INTO EMP_TBLE (NAME, AGE, CATEGORY, UPDATE_COUNT) VALUES('$NAME', '$AGE', $CAT, 1) ON DUPLICATE KEY UPDATE UPDATE_COUNT = UPDATE_COUNT + 1");
Apparently you did not close the parenthesis in the right place:
$result = $connection->query("INSERT INTO EMP_TBLE (NAME, AGE, CATEGORY,
UPDATE_COUNT) VALUES('$NAME', '$AGE', $CAT, 1)
ON DUPLICATE KEY UPDATE UPDATE_COUNT = UPDATE_COUNT + 1");
Also... you should at least escape all the variables before concatenating them into queries like this, to avoid SQL injection.

php-mysql-pdo: execute not working after prepare when inserting

I have following lines:
$sql = "INSERT INTO news (title, content) VALUES :title, :content";
$pre = $this->prepare($sql);
$pre->bindValue(":title", "xxx");
$pre->bindValue(":content", "yyy");
$pre->execute();
I get no error, but the query is also not executed (I checked the query log).
I tried following changes desperately:
$t="xxx" and $pre->bindValue(":title", $t); (the same also for y)
$sql = "INSERT INTO `news` (`title`, `content`) VALUES :title, :content";
$sql = "INSERT INTO `news` (`title`, `content`) VALUES ':title', ':content'";
Nothing changes. Funny thing is I get no response, no warning, no error, just nothing.
But the query is not executed.
I found similar posts but none of them solved my problem.
(about $this ... The code is in a class extended from PDO class.)
Try this; your values should be wrapped inside the VALUES ():
"INSERT INTO news (title, content) VALUES (:title, :content)";
instead of
"INSERT INTO news (title, content) VALUES :title, :content";
Try: "INSERT INTO news (title, content) VALUES (:title, :content)";
You must surround the insert values with parentheses.

Wrong SQL Syntax? [duplicate]

This question already has answers here: MySQL, safely using reserved word in query (2 answers). Closed 9 years ago.
I am building a small Twitter clone for personal use, and I have some trouble with it.
First, I want to show you my SQL structure of the table "poke_history":
http://puu.sh/3Sci0.png
This is the command I use to insert the values into a table (in PHP):
$insert = "INSERT INTO poke_history (id, from, time, reason) VALUES ('".$to_id."', '".$from_id."', '".$time."', '".$reason."')";
mysql_query($insert) or die(mysql_error());
This is the annoying error that I am getting:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'from, time, reason) VALUES ( '1'' at line 3.
Let me clarify some things.
$to_id is a number.
$from_id is a number.
$time is a number (coming from PHP's time()).
$reason is a text string.
I am using MySQL and PHP5.
Try to quote your column identifiers like
INSERT INTO poke_history (`id`, `from`, `time`, `reason`) ...
Everything inside `` is considered to be an "identifier", not a language keyword. From the SQL syntax it should be clear that after INSERT INTO tablename a FROM cannot come, but MySQL sometimes needs this kind of guidance (and other SQL parsers do, too).
credit to mario as well:
from is a reserved keyword. Use backticks to escape them.
for example
`from`
INSERT INTO table (`from`) ....
So your code would look like this:
$insert = "INSERT INTO poke_history (`id`, `from`, `time`, `reason`) VALUES ('".$to_id."', '".$from_id."', '".$time."', '".$reason."')";
mysql_query($insert) or die(mysql_error());
$insert = "INSERT INTO poke_history (`id`, `from`, `time`, `reason`) VALUES (".$to_id.", ".$from_id.", ".$time.", '".$reason."')";
mysql_query($insert) or die(mysql_error());
Numbers don't need to be quoted. Only strings.
Also don't use mysql, it's deprecated. Better use PDO, with prepared statements, to avoid issues like this.
You should try to use prepared statements to prevent SQL injection.
$query = "
INSERT INTO
poke_history (`id`, `from`, `time`, `reason`)
VALUES
(:id, :from, :time, :reason)";
$db = new PDO("mssql:host=sqlserver;dbname=database", "username", "password");
$statement = $db->prepare($query);
$parameters = array(
":id" => $name,
":from" => $from,
":time" => $time,
":reason" => $reason
);
$statement->execute($parameters);
I think that you forgot to add * in between INSERT and INTO, here is the fixed script:
$insert = "INSERT * INTO poke_history (id, from, time, reason) VALUES ('".$to_id."', '".$from_id."', '".$time."', '".$reason."')";
mysql_query($insert) or die(mysql_error());
The reason why you are getting the error is because you are trying to use a built in function name for one of your columns. Say you have the following CREATE TABLE...
CREATE TABLE customers
(
name varchar(80),
streetAddr varchar(160),
"from" varchar(60)
);
Notice that to create the table I had to put the column from in quotes. Now if you wanted to insert a row into this table, your insert statement should look like the following:
INSERT INTO ShoppingFun.dbo.customers
(
name,
streetAddr,
"from"
)
VALUES
(
'MRBubbleGum',
'1061 SW BubbleGumVillage St',
'yourmom'
)

Using two insert statements for two different tables

I would like to use two different insert statements with two different tables such as
<?
mysql_query("INSERT INTO Customer (ID,Name,Subject, OrderDate) VALUES ('$ID', '$name', '$status', '$ODate')");
mysql_query("INSERT INTO Order (ID,Subject, Department, Status, OrderDate, Receive, Notes) VALUES ('$ID', '$status', 'Financial', 'Financial Department', '$ODate', 'NO', 'Notes')");
?>
It just works with the first table and does not work with the second table.
Can some one help solving this problem?
Thanks
You need to check for errors:
<?php
$query1 = "INSERT INTO Customer (ID,Name,Subject, OrderDate) VALUES ('$ID', '$name', '$status', '$ODate')";
if(!mysql_query($query1)) {
throw new Exception(mysql_error());
}
$query2 = "INSERT INTO Order (ID,Subject, Department, Status, OrderDate, Receive, Notes) VALUES ('$ID', '$status', 'Financial', 'Financial Department', '$ODate', 'NO', 'Notes')";
if(!mysql_query($query2)) {
throw new Exception(mysql_error());
}
I'm guessing you are getting an error because Order is a reserved word in MySQL and should be escaped accordingly:
$query2 = "INSERT INTO `Order` (ID,Subject, Department, Status, OrderDate, Receive, Notes) VALUES ('$ID', '$status', 'Financial', 'Financial Department', '$ODate', 'NO', 'Notes')";
It also seems to me like you're inserting a fixed value as a primary key - are you sure that's what you want?
As I said in the comments, you should stop using mysql_ functions completely and use MySQLi or PDO instead.
First of all, thanks to DCoder who helped me to solve the problem and advised me to use PDO and MySQLi.
The problem was with the table name Order; when I replaced it with a new name, it worked fine.
I thought the problem was with using two mysql_query calls, but it is not. The table name that I used is a reserved word in MySQL.
Thanks
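Both this question (the table `Order`) and the earlier poke_history question (the column `from`) hit reserved words, and placeholders cannot be used for identifiers, only for values. The added example below (not code from any of the posts) shows the complementary defensive pattern: identifiers are checked against an allow-list and backtick-quoted, while the row values still go through bound parameters. Table and column names are taken from the questions; the $pdo connection is an assumption.

```php
<?php
// Added example, not from the original posts: reserved-word identifiers such as
// the table `Order` or the column `from` cannot be bound as parameters, so they
// are allow-listed and backtick-quoted; values still use placeholders.
// The $pdo connection is an assumption.
declare(strict_types=1);

/** Quote an identifier for MySQL, doubling any embedded backtick. */
function quoteIdentifier(string $name): string
{
    if ($name === '' || strlen($name) > 64) {
        throw new InvalidArgumentException('bad identifier length');
    }
    return '`' . str_replace('`', '``', $name) . '`';
}

/** Only accept identifiers the application actually knows about. */
function checkAllowed(string $name, array $allowed): string
{
    if (!in_array($name, $allowed, true)) {
        throw new InvalidArgumentException("unknown identifier: $name");
    }
    return $name;
}

/** Build an INSERT whose identifiers are quoted and whose values are named placeholders. */
function buildInsert(string $table, array $columns, array $allowedTables, array $allowedColumns): string
{
    $t      = quoteIdentifier(checkAllowed($table, $allowedTables));
    $cols   = array_map(fn($c) => quoteIdentifier(checkAllowed($c, $allowedColumns)), $columns);
    $params = array_map(fn($c) => ':' . $c, $columns);
    return sprintf('INSERT INTO %s (%s) VALUES (%s)', $t, implode(', ', $cols), implode(', ', $params));
}

// The poke_history insert from the earlier question, with `from` and `time` quoted.
$sql = buildInsert('poke_history', ['id', 'from', 'time', 'reason'],
                   ['poke_history', 'Order'], ['id', 'from', 'time', 'reason']);

$stmt = $pdo->prepare($sql);   // $pdo: an existing PDO connection (assumed)
$stmt->execute([':id' => 1, ':from' => 2, ':time' => time(), ':reason' => 'hello']);
```

The same helper quotes `Order` for the second INSERT in this question; an identifier that is not on the allow-list is rejected before any SQL is built.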
