This question already has answers here:
Using SQL keyword in title of table or column
(2 answers)
Closed 9 years ago.
I'm getting this error when trying to insert data into the database:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'add (price, catID, subCatID, title, description) VALUES ('1500', '1', '1', 'aaa'' at line 1
Here is my code. Could you please help me solve this problem?
require "dbConnect.php";
dbConnect();
$category = mysql_real_escape_string($_POST['catID']);
$sub_category = mysql_real_escape_string($_POST['subCatID']);
$title = mysql_real_escape_string($_POST['title']);
$description = mysql_real_escape_string($_POST['description']);
$price = mysql_real_escape_string($_POST['price']);
I have included the relevant code here
$insert_data = mysql_query("INSERT INTO add (price, catID, subCatID, title, description) VALUES ('$price', '$category', '$sub_category', '$title', '$description')");
if($insert_data === FALSE)
{
die(mysql_error());
}
ADD is a MySQL reserved keyword which you must quote with backticks if it is used as a table or column name. If you have an opportunity to change the schema, it is advisable not to use a reserved word since you're likely to encounter this again in the future, as will future developers on your code.
$insert_data = mysql_query("INSERT INTO `add` (price, catID, subCatID, title, description) VALUES ('$price', '$category', '$sub_category', '$title', '$description')");
//-------------------------------------^^^^^^^
As you've probably seen already, the mysql_*() extension has been deprecated in PHP 5.5, and will eventually be removed. Rather than continuing to write new code with it, it is advisable to start learning prepared statements in PDO or MySQLi.
This question already has an answer here:
Syntax error due to using a reserved word as a table or column name in MySQL
(1 answer)
Closed 7 years ago.
Can someone please help me with what is wrong with this syntax?
When I run this, it doesn't insert the values into the table.
Currently all the variables, e.g. $land, have a value.
In my database table, all except $nOwners and $id (int) are defined as varchar.
Details:
I am using MySQLi.
$sql= "INSERT into property_list (id, title_no, status, register_type, type,land_district, issue_date,guarantee_status,provisional,title_no_srs,title_no_head_srs, survey_reference, Maori_land, number_owners)
VALUES($id,'$title', '$status', '$register', '$type', '$land', '$issue_date', '$guarantee', '$provision', '$title_no_srs','$head_srs', '$survery', '$maori', $nOwners)";
if($conn->query($sql)!==false)
{
$flag=false;
echo "successfully inserted ";
}
Hmm, the column name status might be an issue, it is a reserved keyword in sql. Try another name and see if that fixes it.
https://www.drupal.org/node/141051
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 7 years ago.
I've done some searching here and have not found what I'm looking for.
I've got a form that gets filled out, upon submitting it adds it to an SQL database (using PHP). However, if someone puts an apostrophe or single quote, it will blow up...I need to be able to either parse each text field to check for single quotes to escape them out or find some other way for this to work. Here is my SQL statement...if it helps.
$query = "INSERT INTO workshopinfo (Year, Presentername, email, bio, arrival, title, description, costyn, matcost, schedlimit, additionalinfo, typeofws, verified)" .
"VALUES ('$year', '$presentername', '$email', '$bio', '$arrival', '$title', '$description', '$costyn', '$matcost', '$schedlimit', '$additionalinfo', '$typeofws', '$verified')";
So of course a single quote will blow it up, as will a double quote...it fails every time. There is likely an easy solution to this.
I may have just found it after posting. The PHP function addslashes() works in this case.
You can use PDO with prepared statements to handle quotes in SQL queries:
$req = $bdd->prepare("INSERT INTO yourTable (a, b, c) VALUES (:a, :myb, :c)");
$req->bindParam("a", $name, PDO::PARAM_STR); // string
$req->bindParam("myb", $title, PDO::PARAM_STR); // string
$req->bindParam("c", $identifier, PDO::PARAM_INT); // integer
$req->execute();
With this, you avoid all SQL injections.
Documentation: http://php.net/manual/en/book.pdo.php
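The first question (the `add` table) and this one (an apostrophe breaking a concatenated INSERT) have the same fix, which the answers above describe but do not show end to end: quote the reserved-word identifier with backticks, and move every value out of the SQL string into a prepared statement, so nothing in the input has to be escaped at all. The following is an added example, not code from any of the posts. It uses PDO against an in-memory SQLite database so it runs without a MySQL server; SQLite accepts MySQL-style backtick quoting, and the same PHP works unchanged against a MySQL DSN (the `mysql:host=...;dbname=...` string in the comment is a hypothetical placeholder). The table definition is SQLite-flavoured and the request data is constructed for the demonstration.

```php
<?php
// Added example (not from the posts above): the `add` INSERT rewritten with
// PDO prepared statements and a back-quoted table name. Runs on in-memory
// SQLite; for MySQL swap the DSN for something like
// 'mysql:host=localhost;dbname=test' (hypothetical connection details).

function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    // Throw on any error instead of returning false, so a failed prepare()
    // or execute() cannot be silently ignored.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // SQLite-flavoured DDL; `add` is quoted because it is a MySQL reserved word.
    $pdo->exec('CREATE TABLE `add` (
        id          INTEGER PRIMARY KEY,
        price       INTEGER NOT NULL,
        catID       INTEGER NOT NULL,
        subCatID    INTEGER NOT NULL,
        title       TEXT    NOT NULL,
        description TEXT    NOT NULL
    )');
    return $pdo;
}

/**
 * Insert one row into the reserved-word-named table `add`.
 *
 * Identifiers (table and column names) cannot be bound, so they are written
 * into the SQL with backticks. Values are never concatenated into the SQL;
 * they travel separately with the prepared statement, so quotes, semicolons
 * or SQL fragments inside them are stored literally.
 */
function insertAd(PDO $pdo, array $input): int
{
    $sql = 'INSERT INTO `add` (`price`, `catID`, `subCatID`, `title`, `description`)
            VALUES (:price, :catID, :subCatID, :title, :description)';
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':price',       (int) $input['price'],    PDO::PARAM_INT);
    $stmt->bindValue(':catID',       (int) $input['catID'],    PDO::PARAM_INT);
    $stmt->bindValue(':subCatID',    (int) $input['subCatID'], PDO::PARAM_INT);
    $stmt->bindValue(':title',       $input['title'],          PDO::PARAM_STR);
    $stmt->bindValue(':description', $input['description'],    PDO::PARAM_STR);
    $stmt->execute();
    return (int) $pdo->lastInsertId();
}

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: {$what}");
    }
}

$pdo = connect();

// Constructed request data: a title with apostrophes (the case that broke the
// concatenated query above) and a description shaped like an injection attempt.
$post = [
    'price'       => '1500',
    'catID'       => '1',
    'subCatID'    => '1',
    'title'       => "O'Reilly's bike",
    'description' => "x'); DROP TABLE `add`; --",
];

$id  = insertAd($pdo, $post);
$row = $pdo->query('SELECT * FROM `add`')->fetch(PDO::FETCH_ASSOC);

// The table still exists and both strings were stored exactly as submitted.
check($id === 1, 'one row inserted');
check($row['title'] === "O'Reilly's bike", 'title stored verbatim');
check($row['description'] === "x'); DROP TABLE `add`; --", 'description stored verbatim');
echo "stored row {$id}: {$row['title']} / {$row['description']}\n";
```

The same structure works with mysqli (`prepare()`, `bind_param()`, `execute()`); what matters is that the only things spliced into the SQL text are identifiers you control, written with backticks, while every value arrives through a placeholder.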
This question already has an answer here:
Syntax error due to using a reserved word as a table or column name in MySQL
(1 answer)
Closed 8 years ago.
Hi, I have the following error with the code below. I have another statement which works, but it is against another table and without the project_id column.
(
[0] => 42000
[1] => 1064
[2] => You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'change (title, description, project_id) VALUES ('Test1', 'Test1', '1')' at line 1
)
$sql = "INSERT INTO change (title, description, project_id) VALUES (:title, :description, :project_id)";
$query = $db->prepare($sql);
$query->execute(array(":title" => $title,
":description" => $description,
":project_id" => $row_id));
$arr = $query->errorInfo();
print_r($arr);
Where have I gone wrong?
Always encapsulate your table and field names in backticks:
INSERT INTO `change` (`title`, `description`, `project_id`) VALUES (:title, :description, :project_id)
In this case, CHANGE is a keyword in MySQL, so MySQL doesn't interpret it as a table name.
When you create tables, always check here for reserved keywords in MySQL.
Your table name is a reserved keyword, which is why you have these errors.
Use backticks to fix the problem. But I would recommend that you change the table name.
Sometimes people find it hard to locate the backtick; it's above your Tab key if you are using a normal QWERTY or AZERTY keyboard.
This question already has an answer here:
Syntax error due to using a reserved word as a table or column name in MySQL
(1 answer)
Closed 8 years ago.
I am having problems with this MySql query:
INSERT INTO groups (NAME, DESC, TIME, OWNER) VALUES ('$GNAME', '$DESC', '$TIME', '$UID')
Essentially, the script adds the Group Name, Description, Time and the Username of the person who registered the Group into the MySQL database.
Full script:
<?php
include_once('include/session.php');
$GNAME = $_POST['groupname'];
$DESC = $_POST['desc'];
$SPAM = $_POST['spam'];
$UID = $_POST['UID'];
$TIME = date('Y-m-d H:i:s');
if($SPAM == "queuee"){
$query ="INSERT INTO groups (NAME, DESC, TIME, OWNER) VALUES ('$GNAME','$DESC','$TIME', '$UID')";
$result = mysql_query($query) or die("There as been an Error! <hr>Error:<hr>".mysql_error() ."<br><hr>Go Back");
header("Location: ../group.php?id=$GNAME");
}else{
?>
The Security Question was wrong. Try Again.
<?php
}
?>
I ran the query directly in MySQL itself using phpMyAdmin. However, it still threw an error.
The error is:
#1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'DESC, TIME, OWNER) VALUES ('$GNAME', '$DESC', '$TIME', '$UID')' at line 1
Any help at all is much appreciated and perhaps I am being a complete fool and not noticing an obvious mistake. If you need any more information just ask!
Many Thanks.
"DESC" is a keyword. Put it in backquotes.
..., `DESC`, ...
DESC is a reserved keyword. If you must use it for a column name, wrap it in backticks:
`DESC`
Try:
$query ="INSERT INTO groups (`NAME`, `DESC`, `TIME`, `OWNER`) VALUES ('$GNAME','$DESC','$TIME', '$UID')";
You're using reserved words as column names - PHP gets terribly confused in that case.
I should also add that your code is open to SQL injection, and you should look at moving away from using the mysql_* functions.
The quickstart guide for mysqli is at http://www.php.net/manual/en/mysqli.quickstart.php
PDO is another option; the information on prepared statements is at http://www.php.net/manual/en/pdo.prepared-statements.php
DESC is an SQL keyword; use backticks (``) to quote column names:
$query ="INSERT INTO `groups` (`NAME`, `DESC`, `TIME`, `OWNER`) VALUES ('$GNAME','$DESC','$TIME', '$UID')";
According to MySQL Reserved Words, the word DESC can't be used as a field name unless you enclose it in backticks.
Put single (or double maybe) quotes around DESC in the "INSERT INTO groups" part. DESC is a reserved word and must be quoted.
Use
$DESCRIPTION = $_POST['desc'];
instead of
$DESC = $_POST['desc'];
and use the $DESCRIPTION variable in your query:
$query ="INSERT INTO groups (NAME, DESC, TIME, OWNER) VALUES ('$GNAME','$DESCRIPTION','$TIME', '$UID')";
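The `change` answer above says to always wrap table and field names in backticks, and the `DESC` answers say the same for that column. Placeholders cannot carry identifiers, only values, so when a table or column name lives in a PHP variable the quoting has to be done by code. The following is an added example, not taken from any answer on this page. It shows a small quoting helper that doubles any embedded backtick (MySQL's escaping rule inside a backtick-quoted identifier) together with an allowlist of known column names, used to build the `groups` INSERT and a user-selectable ORDER BY. Quoting every identifier this way also removes the need to guess whether a particular name is reserved. It runs on in-memory SQLite, which accepts MySQL-style backtick quoting, so no server is needed; the table mirrors the `groups` table in the question and the rows are constructed data. Requires PHP 8 for `str_contains()`.

```php
<?php
// Added example (not from the answers above): safe handling of identifiers
// that arrive in PHP variables. Runs on in-memory SQLite; the same SQL text
// is what MySQL expects.

/**
 * Quote one identifier for MySQL. An embedded backtick is doubled, which is
 * MySQL's escaping rule inside a backtick-quoted identifier. Empty names,
 * names over MySQL's 64-character identifier limit and NUL bytes are rejected.
 * The quoting protects the SQL grammar; the allowlist below protects the schema.
 */
function quoteIdentifier(string $name): string
{
    if ($name === '' || strlen($name) > 64 || str_contains($name, "\0")) {
        throw new InvalidArgumentException('invalid identifier');
    }
    return '`' . str_replace('`', '``', $name) . '`';
}

/**
 * Accept a column name only if it is one we know about (exact match), then
 * quote it. Anything user-supplied that names a column must pass through here.
 */
function allowedColumn(string $name, array $allowed): string
{
    if (!in_array($name, $allowed, true)) {
        throw new InvalidArgumentException("unknown column: {$name}");
    }
    return quoteIdentifier($name);
}

/** Rows sorted by a caller-chosen column; only allowlisted names reach the SQL. */
function listGroups(PDO $pdo, string $sortBy, array $columns): array
{
    $sql = 'SELECT ' . quoteIdentifier('NAME') . ' FROM ' . quoteIdentifier('groups')
         . ' ORDER BY ' . allowedColumn($sortBy, $columns);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// The schema as the code knows it: this array, never the request, decides
// which identifiers appear in the SQL.
$columns = ['NAME', 'DESC', 'TIME', 'OWNER'];

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE ' . quoteIdentifier('groups') . ' ('
    . implode(', ', array_map(fn (string $c) => quoteIdentifier($c) . ' TEXT', $columns))
    . ')');

// INSERT with every identifier quoted and every value bound positionally.
$sql = sprintf(
    'INSERT INTO %s (%s) VALUES (%s)',
    quoteIdentifier('groups'),
    implode(', ', array_map('quoteIdentifier', $columns)),
    implode(', ', array_fill(0, count($columns), '?'))
);
$insert = $pdo->prepare($sql);
$insert->execute(['ops',   'on-call rota',    '2024-01-01 00:00:00', 'alice']); // constructed
$insert->execute(['admin', "it's the admins", '2024-01-02 00:00:00', 'bob']);   // constructed

// Sorting by the reserved-word column works because it is quoted: ["admin", "ops"].
var_dump(listGroups($pdo, 'DESC', $columns));

// A hostile column name never reaches the SQL: the allowlist rejects it first.
try {
    listGroups($pdo, 'NAME`; DROP TABLE `groups`; --', $columns);
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}

// Even without the allowlist, the doubled backticks keep the payload inside
// one identifier: `NAME``; DROP TABLE ``groups``; --`
echo quoteIdentifier('NAME`; DROP TABLE `groups`; --'), "\n";
```

The allowlist is the real control: quoting alone turns the attacker's string into a single (nonexistent) column name, which still produces an error message an attacker can probe. Comparing against the known schema first means unexpected input fails closed before any SQL is built.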
This question already has an answer here:
Syntax error due to using a reserved word as a table or column name in MySQL
(1 answer)
Closed 8 years ago.
I'm currently following a PHP tutorial, and I've got the following code:
$sql = "insert into practice (title, synopsis, genre, release, score, poster)
values('{$title}','{$synopsis}','{$genre}','{$release}','{$score}','{$poster}')";
if ($result = $mysqli->query($sql)) {
// movie successfully added
// redirect to index.php
header("Location: index.html");
exit;
}
elseif ($mysqli->connect_errno) {
// there was a database error when inserting
printf("Insert failed: %s\n", $mysqli->error);
}
else {
printf("Sorry this isn't working! Insert failed: %s\n", $mysqli->error);
}
I'm currently getting the error that states "Sorry this isn't working..." the mysqli error simply states:
You have an error in your SQL syntax;
check the manual that corresponds to your MySQL server version for the right syntax
to use near 'release, score, poster) values ('fa','f','ff','ff','ff','ff')' at line 1.
I'm a complete newbie, so I'm a bit lost in terms of what the syntax error might actually be. Thanks for any help in advance.
release is a reserved keyword in MySQL 5.1.
You need to wrap it in backticks:
$sql = "insert into practice (title, synopsis, genre, `release`, score, poster)
values('{$title}','{$synopsis}','{$genre}','{$release}','{$score}','{$poster}')";
"release" seems to be a keyword of MySQL.
Try to escape the keyword with "`":
$sql = "insert into practice (title, synopsis, genre, `release`, score, poster)
values('{$title}','{$synopsis}','{$genre}','{$release}','{$score}','{$poster}')";
It says the syntax problem starts right at "release". Since it doesn't look like a syntax error, it's probably a reserved word. See http://dev.mysql.com/doc/refman/5.5/en/reserved-words.html.