This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Syntax error due to using a reserved word as a table or column name in MySQL
(1 answer)
Closed 8 years ago.
I have this following sql code:
$sql = "INSERT INTO data (Artist, Name) VALUES ('TF2', 'you're right behind me')";
The code itself looks normal but for some reason mysql doesn't want to allow me to save it. I get the following error:
"#1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 're right behind me')' at line 1"
What I know the problem is because of the word "right" being reserved in mysql but I need to save it so how should my code look like. All help is appreciated
As #Fred and #JunM have already commented, you have two issues. The first is that Name is a reserved word. The second is that you have a single quote inside your single quoted string. Change your SQL to this:
$sql = "INSERT INTO data (`Artist`, `Name`) VALUES ('TF2', 'you\'re right behind me')";
Your problem is because you have an ' in the word you're. So your string is terminating too early in your sentence. Use you\'re instead to escape the character '
$sql = "INSERT INTO data (`Artist`, `Name`) VALUES ('TF2', 'you\'re right behind me')";
My experience with MySQL is limited, but I use SQL Server extensively. To me it seems that the problem is in the apostrophe used in the "you're right behind me". In SQL Server, I'd have to use a double apostrophe, so the SQL instruction would be something like this (notice the double apostrophe in the you''re):
$sql = "INSERT INTO data (Artist, Name) VALUES ('TF2', 'you''re right behind me')";
Hope this helps.
Regards
This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
Closed 6 years ago.
I program some PHP scripts and I wrote this SQL query (for example):
INSERT INTO `table1` (`article`, `typ`)
VALUES(`test`, `test2`)
This query works.
My problem is that if I write the table name and columns like this 'table1'
I get an SQL error:
SQL Error(1064): You have an error in your SQL Syntax; check the manual that corresponds to your MariaDB server Version for the right syntax to use near ''article', 'typ') VALUES('test', 'test1')'
Does anybody know why I have to write it like this `table1` and why it doesn't work with normal --> ' ?
Server-Typ: MariaDB
Server-Version: 10.1.9-MariaDB - mariadb.org binary distribution
Server-Zeichensatz: UTF-8 Unicode (utf8)
The right way to write the code is:
INSERT INTO table1(article, typ)
VALUES ('test', 'test2')
All of the identifiers (table and column names) are valid names. They do not need to be escaped. Hence, no backticks are necessary.
You do need single quotes for quoted strings, not backticks. If the backticks are part of the name, you could just do:
INSERT INTO table1(article, typ)
VALUES ('`test`', '`test2`');
But that seems highly unlikely.
This question already has answers here:
How to deal with SQL column names that look like SQL keywords?
(17 answers)
Syntax error due to using a reserved word as a table or column name in MySQL
(1 answer)
Closed 6 years ago.
update cometchat set read='1' where id='18'
SQL Error 156:Incorrect syntax near the keyword 'read'.
Can you guys help me how do I do that?
Read is a reserved word. You need to escape it.
Also, if the values are integers, you should not use the single quotes around them.
If it's SQL Server (and it is, based on the error message), you need to use square brackets:
update cometchat set [read]=1 where id=18
In MySQL, your query should look like this:
update cometchat set `read`=1 where id=18
You shouldn't put quotes around int values in your query as it converts them to type string.
Should I quote numbers in SQL?
UPDATE cometchat SET `read`=1 WHERE id=18
Edit:
You're also using a reserved keyword, and need to escape it, see:
https://dev.mysql.com/doc/refman/5.5/en/keywords.html
Seriously...
UPDATE cometchat SET `read`=1...
"read" is a restricted keyword. It needs to be quoted.
This question already has an answer here:
Syntax error due to using a reserved word as a table or column name in MySQL
(1 answer)
Closed 7 years ago.
I have a simple PHP INSERT INTO SQL statement that simply refuses to update several columns at once. I have no idea why, but the following statement is acceptable:
$sql = "INSERT INTO niceTable (first) VALUES ('Hello')";
However, if I try the following
$sql = "INSERT INTO niceTable (first, last) VALUES ('Hello', 'You')";
it breaks down and throws the following error:
"Error updating record: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'desc) VALUES ('Hello', 'update')' at line 1"
I have checked the syntax, but it seems ok. I am using a one.com server. Anyone got any tips?
Your actual query (not the one in your question) seems different. The error message seems to have desc somewhere, which is a reserved word. If you use reserved words as column names (don't), you should enclose them in backticks:
INSERT INTO tbl (`order`, `desc`) VALUES ('foo', 'bar');
As per your "posted code":
The reason being that first and last are MySQL reserved words
https://dev.mysql.com/doc/refman/5.5/en/keywords.html
and require special attention.
Either wrap them in ticks or rename them to something other than reserved keywords.
INSERT INTO niceTable (`first`, `last`)
Edit: However, your error doesn't support the issue here, nor the column name(s):
for the right syntax to use near 'desc)
this tells me you are using desc which is also another MySQL reserved word.
You should also use prepared statements
https://en.wikipedia.org/wiki/Prepared_statement
Plus, should your inputs contain characters that MySQL may complain about such as apostrophes John O'Neil then you will need to escape those values.
MySQL will interpret that as ('Hello', 'John O'Neil') in turn causing another syntax error.
Escaping it, would interpret it as ('Hello', 'John O\'Neil') making it valid.
I'm thinking ahead here.
Enclose your column names in backticks
Last is a function in MySQL
$sql = "INSERT INTO niceTable (`first`, `last`) VALUES ('Hello', 'You')";
This question already has an answer here:
Syntax error due to using a reserved word as a table or column name in MySQL
(1 answer)
Closed 7 years ago.
I am a new user of PHP. I am trying to insert into a table using the following query:
$insert = "INSERT INTO forget (key,user_name) values('Abc','Xyz')";
mysql_query($insert);
echo mysql_error();
Output:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'key,user_name) values('abc','xyz')' at line 1
MySQL has a few reserved words which will cause queries using them to fail. In this case it is key.
You can either change the column name (also known as "key" which is why it fails) or you can escape the term with backticks like so:
$insert = "INSERT INTO forget (`key`,user_name) values('Abc','Xyz')";
Here is the list of words that MySQL has reserved and that can't be used as a table or field name in a query unless escaped using backticks. You can use them as your field name, but when you query it, it must be escaped using " ` ".
In your case, key is a reserved word. So you must escape it using backticks.
Here is a list of mysql reserved words : https://dev.mysql.com/doc/refman/5.5/en/reserved-words.html
This question already has answers here:
Closed 11 years ago.
Possible Duplicate:
Can a number used to name a sql column
I am trying to figure out what is wrong with this code
$query = "UPDATE $table SET '$_GET[qty]'=$_GET[newprice] WHERE 'id'='1'";
this is what $query looks like - UPDATE retail_12x18 SET '25'=100 WHERE 'id'='1'
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''25'=100 WHERE 'id'='1'' at line 1
I have put backticks ' every which way and can't get it to go through, always the same error message.
use backtick around your field name:
UPDATE table SET `25` = '{thevalue}', `100` = '{thevalue}', `200` = '{thevalue}' WHERE wherefield = '{wherevalue}'
See here (look for backtick word): http://dev.mysql.com/doc/refman/5.0/en/identifiers.html
It's a bit hard to know for sure, without seeing the table definition, but:
[1] It might be the column types. For instance this bit:
type=" .$_GET['type'];
is trying to set the value of the "type" column without using quotes. It will fail if the "type" column is type like varchar, for example.
[2] You need to use backticks if you're going to have numeric column names
[3] It really must be said that the main thing that's wrong with your code is that you are putting un-escaped $_GET values into your SQL query. Anyone could mount an SQL injection attack by putting SQL into the URL of the page. Very bad practice.
http://en.wikipedia.org/wiki/SQL_injection
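The points raised in the answers above (backtick-quoted identifiers, apostrophes inside values, and request data placed directly into the query), put together as an added example that is not code from any of the posts. It assumes PDO with an in-memory SQLite database so it runs without a server; the `PRICE_COLUMNS` allow-list and the `quoteIdentifier` and `updatePrice` helpers are hypothetical names.

```php
<?php
// Added example, not code from the posts. Uses an in-memory SQLite database
// (which also accepts MySQL-style backtick identifiers) so it runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE retail_12x18 (id INTEGER PRIMARY KEY, `25` INTEGER, `100` INTEGER, `200` INTEGER)');
$pdo->exec('INSERT INTO retail_12x18 (id, `25`, `100`, `200`) VALUES (1, 0, 0, 0)');
$pdo->exec('CREATE TABLE data (`Artist` TEXT, `Name` TEXT)');

// Identifiers cannot be bound as parameters, so a request-supplied column
// name is only accepted if it appears in a fixed allow-list.
const PRICE_COLUMNS = ['25', '100', '200'];   // hypothetical quantity columns

function quoteIdentifier(string $name): string
{
    // Backtick-quote the name and double any embedded backtick.
    return '`' . str_replace('`', '``', $name) . '`';
}

function updatePrice(PDO $pdo, string $qty, string $newPrice): int
{
    if (!in_array($qty, PRICE_COLUMNS, true)) {
        throw new InvalidArgumentException('unknown quantity column');
    }
    if (!ctype_digit($newPrice)) {
        throw new InvalidArgumentException('price must be a whole number');
    }
    $sql = 'UPDATE retail_12x18 SET ' . quoteIdentifier($qty) . ' = :price WHERE id = :id';
    $stmt = $pdo->prepare($sql);
    $stmt->execute([':price' => (int) $newPrice, ':id' => 1]);
    return $stmt->rowCount();
}

// Constructed inputs standing in for $_GET['qty'] and $_GET['newprice'].
echo updatePrice($pdo, '25', '100'), " row updated\n";
try {
    updatePrice($pdo, 'id', '1');   // a real column, but not in the allow-list
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

// Values are bound, so an apostrophe needs no manual escaping.
$stmt = $pdo->prepare('INSERT INTO data (`Artist`, `Name`) VALUES (?, ?)');
$stmt->execute(['TF2', "you're right behind me"]);
echo $pdo->query('SELECT `Name` FROM data')->fetchColumn(), "\n";
```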