This question already has an answer here:
Syntax error due to using a reserved word as a table or column name in MySQL
(1 answer)
Closed 8 years ago.
I am having problems with this MySql query:
INSERT INTO groups (NAME, DESC, TIME, OWNER) VALUES ('$GNAME', '$DESC', '$TIME', '$UID')
Essentially, the script adds the Group Name, Decription, Time and the Username of the person who registered the Group, into the mysql database.
Full script:
<?php
include_once('include/session.php');
$GNAME = $_POST['groupname'];
$DESC = $_POST['desc'];
$SPAM = $_POST['spam'];
$UID = $_POST['UID'];
$TIME = date('Y-m-d H:i:s');
if($SPAM == "queuee"){
$query ="INSERT INTO groups (NAME, DESC, TIME, OWNER) VALUES ('$GNAME','$DESC','$TIME', '$UID')";
$result = mysql_query($query) or die("There as been an Error! <hr>Error:<hr>".mysql_error() ."<br><hr>Go Back");
header("Location: ../group.php?id=$GNAME");
}else{
?>
The Security Question was wrong. Try Again.
<?
}
?>
I ran the Query directly into MySql itself using Phpmyadmin. However it still threw an error.
The error is:
#1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'DESC, TIME, OWNER) VALUES ('$GNAME', '$DESC', '$TIME', '$UID')' at line 1
Any help at all is much appreciated and perhaps I am being a complete fool and not noticing an obvious mistake. If you need any more information just ask!
Many Thanks.
"DESC" is a keyword. Put it in backquotes.
..., `DESC`, ...
DESC is a reserved keyword. If you must use it for a column name, wrap it in backticks:
`DESC`
Try:
INSERT INTO groups (`NAME`, `DESC`, `TIME`, `OWNER`) VALUES ('$GNAME','$DESC','$TIME', '$UID')";
You're using reserved words as column names - PHP gets terribly confused in that case.
I should also add that your code is open to SQL injection, and you should look at moving away from using the mysql_* functions.
The quickstart guide for mysqli is at http://www.php.net/manual/en/mysqli.quickstart.php
PDO is another option; the information on prepared statements is at http://www.php.net/manual/en/pdo.prepared-statements.php
DESC is SQL keyword, use `` to escape column names:
$query ="INSERT INTO `groups` (`NAME`, `DESC`, `TIME`, `OWNER`) VALUES ('$GNAME','$DESC','$TIME', '$UID')";
According to MySQL Reserved Words, the word `DESC can't be used as a field name, unless you enclose it with backticks.
Put single (or double maybe) quotes around DESC in the "INSERT INTO groups" part. DESC is a reserved word and must be quoted.
use
$DESCRIPTION = $_POST['desc'];
inseted of
$DESC = $_POST['desc'];
$DESCRIPTION variable use in you query
$query ="INSERT INTO groups (NAME, DESC, TIME, OWNER) VALUES ('$GNAME','$DESCRIPTION','$TIME', '$UID')";
Related
This question already has answers here:
Using SQL keyword in title of table or column
(2 answers)
Closed 9 years ago.
I'm getting this error when trying to insert data into the database
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'add (price, catID, subCatID, title, description) VALUES ('1500', '1', '1', 'aaa'' at line 1
Here is my code. Could you please help me to solve this problem.
require "dbConnect.php";
dbConnect();
$category = mysql_real_escape_string($_POST['catID']);
$sub_category = mysql_real_escape_string($_POST['subCatID']);
$title = mysql_real_escape_string($_POST['title']);
$description = mysql_real_escape_string($_POST['description']);
$price = mysql_real_escape_string($_POST['price']);
I have included the relevant code here
$insert_data = mysql_query("INSERT INTO add (price, catID, subCatID, title, description) VALUES ('$price', '$category', '$sub_category', '$title', '$description')");
if($insert_data === FALSE)
{
die(mysql_error());
}
ADD is a MySQL reserved keyword which you must quote with backticks if it is used as a table or column name. If you have an opportunity to change the schema, it is advisable not to use a reserved word since you're likely to encounter this again in the future, as will future developers on your code.
$insert_data = mysql_query("INSERT INTO `add` (price, catID, subCatID, title, description) VALUES ('$price', '$category', '$sub_category', '$title', '$description')");
//-------------------------------------^^^^^^^
As you've probably seen already, the mysql_*() extension has been deprecated in PHP 5.5, and will eventually be removed. Rather than continuing to write new code with it, it is advisable to start learning prepared statements in PDO or MySQLi.
I'm trying to insert some values into the database using information posted on a form through php
following is the code that i'm using for insertion
$query=mysql_query("select * from poll_question where question = '$question'") or die(mysql_error());
$numrows=mysql_num_rows($query);
if($numrows)
{
while($row=mysql_fetch_assoc($query))
{
$dbid=$row['id'];
}
}
$sql1 = "INSERT INTO poll_option(option , poll_id ,click)
VALUES('$_POST[optionone]',
'$dbid' , 0)";
$result1 = mysql_query($sql1);
echo "1 record added";
echo mysql_error();
$sql2 = "INSERT INTO poll_option(option , poll_id , click)
VALUES('$_POST[optiontwo])',
'$dbid', 0)";
$result2 = mysql_query($sql2);
echo mysql_error();
$sql3 = "INSERT INTO poll_option(option , poll_id, click)
VALUES('$_POST[optionthree])',
'$dbid ', 0)";
$result3 = mysql_query($sql3);
echo mysql_error();
now i'm getting the following output
You have an error in your SQL syntax;
check the manual that corresponds to your MySQL server version for the right syntax to use near 'option , poll_id ,click) VALUES('sj', '24' , 0)' at line 1
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'option , poll_id , click) VALUES('dsdg', '24', 0)' at line 1
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'option , poll_id, click) VALUES('xzf', '24 ', 0)' at line 1
The part under the "values" syntax is the one that i'm trying to insert. that information is correct.that is VALUES('xzf', '24 ', 0) is Correct and i want to insert this only , but their is some problem with the syntax.Any suggestions?
What echo_me said.
Additionally, in $sql2 and $sql3 you are closing the VALUES (...) parenthesis too soon:
VALUES('$_POST[optiontwo])',
^ remove this
Your $sql1 is correct.
OPTION is reserved keyword for mysql
try use backticks around it in all your queries
like that:
`option`
look reserved keywords here
In addition to what echo_me stated in removing the parentheses incorrectly added to $sql2 and $sql3, you really should migrate over to mysqli (since mysql is deprecated) and at least use the real escape string option on your post variable before automatically inserting whatever is posted to the script into your database. A good example for your code is:
$post_option1 = mysql_real_escape_string($_POST['optionone']);
$post_option2 = mysql_real_escape_string($_POST['optiontwo']);
$sql1 = "INSERT INTO poll_option (`option`, `poll_id`, `click`) VALUES('$post_option1', '$dbid', 0)";
$sql2 = "INSERT INTO poll_option (`option`, `poll_id`, `click`) VALUES('$post_option2', '$dbid', 0)";
My opinion is it would make things simpler for you as well. The info on the real escape string can be found here:
http://php.net/manual/en/function.mysql-real-escape-string.php
It's against best practice to insert a POST or GET directly into your database without any form of mitigation against SQL injection.
Try to avoid using mysql functions, but rather learn to use PDO functions. They have a number of advantages over mysql functions, although im really sorry, i dont remember them right now, and i dont want to say anything that's not true.
Also, i dont think that the mysql functions can prevent SQL injection, which can let any user alter your Database however they want.
Most importantly though, is that they're deprecated in PHP 5.5
Sorry if i didn't solve your question, just thought to let you know. Good luck, maybe you can get it to work with the new functions.
Update: Sorry, didn't see the comments and posts about switching to mysqli and such.
I am using following insert command to insert value in my db table called demo_organization
$sql = "INSERT INTO demo_organization (org_name, abn_acn_no, org_url,city,
state, country, pin, street, primary_mobile,
secondary_mobile, primary_landline,
secondary_landline, primary_email, secondary_email)
VALUES ($org_name, $abn_acn_no, $org_url, $city, $state, $country,
$pin, $street, $primary_mobile, $secondary_mobile,
$primary_landline, $secondary_landline, $primary_email,
$secondary_email)";
$result = mysql_query($sql) or die (mysql_error());
in php
but i am getting error like
You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use
near '://loc.com,Melburn,Melburn,Australia,56007,123 park
avenue,+6190567890,+89685552' at line 2
i am completely new in php mysql please tell me what i am doing wrong
You are missing single quotes around the text values:
insert into demo (org_name, abn_acn_no) values ('$org_name', abn_acn_no);
// assumes that abn_acn_no is numeric.
You also cannot pass an empty variable into the query. If you don't have it, you will need to insert it as , null, rather than as a variable with no value - which would result in , , which SQL won't accept - even if the column accepts null values.
If you will be using MYSQL, you need to escape the values mysql_escape_string($string)
There is a problem with the url provided in the query, try escaping it and running it again.
Otherwise, MYSQL is becoming depreciated, use MYSQLi or PDO
http://php.net/manual/en/book.mysqli.php
http://php.net/manual/en/book.pdo.php
your code is vulverable with your sql injection. I'll recomend MYSQLi or PDO. But anyway, your values that are string format should be wrap with single quotes.
$sql = "INSERT INTO demo_organization (org_name, abn_acn_no, org_url,city,
state, country, pin, street, primary_mobile,
secondary_mobile, primary_landline,
secondary_landline, primary_email, secondary_email)
VALUES ('$org_name', 'abn_acn_no, '$org_url', '$city', ...,
'$secondary_email')";
I don't know what's wrong with my syntax, but I'm missing something:
$createrequest = mysql_query("INSERT INTO products_updates_queue (id, kid,
product_version_id, key, ip) VALUES ('$request_id', '$uid', '$version_id',
'$request_key', '$request_ip')");
I receive this error:
"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'key, ip) VALUES ('j4ctveyd0x62', '1', 'z451ah3', 'hqbyu7bhg8za', '64.134.163.2' at line 2"
Can anyone see what I am missing?
I think key is a reserved word, and you should avoid using it as a column name. Try using backticks around it:
$createrequest = mysql_query("INSERT INTO products_updates_queue (id, uid, product_version_id, `key`, ip) VALUES ('$request_id', '$uid', '$version_id', '$request_key', '$request_ip')");
key is a reserved word in MySQL. Avoid it, or wrap it in backticks.
Edit: And I hope you escaped the variables you're putting into that query.
I'm having problems with an INSERT statement, and the error only says:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
It's not helpful at all.
The version I have tried so far and failed is:
mysql_query("INSET INTO `cos` VALUES ('".$_GET['prod']."','".$_GET['page']."')");
[needless to say that the two variables when printed show the right values]
I've also tried versions with nothing around the table name, with ` or ', a million combinations really and nothing works. Not even with constants or into different tables. It just won't insert anything ever. I've checked the privileges (I'm logging into it with root), and it's all on.
I've tried similar stuff on two different machines with the same server (XAMPP 1.7.7) and it works. I'm completely baffled! What can it be?
Thank you for your time!
First and foremost, just type INSERT correctly.
Using _GET like that really opens you up to SQL INJECTIONS...
Do take a look into MySQL prepared statements.
It is also considered good practice to name the columns that you're inserting data into. That allows you to, latter on, insert extra-columns and keep application logic.
INSERT INTO cos(rowName1, rowName2) VALUES(?, ?)
Where ? would be prepared statements.
Correct:
mysql_query("INSERT INTO `cos` VALUES ('".$_GET['prod']."','".$_GET['page']."')");
Have you tried passing the $link to mysql_query ?
Like:
mysql_query("INSERT INTO `cos` VALUES ('".$_GET['prod']."','".$_GET['page']."')", $link);
EDIT:
And of course you must take some security measures before inserting anything into the database, maybe mysql_real_escape_string() or even prepared statements.
You are doing it wrong. Why aren't you escaping the values?
Php.net documentation is providing some good and safe working examples:
$query = sprintf("SELECT firstname, lastname, address, age FROM friends
WHERE firstname='%s' AND lastname='%s'",
mysql_real_escape_string($firstname),
mysql_real_escape_string($lastname));
// Perform Query
$result = mysql_query($query);
So adapted to your code:
$query = sprintf("INSERT INTO `cos` VALUES (%s, %s);",
mysql_real_escape_string($_GET['prod']),
mysql_real_escape_string($_GET['page']));
$result = mysql_query($query);
Please, always escape your values. And use INSERT, not INSET :)
first this is you are using INSET make it correct with INSERT like
$pro = mysql_real_escape_string($_GET['prod']);
$page = mysql_real_escape_string($_GET['page']);
mysql_query("INSERT INTO `cos` (column1, column2)
VALUES ('$pro', '$page')" );
you forget to set the column names...
Try this:
$prod = $_GET['prod'];
$page = $_GET['page'];
mysql_insert("INSERT INTO 'cos' VALUES('$prod','$page)");
This should very well do it :)