Sign in to follow this  
EXER

[web] MySQL Syntax error! Help (PHP, mysql)

Recommended Posts

When make a entry with my form i use the following code to add the entry to my database:
<?php
if(isset($_POST['menu'])){
$con = mysql_connect("localhost","user","pass");
mysql_select_db("database", $con);
$sql="INSERT INTO menu (1, 3, 5, 7, 9, notes, order)
VALUES
('$_POST[1]','$_POST[3]','$_POST[5]','$_POST[7]','$_POST[9]','$_POST[notes]','$_POST[order]')";
mysql_query($sql,$con) or die('Send error: ' . mysql_error());
  }
  ?>
It comes up with a mysql syntax error. By the way i used my username, password and database name on my site but i did not add them here :) This is the message i get: Send error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1, 3, 5, 7, 9, notes, order) VALUES ('test','test','test','test','test','test','test')' at line 1 Thanks for any help

Share this post


Link to post
Share on other sites
You really have columns named 1,3,5,7, and 9?

Try (1, 3, 5, 7, 9, notes, `order`) instead.


Edit: I guess it is backticks instead of []s in MySQL.

Share this post


Link to post
Share on other sites
Columns named 1, 3, 5, 7 and 9? Wow, you're almost ripe for TDWTF.

Anyway, aaron_ds is close. You need to use backticks. But you need to use them on the numbers instead:

INSERT INTO menu (`1`, `3`, `5`, `7`, `9`, notes, order) ...

Share this post


Link to post
Share on other sites
Quote:
Original post by Sander
Anyway, aaron_ds is close. You need to use backticks. But you need to use them on the numbers instead:
'order', as in 'order by', is also an SQL keyword.

Share this post


Link to post
Share on other sites
Quote:
Original post by ToohrVyk
Quote:
Original post by Sander
Anyway, aaron_ds is close. You need to use backticks. But you need to use them on the numbers instead:
'order', as in 'order by', is also an SQL keyword.


I think it depends on the dialect whether it is considered a keyword in that context.

edit: Looks like the ANSI grammar specification is not freely available, sorry.

edit2: Looks like MySql defines "order" as a reserved word (MySql 5.1: Reserved words, but e.g. Basis SQL seems to reserve "ORDERBY" only (Basis SQL Reserved words).

edit3: Okay, according to this, "ORDER" is a reserved word in ANSI Sql 2003. Note that SQL is not case sensitive, though some dialects are.

Share this post


Link to post
Share on other sites
Look, i am not the best person at naming things, i have other numbers but i want to keep there defaults. Why should i not name things as numbers? Moving on...


Thanks anyway.

Share this post


Link to post
Share on other sites
Quote:
Original post by Kylotan
You might also want to consider what happens if someone types "'); DROP TABLE menu; SELECT ('" in the notes field of your form.


Depending on the PHP version and configuration, it might do nothing but spit back an error, since they've disabled that feature in all current versions because most PHP developers are idiots who couldn't spell "SQL Injection" even if it was right in front of their noses.

Share this post


Link to post
Share on other sites
Quote:
Original post by Kylotan
You might also want to consider what happens if someone types "'); DROP TABLE menu; SELECT ('" in the notes field of your form.


Share this post


Link to post
Share on other sites
Using addslashes, or mysql_real_escape would do it. You need to get rid of the apostrophes (single quotes) in the input, in some way.

Oh, and LOL!

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

Sign in to follow this