Back to General and Gameplay Programming

[web] MySQL Syntax error! Help (PHP, mysql)

General and Gameplay Programming Programming

Started by EXER June 09, 2009 05:46 PM

9 comments, last by ID Merlin 14 years, 9 months ago

EXER

122

Author

June 09, 2009 05:46 PM

When make a entry with my form i use the following code to add the entry to my database:


<?php
if(isset($_POST['menu'])){
$con = mysql_connect("localhost","user","pass");
mysql_select_db("database", $con);
$sql="INSERT INTO menu (1, 3, 5, 7, 9, notes, order)
VALUES
('$_POST[1]','$_POST[3]','$_POST[5]','$_POST[7]','$_POST[9]','$_POST[notes]','$_POST[order]')";
mysql_query($sql,$con) or die('Send error: ' . mysql_error());
  }
  ?>

It comes up with a mysql syntax error. By the way i used my username, password and database name on my site but i did not add them here :) This is the message i get: Send error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1, 3, 5, 7, 9, notes, order) VALUES ('test','test','test','test','test','test','test')' at line 1 Thanks for any help

aaron_ds

486

June 09, 2009 05:53 PM

You really have columns named 1,3,5,7, and 9?

Try (1, 3, 5, 7, 9, notes, `order`) instead.

Edit: I guess it is backticks instead of []s in MySQL.

Sander

1,332

June 10, 2009 02:16 AM

Columns named 1, 3, 5, 7 and 9? Wow, you're almost ripe for TDWTF.

Anyway, aaron_ds is close. You need to use backticks. But you need to use them on the numbers instead:

INSERT INTO menu (`1`, `3`, `5`, `7`, `9`, notes, order) ...

<hr />
Sander Marechal<small>[Lone Wolves][Hearts for GNOME][E-mail][Forum FAQ]</small>

ToohrVyk

1,596

June 10, 2009 03:07 AM

Quote:Original post by Sander
Anyway, aaron_ds is close. You need to use backticks. But you need to use them on the numbers instead:

'order', as in 'order by', is also an SQL keyword.

Blog — Facebook

phresnel

953

June 10, 2009 03:29 AM

Quote:Original post by ToohrVyk
Quote:Original post by Sander
Anyway, aaron_ds is close. You need to use backticks. But you need to use them on the numbers instead:
'order', as in 'order by', is also an SQL keyword.

I think it depends on the dialect whether it is considered a keyword in that context.

edit: Looks like the ANSI grammar specification is not freely available, sorry.

edit2: Looks like MySql defines "order" as a reserved word (MySql 5.1: Reserved words, but e.g. Basis SQL seems to reserve "ORDERBY" only (Basis SQL Reserved words).

edit3: Okay, according to this, "ORDER" is a reserved word in ANSI Sql 2003. Note that SQL is not case sensitive, though some dialects are.

[~/www/ — ~/projects/picogen — ~/projects/metatrace]

Kylotan

10,510

June 10, 2009 11:48 AM

You might also want to consider what happens if someone types "'); DROP TABLE menu; SELECT ('" in the notes field of your form.

EXER

122

Author

June 10, 2009 01:15 PM

Look, i am not the best person at naming things, i have other numbers but i want to keep there defaults. Why should i not name things as numbers? Moving on...

Thanks anyway.

Washu

7,836

June 10, 2009 01:17 PM

Quote:Original post by Kylotan
You might also want to consider what happens if someone types "'); DROP TABLE menu; SELECT ('" in the notes field of your form.

Depending on the PHP version and configuration, it might do nothing but spit back an error, since they've disabled that feature in all current versions because most PHP developers are idiots who couldn't spell "SQL Injection" even if it was right in front of their noses.

In time the project grows, the ignorance of its devs it shows, with many a convoluted function, it plunges into deep compunction, the price of failure is high, Washu's mirth is nigh.

phresnel

953

June 10, 2009 02:25 PM

Quote:Original post by Kylotan
You might also want to consider what happens if someone types "'); DROP TABLE menu; SELECT ('" in the notes field of your form.