Gatsu
Posted November 8, 2007

Hello, I get an error I don't understand, please tell me what's wrong if you know =)

I have created a table in my db and I get:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'level, desired level, world type, prem, skills, mag, eq, id, leveler, msn, Order' at line 1

The line looks like this:

$sql="INSERT INTO orders (login, vocation, current level, desired level, world type, prem, skills, mag, eq, id, leveler, msn, Order status)VALUES(".$_POST['login'].",".$_POST['select1'].",".$_POST['select2'].",".$_POST['select3'].",".$_POST['select4'].",".$_POST['select5'].",".$_POST['select6'].",".$_POST['select7'].",".$_POST['select8'].",".$_POST['leveler'].",".$_POST['msn'].",".$_POST['order status'].")";

Reg Edit
Posted November 8, 2007

INSERT INTO orders (login, vocation, current level, desired level, world type [...]

I don't do MySQL but in all the SQL I have used, you would need to do something about the spaces in the fieldnames, normally enclosing the fieldnames in square brackets:

INSERT INTO orders (login, vocation, [current level], [desired level], [world type]

Gatsu (Author)
Posted November 8, 2007

You may be right, but your solution gave me this instead ^^

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '[current level], [desired level], [world type], prem, skills, mag, eq, id,' at line 1

Thank you anyway ^^

Gatsu (Author)
Posted November 8, 2007

I removed the spaces and got:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'knight,8+,8+,Non-Pvp,Free,10/10+,0+,none,,,)' at line 3

and these are the values I tried to add.

What does syntax error mean? And line 3 where????

justsomeguy
Posted November 8, 2007

Syntax error means that the code structure is not valid, the computer doesn't know what you mean. The error in this case is that you have string values without quotes. You need to put quotes around anything that's not a number field.

Gatsu (Author)
Posted November 8, 2007

But they do have quotes:

$sql="INSERT INTO orders (login, vocation, cl, dl, wt, prem, skills, mag, eq, id, leveler, msn, os)VALUES(".$_POST['login'].",".$_POST['select1'].",".$_POST['select2'].",".$_POST['select3'].",".$_POST['select4'].",".$_POST['select5'].",".$_POST['select6'].",".$_POST['select7'].",".$_POST['select8'].",".$_POST['leveler'].",".$_POST['msn'].",".$_POST['order status'].")";

justsomeguy
Posted November 8, 2007

No they don't.

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'knight,8+,8+,Non-Pvp,Free,10/10+,0+,none,,,)' at line 3

Should be:

'knight','8+','8+','Non-Pvp','Free','10/10+','0+','none','','','')

Gatsu (Author)
Posted November 8, 2007

First try gets:

'\'knight\',\'8+\',\'8+\',\'Non-Pvp\',\'Free\',\'10/10+\',\'0+\',\'none\',,,)' at line 3

Second gets:

''login', 'vocation', 'cl', 'dl', 'wt', 'prem', 'skills', 'mag', 'eq', 'id', 'lev'

justsomeguy
Posted November 8, 2007

$sql="INSERT INTO orders (login, vocation, cl, dl, wt, prem, skills, mag, eq, id, leveler, msn, os)VALUES('".$_POST['login']."','".$_POST['select1']."','".$_POST['select2']."','".$_POST['select3']."','".$_POST['select4']."','".$_POST['select5']."','".$_POST['select6']."','".$_POST['select7']."','".$_POST['select8']."','".$_POST['leveler']."','".$_POST['msn']."','".$_POST['order status']."')";

There. That code is also vulnerable to SQL injection attacks, it's not safe to include anything from $_GET, $_POST, or $_COOKIE directly into a SQL statement without escaping it.

http://www.php.net/manual/en/security.data...l-injection.php
http://www.php.net/manual/en/function.mysq...cape-string.php

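The warning in the reply above, shown with bound parameters rather than the escaping function it links to, as an added example that is not part of the thread. It assumes PDO with an in-memory SQLite database so it runs offline; `$post`, `$fields` and `insertOrder` are hypothetical names, the sample values are constructed, and `id` is assumed to be generated by the database.

```php
<?php
// Added example, not code from the thread. Same prepare/execute calls apply with a MySQL DSN.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE orders (id INTEGER PRIMARY KEY, login TEXT, vocation TEXT,
    cl TEXT, dl TEXT, wt TEXT, prem TEXT, skills TEXT, mag TEXT, eq TEXT,
    leveler TEXT, msn TEXT, os TEXT)');

// Constructed stand-in for $_POST; note the apostrophe in the login value.
$post = [
    'login' => "D'Artagnan", 'select1' => 'knight', 'select2' => '8+',
    'select3' => '8+', 'select4' => 'Non-Pvp', 'select5' => 'Free',
    'select6' => '10/10+', 'select7' => '0+', 'select8' => 'none',
    'leveler' => '', 'msn' => '', 'order status' => '',
];

// Fixed column => form-field map, so column names never come from the request.
// `id` is omitted: assumed to be generated by the database.
$fields = [
    'login' => 'login', 'vocation' => 'select1', 'cl' => 'select2',
    'dl' => 'select3', 'wt' => 'select4', 'prem' => 'select5',
    'skills' => 'select6', 'mag' => 'select7', 'eq' => 'select8',
    'leveler' => 'leveler', 'msn' => 'msn', 'os' => 'order status',
];

function insertOrder(PDO $pdo, array $fields, array $input): int
{
    $columns = implode(', ', array_keys($fields));
    $marks   = implode(', ', array_fill(0, count($fields), '?'));
    $stmt    = $pdo->prepare("INSERT INTO orders ($columns) VALUES ($marks)");
    $values  = [];
    foreach ($fields as $field) {
        // Missing or non-string fields (e.g. arrays from name[]=) become ''.
        $values[] = is_string($input[$field] ?? null) ? $input[$field] : '';
    }
    $stmt->execute($values);   // values travel separately from the SQL text
    return (int) $pdo->lastInsertId();
}

// 1) The thread's concatenation style: the apostrophe ends the string early.
try {
    $pdo->exec("INSERT INTO orders (login) VALUES ('" . $post['login'] . "')");
} catch (PDOException $e) {
    echo "concatenated: rejected as a syntax error\n";
}

// 2) Bound parameters: the same value is stored unchanged, as data.
$id     = insertOrder($pdo, $fields, $post);
$stored = $pdo->query('SELECT login FROM orders')->fetchColumn();
echo "bound: row $id stored ", ($stored === $post['login'] ? 'verbatim' : 'altered'), "\n";
```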
Gatsu (Author)
Posted November 8, 2007

Thank you soooo much for helping me =)=)

I will look at the injection attack thing. Thank you thank you thank you thank you thank you

This topic is now archived and is closed to further replies.