Jump to content

Having A Problem With Finding The Correct Sql Syntax.


Yvil
 Share

Recommended Posts

Here I am again, with another problem.I can't figure out what syntax I should use to insert my stuff to my MySQL database.I have database version: MySQL v5This is the error I'm getting:

Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''Update, Current') VALUES ('inserted1','inserted2' at line 1*
* the text after 'VALUES' is what I tried to insert into my database.* The underlined part is what is in my PHP.And this is my PHP code now:
<?php$con = mysql_connect("localhost", "name", "pass");if (!$con)  {  die('Could not connect: ' . mysql_error());  }mysql_select_db("dbname", $con);$sql = "INSERT INTO updates ('Update, Current')	VALUES ('$_POST[update]','$_POST[current]')";if (!mysql_query($sql,$con))  {  die('Error: ' . mysql_error());  }echo "updates updated!";mysql_close($con)?>

Does anyone know the correct syntax?If so, please tell me :).Thanks,Yvil

Edited by Yvil
Link to comment
Share on other sites

same error?
Yes, unfortunately.If you think (this is what I do, but I'm unsure) it is because of my MySQL version, please say so so I can ask my hosting website to update the available MySQL versions.
Link to comment
Share on other sites

  • 1 month later...
Update is a reserved word. If you want to use a reserved word as a table or column name you need to surround it with `backquotes`.
Tried changing that, but it still doesn't work. I just can't insert stuff into a database. If someone could please write me a working script I would be very gratefull!(sorry for late reply, but I have the same problem again, this time with something I do want to be done trough PHP)
Link to comment
Share on other sites

Guest FirefoxRocks

First of all, you shouldn't insert POSTDATA directly into a database for security reasons, so this is a safer script here and hope it works:

<?php$con = mysql_connect("localhost", "name", "pass");if (!$con){	die('Could not connect: ' . mysql_error());}mysql_select_db("dbname", $con);(string)$update = mysql_real_escape_string($_POST["update"]);(string)$current = mysql_real_escape_string($_POST["current"]);(string)$sql = "INSERT INTO `updates` ('Update', 'Current') VALUES ('$update','$current');";if (!mysql_query($sql,$con)) {   die('Error: ' . mysql_error());}echo "updates updated!";mysql_close($con);?>

EDIT:I caught the error.What you have:

INSERT INTO `updates` ('Update, Current') VALUES ('$_POST[update]','$_POST[current]')

What I (basically) have:

INSERT INTO `updates` ('Update', 'Current') VALUES ('$_POST[update]','$_POST[current]')

See the difference? Unless you have a column/field called "Update, Current", there's only 1 field to insert stuff into yet you are telling MySQL to insert 2 field values.

Edited by FirefoxRocks
Link to comment
Share on other sites

Will try it tomorrow, going to bed now!Even if it doesn't work, thanks a load (I think it is what was wrong, since I tried to insert 2 values into 1 field according to the script).But could you explain how that thing makes it safer?

Edited by Yvil
Link to comment
Share on other sites

Guest FirefoxRocks

I'm not the expert of SQL injection, but perhaps these articles might help:http://www.tizag.com/mysqlTutorial/mysql-p...l-injection.phphttp://www.php.net/manual/en/security.data...l-injection.php (this one is a bit advanced)http://en.wikibooks.org/wiki/PHP_Programming/SQL_InjectionBasically, it comes down to not trusting what users input until you are sure it is safe.I guess I could show a simple example:

SELECT * FROM users WHERE `username`='{$_POST["name"]}'

Now what if the user requested a username called Yvil'; DELETE FROM users WHERE 'id'>'0?This would make the statement:

SELECT * FROM users WHERE `username`='Yvil'; DELETE FROM users WHERE 'id'>'0'

Instead of just selecting the user where the name is "Yvil", it would also delete all the rows that have an ID greater than 0 (usually all rows).To protect against this, PHP has mysql_real_escape_string(). So the query would be:

SELECT * FROM users WHERE `username`='Yvil\'; DELETE FROM users WHERE \'id\'>\'0'

Maybe you can't see the difference with the syntax highlighting, but basically it would look for a username that was Yvil'; DELETE FROM users WHERE 'id'>'0, which probably doesn't exist.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...