Yvil Posted June 6, 2009 Share Posted June 6, 2009 Here I am again, with another problem.I can't figure out what syntax I should use to insert my stuff to my MySQL database.I have database version: MySQL v5This is the error I'm getting: Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''Update, Current') VALUES ('inserted1','inserted2' at line 1* * the text after 'VALUES' is what I tried to insert into my database.* The underlined part is what is in my PHP.And this is my PHP code now:<?php$con = mysql_connect("localhost", "name", "pass");if (!$con) { die('Could not connect: ' . mysql_error()); }mysql_select_db("dbname", $con);$sql = "INSERT INTO updates ('Update, Current') VALUES ('$_POST[update]','$_POST[current]')";if (!mysql_query($sql,$con)) { die('Error: ' . mysql_error()); }echo "updates updated!";mysql_close($con)?> Does anyone know the correct syntax?If so, please tell me .Thanks,Yvil Link to comment Share on other sites More sharing options...
smerny Posted June 6, 2009 Share Posted June 6, 2009 try $sql = "INSERT INTO updates (Update, Current) VALUES ('".$_POST[update]."','".$_POST[current]."')"; Link to comment Share on other sites More sharing options...
Yvil Posted June 6, 2009 Author Share Posted June 6, 2009 Thanks for the reply, but it still doesn't work.Any other suggestions anyone? Link to comment Share on other sites More sharing options...
smerny Posted June 6, 2009 Share Posted June 6, 2009 same error? Link to comment Share on other sites More sharing options...
Yvil Posted June 6, 2009 Author Share Posted June 6, 2009 same error?Yes, unfortunately.If you think (this is what I do, but I'm unsure) it is because of my MySQL version, please say so so I can ask my hosting website to update the available MySQL versions. Link to comment Share on other sites More sharing options...
justsomeguy Posted June 8, 2009 Share Posted June 8, 2009 Update is a reserved word. If you want to use a reserved word as a table or column name you need to surround it with `backquotes`. Link to comment Share on other sites More sharing options...
Yvil Posted August 1, 2009 Author Share Posted August 1, 2009 Update is a reserved word. If you want to use a reserved word as a table or column name you need to surround it with `backquotes`.Tried changing that, but it still doesn't work. I just can't insert stuff into a database. If someone could please write me a working script I would be very gratefull!(sorry for late reply, but I have the same problem again, this time with something I do want to be done trough PHP) Link to comment Share on other sites More sharing options...
Guest FirefoxRocks Posted August 1, 2009 Share Posted August 1, 2009 First of all, you shouldn't insert POSTDATA directly into a database for security reasons, so this is a safer script here and hope it works: <?php$con = mysql_connect("localhost", "name", "pass");if (!$con){ die('Could not connect: ' . mysql_error());}mysql_select_db("dbname", $con);(string)$update = mysql_real_escape_string($_POST["update"]);(string)$current = mysql_real_escape_string($_POST["current"]);(string)$sql = "INSERT INTO `updates` ('Update', 'Current') VALUES ('$update','$current');";if (!mysql_query($sql,$con)) { die('Error: ' . mysql_error());}echo "updates updated!";mysql_close($con);?> EDIT:I caught the error.What you have: INSERT INTO `updates` ('Update, Current') VALUES ('$_POST[update]','$_POST[current]') What I (basically) have: INSERT INTO `updates` ('Update', 'Current') VALUES ('$_POST[update]','$_POST[current]') See the difference? Unless you have a column/field called "Update, Current", there's only 1 field to insert stuff into yet you are telling MySQL to insert 2 field values. Link to comment Share on other sites More sharing options...
Yvil Posted August 1, 2009 Author Share Posted August 1, 2009 Will try it tomorrow, going to bed now!Even if it doesn't work, thanks a load (I think it is what was wrong, since I tried to insert 2 values into 1 field according to the script).But could you explain how that thing makes it safer? Link to comment Share on other sites More sharing options...
Guest FirefoxRocks Posted August 1, 2009 Share Posted August 1, 2009 I'm not the expert of SQL injection, but perhaps these articles might help:http://www.tizag.com/mysqlTutorial/mysql-p...l-injection.phphttp://www.php.net/manual/en/security.data...l-injection.php (this one is a bit advanced)http://en.wikibooks.org/wiki/PHP_Programming/SQL_InjectionBasically, it comes down to not trusting what users input until you are sure it is safe.I guess I could show a simple example: SELECT * FROM users WHERE `username`='{$_POST["name"]}' Now what if the user requested a username called Yvil'; DELETE FROM users WHERE 'id'>'0?This would make the statement: SELECT * FROM users WHERE `username`='Yvil'; DELETE FROM users WHERE 'id'>'0' Instead of just selecting the user where the name is "Yvil", it would also delete all the rows that have an ID greater than 0 (usually all rows).To protect against this, PHP has mysql_real_escape_string(). So the query would be: SELECT * FROM users WHERE `username`='Yvil\'; DELETE FROM users WHERE \'id\'>\'0' Maybe you can't see the difference with the syntax highlighting, but basically it would look for a username that was Yvil'; DELETE FROM users WHERE 'id'>'0, which probably doesn't exist. Link to comment Share on other sites More sharing options...
Yvil Posted August 1, 2009 Author Share Posted August 1, 2009 Okay, thanks! And I got it working now! Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.