Can't add to database

[unplugged_web]

Please help me, I've no idea what's going wrong here. I'm trying to add to a database. This works:

mysql_query("INSERT INTO `images` (`id`, `class`, `foreign_id`, `title`, `filename`, `created`, `modified`, `order`, `category`) VALUES (NULL,'Bio','99','test','image.jpg',CURRENT_TIMESTAMP,CURRENT_TIMESTAMP,'0','0')"); 

But this doesn't:

mysql_query("INSERT INTO `images` (`id`, `class`, `foreign_id`, `title`, `filename`, `created`, `modified`, `order`, `category`) VALUES (NULL, '$_POST[class]'', '$_POST[foreign_id]', '$_POST[name]', '$_POST[pic]', CURRENT_TIMESTAMP, CURRENT_TIMESTAMP, '$_POST[order]', '$_POST[category]')"); 

All of the fields have the correct values, but for some reason it just won't let me do it. I've sent three days trying to get it sorted, but I think I'm just going round in circles now.

[justsomeguy]

Did you add code to check for errors from MySQL over those three days? I see one syntax error, but there might also be unescaped quotes in the data. Use mysql_error to check for errors, and print out the query to verify what it says. There's no reason to spend 3 days debugging a syntax error when you can have MySQL tell you exactly what the problem is.

[oldscholar]

I think the error was in the'$_POST[class]'' should be '$_POST[class]'Maybe you unintentionally doubled the single quote.

[unplugged_web]

That's I didn't notice that - I guess I was looking in the wrong place. In phpmyadmin it said that there was an error, but in a php checker it said there wasn't any errors at all so I got quite confused. Thanks

[birbal]

it will not report errors in mysql implictly unless you tell it to do so. what php myadmin do is display errors when there is error in mysql. mysql_error() is the function which tells about the errors.

[justsomeguy]

It's not a PHP error because the error is inside the SQL string that you're sending to MySQL. It's a SQL error, not a PHP error, so a PHP error checking wouldn't find anything wrong.

[ShadowMage]

I can't believe nobody's mentioned escaping data. You are using the POST variables directly in the query, which is a very bad idea. Google "SQL injection" if you want to see why it's a bad idea. You should be using mysql_real_escape_string to escape those values before using them in your query.

[JohnTipperton]

yes you should use mysql_real_escape_string to avoid sql injection. try to declare your variables first like. $user=$_POST['username']; so it will be easier for you.