I need a little help, I've been trying for an hour with Google's help to fix this error message I'm getting.
    Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'desc, tel) VALUES ('Steves 2nd hand Cars','old banger from ebay','0191 4235862')' at line 1
I'm trying to post from my form into my database but there seems to be something wrong with this:
    $sql="INSERT INTO dealers (name, desc, tel) VALUES ('$_POST[name]','$_POST[desc]','$_POST[tel]')";
Any ideas?

Try this:
    if(isset($_POST['name'], $_POST['desc'], $_POST['tel'])) {
        $name = $_POST['name'];
        $desc = $_POST['desc'];
        $tel = $_POST['tel'];
        $sql="INSERT INTO dealers (name, desc, tel) VALUES ('$name', '$desc', '$tel')";
    }

No, I'm sorry, but I'm still getting the same error message. Full php looks like ...
    <?php
    $con = mysql_connect("localhost","**********","*********");
    if (!$con) {
        die('Could not connect: ' . mysql_error());
    }
    mysql_select_db("*****", $con);
    if(isset($_POST['name'], $_POST['desc'], $_POST['tel'])) {
        $name = $_POST['name'];
        $desc = $_POST['desc'];
        $tel = $_POST['tel'];
        $sql="INSERT INTO dealers (name, desc, tel) VALUES ('$name', '$desc', '$tel')";
    }
    if (!mysql_query($sql,$con)) {
        die('Error: ' . mysql_error());
    }
    echo "1 record added";
    mysql_close($con)
    ?>
my html form looks like ....
    <form action="dealersubmitted.php" method="post" onsubmit="return checkform(this);">
    <table width="50%" border="0" cellpadding="0" cellspacing="0">
      <tr> <td>name: <input name="name" type="text" size="20" maxlength="20" /></td> </tr>
      <tr> <td>description: <input name="desc" type="text" size="80" maxlength="80" /></td> </tr>
      <tr> <td>telephone: <input name="tel" type="text" size="15" maxlength="15" /></td> </tr>
      <tr> <td><input type="submit" /></td> </tr>
    </table>
    </form>

DESC is a MySQL reserved word and must be surrounded by back-quotes:
    $sql="INSERT INTO dealers (name, `desc`, tel) VALUES ('$name', '$desc', '$tel')";
Regards
p.s.: You have to pass all input data through the mysql_real_escape_string() function to prevent attacks.

Thanks koko5, that seems to have sorted it. I've replaced instances of 'desc' with 'comment'. I'll look at the real escape string now. Cheers

I've looked at the link koko5 has given me and in all honesty it may as well be written in Russian. How much security and checking do I need on a simple php script to enter a few fields into a mysql database? Here's my code so far:
    <?php
    $con = mysql_connect("localhost","****","****");
    if (!$con) {
        die('Could not connect: ' . mysql_error());
    }
    mysql_select_db("****", $con);
    $sql="INSERT INTO dealers (name, comment, tel) VALUES ('$_POST[name]','$_POST[comment]','$_POST[tel]')";
    if (!mysql_query($sql,$con)) {
        die('Error: ' . mysql_error());
    }
    echo "1 record added";
    mysql_close($con)
    ?>

For me it's far enough:
    $sql="INSERT INTO dealers (name, comment, tel) VALUES ('"
        .mysql_real_escape_string($_POST['name'])."','"
        .mysql_real_escape_string($_POST['comment'])."','"
        .mysql_real_escape_string($_POST['tel'])."')";

Sure, btw I'm not Russian (a great nation too, IMHO), because this is mentioned twice in this thread. There is always more than one solution.
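
An added example, not code from any poster in this thread: the same INSERT written with PDO prepared statements instead of building the string with mysql_real_escape_string() (the mysql_* functions were removed in PHP 7.0). The in-memory SQLite database, the addDealer() helper and the sample inputs are assumptions made so the script runs offline; the field limits mirror the maxlength values on the form above.

```php
<?php
// Added example, not code from the thread. Assumption: an in-memory SQLite
// database stands in for the MySQL server so this runs offline; for MySQL only
// the DSN and credentials passed to new PDO() change.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// `desc` is a reserved word, so it stays inside back-quotes as in the thread.
$pdo->exec('CREATE TABLE dealers (name TEXT, `desc` TEXT, tel TEXT)');

/**
 * Validate the three form fields and insert them with bound parameters.
 * Hypothetical helper: returns an error string, or null on success.
 */
function addDealer(PDO $pdo, array $post): ?string
{
    // Same limits as the form's maxlength attributes (checked here in bytes).
    // The browser-side limits are not enforced on the server, so repeat them.
    $limits = ['name' => 20, 'desc' => 80, 'tel' => 15];
    $values = [];
    foreach ($limits as $field => $max) {
        $value = $post[$field] ?? null;
        if (!is_string($value) || $value === '' || strlen($value) > $max) {
            return "invalid field: $field";
        }
        $values[] = $value; // collected in column order: name, desc, tel
    }
    // Placeholders keep the values out of the SQL text, so a quote character
    // in the input is stored as data and cannot change the statement.
    $stmt = $pdo->prepare('INSERT INTO dealers (name, `desc`, tel) VALUES (?, ?, ?)');
    $stmt->execute($values);
    return null;
}

// Constructed sample input: a name with an apostrophe, which would break the
// string-built query, and a telephone value longer than the form allows.
$samples = [
    ['name' => "Steve's 2nd hand Cars", 'desc' => 'old banger from ebay', 'tel' => '0191 4235862'],
    ['name' => 'x', 'desc' => 'y', 'tel' => str_repeat('9', 40)],
];
foreach ($samples as $post) {
    echo addDealer($pdo, $post) ?? '1 record added', "\n";
}
echo $pdo->query('SELECT COUNT(*) FROM dealers')->fetchColumn(), " row(s) stored\n";
```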