PHP & MySQL Insert Issue - I'm stumped :(

Discussion in 'PHP' started by gpearce, Dec 1, 2007.

0
  1. #1
    Okay, i've been making a form to insert some details into my database. The form posts to the PHP script, which is ok, and the script collects info and tries to put it into the database. My insert is like this:
    $sql = "INSERT INTO index (name, description, imageurl, url, siteurl, categoryid, submit-date, status, contact-email) 
VALUES('$_POST[name]', '$_POST[description]', '$_POST[imageurl]', '$_POST[url]', '$_POST[site]', '$_POST[categoryid]', '$_POST[date]', '$_POST[status]', '$_POST[contactemail]')";
if (!mysql_query($sql))
  {
  die('Error: ' . mysql_error());
  }
echo "1 record added";
    PHP:
    which brings up no PHP errors, but it gives the following error with MySQL:
    Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'index [(name, description, imageurl, url, siteurl, categoryid, submit-date, stat' at line 1
    Code (markup):
    I've now been through it about 10 times, and I cannot see a Syntax error, what should I do? I'm using Plesk, and it's MySQl version 4.1.20

    Thanks
     
    gpearce, Dec 1, 2007 IP
  2. selling vcc

    selling vcc Peon

    Messages:
    361
    Likes Received:
    18
    Best Answers:
    0
    Trophy Points:
    0
    #2
    try 

    $sql = "INSERT INTO `index`...";
    PHP:
     
    selling vcc, Dec 1, 2007 IP
  3. mvl

    mvl Peon

    Messages:
    147
    Likes Received:
    5
    Best Answers:
    0
    Trophy Points:
    0
    #3
    index is a reserved word in (My)Sql. Try putting backticks around the tablename like this:


    
$sql = "INSERT INTO `index` (name, description, ...
    Code (markup):
     
    mvl, Dec 1, 2007 IP
  4. matthewrobertbell

    matthewrobertbell Peon

    Messages:
    781
    Likes Received:
    35
    Best Answers:
    0
    Trophy Points:
    0
    #4
    You should be using mysql_real_escape_string on all input into a database, otherwise you will be vulnerable to a SQL injection attack!
     
    matthewrobertbell, Dec 1, 2007 IP
  5. gpearce

    gpearce Active Member

    Messages:
    1,432
    Likes Received:
    49
    Best Answers:
    0
    Trophy Points:
    90
    #5
    Put the back thingies on it, now get this:
    Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-date, status, contact-email) VALUES('testing', 'testing', 'testing', 'testing'' at line 1
    Code (markup):
     
    gpearce, Dec 1, 2007 IP
  6. gpearce

    gpearce Active Member

    Messages:
    1,432
    Likes Received:
    49
    Best Answers:
    0
    Trophy Points:
    90
    #6
    Update - Fixed it. Seems like it was the - too :p
    Thanks for the help everyone, and i'm not intending to make it available to anyone but me, it's in a protected directory through htaccess :)
     
    gpearce, Dec 1, 2007 IP
  7. mvl

    mvl Peon

    Messages:
    147
    Likes Received:
    5
    Best Answers:
    0
    Trophy Points:
    0
    #7
    also put backticks around the column names, otherwise names with a dash trigger are not allowed.
    For example `contact-email` instead of contact-email.

    It is better however to avoid using dashes. Underscores are allowed: contact_email
     
    mvl, Dec 1, 2007 IP