DamienRoche (posted January 2, 2009)

I have seriously been troubleshooting this for nearly 2 hours now. I just don't get it. Here is the code:

<?php
$insert = mysql_query("INSERT INTO texts (id,title,al,cat,key,d,val,content) VALUES('$id','$t','$a','$c','$k','$d','$i','$co')") or die("mysql said:".mysql_error());
?>

and the output of the fields:

REV819712Uc fdasf dsadfas fasfsa fsdadfsa hell 4 fdsafdsadfsa

..and finally, the error:

mysql said:You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'key,d,val,content) VALUES('REV819712Uc','fdasf','dsadfas','fasfsa','fsdadfsa','' at line 1

This is unbelievable. I've tried everything I could. I use this query *all the time* but for some reason I can't figure it out. Any help with this is greatly appreciated.

Mchl (posted January 2, 2009)

http://dev.mysql.com/doc/refman/5.1/en/reserved-words.html

DarkWater (posted January 2, 2009)

You can't name a field or table 'key'.

DamienRoche (author, posted January 2, 2009)

hahahaha driven to insanity. Wow...a reserved word. If it wasn't so damn subtle I might have sussed it in less than an hour :/

Nonetheless, thank you so much for hitting me upside the head with some knowledge..and resources thanks.

hobeau (posted January 2, 2009)

One other thing worth noting is that you're not escaping your variables, thus leaving yourself wide open for a hacker to do anything he/she wishes with your database VERY easily. Use mysql_real_escape_string() to escape your variables.

<?php
// `key` is a reserved word in MySQL, so the column name is backtick-quoted.
$insert = mysql_query("INSERT INTO texts (id,title,al,cat,`key`,d,val,content) VALUES('"
    . mysql_real_escape_string($id) . "','" . mysql_real_escape_string($t) . "','"
    . mysql_real_escape_string($a) . "','" . mysql_real_escape_string($c) . "','"
    . mysql_real_escape_string($k) . "','" . mysql_real_escape_string($d) . "','"
    . mysql_real_escape_string($i) . "','" . mysql_real_escape_string($co) . "')")
    or die("mysql said:".mysql_error());
?>

DarkWater (posted January 2, 2009)

He just posted a tiny one line snippet. I'm fairly sure he already did that stuff before this line.

DamienRoche (author, posted January 2, 2009)

Yeh, thanks for looking out for me but security comes before common sense for me...which kinda...wait....ugh, never mind.

Thanks again guys!

Mchl (posted January 2, 2009)

We don't even know if those variables are input by user... It's always good to remind about security though.
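
Added example, not part of any post in the thread: the same INSERT written as a PDO prepared statement, which covers both points raised above (the reserved column name and the unescaped values) and does not rely on the mysql_* functions, which were removed in PHP 7. It assumes the pdo_sqlite extension and an in-memory SQLite database so it runs offline; the function name insertText and the sample row are constructed for illustration.

```php
<?php
// Added example, not code from the thread.
// Assumption: in-memory SQLite via PDO so the script runs without a server.
// SQLite accepts MySQL-style backtick quoting; for MySQL only the DSN changes.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Same table and columns as the thread's query. `key` is backtick-quoted
// because it is a reserved word in MySQL.
$pdo->exec('CREATE TABLE texts (id TEXT PRIMARY KEY, title TEXT, al TEXT,
            cat TEXT, `key` TEXT, d TEXT, val TEXT, content TEXT)');

// Hypothetical helper: values travel as bound parameters, never as SQL text,
// so quote characters in the data cannot change the statement.
function insertText(PDO $pdo, array $row): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO texts (id, title, al, cat, `key`, d, val, content)
         VALUES (:id, :title, :al, :cat, :key, :d, :val, :content)'
    );
    $stmt->execute($row);
}

// Constructed sample row. The title contains single and double quotes, the
// kind of input that breaks a query built by string interpolation.
$row = [
    'id'      => 'REV819712Uc',
    'title'   => "It's a \"quoted\" title",
    'al'      => 'dsadfas',
    'cat'     => 'fasfsa',
    'key'     => 'fsdadfsa',
    'd'       => 'hell',
    'val'     => '4',
    'content' => 'fdsafdsadfsa',
];
insertText($pdo, $row);

// Read the row back and confirm the title was stored byte for byte.
$stored = $pdo->query('SELECT title, `key` FROM texts')->fetch(PDO::FETCH_ASSOC);
echo 'title stored unchanged: ';
var_dump($stored['title'] === $row['title']);
echo 'rows in table: ', $pdo->query('SELECT COUNT(*) FROM texts')->fetchColumn(), "\n";
```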