derrick1123 Posted October 16, 2009 Share Posted October 16, 2009 Page Error Output KEY: uuUIeA62GWIIwo SID: 4 TITLE: Vid DESCRIPTION: Test URL: mygood.avi You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'key, url) VALUES ('4', 'Vid', 'Test', 'uuUIeA62GWIIwo', 'mygood.avi')' at line 1 To get the most accurate help, I will post everything on the page. <? function rand_chars($c, $l, $u) { if (!$u) for ($s = '', $i = 0, $z = strlen($c)-1; $i < $l; $x = rand(0,$z), $s .= $c{$x}, $i++); else for ($i = 0, $z = strlen($c)-1, $s = $c{rand(0,$z)}, $i = 1; $i != $l; $x = rand(0,$z), $s .= $c{$x}, $s = ($s{$i} == $s{$i-1} ? substr($s,0,-1) : $s), $i=strlen($s)); return $s; } $PAGE['title'] = "AddVideo"; include "../public_src/admin/header.php"; include "../include/constants.php"; $c = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; $con = mysql_connect(DB_SERVER, DB_USER, DB_PASS) or die(mysql_error()); mysql_select_db(DB_NAME, $con) or die(mysql_error()); $result = mysql_query("SELECT * FROM vids ORDER BY sid ASC"); while($row = mysql_fetch_array($result)){ $Rsid = $row['sid']; } mysql_close($con); $key = (string)rand_chars($c, rand(5,15), FALSE); $sid = $Rsid+1; $con1 = mysql_connect(DB_SERVER, DB_USER, DB_PASS) or die(mysql_error()); mysql_select_db(DB_NAME, $con1) or die(mysql_error()); echo "KEY: ".$key; echo "<br>SID: ".$sid; echo "<br>TITLE: ".$_POST['title']; echo "<br>DESCRIPTION: ".$_POST['description']; echo "<br>URL: ".$_POST['url']; $sql = "INSERT INTO vids (sid, title, description, key, url) VALUES ('".$sid."', '".$_POST['title']."', '".$_POST['description']."', '".$key."', '".$_POST['url']."')"; mysql_query($sql) or die(mysql_error()); echo "<br><br>Video Added..."; echo "<meta http-equvi='refresh' content='5;url=admin.php'>"; mysql_close($con1); ?> What is being sent is on the page already...but I will re-show it. KEY: uuUIeA62GWIIwo SID: 4 TITLE: Vid DESCRIPTION: Test URL: mygood.avi Any help at all is already greatly appreciated! Link to comment https://forums.phpfreaks.com/topic/177875-sql-error/ Share on other sites More sharing options...
Coreye Posted October 16, 2009 Share Posted October 16, 2009 KEY is a reserved word for MySQL. $sql = "INSERT INTO `vids` (`sid`, `title`, `description`, `key`, `url`) VALUES ('" . $sid . "', '" . $_POST['title'] . "', '" . $_POST['description'] . "', '" . $key . "', '" . $_POST['url'] . "')"; mysql_query($sql) or die(mysql_error()); Link to comment https://forums.phpfreaks.com/topic/177875-sql-error/#findComment-937873 Share on other sites More sharing options...
GoneNowBye Posted October 16, 2009 Share Posted October 16, 2009 key is reserevered, but that always gets me. Here's what i do query failed; copy and paste it into the mysql gui tools if a keyword exists it goes blue you use ` quotes around fields normally, by default SQL looks for these however the ability to do it without quotes is a feture. so key - > `key` the quotes can be found above tab and left of 1 good luck Link to comment https://forums.phpfreaks.com/topic/177875-sql-error/#findComment-937885 Share on other sites More sharing options...
derrick1123 Posted October 16, 2009 Author Share Posted October 16, 2009 THANK YOU! That key thing saved my life, after I changed it into a different word in every script...it seems to look a lot cleaner, and less room for mistakes. Link to comment https://forums.phpfreaks.com/topic/177875-sql-error/#findComment-938310 Share on other sites More sharing options...
Kaboom Posted October 16, 2009 Share Posted October 16, 2009 SO im kinda new but from what I see $sql = "INSERT INTO vids (sid, title, description, key, url) VALUES ('".$sid."', '".$_POST['title']."', '".$_POST['description']."', '".$key."', '".$_POST['url']."')"; Should be $sql = "INSERT INTO `vids` (`sid`, `title`, `description`, `key`, `url`) VALUES ('".$sid."', '".$_POST['title']."', '".$_POST['description']."', '".$key."', '".$_POST['url']."')"; Right? Sorry if someone else answered but that's the only thing I see althought I am kinda a narb ... Link to comment https://forums.phpfreaks.com/topic/177875-sql-error/#findComment-938328 Share on other sites More sharing options...
teynon Posted October 16, 2009 Share Posted October 16, 2009 Kaboom, you are correct, but keep in mind I have done that approach of applying ` to everything and at some point it actually caused an error for me. I don't remember what happened during that error, but I think it may be a good idea to moderate the use of it. Also, you don't have to do all that ". $value ." stuff. You could use {$value} instead. (Only with double quotes though) Link to comment https://forums.phpfreaks.com/topic/177875-sql-error/#findComment-938335 Share on other sites More sharing options...
Maq Posted October 16, 2009 Share Posted October 16, 2009 Inserting raw POST values? You should really sanitize your input before you learn that hard way. Link to comment https://forums.phpfreaks.com/topic/177875-sql-error/#findComment-938336 Share on other sites More sharing options...
GoneNowBye Posted October 17, 2009 Share Posted October 17, 2009 By Santise he means use "addlashes" on it, and the one that prevents SQL injections. Yes you have it lastly. table names and databases should (but not required) to use them aswell eg SELECT id as `some var with spaces` FROM `some_schema`.`some_table` Another one you should know about btw, is the alternate INSERT syntax (which i prefer) if you want to insert mutliple rows at once, then INSERT .. VALUES () is perfect, but for one row. INSERT `table` SET `this`='that', `foo`='bar' very much like the UPDATE syntax Link to comment https://forums.phpfreaks.com/topic/177875-sql-error/#findComment-938549 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.