getting weird syntax error when INSERTing query to table

[WhiteRau]

 

why is this error generated from the subsequent code?  all values are $_POST retrieved strings dumped into a varchar table column.  i checked all variable names, &c.

 

database query failed: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'long time, lots, fuzzy, probed, yes, your dog stinks, b.mast@theduke.net)' at line 1

 

$connexion = mysql_connect(HOST, LOGIN, PASS);
if (!$connexion) {
	die('database connexion failed: ' . mysql_error());
}

$dbselexion = mysql_select_db('someDB');
if (!$dbselexion) {
	die('database selexion failed: ' . mysql_error());
}

$query = "INSERT INTO someTable ";
$query .= "(first_name, last_name, when_happened, how_long, how_many, ";
$query .= "description, did_what, was_spotted, other, email) ";
$query .= "VALUES ({$firstName}, {$lastName}, {$whenhappen}, {$howlong}, {$howmany}, ";
$query .= "{$desc}, {$didwhat}, {$wasseen}, {$other}, {$email})";

$result = mysql_query($query);
if (!$result) {
	die('database query failed: ' . mysql_error());
}

 

if you need more information, let me know.

 

TIA!

 

WR!

[PFMaBiSmAd]

Each string data value that is put into a query must be enclosed by single-quotes in the query so that it is treated as a string instead of a sql keyword.

[xyph]

Also, you should escape the string using mysql_real_escape_string() to make sure any quotes within the string are escaped. This also makes SQL injection attacks much more difficult.

[Psycho]

I'll also add that for debugging purposes it is always helpful to echo the actual query to the page when it fails. It makes finding/fixing mistakes much easier. For example, sometimes a query will fail because a value is not set which you believe is (maybe there was a typo in the variable name or the value just wasn't set). By echoing the query to the page the error will sometimes be very obvious and allows you to know exactly where to look to fix it.

 

However, you should always provide "friendly" error messages in a production environment that do not give the users DB errors that provide details about the nature of the error. Personally, I typically use a custom function for running my queries that checks to see if the application is in "debug mode". If yes, I will show the actual DB error and query. If not, I provide a friendly error message to the user.

[WhiteRau]

okay.  first, thanks for your replies.

 

what i'm understanding is you're saying i should do this:

        $query .= "VALUE " . $firstName . ", " . $lastName . ", " . $whathappen  ...and so on....

 

is that right?  i purposely used double quotes and enclosed the variables with curly braces so it would parse the variable inline...  why wouldn't that work?

 

and i already escaped the vars, but thanks for the helpful reinforcer! 

 

WR!

[Pikachu2000]

No. Each string value must appear in quotes if you were to echo the query string. There's really no need for all the concatenation either, it's just another way to open yourself up to typos.

 

$query = "INSERT INTO someTable 
( first_name, last_name, when_happened, how_long, how_many, description, did_what, was_spotted, other, email ) 
VALUES 
( '$firstName', '$lastName', '$whenhappen', '$howlong', '$howmany', '$desc', '$didwhat', '$wasseen', '$other', '$email' )";

[WhiteRau]

good to know.  i thought the quotes were implied with the strings.

 

thank you so much.

 

WR!