livethedead Posted February 16, 2012

How is

    "INSERT INTO posts (title) VALUES (" . $_POST['title'] . ");";

not the same as

    INSERT INTO posts (title) VALUES ("test");

I'm getting

    There was an error executing the queryUnknown column 'adfd' in 'field list'

when I run the script, but if I execute the query by hand it works fine...

requinix Posted February 16, 2012

1. You need quotes around the title string.
2. You need to use mysql_real_escape_string on that title first.
3. Don't end your queries with semicolons. This is not the circumstance when they're supposed to be used.

    "INSERT INTO posts (title) VALUES ('" . mysql_real_escape_string($_POST['title']) . "')"

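The difference between the unquoted, quoted and escaped forms discussed above, as an added example that is not part of the original thread. It assumes PDO with an in-memory SQLite database in place of the thread's MySQL connection, and uses a bound parameter instead of mysql_real_escape_string() (the mysql_* functions were removed in PHP 7); the `attempt()` helper is hypothetical and the sample titles are constructed.

```php
<?php
// Added example: in-memory SQLite via PDO stands in for the thread's MySQL
// table so this runs offline. Table and column names follow the thread.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT)');

// Hypothetical helper: run a statement, report success or the database error.
function attempt(PDO $db, string $label, callable $run): bool
{
    try {
        $run($db);
        echo "$label: ok\n";
        return true;
    } catch (PDOException $e) {
        echo "$label: failed (" . $e->getMessage() . ")\n";
        return false;
    }
}

$titles = ['adfd', "It's a test"];   // constructed sample form input

foreach ($titles as $title) {
    // 1. Original post: value concatenated with no quotes, so the parser
    //    reads it as an identifier (a column name), not a string.
    attempt($db, "unquoted [$title]", function (PDO $db) use ($title) {
        $db->exec("INSERT INTO posts (title) VALUES (" . $title . ")");
    });

    // 2. Quotes but no escaping: works until the value contains a quote,
    //    at which point the input ends the string literal itself.
    attempt($db, "quoted, unescaped [$title]", function (PDO $db) use ($title) {
        $db->exec("INSERT INTO posts (title) VALUES ('" . $title . "')");
    });

    // 3. Bound parameter: the value is passed to the driver separately from
    //    the SQL text, so no quoting or escaping is left to the caller.
    attempt($db, "bound parameter [$title]", function (PDO $db) use ($title) {
        $stmt = $db->prepare('INSERT INTO posts (title) VALUES (?)');
        $stmt->execute([$title]);
    });
}

// Only rows from successful inserts are stored, apostrophe intact.
foreach ($db->query('SELECT title FROM posts ORDER BY id') as $row) {
    echo "stored: " . $row['title'] . "\n";
}
```
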
livethedead (Author) Posted February 16, 2012

Thank you much. Could you explain why not to use the semicolon?

requinix Posted February 16, 2012

Semicolons are used to terminate queries in situations where (a) it's not always clear when one is finished, and (b) when there could be more than one query provided. Neither is true with what you provide to mysql_query().

Whatever the reason, MySQL themselves have said explicitly that you should not include it:

    Normally, the string must consist of a single SQL statement and you should not add a terminating semicolon (";") or \g to the statement.

http://dev.mysql.com/doc/refman/5.5/en/mysql-query.html