SQL Statement Hiccups


LiamG

I've had a look at this a few times, so I figured you guys would get it right first off, a new pair of eyes and a new brain is all I need:

$addnews_sql = "INSERT INTO `news` (`subject`, `username`, `body`) VALUES (`{$_POST['subject']}`, `{$_POST['username']}`, `{$_POST['body']}`)";

returns the error:

Unknown column '' in 'field list'

while my SCHEMA for that table is:

CREATE TABLE news (
 newsid int(11) NOT NULL auto_increment,
 subject text NOT NULL,
 username text NOT NULL,
 posted timestamp(14) NOT NULL,
 body longtext NOT NULL,
 PRIMARY KEY (newsid)
) TYPE=MyISAM;

Thanks guys,

 

LiamG.

https://forums.phpfreaks.com/topic/418-sql-statement-hiccups/

Hi!

 

I think you used backquotes for the values which are only valid for table and field names.

 

Single quotes should be used instead:

$addnews_sql = "INSERT INTO `news` (`subject`, `username`, `body`) VALUES ('{$_POST['subject']}', '{$_POST['username']}', '{$_POST['body']}')";

Also please note that creating queries that way is not really secure... you should try to see if get_magic_quotes_gpc() returns true and if it doesn't, you should use addslashes() on the values you insert in your query:

$addnews_sql = "INSERT INTO `news` (`subject`, `username`, `body`) VALUES ('".addslashes($_POST['subject'])."', '".addslashes($_POST['username'])."', '".addslashes($_POST['body'])."')";

Hope this helps!

JP.

https://forums.phpfreaks.com/topic/418-sql-statement-hiccups/#findComment-1407
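An alternative to escaping each value by hand is to bind the values as parameters, so the backtick-versus-single-quote question from this thread never arises for the values. The following is an added example, not code from either poster. It assumes PHP's PDO extension with the SQLite driver (an in-memory database standing in for MySQL), a simplified `news` table, constructed `$_POST` data, and a hypothetical helper `add_news()`.

```php
<?php
// Assumption: SQLite in memory stands in for the MySQL server so this runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Simplified version of the thread's `news` table (types adapted for SQLite).
$pdo->exec('CREATE TABLE news (
    newsid   INTEGER PRIMARY KEY AUTOINCREMENT,
    subject  TEXT NOT NULL,
    username TEXT NOT NULL,
    posted   TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
    body     TEXT NOT NULL
)');

// Constructed form input containing quotes, backticks and a trailing backslash.
$_POST = [
    'subject'  => "Liam's `first` post",
    'username' => 'LiamG',
    'body'     => "It's a \"quoted\" body that ends with a backslash \\",
];

// Hypothetical helper: validates the three fields, then inserts them as bound values.
function add_news(PDO $pdo, array $input): int
{
    foreach (['subject', 'username', 'body'] as $field) {
        if (!isset($input[$field]) || !is_string($input[$field]) || $input[$field] === '') {
            throw new InvalidArgumentException("Missing or invalid field: $field");
        }
    }
    // Backticks quote identifiers only; the values travel as parameters,
    // never as part of the SQL text, so no manual escaping is involved.
    $stmt = $pdo->prepare(
        'INSERT INTO `news` (`subject`, `username`, `body`) VALUES (:subject, :username, :body)'
    );
    $stmt->execute([
        ':subject'  => $input['subject'],
        ':username' => $input['username'],
        ':body'     => $input['body'],
    ]);
    return (int) $pdo->lastInsertId();
}

$id = add_news($pdo, $_POST);

// Read the row back and confirm the body was stored unchanged.
$check = $pdo->prepare('SELECT body FROM news WHERE newsid = ?');
$check->execute([$id]);
var_dump($check->fetchColumn() === $_POST['body']);
```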

Archived

This topic is now archived and is closed to further replies.
