

SQL Statement Hiccups

1 reply to this topic

#1 LiamG

  • Members
  • Advanced Member
  • 46 posts
  • Location: Melbourne, Australia

Posted 01 May 2003 - 08:48 AM

I've had a look at this a few times, so I figured you guys would get it right first off, a new pair of eyes and a new brain is all I need:
$addnews_sql = "INSERT INTO `news` (`subject`, `username`, `body`) VALUES (`{$_POST['subject']}`, `{$_POST['username']}`, `{$_POST['body']}`)";
returns the error:

Unknown column '' in 'field list'

while my SCHEMA for that table is:

 newsid int(11) NOT NULL auto_increment,
 subject text NOT NULL,
 username text NOT NULL,
 posted timestamp(14) NOT NULL,
 body longtext NOT NULL,
 PRIMARY KEY  (newsid)

Thanks guys,


#2 barbatruc

  • Members
  • Member
  • 28 posts
  • Location: Montreal, Quebec, Canada

Posted 01 May 2003 - 12:13 PM


I think you used backquotes for the values which are only valid for table and field names.

Single quotes should be used instead:
$addnews_sql = "INSERT INTO `news` (`subject`, `username`, `body`) VALUES ('{$_POST['subject']}', '{$_POST['username']}', '{$_POST['body']}')";
Also please note that creating queries that way is not really secure... you should check whether get_magic_quotes_gpc() returns true, and if it doesn't, you should use addslashes() on the values you insert in your query:
$addnews_sql = "INSERT INTO `news` (`subject`, `username`, `body`) VALUES ('".addslashes($_POST['subject'])."', '".addslashes($_POST['username'])."', '".addslashes($_POST['body'])."')";
Hope this helps!
Unfortunately, PHP 'empowered every moron with a copy of Windows notepad to be "web programmers". (...) Give PHP a real INFRASTRUCTURE. Use PEAR!!!'
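
As an added example (not part of either post), here is the same INSERT written with a PDO prepared statement, which keeps the form values out of the SQL text so no quoting or escaping of the input is involved. It assumes PHP with the pdo_sqlite extension and uses an in-memory SQLite table standing in for the thread's MySQL `news` table; `add_news()` and the sample input are constructed for illustration.

```php
<?php
// Added example: in-memory SQLite stands in for the MySQL `news` table (assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE news (
    newsid   INTEGER PRIMARY KEY AUTOINCREMENT,
    subject  TEXT NOT NULL,
    username TEXT NOT NULL,
    posted   TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
    body     TEXT NOT NULL
)');

// Hypothetical helper: insert one news row from form input and return its id.
function add_news(PDO $db, array $post): int
{
    $params = [];
    foreach (['subject', 'username', 'body'] as $field) {
        // Reject missing, non-string or empty fields before touching the database.
        if (!isset($post[$field]) || !is_string($post[$field]) || trim($post[$field]) === '') {
            throw new InvalidArgumentException("missing field: $field");
        }
        $params[":$field"] = $post[$field];
    }
    // The SQL text is constant; the values are sent separately as bound parameters.
    $stmt = $db->prepare(
        'INSERT INTO news (subject, username, body) VALUES (:subject, :username, :body)'
    );
    $stmt->execute($params);
    return (int) $db->lastInsertId();
}

// Constructed input standing in for $_POST; the quotes must be stored as literal text.
$post = [
    'subject'  => "Liam's update",
    'username' => 'liam',
    'body'     => "It's live: quotes ' and \" and a stray '); -- stay literal",
];
$id = add_news($db, $post);

$check = $db->prepare('SELECT subject, username, body FROM news WHERE newsid = ?');
$check->execute([$id]);
$stored = $check->fetch(PDO::FETCH_ASSOC);
echo $stored === $post ? "stored verbatim\n" : "mismatch\n";

try {
    add_news($db, ['subject' => 'only a subject']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```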
