Problems with INSERT INTO

PHP_ColdFusion
Forum Newbie
Posts: 21
Joined: Thu Jan 04, 2007 2:16 pm
Location: Leesville, Louisiana, USA

Post by PHP_ColdFusion »

I have had some issues with the following code:

$reservupdate = mysql_query("INSERT INTO reserv (lastname,firstname,#carts,rented,returned,phone,email)
VALUES (".$lastname.",".$firstname.",".$carts.",".$rented.",".$returned.",".$phone.",".$email.")");

if (!$reservupdate)
  {
  die("Error: " . mysql_error());
  }

When I run that with the form, I get this:
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'VALUES (Bartlett,Dennis,4,3/31/07,4/2/07,337-353-3620,dcbartlett
A working example of the error can be found at http://funcartsofcrystalbeach.com/index2?pid=2

Please help, I'm going nuts, been at this script for 2 days.
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

You have a field with a # sign in it?

#carts

Try escaping the field names with backticks.

Also, the strings you're inserting need to be encapsulated with single quotes.
PHP_ColdFusion
Forum Newbie
Posts: 21
Joined: Thu Jan 04, 2007 2:16 pm
Location: Leesville, Louisiana, USA

Post by PHP_ColdFusion »

Thanks.

I think it was the #.

It's fixed now.
Last edited by PHP_ColdFusion on Sun Apr 01, 2007 11:34 pm, edited 1 time in total.
aaronhall
DevNet Resident
Posts: 1040
Joined: Tue Aug 13, 2002 5:10 pm
Location: Back in Phoenix, missing the microbrews

Post by aaronhall »

You really need to be enclosing non-integer query values in single quotes. For those non-integers, always run them through mysql_real_escape_string() before using them in the query, and verify that integers and floating-points are what you think they are (is_numeric()). You're completely open to SQL injection otherwise.
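
The fixes suggested in the thread (backticks around #carts, values kept apart from the SQL text, integers checked), shown together as an added example that is not code from any poster. It swaps mysql_real_escape_string() for PDO prepared statements, since the mysql_* functions were removed in PHP 7, and assumes an in-memory SQLite database (which also accepts backtick-quoted names) in place of the MySQL server so it runs offline; addReservation() and the sample values are made up for illustration.

```php
<?php
// Added example. Column names follow the thread's reserv table; the in-memory
// SQLite database and all sample values are constructed for illustration.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Unquoted, MySQL reads # as the start of a comment running to end of line,
// so the column list was cut off before VALUES. Backticks make it a name.
$pdo->exec('CREATE TABLE reserv (lastname TEXT, firstname TEXT, `#carts` INTEGER,
            rented TEXT, returned TEXT, phone TEXT, email TEXT)');

function addReservation(PDO $pdo, array $in): void
{
    // Check that the integer really is one before it goes near the query.
    $carts = filter_var($in['carts'], FILTER_VALIDATE_INT,
                        ['options' => ['min_range' => 1]]);
    if ($carts === false) {
        throw new InvalidArgumentException('carts must be a positive integer');
    }
    // Placeholders keep the values out of the SQL text entirely, so nothing
    // has to be quoted or escaped by hand.
    $stmt = $pdo->prepare(
        'INSERT INTO reserv (lastname, firstname, `#carts`, rented, returned, phone, email)
         VALUES (?, ?, ?, ?, ?, ?, ?)'
    );
    $stmt->execute([$in['lastname'], $in['firstname'], $carts,
                    $in['rented'], $in['returned'], $in['phone'], $in['email']]);
}

$base = ['lastname' => 'Doe', 'firstname' => 'Pat', 'carts' => '4',
         'rented' => '2007-03-31', 'returned' => '2007-04-02',
         'phone' => '555-0100', 'email' => 'pat@example.com'];

// An apostrophe, and a value shaped to break out of a quoted string, are
// both stored as ordinary text.
addReservation($pdo, ['lastname' => "O'Brien"] + $base);
addReservation($pdo, ['lastname' => "x'); DROP TABLE reserv; --"] + $base);

// A non-integer cart count is rejected before any SQL is built.
try {
    addReservation($pdo, ['carts' => '4 OR 1=1'] + $base);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

foreach ($pdo->query('SELECT lastname, `#carts` AS carts FROM reserv') as $row) {
    echo $row['lastname'], ' | carts=', $row['carts'], "\n";
}
```

Against MySQL only the PDO connection string changes; the backtick-quoted column list and the ? placeholders stay the same.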