tags:

views:

20

answers:

2
Q: 

Error when inserting into SQL table with php

So this is my code:

function function() {
$isbn = $_REQUEST["isbn"];
$price = $_REQUEST["price"];
$cond = $_REQUEST["cond"];

$con = mysql_connect("localhost","my_usernam", "password");
if (!$con) die('Could not connect:' . mysql_error());
mysql_select_db("my_database",$con);

$sql="INSERT INTO 'Books' (isbn, price, condition)
VALUES ('$isbn','$price','$cond')";


if (!mysql_query($sql,$con))
 {
 die('Error: ' . mysql_error());
 }

mysql_close($con);
return "It works";

But when run it results in:

Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''Books' (isbn, price....

Anyone know why this is happening?

Thanks!

A: 

Wrap table names in backticks, not quotes, and make sure to escape your input for security:

$sql="INSERT INTO `Books` (`isbn`, `price`, `condition`)
VALUES ('" . mysql_real_escape_string($isbn) . "',
      '" . mysql_real_escape_string($price) . "',
      '" . mysql_real_escape_string($cond) . "')";
Scott Saunders  2010-08-05 19:36:23
Sorry, I don't know what you mean
Jake  2010-08-05 19:37:46
I've added code to show you.
Scott Saunders  2010-08-05 19:38:35
and now pray that "condition" will never become a reserved keyword in mysql ;-)
mvds  2010-08-05 19:39:42
Excellent point mvds
Scott Saunders  2010-08-05 19:42:03
Thanks Scott!!!
Jake  2010-08-05 19:48:33
+3  A: 

You should use backticks instead of single quotes for table and field names:

$sql="INSERT INTO `Books` (`isbn`, `price`, `condition`)
    VALUES ('$isbn','$price','$cond')";

will work.

ps. to prevent all kinds of nasty security holes, escape the input fields with:

$isbn = mysql_real_escape_string($_REQUEST["isbn"]);
// etc etc for all fields
mvds  2010-08-05 19:37:12
Awesome, thanks mvds! :)
Jake  2010-08-05 19:39:07
Note that you won't be able to use mysql_real_escape_string() until the connection to the DB is made.
Scott Saunders  2010-08-05 19:40:14
Excellent point Scott
mvds  2010-08-05 19:44:52
Its best if you can work with a framework or at the very least a wrapper function to deal with your SQL injections.
 2010-08-06 13:39:31

related questions

Remove Quotes and Commas from a String in MySQL
What's the best way of converting a mysql database to a sqlite one?
How do you manage databases in development, test, and production?
Multiple foreign keys?
Add 1 to a field (MySQL)
Issues using MS Access as a front-end to a MySQL database back-end?
Bigger than a char but smaller than a blob
How do I retrieve my MySQL username and password?
Long-time LAMP Developer moving to VB.NET
How do I Concatenate entire result sets in MySQL?
Full complete MySQL database replication? Ideas? What do people do?
SQL: Distribution of table in time
SQLite vs MySQL
How do I create a new Ruby on Rails application using MySQL instead of SQLite?
Multiple Updates in MySQL
MySQL/Apache Error in PHP MySQL query
What all do I need to escape when sending a (My)SQL query?
Auto Generate Database Diagram MySQL
Mechanisms for tracking DB schema changes
How big can a MySQL database get before performance starts to degrade.
Python and MySQL
SQL Server 2005 implementation of MySQL REPLACE INTO?
How to export data from SQL Server 2005 to MySQL
Throw Error In MySQL Trigger
Binary Data in MySQL