mysql insert error in my form

Question

I have this php code:

$db = new mysql;
$new_bad = $_POST['new_bad'];
$new_replace = $_POST['new_replace'];
if ($_POST['submit']) {
  if ($new_bad && $new_replace) {
    $db->query("SELECT * FROM BAD_WORDS WHERE BAD_WORD='".$new_bad."'");
    if ($db->CNrows() == 0) {
      $db->query("
        INSERT INTO BAD_WORDS(BAD_WORD,REPLACE)
        VALUE('".$new_bad."','".$new_replace."')
      ");
      $err = "added succesfully..";
      $tmp->assign('msg', 'true');
    } else {
      $err = "the word is in table ..!!";
      $tmp->assign('msg', 'false');
    }
  } else {
    $err = "you must fill all feilds ..!!";
    $tmp->assign('msg', 'false');
  }
}

but when I test it i found this error:

You have an error in your SQL syntax; check the manual that corresponds
to your MySQL server version for the right syntax to use near 'REPLACE)
VALUES('bad1','replace1')' at line 1

what's the problem??

$tmp-> = it's smarty template class and work with no problems

BAD_WORDS table = ID,BAD_WORD,REPLACE

Mr47 -- No, beceuse when i fetch the words i don't found the problem — SoNiC_H, May 10 '12 at 07:52
**Your code is vulnerable to SQL injection.** You **really** should be using prepared statements, into which you pass your variables as parameters that do not get evaluated for SQL. If you don't know what I'm talking about, or how to fix it, read the story of [Bobby Tables](http://bobby-tables.com). — eggyal, May 10 '12 at 07:56
Mr47 - I have changed feild name and my code now work - thank you — SoNiC_H, May 10 '12 at 08:00

OptimusCrime · Accepted Answer · 2012-05-10T07:55:33.227

3

Replace is a reserved word in MySQL. Try putting quotes around it (these `). You also need an S in VALUE

Like so:

INSERT INTO `BAD_WORDS` (`BAD_WORD`,`REPLACE`) VALUES [...]

You can take a look at all the reserved words in MySQL queries here: http://dev.mysql.com/doc/refman/5.5/en/reserved-words.html

EDIT:

$db->query("INSERT INTO `BAD_WORDS` (`BAD_WORD`,`REPLACE`) VALUES ('$new_bad','$new_replace')");

edited May 10 '12 at 07:55

answered May 10 '12 at 07:48

OptimusCrime

14,662
13
58
96

I have changed feild name and my code now work – SoNiC_H May 10 '12 at 07:58

score 0 · Answer 2 · answered May 10 '12 at 07:51

0

In your table structure i see

ID,BAD_WORD,REPLACE

The id field also needs a value so replace:

$db->query("INSERT INTO BAD_WORDS(BAD_WORD,REPLACE)VALUE('".$new_bad."','".$new_replace."')");

with:

$db->query("INSERT INTO BAD_WORDS(ID,BAD_WORD,REPLACE)VALUE('','".$new_bad."','".$new_replace."')");

if id is auto increment otherwise give id a value.

answered May 10 '12 at 07:51

Adam

1,684
14
18

id is auto increment so i didn't but it – SoNiC_H May 10 '12 at 08:05

mysql insert error in my form

2 Answers2