
I am working on this code and I am using a simple insert statement and I can't figure out why it's not working. If anyone could see what I am doing wrong please let me know. Thanks! This is the error I am getting:

    You have an error in your SQL syntax; check the manual that corresponds
    to your MySQL server version for the right syntax to use near 'long,comments)
    VALUES (2 ,2012-11-18 21:25:30, 39.3436984, -76.5856958, hh)' at line 1

here is the code:

    mysql_query ("INSERT INTO incidents (emergency_type,date_time,lat,long,comments)
    VALUES  (2 ,$catchDate, $catchLat, $catchLong, $catchDescription)") or die(mysql_error());
    echo"<br /> Data inserted";
codenamejupiterx

3 Answers


Long is a reserved word, try `long` surrounded with backticks instead.

Reference https://dev.mysql.com/doc/refman/5.5/en/reserved-words.html

A quick browse around the docs reveals that you should be investigating PDO::prepare and PDO::execute to do this. Your current method appears to be vulnerable to SQL injection.

I'm not a PHP programmer, but something like:

    // Get a db handle from somewhere; $dsn, $user and $password are placeholders
    $db = new PDO($dsn, $user, $password);
    $st = $db->prepare('Insert Into Incidents (emergency_type, date_time, lat, `long`, comments) Values (?, ?, ?, ?, ?)');
    $st->execute(array(2 ,$catchDate, $catchLat, $catchLong, $catchDescription));
Laurence
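
An added example, not code from the question or from any answer: it runs the hand-quoted interpolated INSERT and the prepared-statement INSERT against the same input, a comment containing an ordinary apostrophe. Assumptions: PDO's SQLite driver (pdo_sqlite) with an in-memory database stands in for the MySQL server so the script runs offline, and the function names and sample values are constructed.

```php
<?php
// SQLite in memory stands in for MySQL here (assumption); it accepts the
// same backtick quoting for the `long` column.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE incidents (
    emergency_type INTEGER, date_time TEXT, lat REAL, `long` REAL, comments TEXT)');

// Constructed sample input: a normal description that contains an apostrophe.
$catchDate        = '2012-11-18 21:25:30';
$catchLat         = '39.3436984';
$catchLong        = '-76.5856958';
$catchDescription = "driver's door jammed";

// Interpolation with hand-written quotes: the apostrophe in the data closes
// the string literal early, so the rest of the value is parsed as SQL.
function insertInterpolated(PDO $db, $date, $lat, $long, $desc)
{
    $sql = "INSERT INTO incidents (emergency_type, date_time, lat, `long`, comments)
            VALUES (2, '$date', $lat, $long, '$desc')";
    try {
        $db->exec($sql);
        return 'inserted';
    } catch (PDOException $e) {
        return 'rejected: ' . $e->getMessage();
    }
}

// Prepared statement: the SQL text is fixed and the values are bound
// separately, so quoting characters in the data never reach the parser.
function insertPrepared(PDO $db, $date, $lat, $long, $desc)
{
    $st = $db->prepare('INSERT INTO incidents
        (emergency_type, date_time, lat, `long`, comments) VALUES (?, ?, ?, ?, ?)');
    $st->execute(array(2, $date, $lat, $long, $desc));
    return $st->rowCount();
}

echo 'interpolated: ',
    insertInterpolated($db, $catchDate, $catchLat, $catchLong, $catchDescription), "\n";
echo 'prepared: ',
    insertPrepared($db, $catchDate, $catchLat, $catchLong, $catchDescription), " row(s)\n";

// Only the prepared insert is stored, with the apostrophe intact.
foreach ($db->query('SELECT date_time, comments FROM incidents') as $row) {
    echo $row['date_time'], ' | ', $row['comments'], "\n";
}
```
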
    -- date_time and comments are not numeric, so their values are quoted
    INSERT INTO incidents (emergency_type,date_time,lat,`long`,comments)
    VALUES  (2 ,'$catchDate', $catchLat, $catchLong, '$catchDescription')

LONG is on the list of MySQL Reserved Keywords. Escape it with backticks instead.

One more thing, values for date_time and comments must be enclosed with single quotes as they are not numeric.

And your query is now vulnerable to SQL injection; please take time to read the article below.

John Woo
  • Oh, is that interpolating strings rather than binding parameters? The poster should look for a different way of calling if that's the case. – Laurence Nov 18 '12 at 22:02
  • @Laurence yep, but at the moment, the asker is not parameterizing the query. – John Woo Nov 18 '12 at 22:08

LONG is a keyword/reserved word in MySQL. You can use backticks to escape it:

    INSERT INTO incidents (emergency_type,date_time,lat,`long`,comments)

Or change your table column name to longitude

codingbiz