-1

I'm new to MySQL queries. This is what I have so far. What did I do wrong?

"INSERT INTO users (ip) WHERE id = '".$_SESSION["user"]["id"]."' 
VALUES ('$ip')"

EDIT

I just was asking about how my syntax was wrong. I understand the vulnerabilities, and did not paste them in my question. I am using the PDO library and mysql_real_string_escape WHENEVER I can...

Necro.

3 Answers

4

The INSERT query is wrong. I think you are updating something, and you need to use an UPDATE query.

UPDATE users SET ip = '$ip' WHERE id = '".$_SESSION["user"]["id"]."' 

Also work on fixing SQL injection attacks.

Muthu Kumaran
  • How would I go about fixing the SQL injection? mysql real string escape? – Necro. Nov 26 '12 at 02:15
  • Yes, use mysql real string escape – Muthu Kumaran Nov 26 '12 at 02:18
  • Use `PDO_MYSQL`, which is safer than `mySQL`. [PDO_MYSQL](http://php.net/manual/en/ref.pdo-mysql.php) Also check this SO post for more info: [MySQL versus PDO](http://stackoverflow.com/questions/866860/mysql-versus-pdo) – Nandakumar V Nov 26 '12 at 02:24
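
The UPDATE from the answer above, written as a PDO prepared statement along the lines the comments suggest. This is an added example, not code from any poster in the thread. The in-memory SQLite DSN, the `setUserIp` helper and the sample rows are assumptions made so the script runs offline; against MySQL only the DSN (and credentials) change.

```php
<?php
// Added example: schema, helper name and sample values are constructed.
// Assumption: SQLite in memory stands in for MySQL; with MySQL the DSN
// would be of the form 'mysql:host=...;dbname=...;charset=utf8mb4'.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, ip TEXT)');
$pdo->exec('INSERT INTO users (id, ip) VALUES (1, NULL), (2, NULL)');

/**
 * Store the client IP on an existing user row.
 * The SQL text is fixed; the values travel separately as bound parameters,
 * so quotes or SQL keywords in the input are never parsed as SQL.
 */
function setUserIp(PDO $pdo, int $userId, string $ip): bool
{
    // Validate before storing: accept only a literal IPv4 or IPv6 address.
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return false;
    }

    $stmt = $pdo->prepare('UPDATE users SET ip = :ip WHERE id = :id');
    $stmt->bindValue(':ip', $ip, PDO::PARAM_STR);
    $stmt->bindValue(':id', $userId, PDO::PARAM_INT);
    $stmt->execute();

    // Note: MySQL reports "affected" rows, so an UPDATE that writes the
    // same value again counts as zero rows unless found-rows mode is on.
    return $stmt->rowCount() === 1;
}

// In the question the id comes from $_SESSION["user"]["id"]; a constructed
// id and a documentation-range address (RFC 5737) are used here instead.
$updated  = setUserIp($pdo, 1, '203.0.113.7');

// A value containing quote characters fails validation and is not stored.
$rejected = setUserIp($pdo, 2, "203.0.113.7' --");

var_dump($updated, $rejected);

// Show the table state: only the row for user 1 should carry an address.
foreach ($pdo->query('SELECT id, ip FROM users ORDER BY id') as $row) {
    printf("id=%d ip=%s\n", $row['id'], $row['ip'] ?? 'NULL');
}
```
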
1
INSERT INTO users (ip) 
VALUES ('value to insert')

or

UPDATE users
SET ip = 'value to update'
WHERE ip = 'value to check'

Also, wrap your value to update and value to insert in a PHP mysqli_real_escape_string($DB,$val)

Tigger
0
  INSERT INTO table_name (column1, column2, column3,...)
  VALUES (value1, value2, value3,...)
  WHERE column_name operator value

SQL injection info

nickhar
jsteinmann