INSERT SQL error

Question

i have this in my script:

$db->q("INSERT INTO 'keys' (key,grupo,dias) VALUES ('$key','VIP',$love);");

which generates sql like this

INSERT INTO 'keys' ('key','grupo','dias') VALUES ('35F3','VIP',28)

but i get

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''keys' ('key','grupo','dias') VALUES ('35F3','VIP',28)' at line 1

I'm adding screenshot of my table's structure: https://i.stack.imgur.com/luKfm.png

enter image description here

Thanks for ur help!

Also, you may _potentially_ open to SQL Injection, depending on where `$key` and `$love` are coming from. — Clockwork-Muse, Apr 05 '13 at 16:22
**You are leaving yourself wide open to SQL injection attacks.** Please learn about using parametrized queries, preferably with the PDO module, to protect your web app. http://bobby-tables.com/php has examples to get you started. — Andy Lester, Apr 05 '13 at 16:22
possible duplicate of [When to use single quotes, double quotes, and backticks?](http://stackoverflow.com/questions/11321491/when-to-use-single-quotes-double-quotes-and-backticks) — Michael Berkowski, Mar 13 '14 at 00:50

score 3 · Answer 1 · edited May 23 '17 at 12:13

3

Tables names are identfiers not string literals. So in the case that they are escape, you should use backticks,

INSERT INTO `keys` (`key`,`grupo`,`dias`) VALUES ('35F3','VIP',28)

edited May 23 '17 at 12:13

Community

1
1

answered Apr 05 '13 at 15:56

John Woo

258,903
69
498
492

You are so f**** fast it's unbelievable ... Do you get the questions before everyone else or something?? :) – What have you tried Apr 05 '13 at 15:57

INSERT SQL error

1 Answers1