-2

My code is:

$newModel = "INSERT INTO models (id," . 
    " firstname," .
    " lastname," .
    " email," .
    " password," .
    " group," .
    " phone," .
    " timeofday," .
    " dayofweek," .
    " address," .
    " city," .
    " state," .
    " zip," .
    " gender," .
    " hair," .
    " eye," .
    " birthday," .
    " birthmonth," .
    " birthyear," .
    " bustshirt," .
    " cup," .
    " waist," .
    " hips," .
    " waist," .
    " hips," .
    " weight," .
    " inches," .
    " dressjacket," .
    " workxp," .
    " twitter," .
    " facebook," .
    " joindate," .
    " instagram," .
    " imdb," .
    " parentid," .
    " error) VALUES (".
    PrepSQL($modelid) . ", " .
    PrepSQL($firstname) . ", " .
    PrepSQL($lastname) . ", " .
    PrepSQL($email) . ", " .
    PrepSQL($password) . ", " .
    PrepSQL($group) . ", " .
    PrepSQL($phone) . ", " .
    PrepSQL($timeofday) . ", " .
    PrepSQL($dayofweek) . ", " .
    PrepSQL($address) . ", " .
    PrepSQL($city) . ", " .
    PrepSQL($state) . ", " .
    PrepSQL($zip) . ", " .
    PrepSQL($gender) . ", " .
    PrepSQL($hair) . ", " .
    PrepSQL($eyes) . ", " .
    PrepSQL($bday) . ", " .
    PrepSQL($bmonth) . ", " .
    PrepSQL($byear) . ", " .
    PrepSQL($bust) . ", " .
    PrepSQL($cup) . ", " .
    PrepSQL($waist) . ", " .
    PrepSQL($hips) . ", " .
    PrepSQL($weight) . ", " .
    PrepSQL($height) . ", " .
    PrepSQL($dressjacket) . ", " .
    PrepSQL($workxp) . ", " .
    PrepSQL($twitter) . ", " .
    PrepSQL($facebook) . ", " .
    PrepSQL($joindate) . ", " .
    PrepSQL($instagram) . ", " .
    PrepSQL($imdb) . ", " .
    PrepSQL($parentid) . ", " .
    PrepSQL($error) . ")";

mysql_query($newModel) or die(mysql_error());

It's shooting out an error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'group, phone, timeofday, dayofweek, address, city, state, zip, gender, hair, eye' at line 1

billinkc
Rick Bross

2 Answers

7

group is a reserved word in MySQL. You must wrap it in backticks:

`group`,
phone

etc.

Explosion Pills
4

GROUP is a reserved keyword and happens to be the name of your column. To avoid a syntax error, you need to escape it using backticks, e.g.,

`group`

If you have the privilege to alter the table, change the column name to one that is not a reserved keyword to prevent the problem from occurring again.


As a side note, the query is vulnerable to SQL injection if the value(s) of the variables came from the outside. Please take a look at the article below to learn how to prevent it. By using PreparedStatements you can get rid of using single quotes around values.

Community
John Woo
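The two fixes from the answers combined, as an added example that is not part of the original posts: the reserved word `group` is quoted with backticks, and every value is bound through a PDO prepared statement instead of being concatenated into the query. The column subset, the `quoteIdentifier` and `insertModel` helpers, the sample row and the in-memory SQLite database (used so the script runs without a MySQL server) are assumptions.

```php
<?php
// Added example. Column subset taken from the question; table layout is assumed.
const MODEL_COLUMNS = ['id', 'firstname', 'lastname', 'email', 'group', 'phone'];

// Backticks quote identifiers in MySQL; an embedded backtick is doubled.
function quoteIdentifier(string $name): string
{
    return '`' . str_replace('`', '``', $name) . '`';
}

// Hypothetical helper: insert one row using bound parameters only.
function insertModel(PDO $db, array $row): void
{
    // Identifiers cannot be bound, so column names must come from an allowlist.
    $unknown = array_diff(array_keys($row), MODEL_COLUMNS);
    if ($row === [] || $unknown !== []) {
        throw new InvalidArgumentException('Empty row or unknown column');
    }
    $cols = array_keys($row);
    $sql = sprintf(
        'INSERT INTO models (%s) VALUES (%s)',
        implode(', ', array_map('quoteIdentifier', $cols)),
        implode(', ', array_map(fn ($c) => ':' . $c, $cols))
    );
    // Values travel separately from the SQL text, so no manual quoting is needed.
    $db->prepare($sql)->execute($row);
}

// In-memory SQLite (which also accepts backtick-quoted identifiers) so this runs
// without a server; against MySQL, connect with a mysql: DSN instead.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE models (`id` INTEGER, `firstname` TEXT, `lastname` TEXT,
           `email` TEXT, `group` TEXT, `phone` TEXT)');

// Constructed sample input containing quote characters.
insertModel($db, [
    'id'        => 1,
    'firstname' => "Anne'); -- ",
    'lastname'  => "O'Brien",
    'email'     => 'anne@example.com',
    'group'     => 'print',
    'phone'     => '555-0100',
]);

// The quote characters come back exactly as supplied: they were treated as data.
$stored = $db->query('SELECT `firstname`, `lastname`, `group` FROM models')
             ->fetch(PDO::FETCH_ASSOC);
var_dump($stored);
```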