1

Unknown column 'Abu' in 'field list'

So here is a little comment box I am working on: http://abu.cpvp.net/cupcakes.php. When I put in my name and comment it won't work, however if I put in name for name field and comment for comment field it works???? Here is my script:

$name=$_POST['name']; 
$comment=$_POST['comment']; 
$submit=$_POST['post'];
if($_POST['name'] && $_POST['comment']  && $submit) 
{ 
    $insert=mysql_query("INSERT INTO `comment (`name`,`comment`) 
                         VALUES ($name,$comment) " ) or die(mysql_error()); 
} 
else 
{ 
    echo "please fill out all fields"; 
}
John Woo
Abu

3 Answers

2

If the data type of the columns is string, then the values should be wrapped in single quotes, as they are string literals:

INSERT INTO comment (name,comment) VALUES ('$name','$comment')

As a side note, the query is vulnerable to SQL injection if the value(s) of the variables come from the outside. Please take a look at the article below to learn how to prevent it. By using PreparedStatements you can get rid of using single quotes around values.

Community
John Woo
  • 1
    Wow thanks! Yeah I would prefer using PDO but my host doesn't offer it. Sadly.. I will look into how to prevent SQL injections. Thanks for the link! – Abu May 02 '13 at 01:26
  • So my only question would with the SQL thing I just make it a non-direct entry? $dbconnection( ) – Abu May 02 '13 at 01:29
  • You can also use [mysql_real_escape_string](http://php.net/manual/en/function.mysql-real-escape-string.php) but this has been discouraged since it will be deprecated in `PHP 5.5.0` – John Woo May 02 '13 at 01:32
  • I am going to use PDO, less hassle. Plus more simple. Personal rule keep it simple... – Abu May 02 '13 at 01:34
  • 1
    [KISS - Keep It Simple Sailor] `:)` – John Woo May 02 '13 at 01:35
0

You need to put strings in quotes:

$insert=mysql_query("INSERT INTO comment 
(name,comment) 
VALUES ($name,$comment) " ) 

should be

$insert=mysql_query("INSERT INTO comment 
(name,comment) 
VALUES ('$name','$comment') " ) 

Please, don't use mysql_* functions in new code. They are no longer maintained and are officially deprecated. See the red box? Learn about prepared statements instead, and use PDO or MySQLi - this article will help you decide which. If you choose PDO, here is a good tutorial.

You are also wide open to SQL injections

Community
John Conde
  • Yeah I'll make my code more modern. I am just getting back into coding PHP, and the last time I used was circa fall of '10. – Abu May 02 '13 at 01:31
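
An added example (not part of the original answers) of the prepared-statement approach the answers above recommend, using PDO. It assumes the pdo_sqlite extension and uses an in-memory SQLite database in place of MySQL so it runs stand-alone; the `saveComment` helper and the sample input are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Assumption: pdo_sqlite is enabled;
// an in-memory SQLite database stands in for the MySQL server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comment (name TEXT NOT NULL, comment TEXT NOT NULL)');

// Constructed form input standing in for $_POST; note the apostrophes.
$post = ['name' => "Abu O'Neil", 'comment' => "It's my first comment", 'post' => 'Post'];

// Hypothetical helper: validates the fields, then inserts with bound parameters.
function saveComment(PDO $pdo, array $post): bool
{
    $name    = trim((string) ($post['name'] ?? ''));
    $comment = trim((string) ($post['comment'] ?? ''));
    if ($name === '' || $comment === '' || empty($post['post'])) {
        return false; // caller shows "please fill out all fields"
    }
    // The SQL text is fixed; values travel separately and are never parsed as SQL.
    $stmt = $pdo->prepare('INSERT INTO comment (name, comment) VALUES (:name, :comment)');
    return $stmt->execute([':name' => $name, ':comment' => $comment]);
}

// The quoted-string fix from the answers still breaks on an apostrophe,
// because the value becomes part of the SQL text.
try {
    $pdo->exec("INSERT INTO comment (name, comment)
                VALUES ('{$post['name']}', '{$post['comment']}')");
    echo "interpolated query: ok\n";
} catch (PDOException $e) {
    echo "interpolated query failed: ", $e->getMessage(), "\n";
}

// The prepared statement stores the same input verbatim.
echo saveComment($pdo, $post) ? "prepared statement: ok\n" : "please fill out all fields\n";
foreach ($pdo->query('SELECT name, comment FROM comment') as $row) {
    echo $row['name'], ': ', $row['comment'], "\n";
}
```
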
0
INSERT INTO comment (name,comment) VALUES ('$name','$comment')

Will solve your issue. But something the other developers might have noticed but not pointed out: you have not closed a backtick in your SQL query:

INSERT INTO `comment 

Should be:

INSERT INTO `comment`

There is nothing wrong with using backticks for column/table/schema names. In fact, they are recommended to minimize the risk of running into a SQL reserved word, provided they are opened and closed correctly.

Daryl Gill
  • Not sure what an SQL Reserved word is, however done. Thanks for the tip – Abu May 02 '13 at 01:49
  • @user2288998 http://dev.mysql.com/doc/refman/5.0/en/reserved-words.html this reviews possible error messages and gives an oversight of what i mean by reserved words – Daryl Gill May 02 '13 at 01:50