
I'm creating a very simple PHP forum system to integrate with my portal system (I tried to integrate some existing ones, but all I've found have lots of features I don't want, so I decided to create my own). The page below is just a starting point from the board creation page, but when I click on submit, I just get the following error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'desc='Testing special characters á é ó ç ã ñ'' at line 1

<?php
// Renders the board creation form, showing $error (if any) above it.
function renderForm($nome, $desc, $error)
{
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>New Record</title>
</head>
<body>
<?php
if ($error != '')
{
    echo '<div style="padding:4px; border:1px solid red; color:red;">'.$error.'</div>';
}
?>

<form action="" method="post">
<div>
<strong>Nome: *</strong> <input type="text" name="nome" value="<?php echo $nome; ?>" /><br/>
<strong>Desc: *</strong> <input type="text" name="desc" value="<?php echo $desc; ?>" /><br/>
<p>* required</p>
<input type="submit" name="submit" value="Submit">
</div>
</form>
</body>
</html>
<?php
}

include("../../config.php");

if (isset($_POST['submit']))
{
    $nome = htmlspecialchars($_POST['nome']);
    $desc = htmlspecialchars($_POST['desc']);
    if ($nome == '' || $desc == '')
    {
        $error = 'ERROR: Please fill in all required fields!';
        renderForm($nome, $desc, $error);
    }
    else
    {
        // This is the statement that produces the error quoted above.
        mysql_query("INSERT forum_boards SET nome='$nome', desc='$desc'")
            or die(mysql_error());
    }
}
else
{
    renderForm('', '', '');
}
?>

What could this be?

Jimmy

  • "*check the manual that corresponds to your MySQL server version*". I wonder if doing that would help... Be aware that you are using [an **obsolete** database API](http://stackoverflow.com/q/12859942/19068) and should use [a modern replacement](http://php.net/manual/en/mysqlinfo.api.choosing.php). – DCoder Jul 04 '13 at 15:54
  • `desc` is a MySQL reserved word; you need to wrap it in backticks in your SQL if you're using it as a column name – Mark Baker Jul 04 '13 at 15:55
  • oh that nasty `desc` word - a curse of all the php noobs (and endless source of the rep points for the SO haunters) – Your Common Sense Jul 04 '13 at 15:56
  • Thanks all of you (except Your Common Sense). I changed the "desc" column. – Jimmy Jul 04 '13 at 16:17

3 Answers

Improper insert syntax. The proper form is:

INSERT INTO forum_boards (`nome`, `desc`) VALUES ('$nome', '$desc')

Also you need to escape your inputs to prevent SQL injection:

$nome = mysql_real_escape_string(htmlspecialchars($_POST['nome']));
$desc = mysql_real_escape_string(htmlspecialchars($_POST['desc']));

ALSO someone will complain that mysql_* functions are deprecated. I feel like a compiler!

beiller

  • Who on earth is upvoting it? – Your Common Sense Jul 04 '13 at 15:57
  • It sort of deserves one now that there are backticks in there – Bojangles Jul 04 '13 at 15:58
  • Hello common sense. Your comment adds nothing to this discussion and yet it's been upvoted... ;) – beiller Jul 04 '13 at 16:03
  • Thank you, @beiller. It solved the sql problem (and thank you about the sql injection tip). – Jimmy Jul 04 '13 at 16:18
  • What's wrong with the syntax INSERT INTO table SET field = value? It is much easier to read and modify. And why would you do htmlspecialchars before inserting data? The database should store the real data, not encoded data. Then while showing that data in some environment, for example HTML, you would escape it. – Nedret Recep Jul 04 '13 at 16:29
  • @NedretRecep you are correct about the htmlspecialchars function. It should only be used on output. I just left it as it was. The insert into table syntax you mention is also fine, but they were still missing the INTO keyword there. – beiller Jul 04 '13 at 17:38

Insert works like this:

INSERT forum_boards (column_name1, column_name2, column_name3) VALUES ($value1, $value2, $value3); etc.

Also take care your code is vulnerable to SQL-Injection http://en.wikipedia.org/wiki/SQL_injection

Also take care the mysql_* functions are officially deprecated!

gries

  • please add a reason for the downvote so i can improve my next answer :) – gries Jul 04 '13 at 15:58
  • I suspect it's because you're not quoting either the column names or the values, which will mean that this won't actually fix this issue (desc needs to be quoted, as it's a reserved word); and will also break if there are strings being added. – andrewsi Jul 04 '13 at 16:00

Try to use single quotes in place of double quotes.
Single quotes execute faster than double quotes.

Try to save the query in a variable; it is more readable:

// `desc` is a reserved word, so it is wrapped in backticks
$query='INSERT INTO forum_boards (`nome`,`desc`) VALUES("'.$nome.'","'.$desc.'")';

// try to use mysqli, it is much more advanced, and always use prepared statements
// ($link is the mysqli connection handle; mysqli_query() requires it as the first argument)
mysqli_query($link, $query);

Dr_Dang
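The two points raised by beiller's answer (quote the `desc` column with backticks, and never paste request values into the SQL string) and by Dr_Dang's answer (use mysqli with a prepared statement) come together in the following rewrite of the question's insert. This is an added example, not code from the question or from any of the answers. It assumes a `forum_boards` table with an auto-increment `id` plus the `nome` and `desc` columns, and that `config.php` defines the connection constants `DB_HOST`, `DB_USER`, `DB_PASS` and `DB_NAME` (hypothetical names; the asker's `config.php` is not shown). It also follows Nedret Recep's comment: the stored value is the raw input, and `htmlspecialchars` is applied only when the value is rendered.

```php
<?php
// Added example (not from the question or answers): the board insert rewritten
// with mysqli prepared statements. Assumes config.php defines DB_HOST, DB_USER,
// DB_PASS and DB_NAME (hypothetical constant names).
declare(strict_types=1);

require_once __DIR__ . '/../../config.php';

function connectDb(): mysqli
{
    // Throw mysqli_sql_exception on failure instead of silently returning false.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    $db = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);
    // utf8mb4 so the accented characters from the question's test string round-trip intact.
    $db->set_charset('utf8mb4');
    return $db;
}

// Pattern from the question (do not use): the values become part of the SQL text,
// so a quote character inside $desc changes the statement itself.
//   mysql_query("INSERT forum_boards SET nome='$nome', desc='$desc'");
//
// Hardened form: `desc` is a reserved word, so it is quoted with backticks, and the
// values are sent as bound parameters that the server never parses as SQL.
function insertBoard(mysqli $db, string $nome, string $desc): int
{
    $stmt = $db->prepare('INSERT INTO forum_boards (`nome`, `desc`) VALUES (?, ?)');
    $stmt->bind_param('ss', $nome, $desc);
    $stmt->execute();
    $id = (int) $stmt->insert_id;
    $stmt->close();
    return $id;
}

// Validate the raw input; keep the stored value exactly as typed (no HTML encoding here).
function readRequired(string $field, int $maxLen = 255): string
{
    $value = trim((string) ($_POST[$field] ?? ''));
    if ($value === '' || mb_strlen($value, 'UTF-8') > $maxLen) {
        throw new InvalidArgumentException("Field '$field' is required and must be at most $maxLen characters");
    }
    return $value;
}

// Escape at output time only, when a value is placed into HTML.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

if (isset($_POST['submit'])) {
    try {
        $nome = readRequired('nome');
        $desc = readRequired('desc');
        $id   = insertBoard(connectDb(), $nome, $desc);
        echo '<p>Board ' . h($nome) . ' created with id ' . $id . '</p>';
    } catch (InvalidArgumentException $e) {
        echo '<div style="padding:4px; border:1px solid red; color:red;">' . h($e->getMessage()) . '</div>';
    } catch (mysqli_sql_exception $e) {
        // Log the driver message for the operator; show the user only a generic failure.
        error_log('forum_boards insert failed: ' . $e->getMessage());
        echo '<div style="padding:4px; border:1px solid red; color:red;">Could not create the board.</div>';
    }
}
```

With `MYSQLI_REPORT_STRICT` enabled, a syntax error such as the one in the question surfaces as a `mysqli_sql_exception` that is logged rather than echoed through `die(mysql_error())`, so the SQL text and server version are not disclosed to the browser. The backticks around `desc` can be dropped if, as the asker did, the column is renamed to something that is not a reserved word.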