2

I am building a small Twitter clone for personal use, and I have so trouble with it. Fist, I want to show you my SQL structure of the table "poke_history":
http://puu.sh/3Sci0.png

This is the command I use to insert the values into a table (in PHP):

$insert = "INSERT INTO poke_history (id, from, time, reason) VALUES ('".$to_id."', '".$from_id."', '".$time."', '".$reason."')";
mysql_query($insert) or die(mysql_error());

This is the annoying error that I am getting:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'from, time, reason) VALUES ( '1'' at line 3.

Let me clarify some things.
$to_id is a number.
$from_id is a number.
$time is a number (coming from PHP's time()).
$reason is a text string.

I am using MySQL and PHP5.

BenMorel
  • 34,448
  • 50
  • 182
  • 322

6 Answers6

2

Try to quote your column identifiers like

INSERT INTO poke_history (`id`, `from`, `time`, `reason`) ...

Everything inside `` is considered to be a "identifier" not a language keyword. From the SQL-syntax it should be clear that after INSERT INTO tablename cannot come a FROM, but the MySQL sometimes needs this kind of guidance (and other sql parsers, too).

contradictioned
  • 1,253
  • 2
  • 14
  • 26
1

credit to mario as well:

from is a reserved keyword. Use backticks to escape them.

for example `from`

INSERT INTO table (`from`) ....

So your code would like this:

$insert = "INSERT INTO poke_history (`id`, `from`, `time`, `reason`) VALUES ('".$to_id."', '".$from_id."', '".$time."', '".$reason."')";
mysql_query($insert) or die(mysql_error());
Ishikawa91
  • 404
  • 4
  • 15
1
$insert = "INSERT INTO poke_history (`id`, `from`, `time`, `reason`) VALUES (".$to_id.", ".$from_id.", ".$time.", '".$reason."')";
mysql_query($insert) or die(mysql_error());

Numbers don't need to be quoted. Only strings. Also don't use mysql, it's deprecated. Better use PDO, with prepared statements, to avoid issues like this.

Aris
  • 4,643
  • 1
  • 41
  • 38
  • 3
    I didn't downvote this, but fwiw you must use the correct type of quotes for quoting identifiers. Use back-ticks with MySQL, not straight single-quotes. Single-quotes are for string literals and date literals. – Bill Karwin Aug 02 '13 at 22:00
0

You should try to use prepared statements to prevent SQL injection.

$query = "
    INSERT INTO
        poke_history (`id`, `from`, `time`, `reason`)
    VALUES
        (:id, :from, :time, :reason)";

$db = new PDO("mssql:host=sqlserver;dbname=database", "username", "password");

$statement = $db->prepare($query);

$parameters = array(
    ":id" => $name,
    ":from" => $from,
    ":time" => $time,
    ":reason" => $reason
);

$statement->execute($parameters);
kesimard
  • 19
  • 1
-1

I think that you forgot to add * in between INSERT and INTO, here is the fixed script:

$insert = "INSERT * INTO poke_history (id, from, time, reason) VALUES ('".$to_id."', '".$from_id."', '".$time."', '".$reason."')"; mysql_query($insert) or die(mysql_error());

Grobbed
  • 317
  • 2
  • 12
-1

The reason why you are getting the error is because you are trying to use a built in function name for one of your columns. Say you have the following CREATE TABLE...

CREATE TABLE customers
(
name varchar(80),
streetAddr varchar(160),
"from" varchar(60),
);

Notice that to create the table I had to put the column from in quotes. Now if you wanted to insert a row into this table, your insert statement should look like the following:

INSERT INTO ShoppingFun.dbo.customers
(
name, 
streetAddr, 
"from"
) 
VALUES 
(
'MRBubbleGum',
'1061 SW BubbleGumVillage St',
'yourmom'
)
user2647501
  • 1