-1

I'm writing because I simply can't find my error. I copied this code from another document and edited a few things, but then I have an error. I'm unable to see what it is.

The error is the following:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'by,telefon,email) VALUES (987, , , , by, , )' at line 1

And my code is the following:

 $taelf = mysql_result(mysql_query("SELECT COUNT(*) FROM `Firma` WHERE `navn` = '$navn'"),0); 
 if($taelf < 1){  
     mysql_query("INSERT INTO `Firma` (navn,cvr,Adresse,postnr,by,telefon,email)
                   VALUES ($_POST[navn], $_POST[cvr],
                           $_POST[adresse], $_POST[postnr],
                           by, $_POST[nummer], $_POST[email]
                          )"
                ) or die(mysql_error());  
    echo "<div id='success'>Vupti, firmaet er nu oprettet. '$_POST[navn]','$_POST[cvr]','$_POST[adresse]','$_POST[by]','$_POST[postnr]','$_POST[nummer]','$_POST[email]'</div>";
Puck
user3259244

2 Answers

5

BY is a reserved word. If you are going to name a column with that name you must wrap it in ticks:

INSERT INTO `Firma` (navn,cvr,Adresse,postnr,`by`,telefon,email) 

Also see Fabien Warniez's answer which explains that you also need to wrap your string values in quotes.

Please, don't use mysql_* functions in new code. They are no longer maintained and are officially deprecated. See the red box? Learn about prepared statements instead, and use PDO or MySQLi - this article will help you decide which. If you choose PDO, here is a good tutorial. You are also wide open to SQL injections.

Community
John Conde
  • Oh, I didn't know. I just fixed that, but I end up with another error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' , , by, , )' at line 1 – user3259244 Jan 31 '14 at 23:42
  • AND you'll need to quote the values, like this: `INSERT INTO .... VALUES ('". $_POST['navn'] ."', '". $_POST['cvr'] ."', ... etc` While you're at it, look at [this post about sql injection](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – giorgio Jan 31 '14 at 23:44
  • @user3259244 You're also forgetting the values portion. You have to wrap the `by` after `VALUES` with quotations as well (along with the rest...) – sjagr Jan 31 '14 at 23:45
  • As the other answer states, you have to add quotes around your values, too, like this: '$_POST[postnr]', 'by', '$_POST[nummer]'... – BrettFromLA Jan 31 '14 at 23:46
  • I thought reserved words were, well, reserved. I learn things every day! – Fabien Warniez Jan 31 '14 at 23:47
  • It worked out fine John, yeah I'm gonna go into all that new stuff soon :-) Thanks for the fast help, how do I select the right answer? – user3259244 Feb 01 '14 at 00:01
  • @user3259244 Just click on the checkmark underneath the vote total – John Conde Feb 01 '14 at 00:19
3

You need to add quotes around your string values:

    mysql_query("INSERT INTO `Firma` (navn,cvr,Adresse,postnr,`by`,telefon,email)
        VALUES ('$_POST[navn]', '$_POST[cvr]', '$_POST[adresse]', '$_POST[postnr]',
        'by', '$_POST[nummer]', '$_POST[email]')") or die(mysql_error());

Please note that this should fix your syntax problem, but you really should escape the POST variables.

Fabien Warniez
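
The prepared-statement approach that both answers point to, shown for this `Firma` insert as an added example (not code from the question or the answers). The `createFirma` helper, the in-memory SQLite database standing in for MySQL, and the sample form values are assumptions made so the block runs on its own.

```php
<?php
// Assumption: in-memory SQLite stands in for MySQL so this runs offline. For
// MySQL change the DSN (mysql:host=...;dbname=...;charset=utf8mb4) and set
// PDO::ATTR_EMULATE_PREPARES to false so the server prepares the statement.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE `Firma` (navn TEXT, cvr TEXT, Adresse TEXT,
            postnr TEXT, `by` TEXT, telefon TEXT, email TEXT)');

// Hypothetical helper: returns true if the company was inserted,
// false if a company with that name already exists.
function createFirma(PDO $pdo, array $post): bool
{
    // Form field name => placeholder name (placeholders match the columns).
    $fields = ['navn' => 'navn', 'cvr' => 'cvr', 'adresse' => 'Adresse',
               'postnr' => 'postnr', 'by' => 'by', 'nummer' => 'telefon',
               'email' => 'email'];
    $params = [];
    foreach ($fields as $field => $placeholder) {
        $value = $post[$field] ?? null;
        // Reject missing fields and array input such as navn[]=x.
        if (!is_string($value) || trim($value) === '') {
            throw new InvalidArgumentException("Missing field: $field");
        }
        $params[$placeholder] = trim($value);
    }
    // Values are bound, never concatenated, so quotes in them stay data.
    $check = $pdo->prepare('SELECT COUNT(*) FROM `Firma` WHERE navn = :navn');
    $check->execute(['navn' => $params['navn']]);
    if ((int) $check->fetchColumn() > 0) {
        return false;
    }
    // `by` is a reserved word, so the column name stays in backticks.
    $insert = $pdo->prepare(
        'INSERT INTO `Firma` (navn, cvr, Adresse, postnr, `by`, telefon, email)
         VALUES (:navn, :cvr, :Adresse, :postnr, :by, :telefon, :email)'
    );
    $insert->execute($params);
    return true;
}

// Constructed form input; the apostrophe would break the concatenated query.
$post = ['navn' => "Jensen's Auto ApS", 'cvr' => '12345678',
         'adresse' => 'Havnegade 1', 'postnr' => '8000', 'by' => 'Aarhus',
         'nummer' => '87654321', 'email' => 'kontakt@example.com'];
var_dump(createFirma($pdo, $post)); // first submission
var_dump(createFirma($pdo, $post)); // same name submitted again
```

A UNIQUE index on `navn` would close the gap between the existence check and the insert when two requests arrive at the same time.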