1

Getting really confused surrounding this INSERT INTO. It should insert three fields into the table, userID, activateKey and isActivated.

The activateKey is a 25 letter randomly generated key such as 63n20kw24ba1mlox34e8n2awv

The userID comes from another table and is set by auto_increment.

The isActivated is always 0 at this stage.

It seems like quite a simple INSERT statement

if (!mysqli_query($con,"INSERT INTO activations (userID,activationKey,isActivated) VALUES (".$userID.",".$activateKey.",'0')"))
  {
    echo("Error description: " . mysqli_error($con));
  }

However it doesn't work when I include the $activateKey field. What it does is try to search the string variable $activateKey as a column name. The error I get is:

Error description: Unknown column '63n20kw24ba1mlox34e8n2awv' in 'field list'

Of course there is no such column as 63n20kw24ba1mlox34e8n2awv, this is the data I'm trying to insert, hence why it's in the VALUES section. Any ideas why it's trying to search this as the column name?

Edit to clarify: the var is activateKey, the column name is activationKey

Francesca
  • 26,842
  • 28
  • 90
  • 153
  • Sorry, I'll edit. The correct var is `activateKey`. The column name is `activationKey` - I changed them to be different to try and avoid confusion between the two but I seem to have done the opposite! – Francesca Oct 13 '14 at 22:36

5 Answers5

1

I would put the query in a different variable to avoid confusion, and PHP automatically substitutes variable names in strings in double quotes.

Try this:

<?php
  $query = "INSERT INTO activations (userID,activationKey,isActivated) VALUES($userID,'$activateKey','0')
  if (!mysqli_query($con,$query)
   {
     echo("Error description: " . mysqli_error($con));
   }
Jay S.
  • 1,318
  • 11
  • 29
1

You are not surrounding the values with quotes, that's why they get interpreted as variable names. Use single quotes, like this:

"INSERT INTO activations (userID,activationKey,isActivated) VALUES
   ('".$userID."','".$activateKey."','0')"

However, be aware that stringing together query strings exposes you to SQL injection attacks, if that's a concern in your code you should use parameterized queries. In fact, using parameterized queries is always better.

fvu
  • 32,488
  • 6
  • 61
  • 79
1

Change your query to this:

"INSERT INTO activations 
        (userID,activationKey,isActivated) 
 VALUES ('$userID','$activateKey','0')"

You dont need to use the concatenation (.) operator as variables will be interpolated into the string.

The single quotes tell mysql to treat the variables as literals instead of column names.

As a side note you would be better to use parameterized queries. See How can I prevent SQL injection in PHP?

Community
  • 1
  • 1
andrew
  • 9,313
  • 7
  • 30
  • 61
  • Thanks. This is the cleanest answer. I'll look into paramaterized queries, though it looks like this uses the OO approach to mysqli whereas I'm using procedural? – Francesca Oct 14 '14 at 08:13
  • It can be done oo or procedural style see [examples](http://php.net/manual/en/mysqli.prepare.php#refsect1-mysqli.prepare-examples) – andrew Oct 14 '14 at 11:23
0

Solved!

It was a case of not properly wrapping the dynamic fields (the vars in the VALUES section) in ticks:

if (!mysqli_query($con,"INSERT INTO activations (userID,activationKey,isActivated) VALUES ('".$userID."','".$activateKey."','0')"))

Instead of 

if (!mysqli_query($con,"INSERT INTO activations (userID,activationKey,isActivated) VALUES (".$userID.",".$activateKey.",'0')"))

Might be a difficult one to spot. The variables still need to be 'in ticks' or they won't register as strings.

Francesca
  • 26,842
  • 28
  • 90
  • 153
0

As activationKey is a string column, you must use single quotes for $activationKey.
Try with:

if (!mysqli_query($con,"INSERT INTO activations (userID,activationKey,isActivated)
     VALUES (".$userID.",'".$activateKey."','0')"))
matthias_h
  • 11,356
  • 9
  • 22
  • 40
Jorge Moreno
  • 11
  • 1