-4

I don't understand this error

Erreur de syntaxe près de ' , '196,000,000', '6357007', '6357006', '', 'mr. hasan', '', '', '' à la ligne 2

Here is my table create:

CREATE TABLE `comp` (
  `ID` int(11) NOT NULL AUTO_INCREMENT,
  `COMPANY_NAME` varchar(500) NOT NULL,
  `ACTIVITY` text NOT NULL,
  `CITY` varchar(150) NOT NULL,
  `NUM_COMPANY_FOLLOW` int(11) DEFAULT NULL,
  `NUM_BRANCH` int(11) DEFAULT NULL,
  `ASSETS` text,
  `PHONE1` varchar(100) NOT NULL,
  `PHONE2` varchar(100) DEFAULT NULL,
  `E_MAIL` varchar(250) DEFAULT NULL,
  `DIRECTOR_NAME` varchar(500) NOT NULL,
  `COMPANY_SITE` varchar(250) DEFAULT NULL,
  `COMPANY_ADDRESS` text,
  `HEAD_LOCATION` varchar(100) DEFAULT NULL,
  `HEAD_DIRECTORS_NAME` text NOT NULL,
  `VICE_HEAD_NAME` varchar(500) NOT NULL,
  `BOARD_MEMBER` text,
  `BRIEF_DESC` text,
  `EVALUE` varchar(250) DEFAULT NULL,
  `NOTES` text,
  `USERID_ADD` int(11) DEFAULT NULL,
  `IP_ADD` varchar(15) DEFAULT NULL,
  `DATE_ADD` int(11) DEFAULT NULL,
  `USERID_EDIT` int(11) DEFAULT NULL,
  `IP_EDIT` varchar(15) DEFAULT NULL,
  `DATE_EDIT` int(11) DEFAULT NULL,
  PRIMARY KEY (`ID`)
) ENGINE=InnoDB AUTO_INCREMENT=17 DEFAULT CHARSET=cp1256

Here is my code:

$sql = "INSERT INTO comp (ID, COMPANY_NAME, ACTIVITY, CITY, NUM_COMPANY_FOLLOW, NUM_BRANCH, ASSETS, PHONE1, PHONE2, E_MAIL, DIRECTOR_NAME, COMPANY_SITE, COMPANY_ADDRESS, HEAD_LOCATION, HEAD_DIRECTORS_NAME, VICE_HEAD_NAME,BOARD_MEMBER, BRIEF_DESC, EVALUE, NOTES, USERID_ADD, IP_ADD, DATE_ADD)  
            VALUES (NULL, '$COMPANY_NAME', '$ACTIVITY', '$CITY', $NUM_COMPANY_FOLLOW, $NUM_BRANCH, '$ASSETS', '$PHONE1', '$PHONE2', 
            '$E_MAIL', '$DIRECTOR_NAME', '$COMPANY_SITE', '$COMPANY_ADDRESS', '$HEAD_LOCATION', '$HEAD_DIRECTORS_NAME', '$VICE_HEAD_NAME',  
            '$ALL_BOARD_MEMBER', '$BRIEF_DESC', '$EVALUE', '$NOTES', $this_userID, '$IP_ADD', $DATE_ADD)";

$result = $db->Execute($sql);
echo mysql_error();

Printed SQL:

INSERT INTO comp 
(
    ID, 
    COMPANY_NAME, 
    ACTIVITY, 
    CITY, 
    NUM_COMPANY_FOLLOW, 
    NUM_BRANCH, 
    ASSETS, 
    PHONE1, 
    PHONE2, 
    E_MAIL, 
    DIRECTOR_NAME, 
    COMPANY_SITE, 
    COMPANY_ADDRESS, 
    HEAD_LOCATION, 
    HEAD_DIRECTORS_NAME, 
    VICE_HEAD_NAME,
    BOARD_MEMBER, 
    BRIEF_DESC, 
    EVALUE, 
    NOTES, 
    USERID_ADD, 
    IP_ADD, 
    DATE_ADD
) 
VALUES 
(
    NULL, 
    'ANAAM', 
    'hello1', 
    'jeddah', 
    , 
    , 
    '', 
    '6357007', 
    '6357006', 
    '', 
    'mr mohammed', 
    '', 
    '', 
    '', 
    'mr adnan', 
    'mr naser', 
    '', 
    '', 
    '', 
    '', 
    1, 
    '127.0.0.1', 
    1415180296
)
Dinistro
Adnan7

4 Answers

1

Looks data-dependent and the best way to fix our code is to rewrite the statements using prepared statements. This would also avoid the vulnerability to SQL-Injections. Have a look at the answer to this question: How can I prevent SQL injection in PHP?

Community
MBaas
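
The prepared-statement rewrite recommended in the answer above, as an added example that is not the asker's or the answerer's code. It assumes PDO with the pdo_sqlite driver and a constructed, reduced copy of the `comp` table; `intOrNull` and `insertCompany` are hypothetical helper names.

```php
<?php
// Constructed, reduced version of the question's table in in-memory SQLite (runs offline).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comp (
    ID INTEGER PRIMARY KEY AUTOINCREMENT,
    COMPANY_NAME TEXT NOT NULL,
    NUM_COMPANY_FOLLOW INTEGER DEFAULT NULL,
    NUM_BRANCH INTEGER DEFAULT NULL,
    ASSETS TEXT,
    DIRECTOR_NAME TEXT NOT NULL
)');

// Hypothetical helper: blank field -> NULL, valid integer -> int, anything else is rejected.
function intOrNull(string $raw): ?int
{
    $raw = trim($raw);
    if ($raw === '') {
        return null;
    }
    $n = filter_var($raw, FILTER_VALIDATE_INT);
    if ($n === false) {
        throw new InvalidArgumentException("not an integer: $raw");
    }
    return $n;
}

// Hypothetical helper: the SQL text is fixed; user data travels only as bound parameters.
function insertCompany(PDO $pdo, array $form): int
{
    $stmt = $pdo->prepare(
        'INSERT INTO comp (COMPANY_NAME, NUM_COMPANY_FOLLOW, NUM_BRANCH, ASSETS, DIRECTOR_NAME)
         VALUES (:name, :follow, :branch, :assets, :director)'
    );
    foreach ([':follow' => 'NUM_COMPANY_FOLLOW', ':branch' => 'NUM_BRANCH'] as $param => $field) {
        $v = intOrNull($form[$field] ?? '');
        $stmt->bindValue($param, $v, $v === null ? PDO::PARAM_NULL : PDO::PARAM_INT);
    }
    $stmt->bindValue(':name', $form['COMPANY_NAME'], PDO::PARAM_STR);
    $stmt->bindValue(':assets', $form['ASSETS'], PDO::PARAM_STR);
    $stmt->bindValue(':director', $form['DIRECTOR_NAME'], PDO::PARAM_STR);
    $stmt->execute();
    return (int) $pdo->lastInsertId();
}

// Constructed input: blank numeric fields, a comma-formatted amount, an apostrophe in a name.
insertCompany($pdo, ['COMPANY_NAME' => 'ANAAM', 'NUM_COMPANY_FOLLOW' => '', 'NUM_BRANCH' => '',
    'ASSETS' => '196,000,000', 'DIRECTOR_NAME' => "mr. o'hasan"]);
var_dump($pdo->query('SELECT * FROM comp')->fetchAll(PDO::FETCH_ASSOC));
```

The blank numeric fields are stored as NULL, which the `DEFAULT NULL` columns in the question's table accept, and the commas and apostrophe are stored as data because they never become part of the SQL text.
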
1

If you look at the value part of your query:

(NULL, 'ANAAM', 'hello1', 'jeddah', , , '', '6357007', '6357006', '', 'mr mohammed', '', '', '', 'mr adnan', 'mr naser', '', '', '', '', 1, '127.0.0.1', 1415180296)

You'll see , , ,, that creates an error as the data is empty. So put brackets around the numeric values like with your ascii values. Or use a default value (0?).

Also, remove the ID value in your sql-query, it's auto-increment.

Edited code:

$sql = "INSERT INTO comp (COMPANY_NAME, ACTIVITY, CITY, NUM_COMPANY_FOLLOW, NUM_BRANCH, ASSETS, PHONE1, PHONE2, E_MAIL, DIRECTOR_NAME, COMPANY_SITE, COMPANY_ADDRESS, HEAD_LOCATION, HEAD_DIRECTORS_NAME, VICE_HEAD_NAME,BOARD_MEMBER, BRIEF_DESC, EVALUE, NOTES, USERID_ADD, IP_ADD, DATE_ADD)  
            VALUES ('$COMPANY_NAME', '$ACTIVITY', '$CITY', '$NUM_COMPANY_FOLLOW', '$NUM_BRANCH', '$ASSETS', '$PHONE1', '$PHONE2', 
            '$E_MAIL', '$DIRECTOR_NAME', '$COMPANY_SITE', '$COMPANY_ADDRESS', '$HEAD_LOCATION', '$HEAD_DIRECTORS_NAME', '$VICE_HEAD_NAME',  
            '$ALL_BOARD_MEMBER', '$BRIEF_DESC', '$EVALUE', '$NOTES', '$this_userID', '$IP_ADD', '$DATE_ADD')";

$result = $db->Execute($sql);
echo mysql_error();
sridesmet
0

This means that you have an error in your syntax near ' , '196,000,000', '6357007', '6357006', '', 'mr. hasan', '', '', '' at line 2. In other words, it's a SQL error.

This is because of the brief description in your query. The value of the variable is most certainly containing bad characters. Make sure you escape the string, if you have things like apostrophes or stuff like that...

Hope this helps! :D

Ares Draguna
0

We definitely need more code, like the echo of $sql.

But I've seen an additional error in the statement. You define the ID as NOT NULL, auto increment and primary key. In the query, you set NULL for id. That will return an error.

Remove the column "ID" from the statement.

Giwwel
  • Setting a not null auto increment to null will just generate the next value in MySQL. I do this on most inserts (just to make it obvious when modifying the code in future that there is an ID field there) – Kickstart Nov 05 '14 at 10:07