-3

I am running this SQL in PHP:

```php
$sql = "INSERT INTO ".TABLE_PREMIUM." (Installation_ID, Purchase_ID, Enabled, Expired, Updated) VALUES('$installation', '$product', '1','$expiry', now()) ON DUPLICATE KEY UPDATE Installation_ID='$installation, Purchase_ID='$product', Enabled = '1', Expired = '$expiry', Updated = now() ";
```

And I keep getting this error

```
INSERT INTO Premium (Installation_ID, Purchase_ID, Enabled, Expired,
Updated) VALUES('123456', '1111.22222222.3333.44444', '1','2016-05-13
11:10:09', now()) ON DUPLICATE KEY UPDATE Installation_ID='123456,
Purchase_ID='1111.22222222.3333.44444', Enabled = '1', Expired =
'2016-05-13 11:10:09', Updated = 2015-03-03 11:11:11
```

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1111.22222222.3333.44444', Enabled = '1', Expired = '2016-05-13 11:10:09', Updat' at line 1

What could be the issue? I can't decode it from this error.

PM 77-1
Snake
  • you may be missing a quote right after '$installation -- before the comma --- causing data to be concatenated. – BWS May 06 '16 at 17:15
  • [Little Bobby](http://bobby-tables.com/) says [your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard May 06 '16 at 17:16
  • notice anything different between these two? `Expired = '2016-05-13 11:10:09', Updated = 2015-03-03 11:11:11` – Jay Blanchard May 06 '16 at 17:17
  • Do you see a problem now? Everything is color-coded. – PM 77-1 May 06 '16 at 17:18
  • Check your quotes. `Installation_ID` and `Updated` – Dan May 06 '16 at 17:18
  • Missing single quote here, `... Installation_ID='$installation, Purchase_ID= ...` – Rajdeep Paul May 06 '16 at 17:19
  • There are probably other problems with data types that we can't see without the table details. Some fields appear as if they should be numeric. – Julie Pelletier May 06 '16 at 17:23
  • It was the single quote missing from installation ID. :) I can't believe I couldn't see it. Not sure why people would downvote. It happens that someone makes a silly mistake. It is not worth a downvote. – Snake May 06 '16 at 21:26

2 Answers

0

You are missing a ' (single quote) after UPDATE Installation_ID='$installation

calvinf
bns
0

I think the purchase ID is too long, or it can be that you're missing a ' after installation_id = '$installation; maybe that could be the problem.

  • Yes the missing quote was it, but bns answered it before you so I accepted his answer. Thanks – Snake May 06 '16 at 21:24
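
The answers repair the missing quote; the prepared-statement approach linked in the comments removes the hand-written quoting altogether. As an added example (not code from the question or the answers), here is the same upsert as a PDO prepared statement; the function name `upsertPremium`, the DSN and the credentials are assumptions.

```php
<?php
// Added example, not the asker's code. The table name 'Premium' comes from the
// error output in the question; DSN, credentials and function name are assumed.
declare(strict_types=1);

const TABLE_PREMIUM = 'Premium';

function upsertPremium(PDO $pdo, string $installation, string $product, string $expiry): void
{
    // Identifiers cannot be bound as parameters, so check the table name
    // against a strict pattern before interpolating it.
    if (!preg_match('/\A[A-Za-z_][A-Za-z0-9_]*\z/', TABLE_PREMIUM)) {
        throw new InvalidArgumentException('unexpected table name');
    }

    // No quotes around the placeholders: the values travel separately from
    // the SQL text, so there is no quote to forget and none to break out of.
    // VALUES(col) reuses the inserted value in the UPDATE branch; MySQL
    // 8.0.20+ deprecates it in favour of a row alias, but it still works.
    $sql = sprintf(
        "INSERT INTO `%s`
             (Installation_ID, Purchase_ID, Enabled, Expired, Updated)
         VALUES (:installation, :product, '1', :expiry, NOW())
         ON DUPLICATE KEY UPDATE
             Installation_ID = VALUES(Installation_ID),
             Purchase_ID     = VALUES(Purchase_ID),
             Enabled         = '1',
             Expired         = VALUES(Expired),
             Updated         = NOW()",
        TABLE_PREMIUM
    );

    $stmt = $pdo->prepare($sql);
    $stmt->execute([
        ':installation' => $installation,
        ':product'      => $product,
        ':expiry'       => $expiry,
    ]);
}

// Constructed connection details; replace with your own.
$pdo = new PDO('mysql:host=127.0.0.1;dbname=example;charset=utf8mb4', 'app_user', 'app_password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // report SQL errors as exceptions
    PDO::ATTR_EMULATE_PREPARES => false,                  // use server-side prepared statements
]);

// Sample values taken from the error output in the question.
upsertPremium($pdo, '123456', '1111.22222222.3333.44444', '2016-05-13 11:10:09');
```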