0

The error is:

Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '360-16s (pa_name, hd1, hd1_c, sf2, sf2_c, cc3, cc3_c, l4, l4_c, dsd5, dsd5_c, mt' at line 1

The script is:

```php
<?php

include("../Includes/e360Vars.php");

include("../Includes/dbOpen1.php");

$pa_name = mysql_real_escape_string($_POST['pa_name']);
$hd1 = mysql_real_escape_string($_POST['hd1']);
$hd1_c = mysql_real_escape_string($_POST['hd1_c']);
$sf2 = mysql_real_escape_string($_POST['sf2']);
$sf2_c = mysql_real_escape_string($_POST['sf2_c']);
$cc3 = mysql_real_escape_string($_POST['cc3']);
$cc3_c = mysql_real_escape_string($_POST['cc3_c']);
$l4 = mysql_real_escape_string($_POST['l4']);
$l4_c = mysql_real_escape_string($_POST['l4_c']);
$dsd5 = mysql_real_escape_string($_POST['dsd5']);
$dsd5_c = mysql_real_escape_string($_POST['dsd5_c']);
$mt6 = mysql_real_escape_string($_POST['mt6']);
$mt6_c = mysql_real_escape_string($_POST['mt6_c']);
$p_p7 = mysql_real_escape_string($_POST['p_p7']);
$p_p7_c = mysql_real_escape_string($_POST['p_p7_c']);
$ip8 = mysql_real_escape_string($_POST['ip8']);
$ip8_c = mysql_real_escape_string($_POST['ip8_c']);
$m_i9 = mysql_real_escape_string($_POST['m_i9']);
$m_i9_c = mysql_real_escape_string($_POST['m_i9_c']);
// Variables are named after the atc10 / atc10_c columns used in the query below.
$atc10 = mysql_real_escape_string($_POST['act10']);
$atc10_c = mysql_real_escape_string($_POST['act10_c']);
$gf11 = mysql_real_escape_string($_POST['gf11']);
$gf11_c = mysql_real_escape_string($_POST['gf11_c']);
$i12 = mysql_real_escape_string($_POST['i12']);
$i12_c = mysql_real_escape_string($_POST['i12_c']);
$isp13 = mysql_real_escape_string($_POST['isp13']);
$isp13_c = mysql_real_escape_string($_POST['isp13_c']);
$se14 = mysql_real_escape_string($_POST['se14']);
$se14_c = mysql_real_escape_string($_POST['se14_c']);
$br15 = mysql_real_escape_string($_POST['br15']);
$br15_c = mysql_real_escape_string($_POST['br15_c']);
$paos16 = mysql_real_escape_string($_POST['paos16']);
$paos16_c = mysql_real_escape_string($_POST['paos16_c']);
$sob17 = mysql_real_escape_string($_POST['sob17']);
$sob17_c = mysql_real_escape_string($_POST['sob17_c']);
$cs18 = mysql_real_escape_string($_POST['cs18']);
$cs18_c = mysql_real_escape_string($_POST['cs18_c']);
$ms19 = mysql_real_escape_string($_POST['ms19']);
$ms19_c = mysql_real_escape_string($_POST['ms19_c']);
$ate20 = mysql_real_escape_string($_POST['ate20']);
$ate20_c = mysql_real_escape_string($_POST['ate20_c']);
$sywtww21 = mysql_real_escape_string($_POST['sywtww21']);
$sywtww21_c = mysql_real_escape_string($_POST['sywtww21_c']);
$name2 = mysql_real_escape_string($_POST['Name2']);
$position = mysql_real_escape_string($_POST['Position']);
// The table name 360-16s is unquoted here, which produces the syntax error shown above.
// The VALUES list carries one value per column (45 columns, 45 values).
$sql = "INSERT INTO 360-16s (pa_name, hd1, hd1_c, sf2, sf2_c, cc3, cc3_c, l4, l4_c, dsd5, dsd5_c, mt6, mt6_c, p_p7, p_p7_c ,ip8, ip8_c, m_i9, 
m_i9_c, atc10, atc10_c, gf11, gf11_c, i12, i12_c, isp13, isp13_c, se14, se14_c, br15, br15_c,paos16, paos16_c, sob17, sob17_c, cs18, cs18_c, 
ms19, ms19_c, ate20, ate20_c, sywtww21, sywtww21_c, name2, position) VALUES ('$pa_name', '$hd1', '$hd1_c', '$sf2', '$sf2_c', '$cc3', '$cc3_c', 
'$l4', '$l4_c', '$dsd5', '$dsd5_c', '$mt6', '$mt6_c', '$p_p7', '$p_p7_c', '$ip8', '$ip8_c', '$m_i9', '$m_i9_c', '$atc10', '$atc10_c', '$gf11', 
'$gf11_c', '$i12', '$i12_c','$isp13', '$isp13_c', '$se14', '$se14_c', '$br15', '$br15_c', '$paos16', '$paos16_c', '$sob17', '$sob17_c', '$cs18', '$cs18_c', 
'$ms19', '$ms19_c', '$ate20', '$ate20_c', '$sywtww21', '$sywtww21_c', '$name2', '$position')";

if (!mysql_query($sql, $con))
{
    die('Error: ' . mysql_error());
}
```

I have been unable to locate the problem area, so another set of eyes would help. And yes, I have attempted to use mysqli instead of MySQL; however, this produces a different set of errors.

Any assistance would be appreciated.

chris85
Dixon
  • Every time you use [the `mysql_`](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php) database extension in _meow_ code **[a Kitten is strangled somewhere in the world](http://2.bp.blogspot.com/-zCT6jizimfI/UjJ5UTb_BeI/AAAAAAAACgg/AS6XCd6aNdg/s1600/luna_getting_strangled.jpg)** it is deprecated and has been for years and is gone for ever in PHP7. If you are just learning PHP, spend your energies learning the `PDO` or `mysqli` database extensions. [Start here](http://php.net/manual/en/book.pdo.php) – RiggsFolly Sep 05 '16 at 14:15
  • Your script is at risk of [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Have a look at what happened to [Little Bobby Tables](http://bobby-tables.com/). Even [if you are escaping inputs, it's not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) – RiggsFolly Sep 05 '16 at 14:16
  • FYI: `INSERT INTO 360-16s` - MySQL is interpreting that as `INSERT INTO 360 (minus) 16s`. – Funk Forty Niner Sep 05 '16 at 14:29

3 Answers

2

Check your table name convention; it must be like 360_16s.

Read the naming convention, http://dev.mysql.com/doc/refman/5.7/en/identifiers.html.

chris85
dev
0

Check your table name or try to rename it from 360-16s to 360_16s, then escape it (360_16s) and also escape your MySQL fields.

gettosin4me
0

If you want to use the Table Name "360-16s" then you should escape the attribute name with ` characters

The Character - is an invalid Character for the Table Name, unless you escape it.

I suggest you wrap all columns and table names in these characters.

Example:

```php
$sql = "INSERT INTO `360-16s` (`pa_name`, `hd1`...
```
alphanyx
  • *"The Character - is an invalid Character"* - Not necessarily. The hyphen is a valid character, it just has special meaning/usage. MySQL is interpreting that as `INSERT INTO 360 (minus) 16s` since the `-` is a mathematical operator. – Funk Forty Niner Sep 05 '16 at 14:30
  • If I want to use this character as part of the table name, it is indeed invalid. Without escaping it, it won't be possible to use the table name "360-16s". So I don't understand your argument. – alphanyx Sep 05 '16 at 14:33
  • It isn't "invalid" per se. Read the documents yourself. I can't be explaining this anymore than I already have. – Funk Forty Niner Sep 05 '16 at 14:38
  • I've updated my answer. Hope you're satisfied with it now. – alphanyx Sep 05 '16 at 14:40
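
The two points raised on this page, combined in one added example (not code from the question or any of the answers): the hyphenated table name is backtick-quoted as an identifier, and the values are bound through a prepared statement instead of being escaped into the SQL string. It uses PDO with an in-memory SQLite database so it runs without a MySQL server (SQLite also accepts backtick-quoted identifiers); the shortened column list, the `ALLOWED_COLUMNS`, `quoteIdent` and `insertRow` names and the sample row are assumptions.

```php
<?php
// Added example, not code from the original post or its answers.
// Assumption: in-memory SQLite stands in for MySQL so the script runs offline;
// against MySQL only the PDO DSN and credentials change.

// Columns the form may write to (shortened from the question's list).
const ALLOWED_COLUMNS = ['pa_name', 'hd1', 'hd1_c', 'name2', 'position'];

// Quote an identifier MySQL-style: wrap in backticks, double embedded backticks.
function quoteIdent(string $name): string
{
    return '`' . str_replace('`', '``', $name) . '`';
}

// Insert one row: identifiers come from the allowlist, values are bound parameters.
function insertRow(PDO $pdo, string $table, array $input): int
{
    $row = array_intersect_key($input, array_flip(ALLOWED_COLUMNS));
    if ($row === []) {
        throw new InvalidArgumentException('no known columns in input');
    }
    $cols  = implode(', ', array_map('quoteIdent', array_keys($row)));
    $marks = implode(', ', array_fill(0, count($row), '?'));
    $stmt  = $pdo->prepare('INSERT INTO ' . quoteIdent($table) . " ($cols) VALUES ($marks)");
    $stmt->execute(array_values($row));
    return $stmt->rowCount();
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE `360-16s` (`pa_name` TEXT, `hd1` TEXT, `hd1_c` TEXT, `name2` TEXT, `position` TEXT)');

// Constructed sample input standing in for $_POST; the apostrophes need no escaping.
$post = ['pa_name' => "O'Brien", 'hd1' => '4', 'hd1_c' => "it's fine",
         'name2' => 'A. Reviewer', 'position' => 'Lead', 'unexpected' => 'dropped'];

// The table name is a constant chosen by the code, never taken from the request.
echo insertRow($pdo, '360-16s', $post), " row inserted\n";

// The unquoted table name from the question fails to parse.
try {
    $pdo->exec("INSERT INTO 360-16s (pa_name) VALUES ('x')");
} catch (PDOException $e) {
    echo "unquoted table name rejected: ", $e->getMessage(), "\n";
}
```

Only identifiers are concatenated into the statement, and they come from a fixed allowlist; request keys outside it (`unexpected` here) never reach the SQL text.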