
When parsing an XML file and adding it to the database, the script displays an error while it runs:

$sql->exec("INSERT INTO 'example' VALUES('$id', '$title', '$link')");

SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''example' VALUES('phpmysqljquery-przeciagnij-z-wy' at line 1

Can anyone say what is wrong?

Funk Forty Niner
  • **WARNING**: This has some severe [SQL injection bugs](http://bobby-tables.com/) because user data is used inside the query. Whenever possible use **prepared statements**. These are quite straightforward to do in [`mysqli`](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and [PDO](http://php.net/manual/en/pdo.prepared-statements.php) where any user-supplied data is specified with a `?` or `:name` indicator that’s later populated using `bind_param` or `execute` depending on which one you’re using. **NEVER** put `$_POST`, `$_GET` or any user data directly in your query. – tadman Aug 22 '17 at 20:11
    Possible duplicate of [When to use single quotes, double quotes, and backticks in MySQL](https://stackoverflow.com/questions/11321491/when-to-use-single-quotes-double-quotes-and-backticks-in-mysql) – aynber Aug 22 '17 at 20:11

1 Answer

You're using the wrong quoting style. Database, table and column identifiers use a different approach:

INSERT INTO `example` VALUES (?,?,?)

Double and single quotes are only for strings. You can't insert stuff into a string.

tadman
  • That's technically a different question, but the trick there is to use `prepare` first, then `execute` second. See [the documentation](http://php.net/manual/en/pdo.prepared-statements.php) for more examples. – tadman Aug 22 '17 at 22:06
  • I rolled the question back. – Funk Forty Niner Aug 22 '17 at 23:10
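The two fixes discussed in the answer and comments (backticks for identifiers, placeholders for values, `prepare` then `execute`) put together, as an added example that is not code from the question or the answer. It assumes a MySQL table `example` with columns `id`, `title`, `link`, the DSN and credentials in the constants at the top, and a small constructed XML document standing in for the file the question parses:

```php
<?php
// Added example, not from the original question or answer. Assumes a MySQL
// table `example` (id, title, link) reachable with the DSN/credentials below.
declare(strict_types=1);

const DSN  = 'mysql:host=127.0.0.1;dbname=test;charset=utf8mb4'; // assumed
const USER = 'test';                                              // assumed
const PASS = 'secret';                                            // assumed

// Constructed sample input standing in for the XML file from the question.
// The last item carries a quote and an injection-shaped title on purpose:
// with a prepared statement it is stored verbatim, never parsed as SQL.
$xml = <<<XML
<?xml version="1.0" encoding="UTF-8"?>
<items>
  <item id="1" title="PHP, MySQL, jQuery" link="https://example.com/a"/>
  <item id="2" title="O'Reilly's guide" link="https://example.com/b"/>
  <item id="3" title="x'); DROP TABLE example; --" link="https://example.com/c"/>
</items>
XML;

$pdo = new PDO(DSN, USER, PASS, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // throw instead of failing silently
    PDO::ATTR_EMULATE_PREPARES => false,                  // let MySQL bind the parameters itself
]);

// Identifiers (table and columns) go in backticks. Values are never spliced
// into the SQL text: they are supplied through named placeholders at execute
// time, so the error from the question cannot recur and the data cannot
// change the shape of the statement.
$stmt = $pdo->prepare(
    'INSERT INTO `example` (`id`, `title`, `link`) VALUES (:id, :title, :link)'
);

$doc = simplexml_load_string($xml);
if ($doc === false) {
    throw new RuntimeException('XML did not parse');
}

// One transaction for the whole file: either every row lands or none does.
$pdo->beginTransaction();
try {
    foreach ($doc->item as $item) {
        $stmt->execute([
            ':id'    => (int) $item['id'],
            ':title' => (string) $item['title'],
            ':link'  => (string) $item['link'],
        ]);
    }
    $pdo->commit();
} catch (PDOException $e) {
    $pdo->rollBack();
    throw $e;
}

echo 'inserted ' . count($doc->item) . " rows\n";
```

`ATTR_EMULATE_PREPARES => false` is worth keeping: with emulation on, PDO quotes the values client-side and sends one plain statement, which still protects against injection but means the server never sees a parameterised query; with it off, the statement is prepared on the MySQL side and the values travel separately from the SQL text.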