
I have this error. I don't know where the mistake is. Can anyone help me? Here is my code:

<?php
    // $tip_vesti and every interpolated value ($tip, $naslov, ...) are expected to be set
    // by config.php or the surrounding form handler; they are pasted straight into the SQL text.
    include 'config.php';
    if ($tip_vesti == 'Vest') {
        $sql = "INSERT INTO `vesti`(`tip`, `naslov`, `uvod`, `vest_image`, `razrada`, `zakljucak`, `video`, `date`)
                VALUES ('$tip', '$naslov', '$uvod', '$vest_image', '$razrada', '$zakljucak', '$video', '$date')";
    } else if ($tip_vesti == 'Odaberi jedno') {
        // Default option of the select box: nothing to insert, show a message instead.
        $error = "Molimo odaberite tip vesti";
    } else if ($tip_vesti == 'Transfer') {
        $sql = "INSERT INTO `transferi`(`tip`, `naslov`, `uvod`, `vest_image`, `razrada`, `zakljucak`, `video`, `date`)
                VALUES ('$tip', '$naslov', '$uvod', '$vest_image', '$razrada', '$zakljucak', '$video', '$date')";
    } else {
        // Any other type is stored as a blog post, which additionally records the author.
        $sql = "INSERT INTO `blogovi`(`id_user`, `tip`, `naslov`, `uvod`, `vest_image`, `razrada`, `zakljucak`, `video`, `date`)
                VALUES ('$id_user', '$tip', '$naslov', '$uvod', '$vest_image', '$razrada', '$zakljucak', '$video', '$date')";
    }
?>
Raymond Nijland
  • Please provide additional information. – AndrewLeonardi Oct 22 '17 at 16:05
  • The error happens because one of your values contains the character `'` inside it, and you're not escaping the strings you're using in your SQL statements properly. Without knowing which SQL module you're using, it's hard to give you a proper solution, but try searching for "prepared statements" and the library (mysqli, mysql, pdo, etc.). – MatsLindh Oct 22 '17 at 16:06
  • The passage "s stan" cited in the error message does not occur in the SQL statement templates you provide. Therefore we cannot help. Either there is another statement that triggers that error, or one of the variables contains text that does the triggering. The latter would indicate an SQL injection vulnerability in your code. – arkascha Oct 22 '17 at 16:07

1 Answer


In the body it is not necessary to use ` characters.

Otherwise, you should print the final SQL query and execute it at the MariaDB console to see the real query error.

By the way, it is a security risk to execute a query built directly from a variable; PHP provides prepared statements to sanitize all data you pass to the query.

Franny
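Added example (not code from the question or the answer above): the same three-way INSERT rewritten with a PDO prepared statement, so a value containing `'` (the cause named in the comments) is bound as data instead of being pasted into the SQL text. It assumes config.php provides a connected `$pdo` (PDO with `ERRMODE_EXCEPTION`); the helper name `insertPost`, the constants and the sample values are constructed for illustration, while the table and column names are those from the question.

```php
<?php
// Assumption: config.php defines $pdo = new PDO(...) with PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION.
include 'config.php';

// Columns shared by vesti, transferi and blogovi (blogovi also stores id_user).
const POST_COLUMNS = ['tip', 'naslov', 'uvod', 'vest_image', 'razrada', 'zakljucak', 'video', 'date'];

// The form's selection is mapped to a table through this fixed list; the table name is an
// identifier and cannot be bound as a parameter, so it must never come from user input.
const TABLE_FOR_TYPE = ['Vest' => 'vesti', 'Transfer' => 'transferi'];

/**
 * Insert one post, choosing the table from $tip_vesti exactly as the original code does.
 * Every value travels through a named placeholder; the driver handles the quoting.
 */
function insertPost(PDO $pdo, string $tip_vesti, array $values, ?int $id_user = null): int
{
    if ($tip_vesti === 'Odaberi jedno') {
        // Default option of the select box: nothing to insert.
        throw new InvalidArgumentException('Molimo odaberite tip vesti');
    }

    $table   = TABLE_FOR_TYPE[$tip_vesti] ?? 'blogovi';
    $columns = POST_COLUMNS;
    if ($table === 'blogovi') {
        $columns           = array_merge(['id_user'], $columns);
        $values['id_user'] = $id_user;
    }

    // Placeholders such as :naslov stand in for the values; the SQL text never contains them.
    $placeholders = array_map(fn (string $c): string => ':' . $c, $columns);
    $sql = sprintf(
        'INSERT INTO `%s` (`%s`) VALUES (%s)',
        $table,
        implode('`, `', $columns),
        implode(', ', $placeholders)
    );

    $stmt = $pdo->prepare($sql);
    foreach ($columns as $c) {
        $stmt->bindValue(':' . $c, $values[$c] ?? null);
    }
    $stmt->execute();

    return $stmt->rowCount();
}

// Constructed sample input; in the real form handler these come from $_POST.
$values = [
    'tip'        => 'Vest',
    'naslov'     => "O'Neil's first interview",   // the apostrophe would break a quoted literal
    'uvod'       => 'Uvod',
    'vest_image' => 'slika.jpg',
    'razrada'    => 'Razrada',
    'zakljucak'  => 'Zakljucak',
    'video'      => '',
    'date'       => date('Y-m-d H:i:s'),
];

try {
    $inserted = insertPost($pdo, 'Vest', $values);
    echo "Inserted rows: $inserted\n";
} catch (InvalidArgumentException $e) {
    $error = $e->getMessage();   // same message the original assigns for 'Odaberi jedno'
    echo $error, "\n";
}
```

Because the table is chosen from `TABLE_FOR_TYPE` rather than built from the request, the only dynamic parts of the statement are the bound values, which is what makes the apostrophe in `naslov` harmless here. Printing `$sql` before `prepare()` still gives the "real query" the answer suggests checking in the MariaDB console, now without any user data embedded in it.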