
i have the following code:

<!-- add a card -->
<?php
if($_POST["submit_dd"]){

    mysql_query("INSERT INTO data SET desc='".$_POST["carte_nom"]."' ") or die(mysql_error());



 }
?>

<b>Ajouter une carte:</b><br>
<form method="post">
<table>
<tr><td>nom</td><td><textarea name="carte_nom"></textarea></td></tr>
<tr><td></td><td><input type="submit" name="submit_dd" value="Ajouter"/></td></tr>
</table>
</form>

i get an error from this very simple query:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'desc='dsfgsdfds'' at line 1

the database is very simple: id(primary, auto increment), desc(text)

regards

tetris

4 Answers

4

I might be wrong, but you are probably getting an error because desc is a SQL keyword. Try wrapping it in backticks: `desc`

Brian Glaz
1

desc is a reserved keyword. Use "desc" instead

Ramesh Soni
0
// `desc` is a reserved word, so it still has to be backticked in this form
mysql_query("INSERT INTO data (`desc`) VALUES ('".$_POST["carte_nom"]."')")
Cliff
  • yeah, I was just editing my answer to suggest placeholders and prepared statements, but I will just make a comment. – Cliff Oct 14 '11 at 04:22
0

Check the list of reserved keywords. "DESC" is one of them.

The following is valid in MySQL:

INSERT INTO data SET `desc` = 'post data';

You should rethink your script though. Having fields named the same as reserved keywords is a bad sign. As is the lack of sanitization before using the $_POST data.

Here's why desc is an ugly fieldname:

SELECT id, desc
FROM data
ORDER BY id desc;  #this is valid sql, but likely isn't going to do what you expect

Which looks very much like

SELECT id, desc
FROM data
ORDER BY id, desc;   #not valid sql

And the obligatory injection reading: How does the SQL injection from the "Bobby Tables" XKCD comic work?

Farray
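The same insert written the way the last two answers recommend, as an added example that is not code from the question or from any answer: the reserved column name is backticked and the form value is passed as a bound parameter through PDO instead of being concatenated into the query. Host, database name and credentials are placeholders.

```php
<?php
// Added example: PDO version of the question's insert.
// Connection values are placeholders; replace them with your own.
$pdo = new PDO(
    'mysql:host=localhost;dbname=YOUR_DB;charset=utf8mb4',
    'YOUR_USER',
    'YOUR_PASSWORD',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // throw instead of die()
        PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares
    ]
);

if (isset($_POST['submit_dd'])) {
    // Read the field explicitly; a missing field becomes an empty string.
    $carteNom = isset($_POST['carte_nom']) ? (string) $_POST['carte_nom'] : '';

    // Backticks make `desc` an identifier rather than the DESC keyword.
    // :carte_nom is a placeholder: the value is sent separately from the SQL,
    // so quotes or semicolons typed into the textarea cannot change the statement.
    $stmt = $pdo->prepare('INSERT INTO `data` (`desc`) VALUES (:carte_nom)');
    $stmt->execute([':carte_nom' => $carteNom]);

    // Escape before echoing back into HTML.
    echo 'Inserted row id ' . htmlspecialchars($pdo->lastInsertId(), ENT_QUOTES, 'UTF-8');
}
?>
```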