-2

I've looked over this code a zillion times and can't see anything wrong with it. But it gives me the message, "Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'when, name, reporter, contacts, suggestions, remarks) VALUES ('Me again', 'me', ' at line 1"

HELP PLEASE!

Sorry, sorry, I'm so Sooooooory! Was in a hurry to get to a job, and I pasted the wrong code. Here is the correct line of code.

$sql="INSERT INTO one_on_one_reports (whenever, name, reporter, contacts, suggestions, remarks) VALUES ('$_POST[whenever]', '$_POST[name]', '$_POST[reporter]', '$_POST[contacts]', '$_POST[suggestions]', '$_POST[remarks]')";

I'm in between driving runs. And gotta run again. But again my apologies for the wrong paste. I'll consider the protection against injection later. This file is in a password protected folder if that makes any difference.

Bruce

Bruce Wilson
  • There is *definitely* something wrong with this code: **you're not sanitizing your query parameters!!** Consider this as a partial answer too. – netcoder Feb 22 '12 at 22:19
  • Welcome to Stack Overflow! The code you show is vulnerable to [SQL injection](http://php.net/manual/en/security.database.sql-injection.php). Use the proper sanitation method of your library (like `mysql_real_escape_string()` for the classic mysql library), or switch to PDO and prepared statements. – Pekka Feb 22 '12 at 22:19
  • Are you sure that the error is associated with this particular query? I see fields in the error that are not in your query. – sooper Feb 22 '12 at 22:19
  • Can you post the full query, please? I'm thinking you're not properly escaping your data and it's causing you issues. – SenorAmor Feb 22 '12 at 22:20
  • Agree with all previous comments. The code you posted doesn't seem to be the correct bit. Where is `when, name, reporter, contacts, suggestions, remarks` in the insert list? – Martin Smith Feb 22 '12 at 22:21

5 Answers

6

Looks like the error is not coming from the query you expect. The field names mentioned in the error are not listed:

when, name, reporter, contacts, suggestions, remarks

The error is quite simple: WHEN is a reserved keyword, so you need to escape it.

`when`, name, reporter, contacts, suggestions, remarks

Speaking of escaping, you're not too strong on it, use the appropriate escape function on data to avoid SQL injections.

Louis-Philippe Huberdeau
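The two points of this answer combined in one working form, as an added example (not code from the question or from any of the answers): the reserved-word column is quoted with backticks, and the POST data goes through PDO prepared statements instead of being pasted into the SQL string. The DSN, credentials and database name are placeholders you must replace.

```php
<?php
// Added example: the question's INSERT rewritten with PDO prepared statements.
// Assumes the table one_on_one_reports from the question and a MySQL server;
// DSN, user and password below are placeholders.
$pdo = new PDO(
    'mysql:host=localhost;dbname=your_db;charset=utf8mb4', // placeholder DSN
    'db_user',                                              // placeholder user
    'db_password',                                          // placeholder password
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepares
    ]
);

// Only these POST keys are read; anything else sent by the client is ignored.
$fields = ['when', 'name', 'reporter', 'contacts', 'suggestions', 'remarks'];
$values = [];
foreach ($fields as $f) {
    // A missing field becomes an empty string; tighten this to your own validation.
    $values[":$f"] = isset($_POST[$f]) ? (string) $_POST[$f] : '';
}

// Column and table names cannot be bound as parameters, so the reserved word
// `when` is quoted with backticks in the SQL text. The data never touches the
// SQL text at all: each value is sent separately through a named placeholder,
// so quotes or comment sequences in the input cannot alter the statement.
$sql = 'INSERT INTO one_on_one_reports '
     . '(`when`, name, reporter, contacts, suggestions, remarks) '
     . 'VALUES (:when, :name, :reporter, :contacts, :suggestions, :remarks)';

$stmt = $pdo->prepare($sql);
$stmt->execute($values);

echo 'Inserted row id: ' . $pdo->lastInsertId() . PHP_EOL;
```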
3

WHEN is a reserved word in mySQL.

Either rename the column, or wrap it in backticks:

`WHEN`
Pekka
  • This busted my balls when writing a web app that catalogued music Releases, turns out 'release' is also a reserved word :) Always good to be reminded! – Dean Thomas Feb 23 '12 at 20:48
2

http://dev.mysql.com/doc/refman/5.5/en/reserved-words.html

when is a reserved word

1

Try

// Quote the array keys: a bare word like $_POST[name] outside a string is
// treated as an undefined constant, which is an error in current PHP.
$name = mysql_real_escape_string($_POST['name']);
$vote = mysql_real_escape_string($_POST['vote']);
$comments = mysql_real_escape_string($_POST['comments']);

$sql="INSERT INTO ms_poll (name, vote, comments) VALUES ('$name', '$vote', '$comments')";
Baba
0

Try putting curly braces around the POST parameters - after sanitizing them, of course.

Like this:

$sql="INSERT INTO ms_poll (name, vote, comments) VALUES ('{$_POST['name']}', '{$_POST['vote']}', '{$_POST['comments']}')";

To sanitize your incoming data I recommend using native methods, NOT addslashes() (if you are on mysql then probably mysql_real_escape_string(), or a better idea is to use the improved extension, which would mean using mysqli_real_escape_string()).

Ben Duffin
  • lol - I didn't spot the missing tables thing until looking at the post 4 mins ago - I too would start there! – Ben Duffin Feb 22 '12 at 22:27