0

I'm having a problem with my personal server where I'm trying to create a database for the decade-old binders I have for the Yu-Gi-Oh! Trading Card Game (haven't played in years). In testing the INSERT INTO, I keep running across a particular problem...

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''Magic'(Name, Description, Card_ID, Pack, P_ID, Quantity) VALUES ('Post', 'Post ' at line 1

Now my code outputs properly when I comment out the query function and echo to my webpage, but I keep getting the above mysql_error() message being displayed.

My code snippet is as follows...

if(isset($_SESSION['username'])) {
mysql_connect("localhost", "my_username", "my_password") or die(mysql_error());
mysql_select_db("my_db") or die(mysql_error());

function clean_string($value) {
    if(get_magic_quotes_gpc() ) {
            $value = stripslashes($value);
    }
    return mysql_real_escape_string($value);
}

$Show = clean_string($_POST['show']);
$Table = clean_string($_POST['table']);
$Insert_M_T = $_POST['insert_magic_traps'];
$Insert_Monster = $_POST['insert_monster_effect'];

$Insert_Card_Type = clean_string($_POST['I_Type']);
$Insert_Card_Name = clean_string($_POST['I_Card_Name']);
$Insert_Description = clean_string($_POST['I_C_Description']);
$Insert_Card_ID = clean_string($_POST['I_Card_ID']);
$Insert_CardPack = clean_string($_POST['I_C_Pack']);
$Insert_PackID = clean_string($_POST['I_C_P_ID']);
$Insert_Quantity = clean_string($_POST['I_C_Quantity']);

if(isset($Insert_M_T)) {
    $sql = "INSERT INTO '$Insert_Card_Type'(Name, Description, Card_ID, Pack, P_ID, Quantity) VALUES ('$Insert_Card_Name', '$Insert_Description', '$Insert_Card_ID', '$Insert_CardPack', '$Insert_PackID', '$Insert_Quantity')";
    mysql_query($sql) or die(mysql_error());
    echo "<center><h2>Record added to Table: $Insert_Card_Type</h2></center>";
    echo "<center><table><tr><th>Name:</th><td>$Insert_Card_Name</td></tr><tr><th>Description:</th><td>$Insert_Description</td></tr><tr><th>Card ID:</th><td>$Insert_Card_ID</td></tr><tr><th>Pack:</th><td>$Insert_CardPack</td></tr><tr><th>Pack ID Number</th><td>$Insert_PackID</td></tr><tr><th>Quantity:</th><td>$Insert_Quantity</td></tr></table></center>";
}
?>
//more html and php code
<?php
} else {
    echo "<h1><center><font color=#ff0000 >ACCESS DENIED!!!</font></center></h1>";
    echo "<h2><center><a href=index.php >Login Here!</a></center></h2>";
}
?>

Any advice would be helpful. I've tried searching for how to get around this problem, but to no avail. I feel like this is a simple fix, but I'm missing it. Please advise.

Thank you in advance.

~DanceLink

1
  • 1
    You should switch to mysqli or PDO since mysql_ functions are deprecated. Any tutorial on mysqli or PDO will clarify sanitizing. Commented Jun 14, 2013 at 22:15

1 Answer

2
INSERT INTO `$Insert_Card_Type` (Name, Description, Card_ID, Pack, P_ID, Quantity) 
  VALUES ('$Insert_Card_Name', '$Insert_Description', '$Insert_Card_ID', '$Insert_CardPack', '$Insert_PackID', '$Insert_Quantity')

Backticks around $Insert_Card_Type, not single quotes.


3 Comments

+1 The MySQL error is returned because the tablename is enclosed in single quotes.
@zdhickman, you Sir (or Ma'am) are awesome! Thank you, that worked!
Also, to those who suggested mysqli, I will consider it. I have to research it though, as I'm used to mysql. Thank you everyone! :D
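
With backticks the query parses, but the table name still comes straight from `$_POST['I_Type']`, and `mysql_real_escape_string()` does not escape backticks, so the identifier needs an allowlist while the values can be bound through PDO, as the first comment suggests. This is an added example, not code from the question or the answer; the table names other than `Magic`, the in-memory SQLite connection and the sample form input are assumptions.

```php
<?php
// Added example, not the asker's code. 'Magic' is the table in the error
// message; 'Trap' and 'Monster' are assumed names for the other tables.
const CARD_TABLES = ['Magic', 'Trap', 'Monster'];
// Column => form field, as used in the question's INSERT and $_POST reads.
const FIELDS = [
    'Name' => 'I_Card_Name', 'Description' => 'I_C_Description',
    'Card_ID' => 'I_Card_ID', 'Pack' => 'I_C_Pack',
    'P_ID' => 'I_C_P_ID', 'Quantity' => 'I_C_Quantity',
];

function insert_card(PDO $pdo, array $post): int
{
    $table = $post['I_Type'] ?? '';
    // A table name cannot be a bound parameter, and string escaping leaves
    // backticks untouched, so accept only names from the fixed list.
    if (!in_array($table, CARD_TABLES, true)) {
        throw new InvalidArgumentException('Unknown card table');
    }
    $values = [];
    foreach (FIELDS as $column => $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            throw new InvalidArgumentException("Missing field: $field");
        }
        $values[] = $post[$field];
    }
    $columns = implode(', ', array_keys(FIELDS));
    $marks = implode(', ', array_fill(0, count(FIELDS), '?'));
    // Values travel as parameters, never as part of the SQL text.
    $stmt = $pdo->prepare("INSERT INTO `$table` ($columns) VALUES ($marks)");
    $stmt->execute($values);
    return $stmt->rowCount();
}

// Demo: in-memory SQLite stands in for the MySQL database (it also accepts
// backtick-quoted identifiers). The form input below is constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE `Magic` (Name, Description, Card_ID, Pack, P_ID, Quantity)');
$post = ['I_Type' => 'Magic', 'I_Card_Name' => "Magician's Test Card",
         'I_C_Description' => 'Sample text.', 'I_Card_ID' => '12345678',
         'I_C_Pack' => 'Sample Pack', 'I_C_P_ID' => 'SP-001', 'I_C_Quantity' => '3'];
echo insert_card($pdo, $post), " row inserted\n";

try {
    insert_card($pdo, ['I_Type' => 'Magic` -- '] + $post); // backtick in name
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```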
