1

I'm having problems with an INSERT statement, and the error only says:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1

It's not helpful at all. The version I have tried so far and failed is:

mysql_query("INSET INTO `cos` VALUES ('".$_GET['prod']."','".$_GET['page']."')");

[needless to say that the two variables when printed show the right values] I've also tried versions with nothing around the table name, with ` or ', a million combinations really and nothing works. Not even with constants or into different tables. It just won't insert anything ever. I've checked the privileges (I'm logging into it with root), and it's all on.

I've tried similar stuff on two different machines with the same server (XAMPP 1.7.7) and it works. I'm completely baffled! What can it be?

Thank you for your time!

5 Answers

4

First and foremost, just type INSERT correctly.

Using _GET like that really opens you up to SQL INJECTIONS...

Do take a look into MySQL prepared statements.

It is also considered good practice to name the columns that you're inserting data into. That allows you to, later on, insert extra columns and keep application logic.

INSERT INTO cos(rowName1, rowName2) VALUES(?, ?)

Where ? would be prepared statements.
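
The prepared-statement approach recommended in this answer, as an added example that is not part of the original post or any answer. It assumes PDO with an in-memory SQLite database so it runs offline, hypothetical column names `prod` and `page`, and a constructed array standing in for `$_GET`; it puts the concatenated query beside the parameterized one.

```php
<?php
// Added example. Assumptions: PDO + in-memory SQLite so it runs offline, and
// hypothetical column names `prod` and `page`. For MySQL only the DSN changes,
// e.g. new PDO('mysql:host=...;dbname=...;charset=utf8mb4', $user, $pass).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // surface SQL errors
$pdo->exec('CREATE TABLE cos (prod TEXT NOT NULL, page TEXT NOT NULL)');

// Constructed sample input standing in for $_GET; the apostrophe is ordinary data.
$input = ['prod' => "kid's bike", 'page' => '3'];

// Before: string concatenation. The apostrophe closes the SQL literal early, so
// the rest of the value is parsed as SQL and the statement is rejected.
function insertConcatenated(PDO $pdo, array $in): bool
{
    try {
        $pdo->exec("INSERT INTO cos (prod, page) VALUES ('"
            . $in['prod'] . "','" . $in['page'] . "')");
        return true;
    } catch (PDOException $e) {
        echo 'concatenated query failed: ', $e->getMessage(), "\n";
        return false;
    }
}

// After: placeholders. The SQL text is fixed and the values travel separately
// as bound parameters, so the data is never interpreted as SQL.
function insertPrepared(PDO $pdo, array $in): bool
{
    // Request parameters can arrive as arrays (?prod[]=x); accept strings only.
    if (!is_string($in['prod'] ?? null) || !is_string($in['page'] ?? null)) {
        return false;
    }
    $stmt = $pdo->prepare('INSERT INTO cos (prod, page) VALUES (:prod, :page)');
    return $stmt->execute([':prod' => $in['prod'], ':page' => $in['page']]);
}

insertConcatenated($pdo, $input); // the input is treated as SQL syntax
insertPrepared($pdo, $input);     // the input is treated as data
foreach ($pdo->query('SELECT prod, page FROM cos') as $row) {
    echo $row['prod'], ' | ', $row['page'], "\n";
}
```

With the MySQL PDO driver, setting `PDO::ATTR_EMULATE_PREPARES` to `false` makes the server, rather than the client library, perform the parameter binding.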


2

Correct:

mysql_query("INSERT INTO `cos` VALUES ('".$_GET['prod']."','".$_GET['page']."')");

Have you tried passing the $link to mysql_query ?

Like:

mysql_query("INSERT INTO `cos` VALUES ('".$_GET['prod']."','".$_GET['page']."')", $link);

EDIT: And of course you must take some security measures before inserting anything into the database, maybe mysql_real_escape_string() or even prepared statements.

3 Comments

You should point out that someone should never ever use user defined parameters directly in SQL statements.
@FloIancu If that solved your problem, click the check mark near the number on the left of my post.
Everyone makes mistakes! And did you get your answer?
0

You are doing it wrong. Why aren't you escaping the values? Php.net documentation is providing some good and safe working examples:

$query = sprintf("SELECT firstname, lastname, address, age FROM friends 
    WHERE firstname='%s' AND lastname='%s'",
    mysql_real_escape_string($firstname),
    mysql_real_escape_string($lastname));

// Perform Query
$result = mysql_query($query);

So adapted to your code:

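// The placeholders must be quoted: mysql_real_escape_string() only protects
// values that end up inside a quoted SQL string literal.
$query = sprintf("INSERT INTO `cos` VALUES ('%s', '%s');",
        mysql_real_escape_string($_GET['prod']),
        mysql_real_escape_string($_GET['page']));
$result = mysql_query($query);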

Please, always escape your values. And use INSERT, not INSET :)


0

First thing: you are using INSET; correct it to INSERT, like:

$pro = mysql_real_escape_string($_GET['prod']);
$page = mysql_real_escape_string($_GET['page']);
mysql_query("INSERT INTO `cos` (column1, column2)
             VALUES ('$pro', '$page')" );

You forgot to set the column names...


0

Try this:

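// Escape the user-supplied values before they are placed in the SQL string
$prod = mysql_real_escape_string($_GET['prod']);
$page = mysql_real_escape_string($_GET['page']);
// mysql_query() runs the statement; the table name takes backticks, not quotes
mysql_query("INSERT INTO `cos` VALUES('$prod','$page')");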

This should very well do it :)
