
Here is a small sample of code that is giving me a MySQL syntax error. Connect.php is connecting to the correct database and can be used with other projects and code. I know for a fact that the code in connect.php is correct. It is giving me a MySQL syntax error. It doesn't give any more detail than this:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'keys WHERE key='xxxxxxxxxxxx'' at line 1

I pulled this small sample of code from the main project and it still throws the error.

<?php
    require "connect.php";          // the asker's connection script; provides $con
    // The table name `keys` is not backticked: KEYS is a MySQL reserved word, which is
    // what produces the syntax error quoted above. The POST value is also concatenated
    // straight into the SQL string (the "security hazard" mentioned in the EDIT).
    $keyCheck = mysql_query("SELECT * FROM keys WHERE `key`='".$_POST['betakey']."'" , $con);

    if (!$keyCheck) {
        echo mysql_error();
        exit;
    } else {
        $keyRows = mysql_num_rows($keyCheck);
        if ($keyRows == 0) {
            echo "This key is invalid!";
            exit;
        }
    }
?>

EDIT: I got the admin to rename the table and you guys helped me fix some potential security hazards.

  • try to change the ' to ` quotes where key = Commented Aug 31, 2012 at 14:19
  • Are you sanitizing your input? Commented Aug 31, 2012 at 14:20
  • 1
    This is such a nice example of why PHP is considered ugly and how to write code with security holes, please - try to use PDO to help yourself against getting hacked. Commented Aug 31, 2012 at 14:22
  • No not really. Yes he has a huge security hole but trust me I work in ASPX at work and people apply query string variables directly into their SQL statements there too. The issue with PHP is not that its 'ugly', its that a lot of people pick it up on their own using websites that tell them "hey, if you just insert this variable into the SQL statement, you can totally make your stuff reusable" Commented Aug 31, 2012 at 14:31

1 Answer


I'm fairly sure keys is a reserved word. In any case, you should always enclose database, table and column names in backticks. Not just "sometimes" as you have in this example. Always.

Source.


4 Comments

It's better if reserved words aren't used when structuring the db rather than using backticks to rectify it.
@N.B. it's caused me a few problems sometimes, but I wouldn't say don't use them at all. :p Just be careful. This made me put backticks around EVERYTHING in mysql queries and now my code is better/safer. :)
@ThomasClayson - personally, I try to avoid reserved words (don't know them all by heart), and I just find backticks terrible to work with (personal preference). I agree, backticks are a great way to be safe, however - using reserved words makes you think of backticks and if you forget the backticks once, you're going to be scratching your head about why the query isn't working when it looks just fine.. :)
@N.B. Yeah, I've done that so many times! Trying to figure out what's wrong. Backticks on a Mac aren't too bad, but on a Windows keyboard they're terrible! I suppose we don't have a dedicated hash key though, so it's not all good!
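As an added example (not the asker's or the answerer's code), here is the same key check rewritten the way the answer and the comments point toward: both reserved-word identifiers are backticked, and the submitted value is bound as a parameter with PDO instead of being concatenated into the SQL string. The DSN, credentials and the `$pdo` variable are placeholders assumed for the example.

```php
<?php
// Added example, not from the original question. The connection details are
// placeholders; in the asker's setup these would come from connect.php.
$pdo = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4',   // placeholder DSN
    'app_user',                                          // placeholder user
    'app_password',                                      // placeholder password
    [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,      // surface SQL errors as exceptions
        PDO::ATTR_EMULATE_PREPARES => false,              // use real server-side prepared statements
    ]
);

function betaKeyExists(PDO $pdo, string $candidate): bool
{
    // KEYS and KEY are both MySQL reserved words, so both identifiers are
    // backticked. The value is sent separately from the SQL text, so the
    // query's structure cannot be altered by whatever the client submitted.
    $stmt = $pdo->prepare('SELECT COUNT(*) FROM `keys` WHERE `key` = :key');
    $stmt->execute([':key' => $candidate]);
    return (int) $stmt->fetchColumn() > 0;
}

$candidate = $_POST['betakey'] ?? '';
if ($candidate === '' || !betaKeyExists($pdo, $candidate)) {
    echo "This key is invalid!";
    exit;
}
```

With the table name quoted, the original "near 'keys WHERE key=...'" error goes away, and the bound parameter removes the need to hand-escape the POST value at all.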
