0

I'm creating a very simple PHP forum system to integrate with my portal system (I tried to integrate some existing ones, but all I've found have lots of features I don't want, so I decided to create my own). The page below is just a starting point for the board creation page, but when I click on submit, I just get the following error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'desc='Testing special characters á é ó ç ã ñ'' at line 1

<?php
function renderForm($nome, $desc, $error)
{
    $nome = htmlspecialchars($_POST['nome']);
    $desc = htmlspecialchars($_POST['desc']);
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>New Record</title>
</head>
<body>
<?php
    if ($error != '')
    {
        echo '<div style="padding:4px; border:1px solid red; color:red;">'.$error.'</div>';
    }
?>

<form action="" method="post">
<div>
<strong>Nome: *</strong> <input type="text" name="nome" /><br/>
<strong>Desc: *</strong> <input type="text" name="desc" /><br/>
<p>* required</p>
<input type="submit" name="submit" value="Submit">
</div>
</form>
</body>
</html>
<?php
}

include("../../config.php");

if (isset($_POST['submit']))
{
    $nome = htmlspecialchars($_POST['nome']);
    $desc = htmlspecialchars($_POST['desc']);
    if ($nome == '' || $desc == '')
    {
        $error = 'ERROR: Please fill in all required fields!';

        renderForm($nome, $desc, $error);
    }
    else
    {
        mysql_query("INSERT forum_boards SET nome='$nome', desc='$desc'")
            or die(mysql_error());
    }
}
else
{
    renderForm('', '', '');
}
?>

What could this be?

4
  • 1
    "check the manual that corresponds to your MySQL server version". I wonder if doing that would help... Be aware that you are using an obsolete database API and should use a modern replacement. Commented Jul 4, 2013 at 15:54
  • 3
    desc is a MySQL reserved word; you need to wrap it in backticks in your SQL if you're using it as a column name Commented Jul 4, 2013 at 15:55
  • 2
    oh that nasty desc word - a curse of all the php noobs (and endless source of the rep points for the SO haunters) Commented Jul 4, 2013 at 15:56
  • Thanks all of you (except Your Common Sense). I changed the "desc" column. Commented Jul 4, 2013 at 16:17

3 Answers

2

Improper insert syntax. The proper form is:

INSERT INTO forum_boards (`nome`, `desc`) VALUES ('$nome', '$desc')

Also you need to escape your inputs to prevent SQL injection:

$nome = mysql_real_escape_string(htmlspecialchars($_POST['nome']));
$desc = mysql_real_escape_string(htmlspecialchars($_POST['desc']));

ALSO someone will complain that mysql_* functions are deprecated. I feel like a compiler!


6 Comments

Who on earth is upvoting it?
It sort of deserves one now that there are backticks in there
Hello common sense. Your comment adds nothing to this discussion and yet it's been upvoted... ;)
Thank you, @beiller. It solved the sql problem (and thank you about the sql injection tip).
What's wrong with the syntax INSERT INTO table SET field = value? It is much easier to read and modify. And why would you do htmlspecialchars before inserting data? The database should store the real data, not encoded data. Then while showing that data in some environment, for example HTML, you would escape them.
0

Insert works like this:

INSERT forum_boards (column_name1,column_name2,column_name3) VALUES($value1, $value2, $value3); etc.

Also take care your code is vulnerable to SQL-Injection http://en.wikipedia.org/wiki/SQL_injection

Also take care the mysql_* functions are officially deprecated!

2 Comments

Please add a reason for the downvote so I can improve my next answer :)
I suspect it's because you're not quoting either the column names or the values, which will mean that this won't actually fix this issue (desc needs to be quoted, as it's a reserved word); and will also break if there are strings being added.
0

Try to use single quotes in place of double quotes.
Execution speed of single quotes is more than double quotes.

Try to save query in variable, it is more readable

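// `desc` is a reserved word in MySQL, so it is backtick-quoted as a column name
$query = 'INSERT INTO forum_boards (`nome`, `desc`) VALUES ("'.$nome.'","'.$desc.'")';

// Try to use mysqli, it is much more advanced, and always use prepared statements
// $link is assumed to be an open mysqli connection; mysqli_query() requires it as its first argument
mysqli_query($link, $query);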

1 Comment

common sense is uncommon in common people..!! huh
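
An added example, not code from the question or from any of the answers: the question's insert done with a PDO prepared statement, with `desc` backtick-quoted as the first answer shows, and the raw text stored and HTML-escaped only on output, as the last comment on that answer suggests. Assumptions: an in-memory SQLite database stands in for MySQL so the script runs offline, the `id` column and the helper name `createBoard` are hypothetical, and the sample input is constructed.

```php
<?php
// Assumption: in-memory SQLite stands in for MySQL so this runs offline.
// For MySQL only the DSN and credentials passed to PDO change.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// `desc` is a reserved word, so it is backtick-quoted wherever it is a column name.
// The id column is hypothetical; the question does not show the table definition.
$pdo->exec('CREATE TABLE forum_boards (id INTEGER PRIMARY KEY, nome TEXT, `desc` TEXT)');

// Hypothetical helper: validate the two required fields, then insert them
// through a prepared statement and return the new row id.
function createBoard(PDO $pdo, string $nome, string $desc): int
{
    $nome = trim($nome);
    $desc = trim($desc);
    if ($nome === '' || $desc === '') {
        throw new InvalidArgumentException('ERROR: Please fill in all required fields!');
    }

    // Placeholders keep the values out of the SQL text, so quotes in the
    // input cannot change the statement and no manual escaping is needed.
    $stmt = $pdo->prepare('INSERT INTO forum_boards (nome, `desc`) VALUES (:nome, :desc)');
    $stmt->execute([':nome' => $nome, ':desc' => $desc]);

    return (int) $pdo->lastInsertId();
}

// Constructed sample input: accented characters, a single quote and markup.
$id = createBoard($pdo, 'Geral', "Testing á é ó ç ã ñ, O'Brien's <b>board</b>");

// The database holds the raw text exactly as submitted.
$stmt = $pdo->prepare('SELECT nome, `desc` FROM forum_boards WHERE id = ?');
$stmt->execute([$id]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// HTML-encode at the point of output, not before storage.
echo htmlspecialchars($row['nome'], ENT_QUOTES, 'UTF-8'), ': ',
     htmlspecialchars($row['desc'], ENT_QUOTES, 'UTF-8'), PHP_EOL;
```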
