2

Ok, when trying to insert into the database I'm getting this error:

"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '@email.com, UT, 84505, NOW(), 69.169.186.192)' at line 1"

I can't figure out the problem. Here is the code for my insert statement.

    $insert_query = sprintf("INSERT INTO contacts (first_name, last_name, email, state, zip, date, ip) VALUES (%s, %s, %s, %s, %s, NOW(), %s)",
                            $fname,
                            $lname,
                            $email,
                            $state,
                            $zip,
                            $ip);

    $result = mysql_query($insert_query, $connection) or die(mysql_error());

My table has the following structure:

    id int(11)                              
    first_name  varchar(100)                                 
    last_name   varchar(100)                             
    email   varchar(100)                                 
    state   varchar(3)                               
    zip int(10)                             
    date    datetime                                
    ip  varchar(255)

3 Answers

2

You need to quote all the string-type columns in the insert statement. Replace %s with '%s' in the sprintf format.

Please read about SQL Injection if you haven't done so already.

2 Comments

Beautiful. That did the trick. Earlier in my code I'm using mysql_real_escape_string() on each of the variables. Is this not the correct way to do it?
Ok. Thank you very much for your help. I'm new to this whole programming thing. I'll read up more on SQL injection so I don't make this mistake again and keep my sites safe! I appreciate the quick responses from everyone.
0

This may help you:

    // SET-style INSERT with every string value quoted.
    // NOW() supplies the value for the datetime column.
    $insert_query = "INSERT INTO contacts SET first_name = '$fname', last_name = '$lname', email = '$email', state = '$state', zip = '$zip', date = NOW(), ip = '$ip'";

    $result = mysql_query($insert_query, $connection) or die(mysql_error());

If you want to check the query:

    // Print the final SQL string to inspect the quoting
    echo $insert_query;

0

It would help if you could echo out the $insert_query, but it looks like you're not putting quotes around the parameters that are varchars.

    $insert_query = sprintf("INSERT INTO contacts (first_name, last_name, email, state, zip, date, ip) VALUES ('%s', '%s', '%s', '%s', '%s', NOW(), '%s')",
                            $fname,
                            $lname,
                            $email,
                            $state,
                            $zip,
                            $ip);

By the way, you have an extra column in your insert - NOW doesn't appear related to a column. I'm assuming ZIP is a varchar column, not a number, by the way.

3 Comments

This is the echo of $insert_query: INSERT INTO contacts (first_name, last_name, email, state, zip, date, ip) VALUES (you, me, [email protected], AL, 12345, NOW(), 69.169.186.192)
Yeah, you need to do what Mat suggests. Will edit my answer to reflect.
Yes it is a varchar, you are right. And that fixed the error I was getting. Thanks for the answer.
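
The quoting fix in the answers stops the syntax error; a prepared statement removes the need to quote or escape values by hand, which is the SQL injection point the first answer raises. The following is an added example, not code from any of the posts. Assumptions: PDO with an in-memory SQLite database so it runs without a server (for MySQL only the DSN changes), `CURRENT_TIMESTAMP` in place of `NOW()`, a hypothetical helper named `insert_contact`, and constructed sample rows.

```php
<?php
// Added example. In-memory SQLite keeps it runnable without a server (assumption);
// for MySQL only the DSN changes, e.g. new PDO('mysql:host=...;dbname=...', $user, $pass).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Columns as posted in the question.
$pdo->exec("CREATE TABLE contacts (
    id INTEGER PRIMARY KEY,
    first_name VARCHAR(100), last_name VARCHAR(100), email VARCHAR(100),
    state VARCHAR(3), zip INT(10), date DATETIME, ip VARCHAR(255))");

// Hypothetical helper: one prepared INSERT with named placeholders.
function insert_contact(PDO $pdo, array $contact): int
{
    // Placeholders take no quotes. The driver binds each value as data, so a
    // quote or comma inside a value cannot change the statement's structure.
    $stmt = $pdo->prepare(
        "INSERT INTO contacts (first_name, last_name, email, state, zip, date, ip)
         VALUES (:first_name, :last_name, :email, :state, :zip, CURRENT_TIMESTAMP, :ip)"
    );
    $stmt->execute($contact);
    return (int) $pdo->lastInsertId();
}

// Constructed sample rows; the second carries an apostrophe and a comma,
// characters that break a hand-built query when quoting is missed.
$samples = [
    ['first_name' => 'you', 'last_name' => 'me', 'email' => 'you@example.com',
     'state' => 'AL', 'zip' => '12345', 'ip' => '192.0.2.10'],
    ['first_name' => 'Conan', 'last_name' => "O'Brien", 'email' => "x', 'y@example.com",
     'state' => 'UT', 'zip' => '84505', 'ip' => '192.0.2.11'],
];

foreach ($samples as $contact) {
    $id = insert_contact($pdo, $contact);
    echo "inserted row $id\n";
}

// Read back: the values are stored exactly as supplied.
foreach ($pdo->query("SELECT first_name, last_name, email, ip FROM contacts") as $row) {
    printf("%s | %s | %s | %s\n", $row['first_name'], $row['last_name'], $row['email'], $row['ip']);
}
```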
