CODEWITHSUNDEEP
phpmysqldatabaseinsert
Shady
Shady

Reputation: 1799

mysql error with insert command

So , am creating a password change table

When some 1 changes pass , i insert his username, newpass and the confirmation code in PassChange table, (so i send him a confirmation e-mail after) the idea is simple and here's the code i use

 $insertResult=mysql_query("INSERT INTO TempChangePass (UserName, NewPass, ConfirmationCode) VALUES ('$UserName', '$newPass', '$code')") or die (mysql_error());

though i get this error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'username'', '4da59df8d4007807e7230e0881fbf774', '16585482')' at line 1

NOTE: All the columns format in the table is set to varchar.

The connection to mysql database is fine, the table name is currect.

This problem is driving me crazy , i just can't figure out where the problem is, if anyone here can help me will be very thankful :)

and thanks in advance.

EDIT: I actually got it solved, and just for people who visit this post by searching for solutions, if you got similar problem with your sql command, try echo it, and see how exactly the string is moved to the database :-) , happy coding everyone.

And sorry if I wasted any of your time :) am just very new to php & mysql :D

Upvotes: 3

Views: 2058

Answers (6)

Xpleria
Xpleria

Reputation: 5873

try using a sanitizing script before you make the query.

use 

mysql_real_escape_string()

EDIT

You should now use the MySQLi version

mysqli_real_escape_string()

or OOP method

mysqli::real_escape_string()

Why use MySQLi instead of MySQL?

Upvotes: 1

woozy
woozy

Reputation: 148

Try this: 

$insertResult=mysql_query("INSERT INTO TempChangePass(UserName, NewPass, ConfirmationCode) VALUES('$UserName', '$newPass', '$code')") or die (mysql_error());

You have some extra spaces in your SQL.

Upvotes: 1

ametren
ametren

Reputation: 2246

It looks like you have single quotes in your actual username -- you're actually passing in 'username' instead of just username. Try removing those, see if it will work after that.

The recommended way to deal with this issue (and prevent SQL injection) is to use prepared statements, however if you really want to, you could probably do this inline using mysql_real_escape_string($UserName) (reference)

Upvotes: 1

etm124
etm124

Reputation: 2140

Remove the single quotes around your variables. PHP is interpreting them as strings.

 $insertResult=mysql_query("INSERT INTO TempChangePass (UserName, NewPass, ConfirmationCode) VALUES ('" . $UserName. "', '" . $newPass. "', '" . $code . "')") or die (mysql_error());

Additionally, you might want to do something like this:

$sql = "INSERT INTO TempChangePass (UserName, NewPass, ConfirmationCode) VALUES ('" . $UserName. "', '" . $newPass. "', '" . $code . "')";

echo $sql;

Take that echo, and try to manually run it.

Upvotes: 1

KittyKris
KittyKris

Reputation: 41

Did you try to do the Query one column by one ?

i mean : 

INSERT INTO TempChangePass (UserName) values ( '$UserName' );

then add it up ?

Works for me mostly when I get errors ;)

Just an idea.

Upvotes: 1

Cito
Cito

Reputation: 1709

Looks something like sql inyection. I'm quite sure your $username is $username = "username'". Look at the single quote. So the query became:

$insertResult=mysql_query("INSERT INTO TempChangePass (UserName, NewPass, ConfirmationCode) VALUES ('username*''*, '4da59df8d4007807e7230e0881fbf774', '16585482')") or die (mysql_error());

Upvotes: 1

Related Questions