Abu

Reputation: 124

Unknown column?

Unknown column 'Abu' in 'field list'. So here is a little comment box I am working on: http://abu.cpvp.net/cupcakes.php When I put in my name and comment it won't work; however, if I put in "name" for the name field and "comment" for the comment field it works? Here is my script:

$name=$_POST['name']; 
$comment=$_POST['comment']; 
$submit=$_POST['post'];
if($_POST['name'] && $_POST['comment']  && $submit) 
{ 
    $insert=mysql_query("INSERT INTO `comment (`name`,`comment`) 
                         VALUES ($name,$comment) " ) or die(mysql_error()); 
} 
else 
{ 
    echo "please fill out all fields"; 
}

Upvotes: 1

Views: 183

Answers (3)

John Conde

Reputation: 219814

You need to put strings in quotes:

$insert=mysql_query("INSERT INTO comment 
(name,comment) 
VALUES ($name,$comment) " ) 

should be

$insert=mysql_query("INSERT INTO comment 
(name,comment) 
VALUES ('$name','$comment') " ) 

Please, don't use mysql_* functions in new code. They are no longer maintained and are officially deprecated. See the red box? Learn about prepared statements instead, and use PDO or MySQLi - this article will help you decide which. If you choose PDO, here is a good tutorial.

You are also wide open to SQL injection.

Upvotes: 0

Daryl Gill

Reputation: 5524

INSERT INTO comment (name,comment) VALUES ('$name','$comment')

will solve your issue. But something the other developers might have noticed, but not pointed out: you have not closed a backtick in your SQL query:

INSERT INTO `comment 

Should be:

INSERT INTO `comment`

There is nothing wrong with using backticks for column/table/schema names. In fact, they are recommended, to minimize the risk of running into an SQL reserved word, providing they are opened and closed correctly.

Upvotes: 0

John Woo

Reputation: 263723

If the data type of the columns is string, then the values should be wrapped in single quotes, as they are string literals:

INSERT INTO comment (name,comment) VALUES ('$name','$comment')

As a side note, the query is vulnerable to SQL injection if the value(s) of the variables come from outside. Please take a look at the article below to learn how to prevent it. By using prepared statements you can get rid of single quotes around values.

Upvotes: 2
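The three answers above each touch one part of the problem: the unbalanced backtick, the unquoted string literals (MySQL reads an unquoted `Abu` as a column reference, which is where "Unknown column 'Abu' in 'field list'" comes from, while unquoted `name` and `comment` resolve to the table's own columns and silently insert their default values instead of the form text), and the injection risk of interpolating `$_POST` into the query. The block below is an added example, not code from the question or from any of the answers; it is the same form handler rewritten on PDO with a prepared statement, which fixes all three at once. The DSN, database name `site`, user `app` and password `secret` are assumed for illustration, as is the `comment` table with `name` and `comment` columns from the question.

```php
<?php
// Added example for this thread, not the asker's or an answerer's code.
// Assumed: MySQL database "site" on localhost, credentials app/secret,
// and a table `comment` with string columns `name` and `comment`.

declare(strict_types=1);

// The original statement was built by string interpolation:
//
//   "INSERT INTO `comment (`name`,`comment`) VALUES ($name,$comment)"
//
// Problems: the backtick after INTO is never closed; the values are not
// quoted, so MySQL parses a value such as Abu as an identifier; and raw
// form input becomes part of the SQL text, so a field value containing
// a quote or a comment marker changes what the statement does.
// With a prepared statement the SQL text is fixed and the values are
// sent separately, so none of those three issues can arise.

function db(): PDO
{
    $dsn = 'mysql:host=localhost;dbname=site;charset=utf8mb4';
    return new PDO($dsn, 'app', 'secret', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // throw instead of die(mysql_error())
        PDO::ATTR_EMULATE_PREPARES   => false,                  // real server-side prepares
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

function addComment(PDO $pdo, string $name, string $comment): int
{
    // Identifiers are backticked and balanced; the values are placeholders only.
    $stmt = $pdo->prepare(
        'INSERT INTO `comment` (`name`, `comment`) VALUES (:name, :comment)'
    );
    $stmt->execute([':name' => $name, ':comment' => $comment]);
    return (int) $pdo->lastInsertId();
}

// Form handling: check presence server-side (the original relied on
// truthiness, which also rejects a comment consisting of "0"), then insert.
$name    = trim((string) ($_POST['name'] ?? ''));
$comment = trim((string) ($_POST['comment'] ?? ''));

if ($name === '' || $comment === '' || !isset($_POST['post'])) {
    echo 'please fill out all fields';
    exit;
}

try {
    $id = addComment(db(), $name, $comment);
    echo 'comment #' . $id . ' saved';
} catch (PDOException $e) {
    error_log($e->getMessage());   // keep driver error text out of the browser
    http_response_code(500);
    echo 'could not save your comment';
}
```

Placeholders cover values only; table and column names cannot be bound, which is why they are written literally (and backticked, as Daryl Gill notes) in the prepared SQL. Reporting `mysql_error()` to the visitor, as the original `or die(...)` does, hands an attacker the exact statement fragment that failed, so the driver message goes to the server log instead. When the stored comments are later echoed back into the page, pass them through `htmlspecialchars()`; the prepared statement protects the database, not the HTML.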
