You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' )' at line 1

Question

$q = "INSERT INTO subjects (menu_name, position, visible) VALUES ('{$mname}', {$pos}, {$vis}) ";
    if(mysql_query($q)) {
        header("Location: content.php");
    }
    else {
        echo mysql_error();
    }

Here, $mname is a string. $pos and $vis are integers. Where is the mistake?

Answer 1

You cannot name a column name whenever you run something through MySQL. One way to check is to run the query within HeidiSQL. MySQL functions will be highlighted blue, so you know if the column name becomes blue to not use it. Also; Here's a quick run of PDO to make things a little bit better; I'd suggest looking further into it as well.

public function MakeMenu() {
      $q = <<<SQL
      INSERT INTO subjects (menu_name,_position,visible)
      VALUES(":menu_name","_position","visible")
SQL;
      $resource = $this->db->prepare( $query );
      $resource->execute( array (
      'menu_name' => $_POST['menu_name'],
      '_position' => $_POST['position'],
      'visible'   => $_POST['visible'],
));
}

To make things easy enough you can just make a call.php page as well. Make the calls.php page require your class page and add a hidden input to your form. IE

<input type=hidden" id="process" value="make_menu">

Then within the calls.php page add

if ( isset($_POST['process']) )
{
   switch ($_POST['process'])
   {
      case 'make_menu':
        $class->MakeMenu();
        break;

I know this isn't just a quick answer, but I'm hoping you'll look further into what's happening here and move away from mysql functions. I have seen posts from people running IIS servers and not having any luck with any of the deprecated functions. Not sure how long it will be until Apache follows suite, but don't waste your time with something that's being deprecated as we speak.

Answer 2

If you're going to use braces to try and prevent the greedy nature of variable expansion, you should use them properly.

The string "{$pos}", when $pos is 42, will give you "{42}", which is clearly not a valid integer in terms of your SQL statement. What you're looking for is instead:

${pos}

In this case, of course, you don't actually need the braces since the characters following the variable name cannot be part of a variable name - they are, respectively, ', , and ).

You only need to use braces when the following character could be part of a variable name. For example, consider:

$var  = "pax";
$vara = "diablo";

In that case, $vara will give you diablo while ${var}a will give you paxa.

And I give you the same advice I seem to give weekly here :-) If you have a query that's not working, print it out! You'll find that the problem will usually become immediately obvious once you see the query in the final form you're passing to the DBMS.

And, as per best practices, I'll advise against using this method of creating queries. Anyone that's investigated SQL injection attacks (google for sql injection or, my favourite, little bobby tables) soon learns that they should use parameterised queries to prevent such attacks.

Answer 3

try to use only single quote to query variable rather pseudo(i think pseudo variable needs to be also quoted for query) like

$q= "INSERT INTO subjects (menu_name, position, visible) VALUES ('$mname', '$pos', '$vis')";

Answer 4

you are missing ' sign as the error says.

 $q = "INSERT INTO subjects (menu_name, position, visible) VALUES ('$mname', '$pos', '$vis') ";

The value will be stored to table. Just make datatype to int in mysql table if you want it to be integer and make validation not to enter string while inserting.