Reputation: 11
It works perfectly fine when the values inserted contain only numbers such as "728011955", but it fails to insert if the values contain any letters such as "1lKw7Rcc1iM8WB9c".
Below is the query that fails.
$query = ("INSERT INTO $tbl_name VALUES ($key, $timestamp, $use)");
The mysql_error() output is below.
Unknown column '1lKw7Rcc1iM8WB9c' in 'field list'
Help! :)
Upvotes: 0
Views: 55
Reputation: 9148
Not to be nitpicking, but why the outer parentheses? I.e., this would work just as well and be easier to read:
$query = "INSERT INTO $tbl_name VALUES ('$key', '$timestamp', '$use')";
As for your error, numeric values should not be quoted (like maybe your key and timestamp values), same for the table name. String types on the other hand need quotes.
While others have mentioned parameter binding and prepared statements to make your SQL more secure, yet another possibility is to use sprintf.
Upvotes: 0
Reputation: 19319
You have to quote your parameters.
$query = ("INSERT INTO $tbl_name VALUES ('$key', '$timestamp', '$use')");
However, you should read up on SQL injection attacks, as this query is likely vulnerable to them if those variables are coming from outside your program.
Upvotes: 7
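The parameter binding mentioned in the answers above, as an added example that is not part of the original posts: the values are sent as bound parameters, so a key made of letters, or one containing a quote character, is stored as data rather than parsed as SQL. The table name `access_keys`, the column names and the sample values are hypothetical, since the thread does not show the schema; an in-memory SQLite database stands in for MySQL so the script runs offline.

```php
<?php
// Added example: table/column names are hypothetical (the thread shows no schema).
// SQLite in memory keeps this runnable offline; for MySQL only the PDO DSN,
// user and password change, the prepare/bind/execute calls stay the same.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE access_keys (code TEXT PRIMARY KEY, created_at INTEGER, uses INTEGER)');

// Identifiers such as table names cannot be bound as parameters, so a table
// name held in a variable is checked against a fixed allow-list first.
const ALLOWED_TABLES = ['access_keys'];

function insertKey(PDO $pdo, string $table, string $code, int $createdAt, int $uses): void
{
    if (!in_array($table, ALLOWED_TABLES, true)) {
        throw new InvalidArgumentException("Unexpected table name: $table");
    }
    // Placeholders keep the values out of the SQL text entirely: no manual
    // quoting, and no way for a value to be read as a column name or as SQL.
    $stmt = $pdo->prepare(
        "INSERT INTO $table (code, created_at, uses) VALUES (:code, :created_at, :uses)"
    );
    $stmt->bindValue(':code', $code, PDO::PARAM_STR);
    $stmt->bindValue(':created_at', $createdAt, PDO::PARAM_INT);
    $stmt->bindValue(':uses', $uses, PDO::PARAM_INT);
    $stmt->execute();
}

// Constructed sample values: the two keys quoted in the question, plus one
// containing a quote character and a comment marker.
$samples = ['728011955', '1lKw7Rcc1iM8WB9c', "it's-a-key'; --"];
foreach ($samples as $code) {
    insertKey($pdo, 'access_keys', $code, time(), 0);
}

// Every value comes back exactly as it was supplied.
foreach ($pdo->query('SELECT code, uses FROM access_keys') as $row) {
    printf("%-20s uses=%d\n", $row['code'], $row['uses']);
}

// A table name outside the allow-list is rejected before any SQL is built.
try {
    insertKey($pdo, 'other_table', 'abc', time(), 0);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```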