    #1
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date: Mar 2013
    Posts: 4
    Rep Power: 0

    PHP Mysql error - please help


    Hello, I keep getting this error:
    Code:
    You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'desc, board) VALUES ('hi', 'hi', 'Proxies')' at line 1

    This is my PHP code:

    Code:
    if ( isset( $_POST['submit'] ) ) {

        $title = htmlentities($_POST['title']);
        $desc = htmlentities($_POST['content']);
        $board_id = $_GET["title"];

        mysql_connect("host","user","pass");
        mysql_select_db("db");

        // the column list below is what the server rejects (see the error message above)
        mysql_query("INSERT INTO thread (title, desc, board)
                     VALUES ('$title', '$desc', '$board_id')");
        echo mysql_error();
    }
    Why am I getting that error?

    #2
    Contributing User
    Devshed Frequenter (2500 - 2999 posts)

    Join Date: Dec 2004
    Posts: 2,971
    Rep Power: 375
    Isn't desc a KEYWORD in MySQL? You should optionally put ` around your fields, so `title` etc.

    #3
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date: Mar 2013
    Posts: 4
    Rep Power: 0
    Originally Posted by paulh1983:
    Isn't desc a KEYWORD in MySQL? You should optionally put ` around your fields, so `title` etc.

    Thank you, it works now.

    #4
    --
    Devshed Expert (3500 - 3999 posts)

    Join Date: Jul 2012
    Posts: 3,957
    Rep Power: 1046
    Hi,

    actually, you shouldn't use keywords at all. This backticks workaround is pretty ugly and error-prone.

    And the usual sermon:

    The MySQL extension you're using has been obsolete for almost 10 years and will be officially deprecated in the next PHP version. This means every call to mysql_connect(), mysql_query() etc. will generate a warning.

    If you have any chance to switch to one of the “new” extensions, do it! They have several new features. Most importantly, they support prepared statements to prevent SQL injections (which your code is vulnerable to).

    The old extension was written for MySQL 3. Those days are long gone. It's the 21st century now.

    Also check the link in my signature to avoid security holes.

    htmlentities() does not protect against SQL injections; it makes absolutely no sense in this context.

    Comments on this post

    • Strider64 agrees
    The 6 worst sins of security
    How to (properly) access a MySQL database with PHP
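    As an added illustration of the advice in the last reply (this is not code from the thread or from any poster), here is the same INSERT written with PDO prepared statements. It assumes the column has been renamed from the reserved word `desc` to `description`, and the host, database, user and password are placeholders.

```php
<?php
// Added example: the thread's INSERT rewritten with PDO prepared statements.
// Assumptions: column `desc` renamed to `description`; DSN/credentials are placeholders.

if (isset($_POST['submit'])) {
    // Store the raw values; HTML-escape only when rendering output.
    // htmlentities() at this point neither prevents SQL injection nor belongs here.
    $title   = $_POST['title']   ?? '';
    $desc    = $_POST['content'] ?? '';
    $boardId = $_GET['title']    ?? '';

    // Fail loudly on connection/query errors instead of silently returning false.
    $pdo = new PDO(
        'mysql:host=host;dbname=db;charset=utf8mb4',   // placeholder DSN
        'user',                                         // placeholder user
        'pass',                                         // placeholder password
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepared statements
        ]
    );

    // No reserved word in the column list (so no backticks needed), and the
    // user-supplied values never become part of the SQL text: the server
    // receives them as bound parameters, which is what defeats injection.
    $stmt = $pdo->prepare(
        'INSERT INTO thread (title, description, board)
         VALUES (:title, :description, :board)'
    );
    $stmt->execute([
        ':title'       => $title,
        ':description' => $desc,
        ':board'       => $boardId,
    ]);

    // Escaping belongs at output time, for the HTML context.
    echo 'Saved thread: ' . htmlspecialchars($title, ENT_QUOTES, 'UTF-8');
}
```

    With ERRMODE_EXCEPTION a failed connection or a rejected statement throws a PDOException, so the original echo mysql_error() pattern is no longer needed.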
