
Not adding to database

I can't for the life of me figure out why this isn't working. Every time it throws up an error:

$GROUPCREATE = $_POST['GROUPCREATE'];
$USER = $_POST['USER'];
mysql_connect ("localhost", "XXXX", "XXXX") or die ('Error: ' . mysql_error());
mysql_select_db ("XXXX");
$query="INSERT INTO contacts_groups (id, GROUP, USER)VALUES ('NULL','".$GROUPCREATE."','".$USER."')";
mysql_query($query) or die ('Error updating database' . mysql_error());
header( 'Location: add_done.php' ) ;

I get the following error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'GROUP, USER)VALUES ('NULL','Group Name','Username')' at line 1

I can't figure it out! The code looks all right and is pretty much identical to one I have used on another (fully working) form.


GROUP is a protected keyword in MySQL, which means if you absolutely have to use it as a field identifier, you will have to put it in backticks like this

`GROUP`

The better version would be to just avoid protected keywords. You can get a list of them all at http://dev.mysql.com/doc/refman/5.1/en/reserved-words.html


GROUP is a reserved word in MySQL. You'll have to "escape" it with backticks:

INSERT INTO contacts_groups (id, `GROUP`, USER) ...

Your code is also vulnerable to SQL injection, so better take care of that.


Because GROUP is a reserved word in MySQL (GROUP BY). You should change the name of your field or add quotes to it like ` .


GROUP is a MySQL reserved keyword so it is breaking your query. You need to escape it with back ticks like so:

`GROUP`

See the MySQL Reserved Words manual page.

So your code should be something like:

$query="INSERT INTO `contacts_groups` (`id`, `GROUP`, `USER`)
        VALUES ('NULL','$GROUPCREATE','$USER')";

You will also notice that I have removed the unnecessary string concatenation you had in your query.

You should also be careful what you are putting into your SQL queries to prevent SQL injection occurring. As a bare minimum you should be running the following before your query:

$GROUPCREATE = mysql_real_escape_string($GROUPCREATE);

On all the PHP variables you are going to drop into your query.

Ideally you would be using PHP's PDO classes and using placeholders so that your data/variables is/are automatically escaped.
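
The placeholder approach recommended above, as an added example that is not part of the original question or answers: the reserved-word columns stay backtick-quoted in the fixed SQL text while the form values are bound as parameters. The helper name `addContactGroup`, the in-memory SQLite database (which accepts MySQL-style backticks and needs the pdo_sqlite extension) and the sample inputs are assumptions made so the example runs without a server.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: inserts one row using bound parameters.
function addContactGroup(PDO $db, string $group, string $user): int
{
    // Identifiers cannot be bound, so the reserved words stay backtick-quoted
    // in the fixed SQL text; only the values travel as parameters.
    // The id column is omitted so the database assigns it.
    $stmt = $db->prepare(
        'INSERT INTO `contacts_groups` (`GROUP`, `USER`) VALUES (:grp, :usr)'
    );
    $stmt->execute([':grp' => $group, ':usr' => $user]);
    return (int) $db->lastInsertId();
}

// Assumption: in-memory SQLite stands in for the MySQL server.
// For MySQL the DSN would look like 'mysql:host=localhost;dbname=XXXX;charset=utf8mb4',
// with PDO::ATTR_EMULATE_PREPARES set to false for server-side prepares.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE `contacts_groups` (
    `id` INTEGER PRIMARY KEY, `GROUP` TEXT NOT NULL, `USER` TEXT NOT NULL)');

// Constructed inputs standing in for $_POST['GROUPCREATE'] and $_POST['USER'].
$inputs = [
    ['Group Name', 'Username'],
    ["Bob's group", 'bob'],          // a quote that would break the concatenated query
    ["x','y') -- ", 'mallory'],      // text shaped like SQL, handled as plain data
];
foreach ($inputs as [$group, $user]) {
    $id = addContactGroup($db, $group, $user);
    echo "inserted id $id\n";
}

// Read the rows back to see exactly what was stored.
foreach ($db->query('SELECT `id`, `GROUP`, `USER` FROM `contacts_groups`') as $row) {
    printf("%d | %s | %s\n", $row['id'], $row['GROUP'], $row['USER']);
}
```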
