I am really pulling my hair out on this one. I got a simple comment section on my self-built php app and I simply want to add a new row if I catch a $_GET parameter. But no matter how I build the MySQL insert request, I get an error.
This is what I have so far:
    if(isset($_GET['r'])){
        $replyid = mysql_real_escape_string($_GET['r']);
        $sentnow = date("Y-m-d H:i:s");
        mysql_query("INSERT INTO eis_inbox (messageid, toid, from, contact, seen, message, date) VALUES (NULL, '".$replyid."', 'TESTUSER', 'CONTACTINFO', '0', 'MESSAGE', '".$sentnow."'") or die(mysql_error());
        echo '<meta http-equiv="refresh" content="0;/messages">';
    }
My MySQL DB fields are called exactly the same: messageid (auto_increment), toid(int11), from(varchar255), contact(varchar255), seen(int3), message(text) and date(timestamp/CURRENT_TIMESTAMP).
Executing the above page with let’s say “index.php?r=777” should, as I see it, populate my MySQL with a new row as such:
messageid = (AUTO_INCREMENT)
toid = 777
from = TESTUSER
contact = CONTACTINFO
seen = 0
message = MESSAGE
date = 2013-01-17 11:50:01
Instead, I get the following error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'from, contact, seen, message, date) VALUES (NULL, '1', 'TESTUSER', 'CONTACTINFO'' at line 1
Same error shown with “error_reporting(E_ALL)”.
I have looked into this for several days now, and I just can’t find the error… Perhaps I am blind and miss a comma or closing tag or something. Any ideas?
There are some syntax errors in here :
from and date are reserved keywords, enclose them in `.
seen and toid are not varchar fields, and therefore their values shouldn’t be enclosed in '.
Try :
Warning : this is vulnerable to SQL injections. Don’t use mysql_* commands, try PDO or mysqli instead. Prepared statements will help avoid them.
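The prepared-statement approach recommended in the answer, written out as an added example (not code from the original post or its answer). The function name insert_reply and the in-memory SQLite demo database are assumptions made so the script runs offline; the table and column names are the ones from the question.

```php
<?php
// Added example: validated, parameterised version of the INSERT discussed above.

function insert_reply(PDO $pdo, $rawReplyId, string $message): ?int
{
    // toid is an int column: accept only a positive integer. Escaping alone
    // does not protect a numeric value that is placed in SQL without quotes.
    $replyId = filter_var($rawReplyId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($replyId === false) {
        return null; // reject instead of trying to "clean" the value
    }

    // `from` and `date` are backtick-quoted as the answer advises; every
    // value is a bound parameter, so none of them is parsed as SQL.
    $stmt = $pdo->prepare(
        'INSERT INTO eis_inbox (toid, `from`, contact, seen, message, `date`)
         VALUES (:toid, :from, :contact, :seen, :message, :date)'
    );
    $stmt->bindValue(':toid', $replyId, PDO::PARAM_INT);
    $stmt->bindValue(':from', 'TESTUSER');
    $stmt->bindValue(':contact', 'CONTACTINFO');
    $stmt->bindValue(':seen', 0, PDO::PARAM_INT);
    $stmt->bindValue(':message', $message);
    $stmt->bindValue(':date', date('Y-m-d H:i:s'));
    $stmt->execute();

    return (int) $pdo->lastInsertId();
}

// Demo database (assumption): in-memory SQLite so the script runs offline.
// For MySQL, construct the PDO object with a mysql: DSN and credentials instead.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE eis_inbox (messageid INTEGER PRIMARY KEY AUTOINCREMENT,
    toid INTEGER, `from` TEXT, contact TEXT, seen INTEGER, message TEXT, `date` TEXT)');

// Constructed inputs standing in for $_GET['r'].
var_dump(insert_reply($pdo, '777', "it's a reply"));    // well-formed id, quote in message
var_dump(insert_reply($pdo, '777 OR 1=1', 'MESSAGE'));  // not an integer
var_dump($pdo->query('SELECT toid, message FROM eis_inbox')->fetchAll(PDO::FETCH_ASSOC));
```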