I get this error when I execute this statement in PHP:
$sql = mysql_real_escape_string("INSERT INTO `locations`(`id`,`anchor_url`,`anchor_title`)
VALUES (1,`http%3A%2F%2Fmaps.google.com%2Fmaps%2Fms%3Fmsid%3D210426849026628615459.0004bd6aaf4e431aab7f9%26msa%3D0%26output%3Dembed`, `Se "Mar Menor" på kartet`)");
I figure it has something to do with the quotes, but I’ve tried different quotes, which has provided me with another error saying I have an error in the SQL syntax (single quote).
The error that is thrown when the above query is executed is:
Unknown column ‘http%3A%2F%2Fmaps.google.com%2Fmaps%2Fms%3Fmsid%3D210426849026628615459.0004bd6aaf4e431aab7f9%26msa%3D0%26output%3Dembed’ in ‘field list’
EDIT:
Answer was accepted but only for some of it as I did not test the other info provided: I used PDO to query the database instead with prepared statements.
You cannot call mysql_real_escape_string on the whole query; you must call it on each variable separately. Example:
You also have to pay attention to the single quotes around the values that mres produces; these are absolutely critical. Now of course the above looks extremely ugly, so you can pretty it up a little:
The above is pretty much the bare minimum that you have to do to sanitize input to the database. But it would be much better if you used prepared statements instead (either with the mysqli or the PDO extensions).
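The asker's INSERT rewritten both ways the answer describes, as an added example that is not code from the question or the answer: each value escaped on its own with single quotes around it, and then the same insert as a prepared statement. The host, user, password and database names are placeholders; mysqli and PDO stand in for the old mysql_* extension, which was removed in PHP 7.

```php
<?php
// Added example, not from the original question or answer.
// Values taken from the question; connection details are placeholders.
$id    = 1;
$url   = 'http%3A%2F%2Fmaps.google.com%2Fmaps%2Fms%3Fmsid%3D210426849026628615459.0004bd6aaf4e431aab7f9%26msa%3D0%26output%3Dembed';
$title = 'Se "Mar Menor" på kartet';

// 1) Escape per value. In MySQL, backticks quote identifiers, so a value
//    wrapped in backticks is parsed as a column name, which is exactly the
//    "Unknown column ... in 'field list'" error from the question. String
//    values need single quotes, and each value is escaped separately with
//    the connection's charset; the whole statement is never escaped at once.
$mysqli = new mysqli('db-host', 'db-user', 'db-pass', 'db-name'); // placeholders
$mysqli->set_charset('utf8mb4');
$sql = sprintf(
    "INSERT INTO `locations` (`id`, `anchor_url`, `anchor_title`) VALUES (%d, '%s', '%s')",
    (int) $id,                              // numeric: cast, no quotes
    $mysqli->real_escape_string($url),      // string: escaped, single-quoted
    $mysqli->real_escape_string($title)     // the embedded "" become \"
);
$mysqli->query($sql);

// 2) Prepared statement with PDO. The values are sent separately from the
//    SQL text, so quoting and escaping are handled by the driver and the
//    title's double quotes and the URL's % characters need no special care.
$pdo = new PDO(
    'mysql:host=db-host;dbname=db-name;charset=utf8mb4', 'db-user', 'db-pass',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepares
    ]
);
$stmt = $pdo->prepare(
    'INSERT INTO `locations` (`id`, `anchor_url`, `anchor_title`) VALUES (:id, :url, :title)'
);
$stmt->execute([':id' => $id, ':url' => $url, ':title' => $title]);
```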