Home/ Questions/Q 7604853
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-31T00:01:00+00:00

So, I’m not exactly sure what the problem is, but, when I try to

  • 0

So, I’m not exactly sure what the problem is, but, when I try to INSERT into a table, it doesn’t work.

All the variables are working. I’ve echoed and tested them, they are working.

$username = $_SESSION['username'];
$update = $_GET['update'];
mysql_query("INSERT INTO updates (username, update) VALUES ('$username', '$update')");

So it must be a problem with my mySQL query. This mySQL query is one of two in the .php folder. If that makes any difference.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Error in SQL

    There is an error in your SQL. You cannot use MySQL keywords in column names without quoting them.

    In this case update needs to be enclosed in backticks:

    $query = "INSERT INTO updates (`username`, `update`) 
                       VALUES ('$username', '$update')";

    SQL injection

    Your code is susceptible to SQL injection attacks. You should escape quoted strings that are placed into an SQL statement with mysql_real_escape_string() or bind your data using PHP PDO prepared statements.

    $username = mysql_real_escape_string($_SESSION['username']);
$update = mysql_real_escape_string($_GET['update']);

    Putting it together

    $username = mysql_real_escape_string($_SESSION['username']);
$update = mysql_real_escape_string($_GET['update']);
$query = "INSERT INTO updates (`username`, `update`) 
                       VALUES ('$username', '$update')";

    I have written little SQLFiddle for you so you can see this in action: http://sqlfiddle.com/#!2/c25b1/1

    • 0