The following code is responsible for the MySQL error Error In Insert-->Unknown column 'expert manager' in 'field list'. If I remove the code below it will solve the MySQL error. Do you know what’s wrong with this piece of code?
$l=0;
$source = 'expertmanager';
mysql_query("DELETE FROM `student_questions` WHERE user_id=".$userId."");
for($i=0; $i < $count; $i++)
{
mysql_query("INSERT INTO `student_questions` (`user_id`, `checked_id`, `category_id`, course_id, `question`, `exe_order`, `time`,course_code, year, school, status, close, source) VALUES ('".$userId."', '".$_POST['checkbox'][$i]."', ".$this->cat.", ".$course_id.",'".$_SESSION['question']."','".(++$l)."', '".$time."', '".$course_code."', '".$year."', '".$school."', 1, ".$close.", ".$source.")") or die("Error In Insert-->".mysql_error());
}
Thanks!
What is wrong with this piece of code:
Too short variable names
Don’t use variable names that are shorter than 3-5 chars. Every variable name should describe the value(s) you want to store inside.
Concatenation of queries
Don’t concatenate queries, it’s a bad practice that leads to errors, insecure applications, etc. Don’t use the mysql API either, it’s outdated, insecure and will be deprecated. Use PDO and prepared statements instead.
Usage of die()
I see it all the time, and I see people telling other people to do that all the time. It’s plain and simple bad practice and it’s time that people start to understand this. You cannot catch the error in any way. You cannot log the error. You cannot control whether it should be output to the screen or not. It’s okay to do that in a development environment, but certainly not in a production environment.
You’re vulnerable to SQL injection attacks
NEVER, NEVER include user data (session, get, post, cookie, etc.) unfiltered/unescaped into your queries.
And finally the smallest thing that’s wrong and the one that created your error
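One way to apply the PDO and prepared-statement advice from the answer above to the question's insert loop. This is an added example, not code from the original thread; it assumes the PDO SQLite driver with an in-memory database so it runs offline, and the function name `replaceStudentQuestions` and all sample values are constructed for illustration.

```php
<?php
// Added example. Assumptions: in-memory SQLite stands in for MySQL (swap the
// DSN for a real server) and every input value below is a constructed sample.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // exceptions, not die()

$pdo->exec('CREATE TABLE student_questions (
    user_id INTEGER, checked_id INTEGER, category_id INTEGER, course_id INTEGER,
    question TEXT, exe_order INTEGER, time TEXT, course_code TEXT, year TEXT,
    school TEXT, status INTEGER, close INTEGER, source TEXT)');

function replaceStudentQuestions(PDO $pdo, int $userId, array $checkedIds, array $row): int
{
    $delete = $pdo->prepare('DELETE FROM student_questions WHERE user_id = :user_id');
    $insert = $pdo->prepare(
        'INSERT INTO student_questions
            (user_id, checked_id, category_id, course_id, question, exe_order,
             time, course_code, year, school, status, close, source)
         VALUES
            (:user_id, :checked_id, :category_id, :course_id, :question, :exe_order,
             :time, :course_code, :year, :school, 1, :close, :source)'
    );
    $pdo->beginTransaction(); // delete and inserts succeed or fail together
    try {
        $delete->execute([':user_id' => $userId]);
        $order = 0;
        foreach ($checkedIds as $checkedId) {
            // Every value is bound as data, so a string such as the source
            // can never be parsed as a column name or as SQL.
            $insert->execute($row + [':user_id' => $userId,
                ':checked_id' => (int) $checkedId, ':exe_order' => ++$order]);
        }
        $pdo->commit();
        return $order;
    } catch (PDOException $e) {
        $pdo->rollBack();
        error_log('student_questions insert failed: ' . $e->getMessage());
        throw $e; // the caller decides what, if anything, the user sees
    }
}

// Constructed input; the question text contains a quote on purpose.
$row = [':category_id' => 2, ':course_id' => 10, ':question' => "What's a JOIN?",
        ':time' => '2012-01-01 10:00:00', ':course_code' => 'CS101',
        ':year' => '2012', ':school' => 'Sample School', ':close' => 0,
        ':source' => 'expertmanager'];
$inserted = replaceStudentQuestions($pdo, 42, ['3', '7'], $row);
echo "inserted $inserted rows\n";
```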