Click here to Skip to main content
15,794,795 members
Please Sign up or sign in to vote.
1.44/5 (2 votes)
See more:
INSERT INTO `liceo1`(`rut`, `admin`, `lname`, `fname`, `password`, `email`, `work`, `profesion`, `ciudad`, `phone`, `yearin`, `cursoin`, `profein`, `yearout`, `cursoout`, `profeout`, `comments`, `created`) VALUES (208090801,0,Sepda,Lautaro,Qwert123,ivan.sepdagmail.com,estudent, chief,nunoa,940429390,1950,4toB,ssss, 1960,6F,zaqw,ivanismeagain, 23/01/18 )
#1054 - Unknown column 'Sepda' in 'field list' using PHPADMIN

I fixed the email with no @ and eliminated all spaces and then it didn't like my lname...
Executing my PHP I get
Fatal error: Uncaught mysqli_sql_exception: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '@gmail.com,estudent, chief,nunoa,940429390...' at line 4 in C:\xampp\htdocs\liceo1\include\liceoFuncs.php:118 Stack trace: #0 C:\xampp\htdocs\liceo1\include\liceoFuncs.php(118): mysqli_query(Object(mysqli), 'INSERT INTO `li...') #1 C:\xampp\htdocs\liceo1\reglogcontact.php(21): register_exalumno(Object(mysqli)) #2 {main} thrown in C:\xampp\htdocs\liceo1\include\liceoFuncs.php on line 118


What I have tried:

I fixed the email with no @ and eliminated all spaces in between columns variablesand then it didn't like my lname..
Posted
Updated 18-Jan-23 4:12am
Comments
Member 15627495 18-Jan-23 9:11am    
you have to surround all the String Type with escape double quotes
... values (\"" .$string_1. "\" , \"" .$string_2. "\",\"" .$string_3. "\" , ". $integer_1 .",.... ) ; 

1 solution

It's saying that that "Sepda" is a column name - which it is, because it's not delimited by the quotes that indicate it's a string value.

But your problem is worse than that: Never concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Always use Parameterized queries instead.

When you concatenate strings, you cause problems because SQL receives commands like:
SQL
SELECT * FROM MyTable WHERE StreetAddress = 'Baker's Wood'
The quote the user added terminates the string as far as SQL is concerned and you get problems. But it could be worse. If I come along and type this instead: "x';DROP TABLE MyTable;--" Then SQL receives a very different command:
SQL
SELECT * FROM MyTable WHERE StreetAddress = 'x';DROP TABLE MyTable;--'
Which SQL sees as three separate commands:
SQL
SELECT * FROM MyTable WHERE StreetAddress = 'x';
A perfectly valid SELECT
SQL
DROP TABLE MyTable;
A perfectly valid "delete the table" command
SQL
--'
And everything else is a comment.
So it does: selects any matching rows, deletes the table from the DB, and ignores anything else.

So ALWAYS use parameterized queries! Or be prepared to restore your DB from backup frequently. You do take backups regularly, don't you?

Change the whole query in your PHP to use parameters (and do every other query in your app at the same time) and the problem will disappear.
 
Share this answer
 
Comments
Ivan Sepulveda 18-Jan-23 10:44am    
I use variables for my Inserts/updates...I previouly sent the contents of the variables: $sql="INSERT INTO `liceo1`(`rut`, `admin`, `lname`, `fname`, `password`, `email`, `work`,
`profesion`, `ciudad`, `phone`, `yearin`, `cursoin`, `profein`,
`yearout`, `cursoout`, `profeout`, `comments`, `created`)
VALUES ($rutv,$admin,$lname,$fname,$pwd,$email,$work,
$grado,$ciudad,$phone,$yin,$cursoin,$profein,
$yout,$cursoout,$profeout,$story, $date )";
$date=$date = date('y/m/d h:i:s');
echo INSERT INTO `liceo1`(`rut`, `admin`, `lname`, `fname`, `password`, `email`, `work`, `profesion`, `ciudad`, `phone`, `yearin`, `cursoin`, `profein`, `yearout`, `cursoout`, `profeout`, `comments`, `created`) VALUES (208090801,0,Sepulveda,Lautaro,Qwert1234,test@gmail.com,baby, chief,nunoa,940429390,2016,4toB,ssss, 2022,6 F,ssss,test, 23/01/18 04:39:35 )
Richard Deeming 19-Jan-23 6:28am    
Read the solution again. By inserting the variables directly into the query, your code is vulnerable to SQL Injection[^]. NEVER use string concatenation/interpolation to build a SQL query. ALWAYS use a parameterized query.

PHP: SQL Injection - Manual[^]
Ivan Sepulveda 18-Jan-23 10:46am    
PHPADMIN: MySQL said: Documentation

#1064 - You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '@gmail.com,baby, chief,nunoa,940429390,2016,4toB,ssss, 2022,6 F,ssss,test, 23...' at line 1
Ivan Sepulveda 18-Jan-23 10:50am    
I added double quotes for my date and now complains in #1064 - You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '@gmail.com,baby, chief,nunoa,940429390,2016,4toB,ssss, 2022,6 F,ssss,test, "2...' at line 1

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)



CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900