
It works perfectly fine when the values inserted contain only numbers such as "728011955", but it fails to insert if the values contain any letters such as "1lKw7Rcc1iM8WB9c".

Below is the query that fails.

  $query = ("INSERT INTO $tbl_name VALUES ($key, $timestamp, $use)");

The mysql_error() output is below.

Unknown column '1lKw7Rcc1iM8WB9c' in 'field list'

Help! :)

2 Answers


You have to quote your parameters.

$query = ("INSERT INTO $tbl_name VALUES ('$key', '$timestamp', '$use')");

However, you should read up on SQL injection attacks, as this query is likely vulnerable to them if those variables are coming from outside your program.


4 Comments

We have a winner! It works now! Thank you, Cfreak! High five!
It's generally better to use parameter binding than to interpolate the values directly into the query.
@Ted Hopp or prepared statements.
Yes prepared statements are definitely the way to go.

Not to be nitpicking, but why the outer parentheses? I.e., this would work just as well and be easier to read:

$query = "INSERT INTO $tbl_name VALUES ('$key', '$timestamp', '$use')";

As for your error, numeric values should not be quoted (like maybe your key and timestamp values), same for the table name. String types on the other hand need quotes.

While others have mentioned parameter binding and prepared statements to make your SQL more secure, yet another possibility is to use sprintf.
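Both answers point at prepared statements as the real fix. The following is an added example (not code from the question or either answer) that runs the same INSERT three ways with PDO: the original unquoted query, the quoted-interpolation fix, and a bound-parameter version. The DSN, credentials, table name `sessions` and its three-column layout are assumptions; the value with an apostrophe is constructed to show where quoting alone stops working.

```php
<?php
// Assumed connection; ERRMODE_EXCEPTION makes failures visible as exceptions.
$pdo = new PDO('mysql:host=localhost;dbname=testdb', 'user', 'password', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepared statements
]);

// A table name cannot be bound as a parameter, so accept only known names.
$allowed_tables = ['sessions' => true];
$tbl_name = 'sessions';                    // assumed table with three columns
if (!isset($allowed_tables[$tbl_name])) {
    throw new InvalidArgumentException('Unexpected table name');
}

$key       = '1lKw7Rcc1iM8WB9c';           // the value from the question
$timestamp = 1335000000;
$use       = "O'Brien's session";          // constructed: contains an apostrophe

// 1. The question's query: the unquoted string is parsed as an identifier,
//    which is why MySQL reports "Unknown column '1lKw7Rcc1iM8WB9c' in 'field list'".
$unquoted = "INSERT INTO $tbl_name VALUES ($key, $timestamp, $use)";

// 2. The accepted fix: valid for this $key, but the apostrophe inside $use
//    terminates the string literal early, so the statement is still malformed.
$quoted = "INSERT INTO $tbl_name VALUES ('$key', '$timestamp', '$use')";

foreach (['unquoted' => $unquoted, 'quoted' => $quoted] as $label => $sql) {
    try {
        $pdo->exec($sql);
        echo "$label: inserted\n";
    } catch (PDOException $e) {
        echo "$label: " . $e->getMessage() . "\n";
    }
}

// 3. Prepared statement: the SQL text holds only placeholders and the values
//    are sent separately, so they are never parsed as SQL syntax or identifiers.
$stmt = $pdo->prepare("INSERT INTO $tbl_name VALUES (?, ?, ?)");
$stmt->bindValue(1, $key, PDO::PARAM_STR);
$stmt->bindValue(2, $timestamp, PDO::PARAM_INT);
$stmt->bindValue(3, $use, PDO::PARAM_STR);
$stmt->execute();
echo 'prepared: inserted ' . $stmt->rowCount() . " row\n";
```

With bound parameters the same statement accepts digits-only keys, alphanumeric keys and values containing quote characters alike, and the question of "which values need quotes" disappears because the driver types each parameter.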
