PHP SQL Insert Error

Question

I have an error when inserting into the database.

Code:

dbquery("INSERT INTO site_news_comments (articleid,title,short,comment,timestamp,userid,main,type,topstory) VALUES ($article,'".clean($commentss['title'])."','','".mysql_real_escape_string($_POST['comment'])."',current_timestamp,'".USER_ID."','0','".$commentss['type']."','')");

Ignore the dbquery, works exactly as mysql_query.

The error I am receiving is:

 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''title','short','

No idea why this error is being thrown!

Answer 1

EDIT
I read too quickly the first time around; The error does not appear to be in the column list, it looks like it's in the value list. The only place the query can have a syntax error is if $article is empty (or un-sanitized data, such as non-numeric). Try adding quotes around it in the query and/or verifying it has at least a default value:

$article = (empty($article) || !is_numeric($article)) ? 0 : $article;
dbquery("... VALUES ('".$article."', '".clean($commentss['title'])."', '', '".mysql_real_escape_string($_POST['comment'])."', current_timestamp, '".USER_ID."', '0', '".$commentss['type']."', '')");

Original Answer

There is a list of reserved words used by MySQL that, if you use them for column names, you have to escape them with backticks.

Try updating all of them to fix:

dbquery("INSERT INTO site_news_comments (`articleid`, `title`, `short`, `comment`, `timestamp`, `userid`, `main`, `type`, `topstory`) VALUES ...

Answer 2

Teaching a man how to fish.

If a query fails, the first thing you should do is to echo the query you're about to send:

$sql = "INSERT INTO site_news_comments (articleid,title,short,comment,timestamp,userid,main,type,topstory) VALUES ($article,'".clean($commentss['title'])."','','".mysql_real_escape_string($_POST['comment'])."',current_timestamp,'".USER_ID."','0','".$commentss['type']."','')";

echo $sql;

It's usually pretty obvious what's wrong with the final query; pay particular attention to the dynamic stuff in your query and generally around the area where MySQL complains about.

If that still looks okay, then you look for words that might need escaping, such as the reserved words .

Conclusion

Having looked at the code mysql, I would have to conclude that the problem lies with $article and it causes problems in your query. You should probably escape it as well, just in case :)

Recommendation

You should learn about PDO / mysqli and using prepared statements:

// PDO example
$stmt = $db->prepare('INSERT INTO site_news_comments (articleid, title, short, comment, timestamp, userid, main, type, topstory) VALUES (:article, :title, :short, :comment, CURRENT_TIMESTAMP, :user, :main, :type, :topstory)');
$stmt->execute(array(
    ':article' => $article,
    ':title' => $commentss['title'],
    ':short' => '',
    ':comment' => $_POST['comment'],
    ':user' => USER_ID,
    ':main' => 0,
    ':type' => $commentss['type'],
    ':topstory' => '',
));

Answer 3

Thanks for the help guys! But I fixed the problem!

It seems that the cause of the problem was of the "URL". The URL was

news/1/&page=2

So when I inserted the $article, it came as '1/', this was because it thought that the ID was 1/ , not 1 because of the URL.

So I've just changed it to

news/1&page=2

Thanks!

Answer 4

//change this line :
dbquery("INSERT INTO site_news_comments (articleid,title,short,comment,timestamp,userid,main,type,topstory) VALUES ($article,'".clean($commentss['title'])."','','".mysql_real_escape_string($_POST['comment'])."',current_timestamp,'".USER_ID."','0','".$commentss['type']."','')");

//to this : (surround $articleid with single quote)
dbquery("INSERT INTO site_news_comments (articleid,title,short,comment,timestamp,userid,main,type,topstory) VALUES ('".$article."','".clean($commentss['title'])."','','".mysql_real_escape_string($_POST['comment'])."',current_timestamp,'".USER_ID."','0','".$commentss['type']."','')");