
Invalid column name in mysql PHP query

I had the following form working properly and populating MySQL DB. I had since added on a new field 'type' to my database and also added it to the form. However now when I try to add a new entry it says "Invalid column name 'type'". Any help would be greatly appreciated.

<script>
      $(document).ready(function() {
        $("#datepicker").datepicker();
      });
      </script>

  <script>
$(document).ready(function() {
$("#datepicker2").datepicker();
});
</script>

 </head>
 <body>
 <?php 
 // if there are any errors, display them
 if ($error != '')
 {
 echo '<div style="padding:4px; border:1px solid red; color:red;">'.$error.'</div>';
 }
 ?> 

  <form action="" method="post">
 <div>
 <label for="Posted"><strong>Posted: </strong> </label>
 <input id="datepicker"  name="posted" value="<?php echo $Posted; ?>" /><br/><br/>

 <label for="Ends"><strong>Ends: </strong> </label>
 <input id="datepicker2"  name="ends" value="<?php echo $Ends; ?>" /><br/><br/>

 <label for="Position"><strong>Position: </strong></label>
  <input type="text" name="position" value="<?php echo $Position; ?>" /><br/><br/>

  <label for="Location"><strong>Location: </strong> </label>
 <select name="location">
  <option value=" ">Select...<?php echo $Location; ?></option>
  <option value="Fargo">Fargo</option>
  <option value="Grand Forks">Grand Forks</option>
</select><br/><br/>

<label for="Application Type"><strong>Application Type: </strong> </label>
  <select name="type">
  <option value=" ">Select...<?php echo $Type; ?></option>
  <option value="Driver">Driver</option>
  <option value="Employee">Employee</option>
</select><br/><br/>

 <label for="Hours"><strong>Hours: </strong> </label>
 <input type="text" name="hours" value="<?php echo $Hours; ?>" /><br/><br/>

 <label for="Pay"><strong>Pay: </strong> </label>
 <input type="text" name="pay" value="<?php echo $Pay; ?>" /><br/><br/>

 <label for="Benefits"><strong>Benefits: </strong> </label>
 <textarea cols="60" rows="2" name="benefits" value="<?php echo $Benefits; ?>" ><?php echo $Benefits; ?></textarea><br/><br/>

 <label for="Description"><strong>Description: </strong> </label>
 <textarea cols="60" rows="3" name="description" value="<?php echo $Description; ?>" ><?php echo $Description; ?></textarea><br/><br/>


 <input type="submit" name="submit" value="Submit">
 </div>
 </form> 
 </body>
 </html>
 <?php 
 }




 // connect to the database
 include('connect-db.php');

 // check if the form has been submitted. If it has, start to process the form and save it to the database
 if (isset($_POST['submit']))
 { 
 // get form data, making sure it is valid

 function ms_escape_string($data) {
        if ( !isset($data) or empty($data) ) return '';
        if ( is_numeric($data) ) return $data;

        $non_displayables = array(
            '/%0[0-8bcef]/',            // url encoded 00-08, 11, 12, 14, 15
            '/%1[0-9a-f]/',             // url encoded 16-31
            '/[\x00-\x08]/',            // 00-08
            '/\x0b/',                   // 11
            '/\x0c/',                   // 12
            '/[\x0e-\x1f]/'             // 14-31
        );
        foreach ( $non_displayables as $regex )
            $data = preg_replace( $regex, '', $data );
        $data = str_replace("'", "''", $data );
        return $data;
    }

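    // escape each submitted value individually; passing the whole $_POST array
    // and discarding the return value leaves every field unescaped
     $posted=ms_escape_string($_POST['posted']);
     $ends=ms_escape_string($_POST['ends']);
     $type=ms_escape_string($_POST['type']);
     $position=ms_escape_string($_POST['position']);
     $location=ms_escape_string($_POST['location']);
     $hours=ms_escape_string($_POST['hours']);
     $pay=ms_escape_string($_POST['pay']);
     $benefits=ms_escape_string($_POST['benefits']);
     $description=ms_escape_string($_POST['description']);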

 // check to make sure all fields are entered
 if ($posted == '' || $ends == '' || $type == '' || $position == '' || $location == '' || $hours == '' || $pay == '' || $benefits == '' || $description == '')
 {
 // generate error message
 $error = 'ERROR: Please fill in all required fields!';

 // if any fields are blank, display the form again
 renderForm($posted, $ends, $type, $position, $location, $hours, $pay, $benefits, $description, $error);
 }
 else
 {
 // save the data to the database
    $SQL = "INSERT INTO JobPosting (posted, ends, type, position, location, hours, pay, benefits, description) VALUES ('$posted', '$ends', '$type', '$position', '$location', '$hours', '$pay', '$benefits', '$description')";

     $result = mssql_query($SQL) 
        or die (mssql_get_last_message());  

 // once saved, redirect back to the view page
 header("Location: view.php"); 
 }
 }
 else
 // if the form hasn't been submitted, display the form
 {
 renderForm('','','','','','','','','','');
 }

You will need to escape the column name type in the query, i.e. `type`, since type is a reserved word in MySQL syntax.

How the hell do you escape ` marks anyway?

type is a reserved word in MS SQL. This means that it is used in other MS SQL operations. Similarly, you would run into trouble if you had a column named select or group.

You can escape reserved words by using brackets: []

$SQL = "INSERT INTO JobPosting (posted, ends, [type], position, location, hours, pay, benefits, description) VALUES ('$posted', '$ends', '$type', '$position', '$location', '$hours', '$pay', '$benefits', '$description')"; 
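
An added example, not part of the original answers or the asker's code: the same INSERT with every column name bracket-quoted and the form values sent as bound parameters instead of being interpolated into the SQL string. It assumes PDO with an in-memory SQLite database (which also accepts [name] quoting) so that it runs offline; quoteIdent, insertJob and the sample $form are hypothetical names and constructed data.

```php
<?php
// Added example: bracket-quoted column names plus bound parameters.
// Assumption: in-memory SQLite stands in for SQL Server so the script runs
// offline. For SQL Server only the PDO DSN changes (e.g. the sqlsrv driver).

const COLUMNS = ['posted', 'ends', 'type', 'position', 'location',
                 'hours', 'pay', 'benefits', 'description'];

// Quote an identifier with brackets. Only plain names are accepted, so a
// column name can never carry "]" or other SQL syntax into the statement.
function quoteIdent(string $name): string
{
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
        throw new InvalidArgumentException("bad identifier: $name");
    }
    return "[$name]";
}

// Identifiers come from the fixed COLUMNS list; values travel as bound
// parameters and are never spliced into the SQL text.
function insertJob(PDO $pdo, array $form): void
{
    $cols  = implode(', ', array_map('quoteIdent', COLUMNS));
    $marks = implode(', ', array_map(fn($c) => ":$c", COLUMNS));
    $stmt  = $pdo->prepare("INSERT INTO [JobPosting] ($cols) VALUES ($marks)");
    foreach (COLUMNS as $c) {
        $stmt->bindValue(":$c", (string)($form[$c] ?? ''));
    }
    $stmt->execute();
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE [JobPosting] ('
    . implode(', ', array_map(fn($c) => quoteIdent($c) . ' TEXT', COLUMNS)) . ')');

// Constructed sample input standing in for $_POST; two values contain quotes.
$form = ['posted' => '01/05/2024', 'ends' => '02/05/2024', 'type' => 'Driver',
         'position' => "Driver's helper", 'location' => 'Fargo',
         'hours' => '40', 'pay' => '20', 'benefits' => 'None',
         'description' => "Must lift 50 lbs; it's required"];
insertJob($pdo, $form);

$row = $pdo->query('SELECT [type], [position], [description] FROM [JobPosting]')
           ->fetch(PDO::FETCH_ASSOC);
print_r($row);   // stored values match the submitted strings, quotes included
```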
