i have the following code:
<!--ajouter une carte -->
<?php
if($_POST["submit_dd"]){
mysql_query("INSERT INTO data SET desc='".$_POST["carte_nom"]."' ") or die(mysql_error());
}
?>
<b>Ajouter une carte:</b><br>
<form method="post">
<table>
<tr><td>nom</td><td><textarea name="carte_nom"/></textarea></td></tr>
<tr><td></td><td><input type="submit" name="s开发者_StackOverflowubmit_dd" value="Ajouter"/></td></tr>
</table>
</form>
i get an error from this very simple query:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'desc='dsfgsdfds'' at line 1
the database is very simple: id(primary, auto increment), desc(text)
regards
I might be wrong, but you are probably getting an error because desc
is a sql keyword. try wrapping it in back ticks `desc`
desc
is a reserve keyword. Use "desc"
instead
mysql_query("INSERT INTO data (desc) VALUES('".$_POST["carte_nom"].")' ")
Check the list of reserved keywords. "DESC" is one of them.
The following is valid in MySQL:
INSERT INTO data SET `desc` = 'post data';
You should rethink your script though. Having fields named the same as reserved keywords is a bad sign. As is the lack of sanitation before using the $_POST data.
Here's why desc
is an ugly fieldname:
SELECT id, desc
FROM data
ORDER BY id desc; #this is valid sql, but likely isn't going to do what you expect
Which look very much like
SELECT id, desc
FROM data
ORDER BY id, desc; #not valid sql
And the obligatory injection reading: How does the SQL injection from the "Bobby Tables" XKCD comic work?
精彩评论