
MySQL claims I have a syntax error in my query, but I cannot seem to fix it completely. Any ideas?

The error states: "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '..'','0',''..', '..'','','','','','','')' at line 2"

The line is here:

$savequery = "INSERT INTO search (title, description, url, keywords, type, mod_url, developer, v162, v164, v172)
            VALUES ('$name', '$desc', '$url', '$keywords', '$type', '$link', '$dev', '$v162', '$v164', '$v172')";

Also, here's the "run or die" variable for that query:

$save = $dbsave->query($savequery) or die(mysqli_error($dbsave));

UPDATE:

Because it has been requested, here's my variable sanitation:

$name = mysql_real_escape_string($name);
$desc = mysql_real_escape_string($desc);
$url = mysql_real_escape_string($url);
$keywords = mysql_real_escape_string($keywords);
$type = mysql_real_escape_string($type);
$link = mysql_real_escape_string($link);
$dev = mysql_real_escape_string($dev);
$v162 = mysql_real_escape_string($v162);
$v162 = mysql_real_escape_string($v164);
$v162 = mysql_real_escape_string($v172);
$id = mysqli_real_escape_string($id);
    
Yes, but did you bother sanitizing and encoding the data for storage? –  Ignacio Vazquez-Abrams Dec 21 '13 at 0:37
1  
One of your variables contains an apostrophe. Read up on parametrized queries. –  Niels Keurentjes Dec 21 '13 at 0:37
    
Please post the value of $savequery. It looks like you haven't escaped the values properly. –  Barmar Dec 21 '13 at 0:38
    
@IgnacioVazquez-Abrams Yep, all of my variables are sanitized above the query. –  swiftsly Dec 21 '13 at 0:39
1  
You should use $mysqli->real_escape_string($varHere); on every one of those variables. I would use a loop. –  PHPglue Dec 21 '13 at 0:41

1 Answer

up vote 2 down vote accepted

You should use $mysqli->real_escape_string($varHere); on every one of those variables. I would use a loop:

$vars = array($name, $desc, $url, $keywords, $type, $link, $dev, $v162, $v164, $v172);
$qA = array(); // escaped copies, in the same order as the columns
foreach($vars as $v){
  $qA[] = $mysqli->real_escape_string($v); // Object Oriented Style
}
$savequery = "INSERT INTO search (title, description, url, keywords, type, mod_url, developer, v162, v164, v172) VALUES ('$qA[0]', '$qA[1]', '$qA[2]', '$qA[3]', '$qA[4]', '$qA[5]', '$qA[6]', '$qA[7]', '$qA[8]', '$qA[9]')";

If you don't like those Array variables then you can use list().

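The parameterized-query approach mentioned in the comments, as an added example that is not part of the original question or answer: the same INSERT sent as a mysqli prepared statement, so the values never become part of the SQL text. The function name `save_search_row`, the connection credentials and the sample row are hypothetical; `$dbsave` is assumed to be a mysqli connection, as in the question.

```php
<?php
// Added example: parameterized INSERT for the `search` table from the question.
// Connection details and the sample row below are constructed placeholders.

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of "or die"

// Column order taken from the question's INSERT statement.
const SEARCH_COLUMNS = ['title', 'description', 'url', 'keywords', 'type',
                        'mod_url', 'developer', 'v162', 'v164', 'v172'];

function save_search_row(mysqli $db, array $row): int
{
    $values = [];
    foreach (SEARCH_COLUMNS as $col) {
        if (!array_key_exists($col, $row)) {
            throw new InvalidArgumentException("missing value for column: $col");
        }
        $values[] = (string) $row[$col];
    }

    // One "?" per column; the SQL text is built only from the fixed column list.
    $sql = sprintf(
        'INSERT INTO search (%s) VALUES (%s)',
        implode(', ', SEARCH_COLUMNS),
        implode(', ', array_fill(0, count(SEARCH_COLUMNS), '?'))
    );

    $stmt = $db->prepare($sql);
    // "s" binds each value as a string; values are sent separately from the statement.
    $stmt->bind_param(str_repeat('s', count($values)), ...$values);
    $stmt->execute();
    $id = (int) $stmt->insert_id;
    $stmt->close();
    return $id;
}

// Constructed sample input; the apostrophes would break a hand-quoted query.
$row = [
    'title' => "Rob's Mod", 'description' => "Adds a miner's helmet",
    'url' => 'https://example.com/mod', 'keywords' => 'helmet, light',
    'type' => 'mod', 'mod_url' => 'https://example.com/dl', 'developer' => "O'Neil",
    'v162' => '0', 'v164' => '1', 'v172' => '1',
];

$dbsave = new mysqli('localhost', 'app_user', 'app_password', 'app_db'); // placeholders
$dbsave->set_charset('utf8mb4');
echo save_search_row($dbsave, $row), "\n";
```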
