MySQL Syntax error. Can't solve it

Question

I wanna insert 0 to some db table\'s fields but can\'t get it work. The piece of code from my signup php script looks like that.

...

if (isset($type))
{         


        

Answer 1

group is a reserved word. rename your field or put it within backticks (`)

Answer 2

4 things,

1. escape your values: mysql_real_escape_string
2. properly add php vars to a string: sprintf or for array notation use curly braces "{$data['var']}"
3. backtick around group (or every field name to be certain)
4. Don't enclose NULL or NOW() in ticks, quotes etc.. (you are actually OK on this, just wanted to make sure you kept it)

<?php

$sql= sprintf("INSERT INTO `users`
    (`level`,`fname`, `mname`, `lname`, `dob`, `age`, `reg_date`, `phone`, `email`, `login`, `pwd`, `type`, `group`, `region`, `school`, `class`, `ip`, `subject`, `ban`, `university`, `profession`) 
    VALUES
    ('1','%s','%s','%s','%s','%s',now(),'%s','%s','%s','%s','%s','%s','%s','%s','%s','%s', NULL,'%s','%s')",
    mysql_real_escape_string($data['fname']), 
    mysql_real_escape_string($data['mname']), 
    mysql_real_escape_string($data['lname']), 
    mysql_real_escape_string($dob), 
    mysql_real_escape_string($age),
    mysql_real_escape_string($data['phone']), 
    mysql_real_escape_string($email), 
    mysql_real_escape_string($login), 
    mysql_real_escape_string($pwd), 
    mysql_real_escape_string($data['type']), 
    mysql_real_escape_string($data['region']), 
    mysql_real_escape_string($data['school']), 
    mysql_real_escape_string($data['class']),  
    mysql_real_escape_string($ip), 
    mysql_real_escape_string($subject),
    mysql_real_escape_string($university), 
    mysql_real_escape_string($profession));

Answer 3

Given your edit, you've mis-quoted the word group. YOu can't use single quotes to turn a reserved word into an "acceptable" word, it has to be backticks:

INSERT ....., `group`, ... VALUES ....
              ^-----^--- note the backticks

Single quotes turn anything into a string, but you can't use a string for a field name.

In the future, if you'r getting an SQL syntax error, show us the actual query that's causing the error. Generally the PHP that's building the query is not necessary - we want to see what MySQL is complaining about. Only after we figure out what the actual problem is can we tell you how to change your code to fix the problem.

Answer 4

You miss ' quote after $age. Also you should use {$data['lname']} instead of $data[lname] in quotes.

Answer 5

Group is a keyword, it needs to be wrapped around quotes. Also, it doesn't really look like you're doing any sanitisation, if not, you should.