
I have this query to insert into tbl_userprofile:

```php
$SQL = "INSERT INTO tbl_userprofile (userId, name, surname, gender, nationality, address, mobile, department, email, question, answer)
SELECT tbl_user.Id, '$name', '$surname', '$gender', '$nationality', '$address', '$mobile', '$department', '$email', '$question', '$answer'
FROM tbl_user
WHERE username = '$uname'";
```

I'm getting a syntax error saying: "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'pet-peeve', 'dirt' FROM tbl_user WHERE username = 'alex'' at line 2"

NOTE: pet-peeve and dirt are the question and answer. I don't know how I'm getting a syntax error. Please, where is my syntax error? Thanks

dhani
  • Try to code your insert statement with explicit values to have a test and run it from a mysql query client. – gpicchiarelli May 18 '13 at 15:34
  • I can't see any error in your syntax except that the statement is vulnerable to SQL injection. Can you please echo your query before executing it on the database? – John Woo May 18 '13 at 15:35
  • There might be some plain text in those last two fields, so maybe there are quotes around; better to use [addslashes()](http://php.net/manual/en/function.addslashes.php) on your `$question` and `$answer` variables – Fabio May 18 '13 at 15:42
  • I believe the problem would lie with the $email field seeing as $question and $answer both look ok, but yes, other than that, everything here. – Paul Stanley May 18 '13 at 15:55
  • @Fabio that's right. It worked after using addslashes() on the variables. Thanks – dhani May 18 '13 at 16:03
  • @dhani You're welcome, I just added an answer so people in the future could know what is the correct fix and be helped, don't forget to accept and upvote it! – Fabio May 18 '13 at 16:09

1 Answer


There might be some plain text in those last two fields, so maybe there are quotes around; better to use addslashes() on your $question and $answer variables

```php
'$email', '".addslashes($question)."', '".addslashes($answer)."' FROM tbl_user
```
Fabio
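
A parameterized version of the question's INSERT ... SELECT, added here as an example and not part of the original answer or the asker's code: binding the values handles quote characters in any field and also closes the SQL injection exposure noted in the comments. It assumes PDO with an in-memory SQLite database so that it runs offline; the schema and sample values are constructed.

```php
<?php
// Added example: parameterized form of the INSERT ... SELECT from the question.
// Assumption: an in-memory SQLite database stands in for MySQL so the script runs
// offline; against MySQL only the DSN passed to PDO changes.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Minimal constructed schema using the table and column names from the question.
$pdo->exec("CREATE TABLE tbl_user (Id INTEGER PRIMARY KEY, username TEXT)");
$pdo->exec("CREATE TABLE tbl_userprofile (userId INTEGER, name TEXT, surname TEXT,
    gender TEXT, nationality TEXT, address TEXT, mobile TEXT, department TEXT,
    email TEXT, question TEXT, answer TEXT)");
$pdo->exec("INSERT INTO tbl_user (username) VALUES ('alex')");

// Constructed input containing apostrophes, the kind of value the comments
// point to as the cause of the syntax error in the interpolated query.
$profile = [
    ':name' => 'Alex', ':surname' => "O'Neil", ':gender' => 'M',
    ':nationality' => 'Irish', ':address' => '1 Main St', ':mobile' => '555-0100',
    ':department' => 'IT', ':email' => 'alex@example.com',
    ':question' => "What's your pet-peeve", ':answer' => "dirt's everywhere",
    ':uname' => 'alex',
];

// Placeholders keep the data out of the SQL text, so no manual escaping is needed.
$stmt = $pdo->prepare(
    "INSERT INTO tbl_userprofile (userId, name, surname, gender, nationality, address,
         mobile, department, email, question, answer)
     SELECT tbl_user.Id, :name, :surname, :gender, :nationality, :address,
         :mobile, :department, :email, :question, :answer
     FROM tbl_user
     WHERE username = :uname"
);
$stmt->execute($profile);

// Read the row back: the bound values are stored unchanged, apostrophes included.
$row = $pdo->query("SELECT userId, surname, question, answer FROM tbl_userprofile")
           ->fetch(PDO::FETCH_ASSOC);
var_dump($row);
```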