SQL Syntax error in Insert and Select nested Query

Question

I have this query:

$FullName = mysql_real_escape_string($_REQUEST['name']);
$EmailAdd = mysql_real_escape_string($_REQUEST['email_address']);
$City = mysql_real_escape_string($_REQUEST['city']);
$State = mysql_real_escape_string($_REQUEST['state']);

$SqlEInsert= "INSERT INTO `td_email` VALUES ((SELECT ownerid FROM 'td_events' where event_id = '$EvID'),'$EmailAdd','$FullName', '$City'  ,'$State')";

$RsEmail = mysql_query($SqlEInsert) or die('Error :' . mysql_error());

but I'm getting the following error when I run the application

Error :You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''td_events' where event_id = '394'),'[email protected]','Full Name', 'Atl' at line 1

Why not select the values first, then insert them? You're trying too much with that query. — Brendan Lesniak
– Brendan Lesniak, Commented Jul 1, 2012 at 16:04
Please use MySQLi or PDO; The MySQL extension is deprecated and should no longer be used. — Bojangles
– Bojangles, Commented Jul 1, 2012 at 16:08

René Höhle · Accepted Answer · 2012-07-01 16:09:00Z

1

You don't need ' for the table name when you want to use quotes then you have to use `

$SqlEInsert= "INSERT INTO td_email VALUES ((SELECT ownerid FROM td_events WHERE event_id = '$EvID'),'$EmailAdd','$FullName', '$City'  ,'$State')";

And please take a look at SQL Injections and Security

$SqlEInsert= "INSERT INTO td_email VALUES ((SELECT ownerid FROM td_events WHERE event_id = '".(int)$EvID."'),'".mysql_real_escape_string($EmailAdd)."','".mysql_real_escape_string($FullName)."', '".mysql_real_escape_string($City)."'  ,'".mysql_real_escape_string($State)."')";

answered Jul 1, 2012 at 16:09

René Höhle

27.4k22 gold badges78 silver badges91 bronze badges

Sign up to request clarification or add additional context in comments.

Comments

Nikolay Dutchuk · Accepted Answer · 2012-07-01 16:08:20Z

1

The td_event is a field name rather than a value. Escape it with an apostrophe.

$SqlEInsert= "INSERT INTO `td_email` VALUES ((SELECT ownerid FROM `td_events` where event_id = '$EvID'),'$EmailAdd','$FullName', '$City'  ,'$State')";

answered Jul 1, 2012 at 16:08

Nikolay Dutchuk

7132 gold badges6 silver badges12 bronze badges

Comments

Micah Carrick · Accepted Answer · 2012-07-01 16:05:29Z

0

Make sure your values are escaped. You can run them through: mysql_real_escape_string() to do so.

answered Jul 1, 2012 at 16:05

Micah Carrick

10.3k3 gold badges34 silver badges43 bronze badges

Collectives™ on Stack Overflow

SQL Syntax error in Insert and Select nested Query

3 Answers 3

Comments

Comments

Comments

Your Answer

Hot Network Questions

Collectives™ on Stack Overflow

3 Answers 3

Comments

Comments

Comments

Your Answer

Sign up or log in

Post as a guest

Related