SQL syntax error, I just can't see it

Tags: sql, php, mysql

Here is my code:

<?php
$con = mysql_connect("localhost","solidarity","password");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }

mysql_select_db("database", $con);

$sql="INSERT INTO show_reviews (username, date, content, show) VALUES (".addslashes($_POST['username']).",".addslashes($_POST['date']).",".addslashes($_POST['content']).",".addslashes($_POST['show']).")";

if (!mysql_query($sql,$con))
  {
  die('Error: ' . mysql_error());
  }
echo "1 record added";

mysql_close($con);
?>

So I have used fsprint and now I have just used the w3schools code and this is my output with both pieces of code:

Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'show) VALUES (Solidarity, 17:02 - Wed, 1st Aug 2012,Testing,kr1971)' at line 1

I use a very similar syntax for a commenting system and do not have this problem. If it helps also, I have tried on a local sql server and remote also, still no luck.

Please help me :(.

Solidarity asked Dec 01 '22 21:12


1 Answer

Put the values inside of single quotes:

$sql=" INSERT INTO show_reviews (username, date, content, show) 
       VALUES ('".addslashes($_POST['username'])."','".addslashes($_POST['date'])."','".addslashes($_POST['content'])."','".addslashes($_POST['show'])."')";

Additionally, as others have said, show is a reserved keyword in MySQL. You can see the full list of reserved keywords for MySQL 5.5 at http://dev.mysql.com/doc/refman/5.5/en/reserved-words.html

You can quote reserved words using the backtick in order to be able to use them:

INSERT INTO show_reviews (username, date, content, `show`)

Quoting Identifiers: http://dev.mysql.com/doc/refman/5.5/en/identifiers.html

And finally, to summarize the comments about using addslashes() for escaping. I will let Chris Shiflett explain why it is bad: http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string

You really should be jumping aboard the prepared statements/parameterized queries bandwagon with PDO or, at minimum, MySQLi. Here is an example of how your query could look:

// Placeholder DSN and credentials (taken from the question); substitute your own.
$dbh = new PDO('mysql:host=localhost;dbname=database', 'solidarity', 'password');
// Throw on errors instead of silently returning false.
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// `show` is a reserved word, so the identifier is backtick-quoted.
$sql = "INSERT INTO show_reviews (username, date, content, `show`) VALUES (?, ?, ?, ?)"; 
$stmt = $dbh->prepare($sql);
$stmt->execute(array($_POST['username'],
                     $_POST['date'],
                     $_POST['content'],
                     $_POST['show']
));
// An INSERT returns no rows to fetch; rowCount() reports how many were inserted.
echo $stmt->rowCount() . " record added";

This is purely an example; it is still a good idea to do your sanitizing of $_POST variables and do your best to ensure the data you received is exactly what you were trying to get. These prepared statements take care of escaping for you properly and, if using PDO, in the proper way for your specific database engine.

Jeremy Harris answered Dec 21 '22 14:12
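As an added example (not code from the question or from the answer above), here is the same insert done the way the answer recommends: a PDO prepared statement with the reserved identifier backtick-quoted, plus up-front validation of the posted fields. It uses an in-memory SQLite database so it runs without a MySQL server; the table and column names come from the question, while the sample input and the validation rules are constructed for illustration.

```php
<?php
// Added example, not from the question or answer. Uses in-memory SQLite so it
// runs without a server; for MySQL the DSN would be something like
// 'mysql:host=localhost;dbname=database;charset=utf8mb4' (placeholder values).

function connect(): PDO {
    $dbh = new PDO('sqlite::memory:');
    // Throw on errors instead of silently returning false.
    $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // `show` is a reserved word in MySQL, so the identifier is backtick-quoted.
    $dbh->exec('CREATE TABLE show_reviews (username TEXT, date TEXT, content TEXT, `show` TEXT)');
    return $dbh;
}

function validate_review(array $post): array {
    // Binding prevents injection but does not validate content: check that the
    // expected fields are present and that username matches a strict pattern.
    foreach (['username', 'date', 'content', 'show'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field]) || $post[$field] === '') {
            throw new InvalidArgumentException("missing or empty field: $field");
        }
    }
    if (!preg_match('/^[A-Za-z0-9_]{1,32}$/', $post['username'])) {
        throw new InvalidArgumentException('username may only contain [A-Za-z0-9_]');
    }
    return $post;
}

function add_review(PDO $dbh, array $post): int {
    $r = validate_review($post);
    // Placeholders carry the values out of band: no quoting or addslashes()
    // is needed, and quotes inside the data cannot alter the statement.
    $stmt = $dbh->prepare(
        'INSERT INTO show_reviews (username, date, content, `show`) VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([$r['username'], $r['date'], $r['content'], $r['show']]);
    return $stmt->rowCount();
}

// Constructed sample shaped like the form post in the question; the apostrophe
// in content is exactly the kind of input that breaks a concatenated query.
$sample = [
    'username' => 'Solidarity',
    'date'     => '17:02 - Wed, 1st Aug 2012',
    'content'  => "Testing, it's fine",
    'show'     => 'kr1971',
];
$dbh = connect();
echo add_review($dbh, $sample), " record added\n";
```

With the mysql: DSN in place of sqlite::memory: and the CREATE TABLE removed, the same functions work unchanged against the MySQL table from the question.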