awohld has asked for the wisdom of the Perl Monks concerning the following question:

I'm inserting info into a DB:
#!/usr/bin/perl -wT
use strict;
use CGI;
use DBI;
use CGI::Carp qw(fatalsToBrowser);

my $upload_dir = "/home/mine/upload";

my $query    = new CGI;
my $filename = $query->param("filename");
my $to       = $query->param("to");
my $from     = $query->param("from");
my $expire   = $query->param("expire");
my $comments = $query->param("comments");
my $uldate   = time;
my $expdate;

if ($expire eq 1) {$expdate = $uldate + 86400;}
if ($expire eq 2) {$expdate = $uldate + 172800;}
if ($expire eq 3) {$expdate = $uldate + 259200;}
if ($expire !~ m/^(1|2|3)$/) {
    print "Content-type: text/html\n\nDon't tamper with me!";
    die;
}

# strip any client-supplied directory part, keep only the basename
$filename =~ s/.*[\/\\](.*)/$1/;

##Start database connections ##############################
my $database  = "live_databox";
my $db_server = "localhost";
my $user      = "user";
my $password  = "pass";

##Connect to database, insert statement, & disconnect #####
my $sth;
my $dbh = DBI->connect("DBI:mysql:$database:$db_server", $user, $password);
my $statement = "INSERT INTO databox (filename,to,from,comments,uldate,expdate) VALUES (?,?,?,?,?,?)";
$sth = $dbh->prepare($statement) or die "Couldn't prepare the query: $sth->errstr";
my $rv = $sth->execute($filename,$to,$from,$comments,$uldate,$expdate) or die "Couldn't execute query: $dbh->errstr";
$sth->finish;
$dbh->disconnect;
#########################################################

my $upload_filehandle = $query->upload("filename");
open UPLOADFILE, ">$upload_dir/$filename" or die "Can't write $upload_dir/$filename: $!";
binmode UPLOADFILE;
while ( <$upload_filehandle> ) {
    print UPLOADFILE;
}
close UPLOADFILE;


I'm getting an error telling me:

 "Couldn't execute query: You have an error in your SQL syntax.  Check the manual that corresponds to your MySQL server version for the right syntax to use near 'to,from,comments,uldate,expdate) VALUES ('image.jpg','Bob','Judy','t','1 at upload.pl line 60.

Is there something wrong with the way I'm using place holders? I have other scripts almost identical to this and they run fine.

UPDATE: I figured it out, to and from are SQL keywords! This caused the SQL statement to be completely wrong and error out. Changed 'to' to 'data_to' and 'from' to 'data_from'. Now this script works!!!

Re: What is wrong with this DB insert, place holder problem?
by CountZero (Bishop) on May 14, 2005 at 08:23 UTC
    But you can use reserved words, you only have to quote them: http://dev.mysql.com/doc/mysql/en/legal-names.html:
    An identifier may be quoted or unquoted. If an identifier is a reserved word or contains special characters, you must quote it whenever you refer to it.

    (...)

    The identifier quote character is the backtick ('`'):

    mysql> SELECT * FROM `select` WHERE `select`.id > 100;

    If the server SQL mode includes the ANSI_QUOTES mode option, it is also allowable to quote identifiers with double quotes:

    mysql> CREATE TABLE "test" (col INT);
    ERROR 1064: You have an error in your SQL syntax. (...)
    mysql> SET sql_mode='ANSI_QUOTES';
    mysql> CREATE TABLE "test" (col INT);
    Query OK, 0 rows affected (0.00 sec)

    CountZero

    "If you have four groups working on a compiler, you'll get a 4-pass compiler." - Conway's Law

Re: What is wrong with this DB insert, place holder problem?
by Animator (Hermit) on May 14, 2005 at 10:41 UTC

    Also note that your error handling is incorrect.

    Your code:

    $sth = $dbh->prepare($statement) or die "Couldn't prepare the query: $sth->errstr";
    my $rv = $sth->execute($filename,$to,$from,$comments,$uldate,$expdate) or die "Couldn't execute query: $dbh->errstr";

    What will happen when $dbh->prepare fails? Then $sth will be undefined, and then you go on to the 'or', which calls $sth->errstr. Do you really think this makes sense? :)

    It would be better to replace $sth->errstr with $dbh->errstr in your first statement, and in your second $sth->errstr would be better...

    Update: also why don't you put $expdate = $uldate + 86400 * $expire (after the $expire !~ m/...?) instead of those three if-statements

      How about this:
      $sth = $dbh->prepare($statement) or die "Couldn't prepare the query: ".$DBI::errstr;
      my $rv = $sth->execute($filename,$to,$from,$comments,$uldate,$expdate) or die "Couldn't execute query: ".$DBI::errstr;
      Is using $DBI::errstr just as good?
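As an added example (not code from the original poster or any reply in this thread), here is CountZero's identifier quoting and Animator's two points, the error handling and the single-multiplication expiry, together in one DBI script. It keeps the thread's table and column names, including the reserved words "to" and "from", but uses DBI's quote_identifier instead of hand-typed backticks, and lets RaiseError carry the driver's error message instead of the "or die ... $sth->errstr" chain. It assumes DBD::SQLite is installed so it runs against an in-memory database with no MySQL server; against "DBI:mysql:..." quote_identifier emits backticks rather than double quotes and nothing else changes. The row values are constructed sample data.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Assumption: DBD::SQLite is available; swap the DSN for DBI:mysql:... in
# production and quote_identifier will produce backticks instead.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 });

# Same column names as the thread, reserved words included.
my @columns = qw(filename to from comments uldate expdate);

# quote_identifier wraps each name in the driver's identifier quote
# character, which is what makes "to" and "from" legal column names.
my $cols = join ",", map { $dbh->quote_identifier($_) } @columns;

$dbh->do("CREATE TABLE databox ($cols)");

# Placeholders for the values; one "?" per column.
my $sql = sprintf "INSERT INTO databox (%s) VALUES (%s)",
    $cols, join ",", ("?") x @columns;

# Validate the client-supplied expiry first, then one multiplication
# replaces the three if-statements from the original script.
sub expiry_seconds {
    my ($expire) = @_;
    die "expire must be 1, 2 or 3\n" unless defined $expire && $expire =~ /^[123]$/;
    return $expire * 86400;
}

my $uldate  = time;
my $expdate = $uldate + expiry_seconds(2);

# With RaiseError on, prepare and execute die with the driver's own
# message, so there is no chance of calling errstr on an undefined $sth.
# eval {} turns that exception into a handled error.
my $rows = eval {
    my $sth = $dbh->prepare($sql);
    $sth->execute("image.jpg", "Bob", "Judy", "test upload", $uldate, $expdate);
};
die "Insert failed: $@" if $@;
print "Inserted $rows row(s)\n";

# Read the row back through the same quoted identifiers.
my $row = $dbh->selectrow_hashref(
    "SELECT $cols FROM databox WHERE " . $dbh->quote_identifier("to") . " = ?",
    undef, "Bob");
printf "%s -> %s, expires %d seconds after upload\n",
    $row->{from}, $row->{to}, $row->{expdate} - $row->{uldate};

$dbh->disconnect;
```

quote_identifier is the portable way to do what CountZero's backtick example does by hand: the same script runs unchanged under MySQL (backticks) or a driver that uses ANSI double quotes, and the column list is built from one array, so the CREATE, INSERT and SELECT cannot drift apart.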
Re: What is wrong with this DB insert, place holder problem?
by bradcathey (Prior) on May 14, 2005 at 13:12 UTC

    I feel your pain. As I was learning SQL 50% of my errors were due to reserved words. I now have Treatment of Reserved Words in MySQL bookmarked.


    —Brad
    "The important work of moving the world forward does not wait to be done by perfect men." George Eliot