SQL Help

I am hopeless when it comes to databases, especially when I can’t get feedback in the form of errors.

[lua]
function StoreData(object, ply, value)
local r = sql.Query(“SELECT “…object…” FROM Players WHERE steam = '” … sql.SQLStr(ply:SteamID()) … “’;”)
if r then
sql.Query(“UPDATE Players SET “…object…” = " … sql.SQLStr(value) … " WHERE steam = '” … sql.SQLStr(ply:SteamID()) … “’;”)
ply:ChatPrint(sql.Query(“SELECT “…object…” FROM Players WHERE steam = '” … sql.SQLStr(ply:SteamID()) … “’;”))
else
sql.Query(“INSERT INTO Players(‘steamid’, '”…object…"’) VALUES(’"…sql.SQLStr(ply:SteamID())…"’, ‘"…sql.SQLStr(value)…"’);")
ply:ChatPrint(sql.Query(“SELECT “…object…” FROM Players WHERE steam = '” … sql.SQLStr(ply:SteamID()) … “’;”))
end
end
[/lua]

I have this, so I can modularly save data. The only thing is, it doesn’t save. I added the ChatPrint stuff to see if it was even saving the data, and it says
[ERROR] gamemodes/testing/gamemode/saves.lua:76: attempt to concatenate a nil value

I call it as [lua]StoreData(“kills”, attacker, attacker:Frags())[/lua]

What am I doing wrong? Also, that code is probably really inefficient, so how would I make it better?

[lua]
function StoreData(object, ply, value)
local r = sql.Query(“SELECT "..object.." FROM Players WHERE steam = '” … ply:SteamID() … “’;”)
if r then
sql.Query(“UPDATE Players SET "..object.." = " … sql.SQLStr(value) … " WHERE steam = '” … ply:SteamID() … “’;”)
else
sql.Query(“INSERT INTO Players(steamid, “…object…”) VALUES(’”…ply:SteamID()…"’, ‘"…sql.SQLStr(value)…"’);")
end
end
[/lua]

steamids are already sql safe

[editline]29th September 2013[/editline]

also it might help to look into this but its more or less optional

http://dev.mysql.com/doc/refman/5.0/en/insert-on-duplicate.html

Are they supposed to be the little ` gravemarks, or the ’ single quotes?

Tables and columns use ` and values use ’

Escape everything, including SteamIDs. There was a time when SteamIDs could be spoofed, and there’s an age-old saying in the computer science world to never trust user-input/data. Because, if something does happen where spoofed SteamIDs happen again, and that segment of your DB is not-protected, and vulnerable to injection exploits, goodbye database! Escape it!

You really don’t need the `'s for tables / columns. I do use " or 's for data though.

Definitely this.

You should, for example in a case where the name of your column conflicts with an SQL keyword.

As long you use table/column prefixes you should be fine.