Mysqli Syntax Error keeps coming up

Question

CreatorZeus 0 Light Poster

8 Years Ago

My Error info isnt being clear enough for me to understand the problemIs there anything worng here so i can continue on lookng for the probelm:

$sql = "INSERT INTO boards (
    title, genre, creator, tagline, intro, remessage, visability, recruitment, reqsheet, reqdice, reqgroup, ppweek)
    VALUES (
    $title, $genre, $creator, ". $tagline . ", $scene, $message, $vis, $rcrt, $sheet, $dice, $group, $ppw)";

    if ($conn->query($sql) === TRUE) 
    {
        echo "New record created successfully";
    } 
    else 
    {
        echo "<br>Error: " . $sql . "<br>" . $conn->error;
    }

mysql php sql

3 Contributors
4 Replies
414 Views
1 Hour Discussion Span
Latest Post 8 Years Ago Latest Post by diafol

diafol

8 Years Ago

Enclose fieldnames in backticks and non-numerical values (some of your variables) in single quotes.

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

cereal 1,524 Nearly a Senior Poster Featured Poster · Answer 1 · 2016-08-17T09:14:46+00:00

// ops! I just saw your reply Diafol! :D

Hi,

can you share the error with us? Also: are you using MySQLi or PDO? The former returns boolean TRUE for successful inserts, the latter instead will return an object and your IF statement would fail because you're using the identical comparison operator === rather than the equal comparison operator ==.

See:

CreatorZeus 0 Light Poster · Answer 2 · 2016-08-17T09:27:23+00:00

IT WORKED!
@diafol if you dont mind, can you tell me why i needed those? for future reference.

diafol · Answer 3 · 2016-08-17T10:53:54+00:00

OK. Sometimes fieldnames or tablenames for that matter share their names with reserved words:

https://dev.mysql.com/doc/refman/5.7/en/keywords.html

In this case, it could be ambiguous to the query parser, so we enclose fieldnames and tablenames in backticks.

Also, text-based fields, could break the query if they contained certain types of punctuation, especially commas. For this reason, all non-numericals are required to be enclosed with quotes.

It is vitally important that when you are using a bog-standard mysqli_query that all your variables are santized, or it could lead to SQL injection - very serious.

Consider using prepared statements, where this issue will not occur. I created a tutorial of various issues withregard to mysql here:

https://www.daniweb.com/programming/web-development/tutorials/499320/common-issues-with-mysql-and-php

I should state, that most examples use PDO, but mysqli has equivalents.