insert values in database

Question

shivya_1 0 Newbie Poster

7 Years Ago

I am new here...

I am facing a problem in inserting data into database through php.
"Connection is established properly."
Error is:-error in your sql syntax, correct your query.

$firstName = $_POST['firstName'];
$lastname = $_POST['lastname'];
$contact =$_POST['contact'];
$sex = $_POST['gender'];
$dob = $_POST['dob'];
$email = $_POST['email'];
$country = $_POST['country'];
$expr = $_POST['expr'];
$education = $_POST['education'];

$sql = "insert into Login(Firstname, Lastname, Contact, Sex, DOB, E-mail, Country, Experience, Education) values($firstName, $lastname, $contact, $sex, $dob, $email, $country, $expr, $education)";

$result = $conn->query($sql);

if ($result == true)
{
    echo "Registered.";
}
else
{
     echo "Error: " . $sql . "<br>" . $conn->error;
}

this is my code

php

7 Contributors
10 Replies
404 Views
2 Weeks Discussion Span
Latest Post 7 Years Ago Latest Post by inthewind

Reverend Jim 4,968 Hi, I'm Jim, one of DaniWeb's moderators.

7 Years Ago

I suspect the problem is with the field named E-mail. Either put delimeters around it like [E-mail] or, better yet, rename the field to email.

AndrisP 193 Posting Pro in Training

7 Years Ago

First step - check your input parameters, e.g. in line 10 put: print_r($_POST); exit();
Second step - allways use backticks for all parameter names - it will protect you from conflicts to MySQL reserved names and others (read @diafol comment)
Third step - I strongly recommend use PHP function filter_input() or filter_input_array() - it will help you to avoid from incorrect user input
Fourth step - I strongly recommend use prepared statement, then bind variables and then execute statement - it will protect you from MySQL injection

AndrisP 193 Posting Pro in Training

7 Years Ago

... and paste here SQL error message

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

shivya_1 0 Newbie Poster · Answer 1 · 2017-05-02T08:21:57+00:00

shivya_1 0 Newbie Poster

7 Years Ago

Thanx

kayla_95 · Answer 2 · 2017-05-02T09:04:31+00:00

you have this $sex = $_POST['gender'];
but in ur $sql is

insert into Login(Firstname, Lastname, Contact, **Sex**, DOB, E-mail, Country, Experience, Education)

isn't it supposed to be gender?

diafol · Answer 3 · 2017-05-02T09:46:49+00:00

isn't it supposed to be gender?

That info has not been shared. The "sex/gender" field could be called anything in the DB. The query suggests sex.

BTW - a more serious issue is that of SQL injection. POST variables have not been sanitized and you are not using a prepared statement.

It's good practice to backtick your fieldnames. In addition, if you are going to place variables directly into your sql, then you need to use quotes around non-numerical field values:

$sql = "INSERT INTO Login(`Firstname`, `Lastname`, `Contact`, `Sex`, `DOB`, `E-mail`, `Country`, `Experience`, `Education`) VALUES ('$firstName', '$lastname', '$contact', '$sex', '$dob', '$email', '$country', '$expr', '$education')";

Always an idea to echo this if you are getting errors:

echo $sql;

If it still looks ok, copy and paste it and run it in phpMyAdmin and see what you get

vsmash 14 Dinosaur · Answer 4 · 2017-05-02T20:19:18+00:00

all the above good advice,
also helpful if you paste the $sql value from the error here

shivya_1 0 Newbie Poster · Answer 5 · 2017-05-13T12:36:43+00:00

I have changed my fieldname E-mail to email. and followed all the steps one by one but my problem is not resolved.

score 1 · Answer 6 · 2017-05-13T21:55:08+00:00

This may be the same thing as 1Third Step from above (I'm not a PHP user) but if any of your fields contain special characters it could screw up the SQL syntax. For example, if the name you are inserting is something like O'Brian then the embedded apostrophe would be the culprit. That's why you should be using parameterized queries.

inthewind · Answer 7 · 2017-05-18T21:48:30+00:00

All good advice above.

As others said, I think you need to make sure the input is cleaned and look to make sure there is a valid response in the field. This will help check it is not somebody's attempt at doing an SQL injection attack as well.

if (!(isset($firstname))) {
  print 'error - nothing entered';
  exit();
}

$value = escape_data($_POST['field_name']);

If you want to ensure the code is pulling the value from the form, I would echo it as soon as it is submitted.

$value = escape_data($_POST['field_name']);
echo "value " . $value;

OR even

echo $_POST['field_name'];

I would strongly suggest that you never use a hyphen in a value or field name because this is what the compiler sees... A-B (a mathematic expression). Try A_B instead it's safer.

What I do is establish a pattern in naming and use it consistently to avoid confusion. E.G.

$FirstName = $_POST['FirstName'];
// not //
$Firstname = $_POST['firstName'];

It's too easy to forget the names of var's even when you have a pattern.

Then as suggested, echo the SQL statement to show you what is being selected. Copy and paste that into your SQL query box on the MySQL server and see what the DB error is directly.