0

I am new here...

I am facing a problem in inserting data into database through php.
"Connection is established properly."
Error is:-error in your sql syntax, correct your query.

$firstName = $_POST['firstName'];
$lastname = $_POST['lastname'];
$contact =$_POST['contact'];
$sex = $_POST['gender'];
$dob = $_POST['dob'];
$email = $_POST['email'];
$country = $_POST['country'];
$expr = $_POST['expr'];
$education = $_POST['education'];

$sql = "insert into Login(Firstname, Lastname, Contact, Sex, DOB, E-mail, Country, Experience, Education) values($firstName, $lastname, $contact, $sex, $dob, $email, $country, $expr, $education)";

$result = $conn->query($sql);

if ($result == true)
{
    echo "Registered.";
}
else
{
     echo "Error: " . $sql . "<br>" . $conn->error;
}

this is my code

1

I suspect the problem is with the field named E-mail. Either put delimiters around it like [E-mail] or, better yet, rename the field to email.

0

You have this: $sex = $_POST['gender'];
but in your $sql it is

insert into Login(Firstname, Lastname, Contact, **Sex**, DOB, E-mail, Country, Experience, Education)

isn't it supposed to be gender?

Edited by kayla_95

0

isn't it supposed to be gender?

That info has not been shared. The "sex/gender" field could be called anything in the DB. The query suggests sex.

BTW - a more serious issue is that of SQL injection. POST variables have not been sanitized and you are not using a prepared statement.

It's good practice to backtick your fieldnames. In addition, if you are going to place variables directly into your sql, then you need to use quotes around non-numerical field values:

$sql = "INSERT INTO Login(`Firstname`, `Lastname`, `Contact`, `Sex`, `DOB`, `E-mail`, `Country`, `Experience`, `Education`) VALUES ('$firstName', '$lastname', '$contact', '$sex', '$dob', '$email', '$country', '$expr', '$education')";

Always an idea to echo this if you are getting errors:

echo $sql;

If it still looks ok, copy and paste it and run it in phpMyAdmin and see what you get

Edited by diafol

0

I have changed my fieldname E-mail to email and followed all the steps one by one, but my problem is not resolved.

1
  1. First step - check your input parameters, e.g. in line 10 put: print_r($_POST); exit();
  2. Second step - always use backticks for all parameter names - it will protect you from conflicts with MySQL reserved names and others (read @diafol's comment)
  3. Third step - I strongly recommend using the PHP function filter_input() or filter_input_array() - it will help you to avoid incorrect user input
  4. Fourth step - I strongly recommend using a prepared statement, then binding variables and then executing the statement - it will protect you from MySQL injection
1

This may be the same thing as Third Step from above (I'm not a PHP user) but if any of your fields contain special characters it could screw up the SQL syntax. For example, if the name you are inserting is something like O'Brian then the embedded apostrophe would be the culprit. That's why you should be using parameterized queries.
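An added example, not code from any poster in this thread: the validation and prepared-statement steps recommended in the replies above, applied to the original INSERT with a constructed row whose last name is O'Brian. It uses PDO with an in-memory SQLite database so it runs without a server (an assumption; the thread uses mysqli against MySQL), and `registerUser` is a hypothetical helper name.

```php
<?php
// Added example. Constructed form input standing in for $_POST.
$post = [
    'firstName' => 'Conor', 'lastname' => "O'Brian", 'contact' => '5550100',
    'gender' => 'M', 'dob' => '1990-04-12', 'email' => 'conor@example.com',
    'country' => 'Ireland', 'expr' => '5', 'education' => 'BSc',
];

// Assumption: in-memory SQLite so this runs without a server. For MySQL
// only the DSN changes, e.g. 'mysql:host=...;dbname=...' plus credentials.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE Login (`Firstname` TEXT, `Lastname` TEXT,
    `Contact` TEXT, `Sex` TEXT, `DOB` TEXT, `E-mail` TEXT, `Country` TEXT,
    `Experience` INTEGER, `Education` TEXT)');

// registerUser() is a hypothetical helper name, not from the thread.
function registerUser(PDO $pdo, array $in): bool
{
    // Validate first; filter_var() applies the same filters as filter_input().
    $email = filter_var($in['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $expr  = filter_var($in['expr'] ?? '', FILTER_VALIDATE_INT,
                        ['options' => ['min_range' => 0]]);
    $dob   = DateTime::createFromFormat('!Y-m-d', $in['dob'] ?? '');
    if ($email === false || $expr === false
        || !$dob || $dob->format('Y-m-d') !== $in['dob']) {
        return false;
    }
    // Placeholders keep every value out of the SQL text, so an apostrophe
    // in a name is stored as data and cannot change the statement.
    $stmt = $pdo->prepare('INSERT INTO Login (`Firstname`, `Lastname`,
        `Contact`, `Sex`, `DOB`, `E-mail`, `Country`, `Experience`, `Education`)
        VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)');
    return $stmt->execute([
        $in['firstName'] ?? '', $in['lastname'] ?? '', $in['contact'] ?? '',
        $in['gender'] ?? '', $in['dob'], $email, $in['country'] ?? '',
        $expr, $in['education'] ?? '',
    ]);
}

var_dump(registerUser($pdo, $post));  // constructed well-formed input
var_dump(registerUser($pdo, ['email' => 'not-an-email'] + $post));  // same row, malformed e-mail
$row = $pdo->query('SELECT `Lastname`, `E-mail` FROM Login')->fetch(PDO::FETCH_ASSOC);
echo $row['Lastname'], ' / ', $row['E-mail'], PHP_EOL;
```

With the thread's mysqli connection the same pattern is `$conn->prepare()`, then `bind_param()` and `execute()` on the returned statement.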

0

All good advice above.

As others said, I think you need to make sure the input is cleaned and look to make sure there is a valid response in the field. This will help check it is not somebody's attempt at doing an SQL injection attack as well.

if (!(isset($firstname))) {
  print 'error - nothing entered';
  exit();
}

$value = escape_data($_POST['field_name']);

If you want to ensure the code is pulling the value from the form, I would echo it as soon as it is submitted.

$value = escape_data($_POST['field_name']);
echo "value " . $value; 

OR even

echo $_POST['field_name'];

I would strongly suggest that you never use a hyphen in a value or field name because this is what the compiler sees... A-B (a mathematical expression). Try A_B instead; it's safer.

What I do is establish a pattern in naming and use it consistently to avoid confusion. E.G.

$FirstName = $_POST['FirstName'];
// not //
$Firstname = $_POST['firstName'];

It's too easy to forget the names of vars even when you have a pattern.

Then as suggested, echo the SQL statement to show you what is being selected. Copy and paste that into your SQL query box on the MySQL server and see what the DB error is directly.
