Sql query is not properly working: You have an error in your SQL syntax; check the manual

Question

i am new to php and trying to make login form, but its showing an error

Failed to query databaseYou have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'form signup-form where email = 'mail@mail.com' AND psw = '12345'' at line 1

 <?php

    $con = mysql_connect("localhost" , "root" , "");
    $db = mysql_select_db("jobportal" , $con);
    if(!$db)
      {         
        echo mysql_error();
      }
    if(isset($_POST['login']))
      {
        $email = $_POST['email'];
        $psw = $_POST['psw'];

        $query = mysql_query("select * form signup-form where email = '$email' 
          AND   psw = '$psw'") or die ("Failed to query database".mysql_error());

        $row = mysql_fetch_array($query);
        if($email=="$email" && $psw=="$psw")

        header('location:index.php');                  

       }

  ?>

Provide the query you are running. We will not be able to provide you an answer without that — Arun, Jan 10 '18 at 12:21
Don't post (that much) code in the comments, edit your post and paste it there please — brombeer, Jan 10 '18 at 12:39
Use mysqli prepared statements with placeholders because your query is insecure. — mickmackusa, Jan 10 '18 at 12:51
Possible related: [Escape table name MySQL](https://stackoverflow.com/q/11004768/8097737) — , Jan 11 '18 at 06:28
Is there a reason why the question is tagged `mysql` instead of `mariadb`? — , Jan 11 '18 at 06:52

score 1 · Answer 1 · answered Jan 10 '18 at 12:25

1

You have spelling mistake in your query

Change

select * form signup-form where email = '$email' AND psw = '$psw'

To

select * from signup-form where email = '$email' AND psw = '$psw'

You used form instead of from

answered Jan 10 '18 at 12:25

Arun

3,640
7
44
87

i'hv correct the spelling mistake but still seeing this error – Umar Jan 10 '18 at 12:48
For typo questions, flag/close the question as a typo. Moving 1 character by 1 position is off-topic on SO. – mickmackusa Jan 10 '18 at 12:50

score 0 · Answer 2 · 2018-01-12T07:01:46.530

There are two mistakes:

Thanks to @Arun

You used form instead of from
You use a table-name with a - therefore you need to quote this table-name with a backtick `.

So your query should be:

select * from `signup-form` where email = '$email' AND psw = '$psw'

Or try (with SQL_MODE = ANSI_QUOTES)

select * from "signup-form" where email = '$email' AND psw = '$psw'

From a similar question the OP wrote that adding the database-name helped, so you can also try:

select * from databasename.`signup-form` where email = '$email' and psw = '$psw'

(Replace databasename with your proper database-name for the table)

Please note: the shown sql-querys and your code are vulnerable to SQL-Injection, which will lead to errors and unintended behaviors based on the invalid/faulty user-input.

Please read How can I prevent SQL injection in PHP?

From the MariaDB Knowledge Base: Identifier Names:

The following characters are valid, and allow identifiers to be unquoted:

ASCII: [0-9,a-z,A-Z$_] (numerals 0-9, basic Latin letters, both lowercase and uppercase, dollar sign, underscore)

Extended: U+0080 .. U+FFFF

(...)

Quote Character

The regular quote character is the backtick character - `, but if the ANSI_QUOTES SQL_MODE option is specified, a regular double quote - " may be used as well.

@Umar is the error message exact the same? Also try to execute the query directly on the database without php or replace the parameters with fixed values. — , Jan 11 '18 at 06:50
working but sometimes says shows error,,,better than before...thnx — Umar, Jan 12 '18 at 05:56
@Umar The errors must be triggered by the input from the user. Please read: [How can I prevent SQL injection in PHP?](https://stackoverflow.com/q/60174/8097737) — , Jan 12 '18 at 06:48

Sql query is not properly working: You have an error in your SQL syntax; check the manual

2 Answers2