
I keep getting a syntax error and I don't know what's wrong. Can I not call a predetermined string?

$sqlstring= "INSERT INTO friends (friend_id , friend_email , password , profile_name , date_started , num_of_friends)
                        VALUES (NULL , $email, $password, $name, CURDATE() , 0);";
Brian Tompsett - 汤莱恩

4 Answers


If $email, $password, $name are all varchar or string, you need to wrap them with single quotes.

$sqlstring= "INSERT INTO friends (friend_id , friend_email , password , 
                                 profile_name , date_started , num_of_friends)
            VALUES (NULL , '$email', '$password', '$name', CURDATE() , 0)";

Your query is vulnerable to SQL injection; please take time to read the article below to protect against SQL injection.

John Woo

Remove the last semicolon and surround values with quotes.

$sqlstring= "INSERT INTO friends (friend_id , friend_email , password , profile_name , date_started , num_of_friends)
                    VALUES (NULL , '$email', '$password', '$name', CURDATE() , 0)";
Abhishek Saha

If you are accepting user input into your query, it is highly dangerous to simply add it into your SQL statement.

If you are using modern PHP, you would use PDO to prepare your statement...

$sth = $dbh->prepare('INSERT INTO friends (friend_id , friend_email , password , profile_name , date_started , num_of_friends)
                    VALUES (NULL , ?, ?, ?, CURDATE() , 0)');
$sth->execute(array($email, $password, $name));

Or if you want to stick old school, escape them:

// The escaped values still need the surrounding single quotes in the SQL text.
$sqlstring = sprintf("INSERT INTO friends (friend_id , friend_email , password , profile_name , date_started , num_of_friends) VALUES (NULL , '%s', '%s', '%s', CURDATE() , 0)",
    mysql_real_escape_string($email),
    mysql_real_escape_string($password),
    mysql_real_escape_string($name)
);
Fenton
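The difference between the quoted-interpolation fix and the prepared statement, shown as an added example that is not part of any answer above: it uses Python's built-in sqlite3 driver as a stand-in for PHP/MySQL (assumption: the `friends` table is recreated in memory, and `date('now')` replaces MySQL's `CURDATE()`). Quoting the values makes the original query compile, but any value containing an apostrophe still breaks the SQL text, while the placeholder version stores the same value unchanged because the driver never merges it into the statement.

```python
import sqlite3

# Constructed in-memory stand-in for the MySQL `friends` table in the question.
SCHEMA = """
CREATE TABLE friends (
    friend_id      INTEGER PRIMARY KEY,
    friend_email   TEXT NOT NULL,
    password       TEXT NOT NULL,
    profile_name   TEXT NOT NULL,
    date_started   TEXT NOT NULL,
    num_of_friends INTEGER NOT NULL
)
"""

COLUMNS = "(friend_id, friend_email, password, profile_name, date_started, num_of_friends)"


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def insert_interpolated(conn, email, password, name):
    """The accepted answer's fix: quote the values inside the SQL string.
    It compiles, but the values are still part of the SQL text the parser sees."""
    sql = (f"INSERT INTO friends {COLUMNS} "
           f"VALUES (NULL, '{email}', '{password}', '{name}', date('now'), 0)")
    conn.execute(sql)
    conn.commit()


def insert_prepared(conn, email, password, name):
    """Fenton's PDO-style answer: placeholders; values travel separately from the SQL."""
    sql = f"INSERT INTO friends {COLUMNS} VALUES (NULL, ?, ?, ?, date('now'), 0)"
    conn.execute(sql, (email, password, name))
    conn.commit()


def try_both(name):
    """Run both insert styles with the same profile_name.
    Returns (interpolated_succeeded, stored_profile_names)."""
    conn = new_db()
    try:
        insert_interpolated(conn, "a@example.com", "secret", name)
        interpolated_ok = True
    except sqlite3.OperationalError:  # the apostrophe in the name ends the SQL string early
        interpolated_ok = False
    insert_prepared(conn, "b@example.com", "secret", name)
    rows = conn.execute("SELECT profile_name FROM friends ORDER BY friend_id").fetchall()
    return interpolated_ok, [row[0] for row in rows]


if __name__ == "__main__":
    print(try_both("Alice"))    # (True, ['Alice', 'Alice'])
    print(try_both("O'Brien"))  # (False, ["O'Brien"])
```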

Your updated Query is:

$sqlstring = "INSERT INTO friends (friend_id , friend_email , password , profile_name , date_started , num_of_friends) VALUES (NULL , '$email', '$password', '$name', CURDATE() , 0)";

NKM