0

PHP Script:

```php
<?php
include('connect.php');

if (isset($_POST['project_name'])) {
    $name = $_POST['project_name'];
    $date = $_POST['date'];
    $amount = $_POST['amount'];
    $curr = $_POST['curr'];
    $spec = $_POST['spec'];
    $SQL = "INSERT INTO projects (name, date, currency, amount, specifications) VALUES '$name','$date','$amount','$curr','$spec'" or die(mysql_error()."update failed");
    $insert = mysql_query($SQL);
    if ($insert) {
        echo "Successful";
        echo "<BR>";
        echo "<a href='insert.php'>Back to main page</a>";
    } else {
?>
A HTML FORM HERE
<?php
    }
}
?>
```

NOTE: The connect.php file is working ok since I've used it before on other scripts but on the same server.

Every time I try to submit the form (method = post), I get this error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''sad','08/13/2013','244','dollars','sdasd'' at line 1 32767

What could be the problem?

Sergiu
  • Please, before you write **any** more SQL interfacing code, you must read up on [proper SQL escaping](http://bobby-tables.com/php) to avoid severe [SQL injection bugs](http://bobby-tables.com/). Also, `mysql_query` should not be used in new applications. It's a deprecated interface that's being removed from future versions of PHP. A modern replacement like [PDO is not hard to learn](http://net.tutsplus.com/tutorials/php/why-you-should-be-using-phps-pdo-for-database-access/) and will make your database code easier to get right. – tadman Aug 07 '13 at 18:23

4 Answers

0
```sql
INSERT INTO projects (name, date, currency, amount, specifications) VALUES ('$name','$date','$amount','$curr','$spec')
```

Add ( after values

Akhil
0

While inserting, VALUES for a given row have to be enclosed in parentheses.

```sql
INSERT INTO projects (name, date, currency, amount, specifications) VALUES
    ('$name','$date','$amount','$curr','$spec')
```

To remember that, keep in mind that INSERT allows adding several rows at once, which is why each row has to be delimited by parentheses:

```sql
-- Just for the example, insert the same row 3 times
INSERT INTO projects (name, date, currency, amount, specifications) VALUES
    ('$name','$date','$amount','$curr','$spec'),
    ('$name','$date','$amount','$curr','$spec'),
    ('$name','$date','$amount','$curr','$spec');
```

BTW, please note that using string interpolation to build your query is a major risk of SQL injection. Please see How can I prevent SQL injection in PHP? for the details.

Sylvain Leroux
  • Please, if you're going to point out the problem with SQL injection, add the escape calls to fix the problem. – tadman Aug 07 '13 at 18:19
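
The parameterised form of this insert, which the comments about SQL injection and PDO point toward, as an added example that is not part of the original thread. The helper name `insertProject`, the in-memory SQLite database, the table definition and the sample input are assumptions made so the script runs without a server.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not from the page): validates the form fields, then inserts
// one row through a prepared statement, so user input is never parsed as SQL.
function insertProject(PDO $pdo, array $post): int
{
    $raw  = (string)($post['date'] ?? '');
    $date = DateTime::createFromFormat('!m/d/Y', $raw);
    if ($date === false || $date->format('m/d/Y') !== $raw) {
        throw new InvalidArgumentException('date must be MM/DD/YYYY');
    }
    $amount = filter_var($post['amount'] ?? null, FILTER_VALIDATE_FLOAT);
    if ($amount === false) {
        throw new InvalidArgumentException('amount must be numeric');
    }

    // One parenthesised tuple after VALUES; placeholders are never quoted.
    // Values are bound by name in column order (the question's query lists
    // currency before amount but supplies the amount first).
    $stmt = $pdo->prepare(
        'INSERT INTO projects (name, date, currency, amount, specifications)
         VALUES (:name, :date, :currency, :amount, :spec)'
    );
    $stmt->execute([
        ':name'     => (string)($post['project_name'] ?? ''),
        ':date'     => $date->format('Y-m-d'),
        ':currency' => (string)($post['curr'] ?? ''),
        ':amount'   => $amount,
        ':spec'     => (string)($post['spec'] ?? ''),
    ]);
    return (int)$pdo->lastInsertId();
}

// Assumption: in-memory SQLite stands in for the MySQL server. For MySQL only the
// DSN changes, e.g. 'mysql:host=localhost;dbname=example;charset=utf8mb4' (placeholder).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE projects (id INTEGER PRIMARY KEY, name TEXT, date TEXT,
            currency TEXT, amount REAL, specifications TEXT)');

// Constructed sample input standing in for $_POST. The apostrophe in the name would
// break the interpolated query from the question; here it is stored verbatim.
$post = ['project_name' => "O'Neill project", 'date' => '08/13/2013',
         'amount' => '244', 'curr' => 'dollars', 'spec' => 'sdasd'];
$id   = insertProject($pdo, $post);
$rows = $pdo->query('SELECT * FROM projects')->fetchAll(PDO::FETCH_ASSOC);
print_r($rows);
```
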
0

You are forgetting the ( & ) in your insert statement:

```php
$SQL = "INSERT INTO projects (name, date, currency, amount, specifications)
        VALUES
        ('$name','$date','$amount','$curr','$spec')" or die(mysql_error()."update failed");
```
Icarus
0

You should pass the name value like 'sad' not ''sad'. Hope you can find the problem.