Wonder if anyone could help. I'm trying to collect data from a form and insert it into a database, however I keep getting this error:

Parse error: syntax error, unexpected '' (T_ENCAPSED_AND_WHITESPACE), expecting identifier (T_STRING) or variable (T_VARIABLE) or number (T_NUM_STRING) in C:\xampp\htdocs\test\form.php on line 49

The table consists of id, name, email columns.

The form is as follows:

<form  action="" method="post">
    Name *: <input type="text" name="name"><br/>
    Email *: <input type="text" name="email"><br/>
    <input  type="submit"  value="Submit">
</form>

PHP Script:

<?php
if (isset($_POST['submit'])) {
    $con = mysql_connect('localhost', 'root', '****');
    if (!$con) {
        die("Can't connect");
    }
    mysql_select_db('email_database', $con);

    $sql = "INSERT INTO client_data (id, name, email) VALUES ('', '$_POST['name']', '$_POST['email']')";
    mysql_query($sql, $con);
    mysql_close($con);
}
?>

I don't know what I'm doing wrong :/ Thanks in advance

  • Suggestion, [**Don't use `mysql_*` functions in new code**](http://bit.ly/phpmsql). They are no longer maintained [and are officially deprecated](http://j.mp/XqV7Lp). See the [**red box**](http://j.mp/Te9zIL)? Learn about [*prepared statements*](http://j.mp/T9hLWi) instead, and use [PDO](http://php.net/pdo) or [MySQLi](http://php.net/mysqli) - [this article](http://j.mp/QEx8IB) will help you decide which. If you choose PDO, [here is a good tutorial](http://j.mp/PoWehJ). – Lawrence Cherone Aug 23 '13 at 10:42
  • Is the id column auto-incrementing? – Paddyd Aug 23 '13 at 10:43

7 Answers

1

Try like

$sql = "INSERT INTO client_data (id, name, email)  
        VALUES (NULL, '".$_POST['name']."', '".$_POST['email']."')";

If it is an auto increment field then no need to mention it like

$sql = "INSERT INTO client_data (name, email)
        VALUES ('".$_POST['name']."', '".$_POST['email']."')";

And try to avoid mysql_* statements, because the entire ext/mysql PHP extension, which provides all functions named with the prefix mysql_*, is officially deprecated as of PHP v5.5.0 and will be removed in the future.

There are two other MySQL extensions that you can use instead: MySQLi and PDO_MySQL, either of which can be used in place of ext/mysql.

GautamD31
  • the problem is in the quoting – donald123 Aug 23 '13 at 10:42
  • Might be an idea to ensure the column is auto_increment before inserting with a null value – Anigel Aug 23 '13 at 10:44
  • Shall look into the mysql extensions, that did the trick, though the data is still not being transferred into the table. hmmm – user2682649 Aug 23 '13 at 11:02
  • Thanks all for your quick responses.. Though now it seems like it doesn't want to connect, throws a "Can't connect", which is obviously the message I want to display if it can't.. I've checked my database name, password, etc. hmmm – user2682649 Aug 23 '13 at 12:34
0

Syntax in the query is incorrect!

Write like this:

'".$_POST["name"]."'

Hope it helps!

Navnath Godse
Pooja
0

You can't use assoc arrays like that! You have to do it like this:

$sql = "INSERT INTO client_data (id, name, email) VALUES ('', '".$_POST['name']."', '".$_POST['email']."')";

better would be:

$sql = "INSERT INTO client_data (id, name, email) VALUES ('', '".mysql_real_escape_string($_POST['name'])."', '".mysql_real_escape_string($_POST['email'])."')";

to prevent injection

Ch33f
0

You've got an issue with your single and double quotes.

But also, is id an auto_increment? Because if it is, then you should exclude that field altogether

ie:

$sql = "INSERT INTO client_data (name, email) VALUES ('" . mysql_real_escape_string($_POST['name']) . "', '" . mysql_real_escape_string($_POST['email']) . "')";

if not:

$sql = "INSERT INTO client_data (id, name, email) VALUES ('', '" . mysql_real_escape_string($_POST['name']) . "', '" . mysql_real_escape_string($_POST['email']) . "')";

mysql_real_escape_string should be used on any user inputted or editable data.

However, as others may mention: you should really look at upgrading your mysql calls to something like mysqli_* or PDO_MYSQL
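As an added example (not code from any of the answers above), here is the same insert that answers 3 and 4 build by escaping, done instead with bound parameters against an in-memory SQLite table so it runs offline without a MySQL server. It assumes the pdo_sqlite extension is loaded, and uses a constructed name containing an apostrophe to show why pasting the value into the SQL text fails while the parameter form does not.

```php
<?php
// Added example: the question's client_data table, with the id left to the
// database (SQLite's AUTOINCREMENT stands in for MySQL's AUTO_INCREMENT).
function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE client_data (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        name TEXT NOT NULL,
        email TEXT NOT NULL)');
    return $db;
}

// Unsafe form, as in the question: the value becomes part of the SQL text.
// A name such as O'Brien ends the string literal early and the statement fails.
function insertConcat(PDO $db, string $name, string $email): string {
    $sql = "INSERT INTO client_data (name, email) VALUES ('$name', '$email')";
    try {
        $db->exec($sql);
        return 'ok';
    } catch (PDOException $e) {
        return 'failed: ' . $e->getMessage();
    }
}

// Safe form: the values travel as parameters and are never parsed as SQL,
// so no quoting or escaping of the input is needed.
function insertPrepared(PDO $db, string $name, string $email): int {
    $stmt = $db->prepare('INSERT INTO client_data (name, email) VALUES (:name, :email)');
    $stmt->execute([':name' => $name, ':email' => $email]);
    return (int) $db->lastInsertId();   // the id the database assigned
}

$db = openDb();
// Constructed sample input: a legitimate name that happens to contain a quote.
$name  = "Conor O'Brien";
$email = 'conor@example.com';

echo insertConcat($db, $name, $email), PHP_EOL;
$id  = insertPrepared($db, $name, $email);
$row = $db->query('SELECT id, name FROM client_data')->fetch(PDO::FETCH_ASSOC);
printf("inserted id %d, name %s\n", $id, $row['name']);
```

The first call reports a syntax error from the database; the second stores the name intact and returns the auto-assigned id, which is why the answers suggest leaving id out of the column list.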

0

Apart from the obvious syntax error and the SQL injection/escaping problem, you're not validating user input or handling errors.

Unfortunately, as it stands with this no-protection approach, you'll find your database quickly fills with viagra, cheap watches and clothing keywords and XSS code in no time.

Here is a port/example using PDO prepared queries, using much safer code. To make any form even safer you should add a captcha:

<?php
session_start();

try {
    $db = new PDO('mysql:host=127.0.0.1;dbname=email_database','root','****');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $db->exec("SET CHARACTER SET utf8");
} catch(PDOException $e) {
    // Without a connection nothing below can work, so stop here
    exit('Database connection error: ' . $e->getMessage());
}

if($_SERVER['REQUEST_METHOD'] === 'POST'){
    //csrf token: must be present in both session and form and match exactly
    if(!isset($_SESSION['token']) || !isset($_POST['token']) || $_SESSION['token'] !== $_POST['token']) {
        exit('Invalid request token');
    }

    //Validate input values
    $error = array();
    //Name
    if(empty($_POST['name'])){
        $error['name'] = "Your name is required";
    }
    //Email
    if(!empty($_POST['email'])){
        if(!filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)){
            $error['email'] = "A Valid email is required";
        }
    }else{
        $error['email'] = "Your email is required";
    }

    //ok no error lets insert
    if(empty($error)){
        $sql = 'INSERT INTO client_data (name, email) VALUES (:name, :email)';
        $stmt = $db->prepare($sql);
        $stmt->bindParam(':name',  $_POST['name']);
        $stmt->bindParam(':email', $_POST['email']);
        $stmt->execute();
    }

    //Token used for this request, remove
    unset($_SESSION['token']);
}

//set csrf token from the CSPRNG (uniqid() is time-based and guessable)
$_SESSION['token'] = bin2hex(random_bytes(32));
?>

<form action="" method="POST">
    <input type="hidden" name="token" value="<?php echo $_SESSION['token'];?>"/>
    Name *: <input type="text" name="name"/> <?php echo isset($error['name']) ? $error['name'] : null;?><br/> 
    Email *: <input type="text" name="email"/> <?php echo isset($error['email']) ? $error['email'] : null;?><br/> 
    <input type="submit" value="Submit"/> 
</form>

Don't use mysql_* functions in new code. They are no longer maintained and are officially deprecated. See the red box? Learn about prepared statements instead, and use PDO, or MySQLi - this article will help you decide which. If you choose PDO, here is a good tutorial.

Zoe
Lawrence Cherone
0

Use MySQLi instead of deprecated MySQL:

Your PHP Script should look like this:

<?php

if (isset($_POST['submit'])) {

    $con = mysqli_connect("localhost", "root", "****", "email_database");

    if (mysqli_connect_errno()) {
        exit("Error: " . mysqli_connect_error());
    }

    /* Inside a double-quoted string the array key is written without the
       single quotes: $_POST[name], not $_POST['name']. Escape the values
       first, so a quote in the input cannot break out of the SQL literal. */
    $name  = mysqli_real_escape_string($con, $_POST['name']);
    $email = mysqli_real_escape_string($con, $_POST['email']);
    mysqli_query($con, "INSERT INTO client_data (id, name, email) VALUES ('', '$name', '$email')");

    mysqli_close($con);
}

?>
-1

Your query should look like this:

<?php
$sql = "INSERT INTO client_data (id, name, email) VALUES ('', '".$_POST['name']."', '".$_POST['email']."')";
?>

And it is better to make the ID field an auto increment field. Then your query would be:

<?php
$sql = "INSERT INTO client_data (name, email) VALUES ('".$_POST['name']."', '".$_POST['email']."')";
?>