Database error in PHP

Question

Here is my code:

$sql="INSERT INTO reg ('name','email','add',c_no,'user_name','pass','mess')
VALUES
('$_POST[name]','$_POST[email]','$_POST[add]','$_POST[number]','$_POST[user]','$_POST[pass]','$_POST[comment]')";

The error I get is:

Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''name','email','add',c_no,'user_name','pass','mess') VALUES ('admin','swapni' at line 1

Answer 1

You can't use ' sign in column names, instead use backtick ` or skip it if field name is not reserved keyword.

Also instead of putting $_POST variables into sql, read about prepared statements and always check input data.

Answer 2

First of all, your code is vulnerable to SQL Injection: How can I prevent SQL injection in PHP?

And your field names are encapsulated with ', they should be with ` or nothing if they don't match MySQL reserved words.

Third mysql_* are deprecated: Why shouldn't I use mysql_* functions in PHP?

Fourth: "...('$_POST['something']','..." is very bad practice, I don't think that it'll work in the latest PHP and you should strongly consider to write it like "...('" . $text_to_insert . "','..."

Solution to all of this problems in MySQLi:

$db=new mysqli("server","username","password","database");
$insert_stmt=$db->prepare("INSERT INTO reg (name,email,add,c_no,user_name,pass,mess) VALUES (?,?,?,?,?,?,?)");
$insert_stmt->bindParam("sssisss",$_POST["name"],$_POST["email"],$_POST["add"],$_POST["c_no"],$_POST["user_name"],$_POST["pass"],$_POST["mess"]);
$is_successful=$insert_stmt->execute();

Answer 3

Column names should be encapsulated with backticks, not quotes.

$sql="INSERT INTO reg (`name`,`email`,`add`,`c_no`,`user_name`,`pass`,`mess`)
VALUES ('$_POST[name]','$_POST[email]','$_POST[add]','$_POST[number]','$_POST[user]','$_POST[pass]','    $_POST[comment]')";

Answer 4

Hey i am using between operator for the fetching data from date to date.

Query is....

SELECTcustomer.*,feedback.*,feedback.idas fid FROM (feedback) LEFT OUTER JOINcustomerONcustomer.feedbackID=feedback.id WHEREfeedback.spa_id= '1' ANDfeedback.Overall_rating!= '' ANDfeedback.fb_dateBETWEEN "2014-06-01" and "2015-10-30"

using this query i am unable to fetch the data for the date "2015-10-30"

Thank You.

Answer 5

$name = mysql_real_escape_string($_POST['name']);
$email = mysql_real_escape_string($_POST['email']);
$add = mysql_real_escape_string($_POST['add']);
$c_no = mysql_real_escape_string($_POST['c_no']);
$user_name = mysql_real_escape_string($_POST['user_name']);
$pass = mysql_real_escape_string($_POST['pass']);
$mess = mysql_real_escape_string($_POST['mess']);

$sql= "INSERT INTO reg (`name`,`email`,`add`,`c_no`,`user_name`,`pass`,`mess`) 
VALUES($name,$email,$add,$c_no,$user_name,$pass,$mess)";