0

I keep getting an error on my PHP page. When I submit my form it says I don't have authorisation to see the PHP page, and when I put it into the SQL query test it says it's error #1064. I keep getting this error message and I have no idea why. In the query test I'm only putting the info between . Can someone please help fix this?

<html>
<head>
<meta charset="utf-8">
<title>Enquiry</title>
</head>

<body> 
<?php

$name=$_POST['name'];
$email=$_POST['email'];
$phone = $_POST['phone'];
$radio = $_POST['radio'];
$enquiry = $_POST['enquiry'];

$user="root";
$password="";
$database="test";

mysql_connect('localhost',$user,$password) or die("Unable to connect to server"); 
mysql_select_db($database) or die("Unable to select database"); 
$query = "INSERT INTO Enquiry VALUES ('','$name','$email','$phone','$radio','$enquiry')";
mysql_query($query); 
mysql_close(); 

?>
</body>
</html>
  • 2
    Could you post the full error message? It will tell you exactly what's up. Do you know what will happen if you get an enquiry from Mr O'Connor, by the way? – andrewsi Dec 10 '13 at 17:14
  • 1
    Side note : Please consider upgrading to mysqli as mysql is not supported anymore, and have a look at SQL injection – Pascamel Dec 10 '13 at 17:15
  • FYI, you are also wide open to [SQL injections](http://stackoverflow.com/q/60174) – John Conde Dec 10 '13 at 17:16
  • SQL query: $name = $_POST[ 'name']; MySQL said: Documentation #1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '$name=$_POST['name']' at line 1 This is the error message from the query test. And the security isn't a big deal right now I just need the database to work for a uni project. – user3086696 Dec 10 '13 at 17:18
  • @Pascamel I support it :) – nl-x Dec 10 '13 at 17:19
  • @user3086696 - it sounds like your server configuration isn't at all happy, if you're getting an authorization error. Are you running this through a webserver? – andrewsi Dec 10 '13 at 17:23
  • are you using a form to submit the fields you're getting with the $_POST['']; function? – iam-decoder Dec 10 '13 at 17:28
  • From what I saw in [**your other question**](http://stackoverflow.com/questions/20493806/php-create-table-error-1064) `id int(6) NOT NULL auto_increment` therefore remove `'',` in `VALUES ('','$name'` **that's the problem right there**, IF your `id` column is still set to `AUTO_INCREMENT` – Funk Forty Niner Dec 10 '13 at 17:30
  • For debugging, just output the query at the end of the script, after mysql_query();. – newman Dec 10 '13 at 17:34
  • *Ladies & Gentlemen* **:::ELVIS:::** has left the building. – Funk Forty Niner Dec 10 '13 at 17:35
  • I'm not getting the authorization error anymore. I don't know why it just went away. My id column is still auto_increment and I've removed '', from VALUES('','$name' etc but the form still isn't linking to the table and I still have the 1064 error message. – user3086696 Dec 10 '13 at 17:41
  • @user3086696 - if you put @ in front of someone's name, they'll get a prompt to come back to the question. Can you try `echo $query` and see what it produces? Does it work when you run it directly in the database? You could also try `mysql_query($query) or die (mysql_error())` to see if there's an error when you run the code, too. – andrewsi Dec 10 '13 at 17:49
  • 1
    Please, before you write **any** more SQL interfacing code, you must read up on [proper SQL escaping](http://bobby-tables.com/php) to avoid severe [SQL injection bugs](http://bobby-tables.com/). Also, `mysql_query` should not be used in new applications. It's a deprecated interface that's being removed from future versions of PHP. A modern replacement like [PDO is not hard to learn](http://net.tutsplus.com/tutorials/php/why-you-should-be-using-phps-pdo-for-database-access/). A guide like [PHP The Right Way](http://www.phptherightway.com/) will help you avoid making mistakes like this. – tadman Dec 10 '13 at 18:29

2 Answers

0

Assuming your first column in the DB is your primary key that auto increments, you'll need to change your SQL to this:

$sql = "
    INSERT INTO Enquiry (
        name,
        email,
        phone,
        radio,
        enquiry
    ) VALUES (
        '$name',
        '$email',
        '$phone',
        '$radio',
        '$enquiry'
    )
    ";
brasofilo
iam-decoder
0
<?php
$con = mysql_connect("localhost", "root", "") or die('Unable to connect to server: ' . mysql_error());
mysql_select_db("test", $con);

// Trim the posted value, strip any backslashes, then escape it for use in the query.
// Declared at file level (not inside the if-block) so it exists before it is called.
function test_input($data)
{
    $data = trim($data);
    $data = stripslashes($data);
    $data = mysql_real_escape_string($data);
    return $data;
}

if (isset($_POST['submit']))
{
    $name = test_input($_POST['name']);
    $email = test_input($_POST['email']);
    $phone = test_input($_POST['phone']);
    $radio = test_input($_POST['radio']);
    $enquiry = test_input($_POST['enquiry']);

    // The auto-increment primary key is left out of the column list so MySQL assigns it.
    $sql = "INSERT INTO `Enquiry` (name, email, phone, radio, enquiry)
            VALUES ('$name', '$email', '$phone', '$radio', '$enquiry')";

    $res = mysql_query($sql);
    if (!$res) {
        die('Could not enter data: ' . mysql_error());
    }
    echo 'your successful msg goes here';
}
?>

Assuming that the primary id is auto increment, as said, try this block of code.

black
  • 1
    If you like [SQL injection bugs](http://bobby-tables.com/) this is the way to do it. – tadman Dec 10 '13 at 18:30
  • Ehee, the person trying to insert into the DB while getting errors, I think, is not the right customer to push toward SQL injection while he is also not asking for that.. then why trouble?? – black Dec 10 '13 at 18:37
  • 1
    Ignorance is no excuse for not escaping it properly, it's a reckless development practice that hurts everyone. PHP is by far the worst offender here compared to other languages. Do it correctly to help set an example for others if you know how. – tadman Dec 10 '13 at 18:38
  • Facing it for real and then asking here about preventing SQL injection with prepared statements or escape strings, I think, will lead to a serious learning process rather than just simply copy-pasting the given code without even knowing what it is for. Though yeah, you are right, man. – black Dec 10 '13 at 18:44
  • 1
    Writing SQL code **is** serious. You get this wrong you could destroy someone's company or your own career. Do not think this is a joke. How happy do you think the developers at Sony were [after their massive data breach](http://www.reuters.com/article/2011/04/26/us-sony-stoldendata-idUSTRE73P6WB20110426) caused by simple problems like this? If you take a casual attitude to this now, you'll screw up in the hugest possible way when your code goes into production full of problems like this. – tadman Dec 10 '13 at 18:46
  • Feels great when someone accepts the answer though.. Use mysql_real_escape_string as said by @tad, or prepared statements to prevent injection, like $name=mysql_real_escape_string($_POST['name']); for all of them. – black Dec 10 '13 at 18:50
  • 2
    While this may "only be a uni project" (presumably a homework assignment), as others have said, it's never too casual a project to not be thinking about security. At the very, very least, add comments like "In a real (production) system, I would do such-and-such here to protect against SQL injection attack, etc." even if you don't actually do the coding. It will impress your instructor/grader that you're at least _thinking_ about such real-world issues. They would be even _more_ impressed if you took a few minutes to actually do the coding. – Phil Perry Dec 10 '13 at 19:42
  • I see you edited your answer but also sort of broken it at the same time: `stripslashes` is an anachronism to deal with misconfigured servers that have the deprecated "magic quotes" feature turned on, it should not be used for this sort of thing and will damage data if you're using it all over the place. It's best to leave the ugly `mysql_real_escape_string` in the query so it's obvious things are being escaped correctly, otherwise these wrapper functions are prone to error. Thanks for trying to fix it up, though. – tadman Dec 10 '13 at 20:24
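The comments on the question and on both answers recommend three things: leave the AUTO_INCREMENT id out of the column list, check the result of the query instead of ignoring it, and use PDO prepared statements rather than `mysql_*` with string concatenation. Below is an added example (not code from the question or from either answer) that puts those together for the same `Enquiry` table. It assumes the database `test`, the `root` user with an empty password, the column names from the first answer, a submit button named `submit` as in the second answer, and a `utf8mb4` connection charset; the `saveEnquiry` function name is mine.

```php
<?php
// Added example: the same INSERT written with PDO prepared statements.
// Assumed (not from the page): utf8mb4 charset and the saveEnquiry name.

// Connect with PDO and make it throw exceptions, so a bad query is reported
// instead of silently returning false as mysql_query() did in the question.
$pdo = new PDO(
    'mysql:host=localhost;dbname=test;charset=utf8mb4',
    'root',
    '',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]
);

/**
 * Insert one enquiry and return the new row id.
 *
 * The column list omits the AUTO_INCREMENT `id`, so no '' placeholder is
 * needed for it. Every user value is bound as a parameter and is never part
 * of the SQL text, so a name such as "Mr O'Connor" (see andrewsi's comment
 * on the question) is stored as typed; no escaping or stripslashes is
 * required and no injection via the form fields is possible.
 */
function saveEnquiry(PDO $pdo, array $fields)
{
    $sql = 'INSERT INTO `Enquiry` (name, email, phone, radio, enquiry)
            VALUES (:name, :email, :phone, :radio, :enquiry)';
    $stmt = $pdo->prepare($sql);
    $stmt->execute([
        ':name'    => $fields['name'],
        ':email'   => $fields['email'],
        ':phone'   => $fields['phone'],
        ':radio'   => $fields['radio'],
        ':enquiry' => $fields['enquiry'],
    ]);
    return (int) $pdo->lastInsertId();
}

if (isset($_POST['submit'])) {
    // Collect the posted fields; a missing field becomes '' rather than
    // raising an undefined-index notice.
    $fields = [];
    foreach (['name', 'email', 'phone', 'radio', 'enquiry'] as $key) {
        $fields[$key] = isset($_POST[$key]) ? trim($_POST[$key]) : '';
    }

    try {
        $id = saveEnquiry($pdo, $fields);
        echo 'Enquiry saved with id ' . $id;
    } catch (PDOException $e) {
        // Keep the real error in the server log; show the user a generic message
        // so SQL details are not leaked to the browser.
        error_log('Enquiry insert failed: ' . $e->getMessage());
        echo 'Sorry, your enquiry could not be saved.';
    }
}
```

For debugging during development, the exception message from `PDOException::getMessage()` carries the same MySQL error text that `mysql_error()` would have given, so there is no need to `echo $query` to find out what went wrong; and because the values are bound rather than interpolated, the SQL string you would see is always the fixed statement with its named placeholders.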