Inserting data into MySQL table with only one column

Question

Here's my HTML code:

<html>
<body>
<form action="insert.php" method="post">
Script Name: <input type="text" name="scriptname">
<input type="submit">
</form>
</body>
</html>

Here's my PHP code:

<?php
$con=mysqli_connect("localhost","escalate_test","database88","escalate_test");
// Check connection
if (mysqli_connect_errno())
  {
  echo "Failed to connect to MySQL: " . mysqli_connect_error();
  }

$sql="INSERT INTO appslist (listall)
VALUES
('$_POST[scriptname]";

if (!mysqli_query($con,$sql))
  {
  die('Error: ' . mysqli_error($con));
  }
echo "1 record added";

mysqli_close($con);
?>

What I'm trying to do is insert in the table appslist into the column listall (the only column in that database).

But I keep getting this error:

Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''43things clone script' at line 3

Your brackets are not looking balanced at `$sql="INSERT INTO appslist (listall) VALUES ('$_POST[scriptname]";` — Akshat Singhal, Dec 25 '13 at 18:17
it's this `'$_POST[scriptname]` and btw, don't use that. Read this => http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php — Funk Forty Niner, Dec 25 '13 at 18:18
`('$_POST[scriptname]";` is 1. missing a closing `')` and 2. an invitation to SQL injection. — Eugen Rieck, Dec 25 '13 at 18:18
Wouldn't it be nice with an API that considered unparameterized queries a syntax error... :) — Joachim Isaksson, Dec 25 '13 at 18:20
Use [`this method`](http://stackoverflow.com/a/60442/1415724) instead (under the mysqli method), if you're going to use `mysqli_` — Funk Forty Niner, Dec 25 '13 at 18:23
I replaced `$scriptname=mysqli_real_escape_string($con,$scriptname);` with `$scriptname=mysqli_real_escape_string($con, $_POST['scriptname']);` in [my answer](http://stackoverflow.com/a/20775714/1415724) below. Details are all in there. — Funk Forty Niner, Dec 25 '13 at 19:41

score 2 · Answer 1 · answered Dec 25 '13 at 18:18

2

You must close your brackets here:

"INSERT INTO appslist (listall)
VALUES
('$_POST[scriptname]')";

answered Dec 25 '13 at 18:18

MillaresRoo

3,808
1
31
37

5

NO NO NO => http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php – Funk Forty Niner Dec 25 '13 at 18:18
1

Yes, but he is asking about his syntactic problem, not about sql injection or any other troubles. – MillaresRoo Dec 25 '13 at 18:20
Your answer is not wrong and can be marked correct, but it's always good to mention injection vulnerabilities. Then again, some people just need to learn the hard way ;) – Steve Robbins Dec 25 '13 at 18:22
1

As someone told me yesterday in an answer about a similar problem: "Berating people about mysqli versus mysql is tedious & ineffective. The scope of the question itself has issues that should be addressed." – MillaresRoo Dec 25 '13 at 18:22

score 2 · Answer 2 · edited Jun 20 '20 at 09:12

Here, do use the following which is a safer method.

To point out where you made your mistake, it was a missing quote ' and a bracket ) in ('$_POST[scriptname] which should have read as ('$_POST[scriptname]') (EDIT: As Dan Bracuk pointed out in his comment, thank you Dan.) however, using this method is prone to SQL injection.

Also wrapping your table name with backticks is suggested.

EDIT:

Use the the following (inside commented code below) if you haven't declared your variable.

$scriptname=mysqli_real_escape_string($con, $_POST['scriptname']);

Instead of: (Both are in the code below. Simply use the one you need)

$scriptname=mysqli_real_escape_string($con,$scriptname);

PHP

<?php
$con=mysqli_connect("localhost","escalate_test","database88","escalate_test");
// Check connection
if (mysqli_connect_errno())
  {
  echo "Failed to connect to MySQL: " . mysqli_connect_error();
  }

// use the commented one below if you haven't declared your variable.
// $scriptname=mysqli_real_escape_string($con, $_POST['scriptname']);
$scriptname=mysqli_real_escape_string($con,$scriptname);

$sql="INSERT INTO `appslist` (listall) 
VALUES ('$scriptname')";

if (!mysqli_query($con,$sql))
  {
  die('Error: ' . mysqli_error($con));
  }
echo "1 record added";

mysqli_close($con);
?>

You're right, AND a missing quote. I'll fix that, thanks for pointing that out to me. @DanBracuk — Funk Forty Niner, Dec 25 '13 at 18:50
I've made a mention about that in an Edit (comment). @DanBracuk Your contribution is appreciated, thanks again Dan. — Funk Forty Niner, Dec 25 '13 at 18:53
Feel free to retract your downvote, since this has been corrected. @DanBracuk otherwise, no biggie. Live & Learn, I always say. Merry Xmas ;-) — Funk Forty Niner, Dec 25 '13 at 18:58

score 0 · Answer 3 · answered Dec 25 '13 at 18:19

0

use this:

$var = mysql_real_escape_string($_POST['scriptname']);
$sql="INSERT INTO appslist (listall) VALUES ('$var')";

instead of this:

$sql="INSERT INTO appslist (listall)
VALUES
('$_POST[scriptname]";

You missed ') at the end of statement and ' ' in $_POST variable

answered Dec 25 '13 at 18:19

Lavneet

516
5
19

Then, use this: $var = mysql_real_escape_string($_POST['scriptname']); $sql="INSERT INTO appslist (listall) VALUES ('$var')"; – Lavneet Dec 25 '13 at 18:22
OP is using `mysqli_` and you're using `mysql_real_escape_string` – Funk Forty Niner Dec 25 '13 at 18:22

Muhammad Rashid · Answer 4 · 2013-12-25T18:32:12.440

0

try this

<?php
    $con=mysqli_connect("localhost","escalate_test","database88","escalate_test");
    // Check connection
    if (mysqli_connect_errno())
      {
      echo "Failed to connect to MySQL: " . mysqli_connect_error();
      }
    $scriptname = stripslashes($_POST['scriptname']);
    $sql="INSERT INTO appslist (listall) VALUES('$scriptname')";

    if (!mysqli_query($con,$sql))
      {
      die('Error: ' . mysqli_error($con));
      }
    echo "1 record added";

    mysqli_close($con);
    ?>

edited Dec 25 '13 at 18:32

answered Dec 25 '13 at 18:22

Muhammad Rashid

563
1
6
25

I saw that, which is why I deleted my comment. – Funk Forty Niner Dec 25 '13 at 18:28

Inserting data into MySQL table with only one column

4 Answers4

EDIT: