
I have a problem with adding information to a database using an SQL query. I checked the query many times and tried to change things, but nothing changed.... Please help me, I will be very grateful.

My HTML form:

<form action="functions.php" method="post">
        <div id="form" class="fleft">
            <div class="field">
                <label for="fname">Имя: </label>
                <input type="text" name="fname"/>
            </div>
            <div class="field">
                <label for="sname">Фамилия: </label>
                <input type="text" name="sname"/>
            </div>
            <div class="field">
                <label for="email">Ваш E-mail: </label>
                <input type="email" name="email"/>
            </div>
            <div class="field">
                <label for="message">Сообщение: </label>
                <input type="text" name="message">
            </div>
            <div class="field">
                <input type="submit" name="submit"/>
            </div>
        </div>
</form>

Functions.php:

<?php
include "db_connect.php";
if(isset($_POST['submit']))
{

    $connection = db_connect();
    if($connection) echo "connect <br>";
    else echo "no connect";

    $fname = $_POST['fname'];
    $sname = $_POST['sname'];
    $email = $_POST['email'];
    $message = $_POST['message'];

    $query = "INSERT INTO `mail` (`id`,`fname`,`sname`,`email`,`message`) VALUES ('',$fname,$sname,$email,$message)";

    $result = mysql_query($query);

    if($result) echo "success!";
    else echo mysql_error();
}
?>

db_connect.php :

<?php
function db_connect()
{
    $host = 'localhost';
    $user = 'root';
    $password = '';
    $db = 'web';

    $connection = mysql_connect($host, $user, $password);
    if (!$connection || !mysql_select_db($db)) {
        return false;
    }
    // Only set the connection charset once the connection and database are in place
    mysql_query("SET NAMES utf8");
    return $connection;
}
?>

Database structure: (screenshot not included)

Error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '@gmail.com,vsjo OK)' at line 1

  • `('','$fname','$sname','$email','$message')` and since `id` is auto_increment, take out the first: `(`fname`,`sname`,`email`,`message`)` `('$fname','$sname','$email','$message')` – Funk Forty Niner Feb 11 '14 at 19:15
  • This is just a tip that may help you a lot. Here you can echo the $query. Then try to execute it manually or in the phpMyAdmin SQL tab to find the error. `$query = "INSERT INTO mail (fname,sname,email,message) VALUES ('$fname','$sname','$email','$message')";` – knightrider Feb 11 '14 at 19:19

1 Answer

Your VALUES are not escaped, meaning you have no quotes around your VALUES.

Use the following:

$query = "INSERT INTO `mail` (`id`,`fname`,`sname`,`email`,`message`) VALUES ('','$fname','$sname','$email','$message')";

However, since your id column is set to AUTO_INCREMENT take out the first values and use the following in its place:

$query = "INSERT INTO `mail` (`fname`,`sname`,`email`,`message`) VALUES ('$fname','$sname','$email','$message')";

The id column will take care of itself.

You should also consider moving over to mysqli_* functions and prepared statements. mysql_* functions are deprecated and will be removed from future releases.

Read the following: How can I prevent SQL injection in PHP?
Should you decide to continue using mysql_* functions:

(Borrowed from https://stackoverflow.com/a/60442/)

$unsafe_variable = $_POST["user-input"];
$safe_variable = mysql_real_escape_string($unsafe_variable);
mysql_query("INSERT INTO table (column) VALUES ('" . $safe_variable . "')");

MySQLi method: Should you decide to use mysqli_* functions later on: (highly recommended)

$fname = mysqli_real_escape_string($connection,$_POST['fname']);
$sname = mysqli_real_escape_string($connection,$_POST['sname']);
$email = mysqli_real_escape_string($connection,$_POST['email']);
$message = mysqli_real_escape_string($connection,$_POST['message']);

Still, using MySQLi with prepared statements or PDO is also recommended.

  • none of those `` are actually needed (but the '' are) –  Feb 11 '14 at 19:34
  • True. Since the OP already had them, I figured I would leave them in place. And it doesn't hurt for the OP to use that convention with the backticks around the table and column names, should the OP ever choose a reserved word (down the road). @Dagon – Funk Forty Niner Feb 11 '14 at 19:37
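The same insert written with mysqli and a prepared statement, as the answer recommends. This is an added example, not code from the question or the answer; it assumes the `mail` table from the question (with `id` AUTO_INCREMENT) and the host, user, password and database name from db_connect.php.

```php
<?php
// Added example: the question's insert done with mysqli prepared statements.
// Assumed: table `mail` with AUTO_INCREMENT `id`, credentials from db_connect.php.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // driver errors become exceptions

function insert_mail(mysqli $db, string $fname, string $sname, string $email, string $message): int
{
    // The ? placeholders are sent separately from the statement text, so quotes,
    // commas or comment markers typed into the form are stored as data, never parsed as SQL.
    // That also removes the "syntax near '@gmail.com,...'" class of error from the question.
    $stmt = $db->prepare(
        "INSERT INTO `mail` (`fname`, `sname`, `email`, `message`) VALUES (?, ?, ?, ?)"
    );
    $stmt->bind_param("ssss", $fname, $sname, $email, $message);
    $stmt->execute();
    $id = $stmt->insert_id; // id assigned by AUTO_INCREMENT; nothing to pass for it
    $stmt->close();
    return $id;
}

if (isset($_POST['submit'])) {
    // Validate the e-mail before touching the database; reject bad input rather than "fixing" it.
    $email = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);
    if ($email === false || $email === null) {
        http_response_code(400);
        exit("invalid e-mail address");
    }

    $db = new mysqli('localhost', 'root', '', 'web');
    $db->set_charset('utf8mb4'); // replaces the manual SET NAMES query

    try {
        $id = insert_mail(
            $db,
            (string)($_POST['fname'] ?? ''),
            (string)($_POST['sname'] ?? ''),
            $email,
            (string)($_POST['message'] ?? '')
        );
        echo "success! row id " . $id;
    } catch (mysqli_sql_exception $e) {
        // Keep the driver's message in the server log; the browser gets a generic failure,
        // since mysql_error() output tells a visitor more about the schema than it should.
        error_log($e->getMessage());
        echo "could not save the message";
    }
}
```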