0

Need help here...

I receive an error code saying...

SQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''students' (Lastname, Firstname, Middleinitial, Course, Year, Section, Studentnu' at line 1

By the way, I put an add function in PHP using this code...

$Lastname = $_POST['Lastname'];
$Firstname = $_POST['Firstname'];
$Middleinitial = $_POST['Middleinitial'];
$Course = $_POST['Course'];
$Year = $_POST['Year'];
$Section = $_POST['Section'];
$Studentnumber = $_POST['Studentnumber'];
$Violation = $_POST['Violation'];
$Punishment = $_POST['Punishment'];
$Violationdate = $_POST['Violationdate'];
$Punishmentstartdate = $_POST['Punishmentstartdate'];
$CSlength = $_POST['CSlength'];
$Add = $_POST['add'];

$records = mysql_connect('localhost', 'root', '') or die(mysql_error());

mysql_select_db('records', $records);

$sql = ("INSERT INTO 'students' (Lastname, Firstname, Middleinitial, Course, Year, Section, Studentnumber, Violation, Punishment, Violationdate, Punishmentstartdate, CSlength) VALUES('$Lastname', '$Firstname', '$Middleinitial', '$Course', '$Year', '$Section', '$Studentnumber', '$Violation', '$Punishment', '$Violationdate', '$Punishmentstartdate', '$CSlength')");

$result = mysql_query($sql, $records);

if (!$result) 
die("SQL Error: ".mysql_error());

echo "Success";

Thanks for the answer.... :))

John Conde
Xthiahn29
  • Look into `SQL Injection`, your code is very vulnerable to an attack – TMH Mar 17 '14 at 14:53
  • When you are not sure if a query is working or not, dump the query string into the browser, copy-paste it into the SQL editor and run it in the editor. Easy to debug – Andrew Mar 17 '14 at 14:55
  • Also look into PDO/MySQLi. Prepared statements will make this many variables easy to insert. – Justin E Mar 17 '14 at 14:55
  • @Andrew How can I do that? Can you give me an example? I'd love to finish this project, but I'm stuck here. Thanks – Xthiahn29 Mar 17 '14 at 15:12

4 Answers

2

Get rid of the quotes around students. Either use ticks or nothing at all:

$sql = ("INSERT INTO `students` (Lastname, Firstname, Middleinitial, Course, Year, Section, Studentnumber, Violation, Punishment, Violationdate, Punishmentstartdate, CSlength) VALUES('$Lastname', '$Firstname', '$Middleinitial', '$Course', '$Year', '$Section', '$Studentnumber', '$Violation', '$Punishment', '$Violationdate', '$Punishmentstartdate', '$CSlength')");

FYI, you are wide open to SQL injections.

Community
John Conde
1

Try this

$Lastname = $_POST['Lastname'];
$Firstname = $_POST['Firstname'];
$Middleinitial = $_POST['Middleinitial'];
$Course = $_POST['Course'];
$Year = $_POST['Year'];
$Section = $_POST['Section'];
$Studentnumber = $_POST['Studentnumber'];
$Violation = $_POST['Violation'];
$Punishment = $_POST['Punishment'];
$Violationdate = $_POST['Violationdate'];
$Punishmentstartdate = $_POST['Punishmentstartdate'];
$CSlength = $_POST['CSlength'];
$Add = $_POST['add'];

$records = mysql_connect('localhost', 'root', '') or die(mysql_error());

mysql_select_db('records', $records);

$sql = ("INSERT INTO students (Lastname, Firstname, Middleinitial, Course, Year, Section, Studentnumber, Violation, Punishment, Violationdate, Punishmentstartdate, CSlength) VALUES('$Lastname', '$Firstname', '$Middleinitial', '$Course', '$Year', '$Section', '$Studentnumber', '$Violation', '$Punishment', '$Violationdate', '$Punishmentstartdate', '$CSlength')");

$result = mysql_query($sql, $records);

if (!$result) 
die("SQL Error: ".mysql_error());

echo "Success";

Ramy Khalid
1

You just have to modify your code like this!

$Lastname = $_POST['Lastname'];
$Firstname = $_POST['Firstname'];
$Middleinitial = $_POST['Middleinitial'];
$Course = $_POST['Course'];
$Year = $_POST['Year'];
$Section = $_POST['Section'];
$Studentnumber = $_POST['Studentnumber'];
$Violation = $_POST['Violation'];
$Punishment = $_POST['Punishment'];
$Violationdate = $_POST['Violationdate'];
$Punishmentstartdate = $_POST['Punishmentstartdate'];
$CSlength = $_POST['CSlength'];
$Add = $_POST['add'];

$records = mysql_connect('localhost', 'root', '') or die(mysql_error());

mysql_select_db('records', $records);

$sql = "INSERT INTO students (Lastname, Firstname, Middleinitial, Course, Year, Section, Studentnumber, Violation, Punishment, Violationdate, Punishmentstartdate, CSlength) VALUES('$Lastname', '$Firstname', '$Middleinitial', '$Course', '$Year', '$Section', '$Studentnumber', '$Violation', '$Punishment', '$Violationdate', '$Punishmentstartdate', '$CSlength')";

$result = mysql_query($sql, $records);

if (!$result) 
die("SQL Error: ".mysql_error());

echo "Success";

Code_Crash
0

Remove the brackets around the INSERT statement and put the table and column names inside backticks; change it as below:

$sql = "INSERT INTO `students` (`Lastname`, `Firstname`, `Middleinitial`, `Course`, `Year`, `Section`, `Studentnumber`, `Violation`, `Punishment`, `Violationdate`, `Punishmentstartdate`, `CSlength`) VALUES('$Lastname', '$Firstname', '$Middleinitial', '$Course', '$Year', '$Section', '$Studentnumber', '$Violation', '$Punishment', '$Violationdate', '$Punishmentstartdate', '$CSlength')";

Since your code is very vulnerable to SQL injection, it is better to use MySQL prepared statements. Use the MySQLi or PDO class to achieve it.

Sreejith K
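
The prepared-statement approach that the comments and answers recommend (PDO/MySQLi), shown as an added example that is not part of any post on this page. It assumes PHP 7.4+ with the pdo_sqlite extension: an in-memory SQLite database stands in for the MySQL `records` database so the script runs offline, and the `$post` array is constructed sample input in place of `$_POST`.

```php
<?php
// Added example, not code from the page. In-memory SQLite (via PDO) stands in for
// the MySQL `records` database so this runs offline; for MySQL only the DSN changes.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Column list taken from the question's INSERT statement.
$columns = ['Lastname', 'Firstname', 'Middleinitial', 'Course', 'Year', 'Section',
            'Studentnumber', 'Violation', 'Punishment', 'Violationdate',
            'Punishmentstartdate', 'CSlength'];
$pdo->exec('CREATE TABLE students (' . implode(' TEXT, ', $columns) . ' TEXT)');

// Constructed sample input standing in for $_POST; note the apostrophe in Lastname.
$post = [
    'Lastname' => "O'Brien", 'Firstname' => 'Pat', 'Middleinitial' => 'J',
    'Course' => 'BSIT', 'Year' => '2', 'Section' => 'A',
    'Studentnumber' => '2014-00001', 'Violation' => 'Late', 'Punishment' => 'CS',
    'Violationdate' => '2014-03-17', 'Punishmentstartdate' => '2014-03-18',
    'CSlength' => '4', 'add' => 'Add',   // 'add' is not a column and is never bound
];

// 1) The page's approach: the value is spliced into the SQL text itself.
$interpolated = "INSERT INTO students (Lastname) VALUES ('{$post['Lastname']}')";
try {
    $pdo->exec($interpolated);
    echo "interpolated: ok\n";
} catch (PDOException $e) {
    // The apostrophe ends the string literal early, so the statement no longer parses.
    echo "interpolated: failed (" . $e->getMessage() . ")\n";
}

// 2) Prepared statement: the SQL text is fixed, values travel separately as parameters.
$placeholders = implode(', ', array_map(fn($c) => ":$c", $columns));
$stmt = $pdo->prepare(
    'INSERT INTO students (' . implode(', ', $columns) . ") VALUES ($placeholders)"
);
$params = [];
foreach ($columns as $c) {
    $params[":$c"] = $post[$c] ?? null;   // only the whitelisted columns are bound
}
$stmt->execute($params);

$row = $pdo->query('SELECT Lastname, Studentnumber FROM students')->fetch(PDO::FETCH_ASSOC);
echo "stored: {$row['Lastname']} / {$row['Studentnumber']}\n";
```

When pointing this at MySQL, also set `PDO::ATTR_EMULATE_PREPARES` to `false` so the server performs the parameter binding.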