1

So my code:

```php
$productname = $_GET['productname'];
$productprice = $_GET['productprice'];
$productimage = $_GET['productimage'];
$productcat = $_GET['cat'];

$query = "INSERT INTO $tbl_name ('name, img, price, category') VALUES ('$productname,   $productimage, $productprice, $cat')";

mysql_query($query);
```

$productprice = 1.99, the type on phpMyAdmin is set to decimal (2,2). When the query runs it isn't put in the db. I tried running it as SQL on the db, which returns:

SQL-query:

```sql
INSERT INTO products( name, img, price, category ) 
VALUES (

black pens, 007.jpg, **1.99**, stationary
)
```

MySQL said:

1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'pens, 007.jpg, 19, stationary)' at line 1

Isaac Bennetch
RyanH898
  • phpMyAdmin is not a data base –  May 04 '14 at 21:37
  • Nor is this a Microsoft SQL Server error message. – Isaac Bennetch May 10 '14 at 15:08
  • As @GolezTrol said in the answers, you need to put quotes around your non-numeric data. Also, you are wide open to [**SQL injection**](https://www.owasp.org/index.php/SQL_Injection). Please [don't use `mysql_*`](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php?rq=1); the `mysql_*` functions are outdated, [deprecated](http://us3.php.net/manual/en/intro.mysql.php), and insecure. Use [`MySQLi`](http://us3.php.net/manual/en/book.mysqli.php) or [`PDO`](http://us3.php.net/manual/en/intro.pdo.php) instead, and use prepared statements to address the injection risk. – elixenide May 10 '14 at 15:13

2 Answers

1

The problem is in the string data before it. It should be quoted:

```sql
INSERT INTO products( name, img, price, category ) 
VALUES (

  'black pens', '007.jpg', 1.99, 'stationary'
)
```
GolezTrol
  • Worked a treat! Just had to incorporate the quotes into my php code around variables, thank you! – RyanH898 May 04 '14 at 20:57
  • You're welcome. :) One more general piece of advice: You now use `mysql` functions. If you switch to `mysqli` or `PDO`, you can use parameters. Once you get the hang of it, you can make queries like this safer and easier. For instance, you can insert values that have quotes in them without breaking your query. See: http://www.rudivisser.com/Article/tutorials/when-to-use-mysql-vs-mysqli-vs-pdo-in-php – GolezTrol May 04 '14 at 21:02
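
The parameterized form suggested in the comments above, as an added example that is not part of the original thread. It assumes PDO with an in-memory SQLite database standing in for MySQL so it runs offline; `insertProduct`, `ALLOWED_TABLES` and the sample input are hypothetical names and constructed values.

```php
<?php
// Added example: parameterized version of the INSERT from the question.
// Assumption: SQLite in memory replaces MySQL; for MySQL only the DSN changes,
// e.g. new PDO('mysql:host=...;dbname=...;charset=utf8mb4', $user, $pass).
declare(strict_types=1);

const ALLOWED_TABLES = ['products'];   // identifiers cannot be bound, so allow-list them

function insertProduct(PDO $pdo, string $table, array $in): int
{
    if (!in_array($table, ALLOWED_TABLES, true)) {
        throw new InvalidArgumentException('unknown table');
    }
    // Validate the price as a plain decimal with up to two fraction digits.
    if (!preg_match('/^\d{1,4}(\.\d{1,2})?$/', (string)($in['productprice'] ?? ''))) {
        throw new InvalidArgumentException('invalid price');
    }
    $stmt = $pdo->prepare(
        "INSERT INTO $table (name, img, price, category)
         VALUES (:name, :img, :price, :category)"
    );
    // Values travel separately from the SQL text: no manual quoting or escaping.
    $stmt->execute([
        ':name'     => (string)($in['productname'] ?? ''),
        ':img'      => (string)($in['productimage'] ?? ''),
        ':price'    => $in['productprice'],
        ':category' => (string)($in['cat'] ?? ''),
    ]);
    return (int)$pdo->lastInsertId();
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// MySQL's DECIMAL(2,2) from the question tops out at 0.99, so a wider column is used here.
$pdo->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, img TEXT,
            price DECIMAL(6,2), category TEXT)');

// Constructed sample input standing in for $_GET.
$samples = [
    ['productname' => 'black pens', 'productimage' => '007.jpg', 'productprice' => '1.99', 'cat' => 'stationary'],
    ['productname' => 'artist\'s "fine" pens', 'productimage' => '008.jpg', 'productprice' => '2.50', 'cat' => 'stationary'],
];
foreach ($samples as $s) {
    insertProduct($pdo, 'products', $s);
}
foreach ($pdo->query('SELECT name, price FROM products') as $row) {
    printf("%s | %s\n", $row['name'], $row['price']);
}
```

The second sample row contains both quote characters and is stored unchanged, which is the case that breaks the string-built query.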
0

Remove the single quotes from your query

```php
$query = "INSERT INTO $tbl_name (name, img, price, category) VALUES ($productname, $productimage, $productprice, $cat)";
```
defiant91
  • This didn't work, I had to add single quotes around all the variables bar the price, thanks anyways! – RyanH898 May 04 '14 at 20:56