-2

I am receiving the following error:

Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '','ax@yahoo.com','132344545','y8khoob5')' at line 3

Here is my code:

```php
<?php
if (!isset($_POST['submit'])) {
    $link = mysql_connect("localhost","root","");
    if (!$link)
    {
        die('Could not connect: ' . mysql_error());
    }
    mysql_select_db("sh", $link);
    function createRandomPassword() {
        $chars = "abcdefghijkmnopqrstuvwxyz023456789";
        srand((double)microtime()*1000000);
        $i = 0;
        $pass = '' ;
        while ($i <= 7) {
            $num = rand() % 33;
            $tmp = substr($chars, $num, 1);
            $pass = $pass . $tmp;
            $i++;
        }
        return $pass;
    }
    $confirmation = createRandomPassword();
    $datein = $_POST['start'];
    $dateout = $_POST['end'];
    $name = $_POST['name'];
    $address = $_POST['address'];;
    $email = $_POST['email'];
    $contact = $_POST['contact'];
    $status= 'Active';


    $sql="INSERT INTO reservation (datein, dateout, name, address, email, contact, confirmation)
VALUES
('$datein','$dateout','$name',$address','$email','$contact','$confirmation')";
    mysql_query("INSERT INTO resinvent (datein, dateout, confirmation, status) VALUES ('$datein','$dateout','$confirmation','$status')");

    if (!mysql_query($sql,$link))
    {
        die('Error: ' . mysql_error());
    }

}
mysql_close($link)
?>
```
Funk Forty Niner
Mi Ra
  • 1
    **WARNING**: This is terrifyingly insecure because those parameters are not [properly escaped](http://bobby-tables.com/php). You should **NEVER** put `$_POST` data directly into the query: it creates a gigantic [SQL injection bug](http://bobby-tables.com/). `mysql_query` is an obsolete interface and should not be used, it's being removed from PHP. A modern replacement like [PDO is not hard to learn](http://net.tutsplus.com/tutorials/php/why-you-should-be-using-phps-pdo-for-database-access/). A guide like [PHP The Right Way](http://www.phptherightway.com/) explains best practices. – tadman Dec 09 '14 at 17:04

1 Answer

4

You're missing a quote for $address'

in

```php
VALUES ('$datein','$dateout','$name', $address',
                                     ^ right there
```

so do:

```php
VALUES ('$datein','$dateout','$name','$address',
```

Community
Funk Forty Niner
  • Ohh yeahh.. I was missing that code. Thank you very much.. I took a few hours to find out the error and didn't see that.. :) And thanks for the suggestion. – Mi Ra Dec 09 '14 at 16:58
  • 1
    Okay @Rizier123, but it takes a few min to tick it. Thanks for the reminder :) – Mi Ra Dec 09 '14 at 17:04
  • 1
    @MiRa While you're waiting these minutes you could take a tour here: http://stackoverflow.com/tour if you want ;D It's very short, but good! – Rizier123 Dec 09 '14 at 17:08
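
The answer restores the missing quote and tadman's comment points to PDO. As an added example (not code from the question or the answer), here are the same two inserts written with PDO placeholders, so there is no quoting to get wrong and the `$_POST` values never become part of the SQL text. It assumes PHP 7+ with `pdo_sqlite` and uses an in-memory SQLite database in place of the MySQL `sh` database so it runs offline; `createConfirmationCode` and `saveReservation` are names chosen for this example.

```php
<?php
// Added example. Assumption: in-memory SQLite stands in for the MySQL "sh" database
// so this runs offline; for MySQL only the DSN passed to new PDO() changes.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE reservation (datein TEXT, dateout TEXT, name TEXT, address TEXT,
    email TEXT, contact TEXT, confirmation TEXT)');
$pdo->exec('CREATE TABLE resinvent (datein TEXT, dateout TEXT, confirmation TEXT, status TEXT)');

// Confirmation code drawn from the CSPRNG (random_int, PHP 7+) rather than srand()/rand().
function createConfirmationCode(int $length = 8): string
{
    $chars = 'abcdefghijkmnopqrstuvwxyz023456789';
    $code = '';
    for ($i = 0; $i < $length; $i++) {
        $code .= $chars[random_int(0, strlen($chars) - 1)];
    }
    return $code;
}

// Both inserts bind values through placeholders and share one transaction,
// so a failed reservation insert does not leave a stray resinvent row behind.
function saveReservation(PDO $pdo, array $form): string
{
    $confirmation = createConfirmationCode();
    $pdo->beginTransaction();
    try {
        $res = $pdo->prepare('INSERT INTO reservation
            (datein, dateout, name, address, email, contact, confirmation)
            VALUES (?, ?, ?, ?, ?, ?, ?)');
        $res->execute([$form['start'], $form['end'], $form['name'], $form['address'],
            $form['email'], $form['contact'], $confirmation]);
        $inv = $pdo->prepare('INSERT INTO resinvent (datein, dateout, confirmation, status)
            VALUES (?, ?, ?, ?)');
        $inv->execute([$form['start'], $form['end'], $confirmation, 'Active']);
        $pdo->commit();
    } catch (Throwable $e) {
        $pdo->rollBack();
        throw $e;
    }
    return $confirmation;
}

// Constructed input standing in for $_POST; name and address contain quotes on purpose.
$form = ['start' => '2014-12-10', 'end' => '2014-12-12', 'name' => "O'Brien",
    'address' => "Flat 2, 'Rose Cottage'", 'email' => 'guest@example.com', 'contact' => '5550100'];
$code = saveReservation($pdo, $form);
$row = $pdo->query('SELECT name, address FROM reservation')->fetch(PDO::FETCH_ASSOC);
var_dump($row['address'] === $form['address'], strlen($code));
```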