PHP insert into not inserting any data

Question

I have a php statement to insert a bit of information into my mySQL database. the connection works perfectly. The problem I am having is I am getting the following error code:

Error: INSERT INTO tasks ('taskName', 'requestedBy', 'details', 'dateAdded') VALUES ('test1' ,'test3' ,'test3', 2015-01-05') You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''taskName', 'requestedBy', 'details', 'dateAdded') VALUES ('test1' ,'test3' ,'te' at line 1

the function is as follows

if(isset($_POST["submitTask"])){
    insertTask();
};

function insertTask(){
    $servername = "localhost";
    $username = "tasktrack";
    $password = "";
    $dbname = "tasktrack";

// Create connection
$conn = mysqli_connect($servername, $username, $password, $dbname);
// Check connection
if (!$conn) {
    die("Connection failed: " . mysqli_connect_error());
}

$taskname = $_POST["task_name"];
$requestedby= $_POST["requested_by"];
$details = $_POST["details"];
$datenow = date("Y-m-d");

$sql = "INSERT INTO tasks ('taskName', 'requestedBy', 'details', 'dateAdded') VALUES ('$taskname' ,'$requestedby' ,'$details', $datenow')";

if (mysqli_query($conn, $sql)) {
    echo "New record created successfully";
} else {
    echo "Error: " . $sql . "<br>" . mysqli_error($conn);
}

mysqli_close($conn);
};

I have tried multiple different solution with the $sql line as seen below

$sql = "INSERT INTO tasks ('taskName', 'requestedBy', 'details', 'dateAdded') VALUES ('$taskname' ,'$requestedby' ,'$details', $datenow')";

$sql = "INSERT INTO tasks (taskName, requestedBy, details, dateAdded) VALUES ($taskname ,$requestedb ,$details, $datenow)";

$sql = "INSERT INTO tasks (`taskName`, `requestedBy`, `details`, `dateAdded`) VALUES (`$taskname` ,`$requestedb` ,`$details`, `$datenow`)";

Now I am just stuck and can't think of any more things to try.

All your 3 attempts are wrong. The first one, just remove the quotes for the columns and you will be jumping with joy ;-) and missing quote for `$datenow'` in the first. — Funk Forty Niner, Jan 05 '15 at 16:05
You need backticks for the column- and table names (if any...) and straight single or double quotes for the values. And you should escape your values or use a prepared statement to avoid sql injection. — jeroen, Jan 05 '15 at 16:06
Backticks are for table and field names. Single (or double) quotes are for string values. — gen_Eric, Jan 05 '15 at 16:06
Your code is vulnerable to SQL injections; you should read on [how to prevent them in PHP](http://stackoverflow.com/q/60174/53114). — Gumbo, Jan 05 '15 at 16:07
Also based on your code example you are currently missing a ' around `$datenow`. I see `$datenow'` — Diemuzi, Jan 05 '15 at 16:08
Just for clarification: ` - backtick, ' - single-quote. And you should really do something about those sql injections, remember little Bobby Tables, http://xkcd.com/327/ — VolkerK, Jan 05 '15 at 16:09

score 2 · Accepted Answer · answered Jan 05 '15 at 16:07

2

$sql = "INSERT INTO tasks (taskName, requestedBy, details, dateAdded) VALUES ('$taskname' ,'$requestedby' ,'$details', '$datenow')";

// Removed quotes from columns, and added missing quote on datenow

Please note, this technique for adding values into the database is very insecure, and is prone to SQL injection attacks.

answered Jan 05 '15 at 16:07

Blake

308
3
11

not asking about the vulnerability because it will only ever be on my laptop locally as it is a personal system. I have tried this previously too – Kieranmv95 Jan 05 '15 at 16:09
Blargh, when everything happens within 30 seconds of each other, duplicates happen. – Blake Jan 05 '15 at 16:09
@Kieranmv95 That's not important; you will break your own query whenever you insert for example a text containing a `'` character. – jeroen Jan 05 '15 at 16:10
I know these things already, and it will probably be fixed at a later dateas i onyl started this half hour ago XD anyway it did work the fix thankyou, will accept in 8 minutes – Kieranmv95 Jan 05 '15 at 16:11
2

@Blake Well, it turned out okay in the end :-) – jeroen Jan 05 '15 at 16:13

score 0 · Answer 2 · answered Jan 05 '15 at 16:19

You must not enclose the field names in apostrophes or quotes. Either enclose them in back quotes (`) or use them as they are.

$sql = "INSERT INTO tasks (`taskName`, `requestedBy`, `details`, `dateAdded`) VALUES ('$taskname' ,'$requestedby' ,'$details', '$datenow')";

or

$sql = "INSERT INTO tasks (taskName, requestedBy, details, dateAdded) VALUES ('$taskname' ,'$requestedby' ,'$details', '$datenow')";

However, if the field name is a MySQL keyword or if it contains spaces, quotes, commas, parenthesis, operators or other characters that have special meaning in SQL then you have to enclose them in back quotes or MySQL will report a syntax error at the special character.

PHP insert into not inserting any data

2 Answers2