You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax

Question

I make page as follows:

   <?php
   $host="localhost";
   $user="root";
   $password="";
   $database="student";
   $link= mysqli_connect($host,$user,$password,$database);

  if(isset($_POST['btnsave']))
 {
  $reg=$_POST['reg'];
  $name=$_POST['name'];
  $trade=$_POST['trade'];
  $college=$_POST['college'];
  $query="CALL insert($reg,'$name','$trade',$college)";

  $res=  mysqli_query($link,$query);
  if(mysqli_affected_rows($link)==1)
  {
      echo 'Data Saved';
  }
  else
  {
      print_r(mysqli_error($link));
  }

  }
  ?>


  <html>
  <head>
    <meta charset="UTF-8">
    <title></title>
   </head>
   <body>
    <form name="form" action="stored_procedure.php" method="post">
    <table border="2">
        <tr>
            <td>Reg No</td>
            <td><input type="text" name="reg">
        </tr>
        <tr>
            <td>Name</td>
            <td><input type="text" name="name"></td>
        </tr>
        <tr>
            <td>Trade</td>
            <td><input type="text" name="trade">
        </tr>
        <tr>
            <td>College</td>
            <td><input type="text" name="college"/></td>
        </tr>
        <tr>
            <td colspan="2">
                <input type="submit" name="btnsave" value="Save"/>
                <input type="submit" name="btnupdate" value="Update"/>
                <input type="submit" name="btndel" value="Delete"/>
            </td>
        </tr>
    </table>
    </form>
    </body>
   </html>

Then create procedure like this:

begin
insert student1 values(reg,name,trade,college);
end

After submitting the form it gives the following error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near
'insert(6546,'dffgd','teredr',432)' at line 1

I do everything but unable to fix this, please help me with this error.

[Oh god the sql injection.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) — Alexis King, Jan 25 '15 at 18:44
Does the stored procedure work outside your php page? Have you tested it? And as @AlexisKing writes, your page is wide open to sql injection... — mlinth, Jan 25 '15 at 18:46
@jeroen Thnxxxx so much buddy. i change the procedure name now it is working. thanks so so much. :) — Davinder kumar, Jan 25 '15 at 18:48
Then you can use reserved words, have spaces in your table- and column names, etc. But that doesn't really improve your sql so you'd better not use it as it only makes things more confusing. — jeroen, Jan 25 '15 at 18:55
Davinder, you are going to fix the SQL injection, right? You can expect to get hacked as it stands. — halfer, Jan 25 '15 at 19:31
Hey,yeah right i use storage procedure for prevent sql injection ,can sql injection be occured now ?.....whats d solution — Davinder kumar, Jan 25 '15 at 19:58

score 1 · Accepted Answer · answered Feb 10 '15 at 19:47

1

you have used stored procedure name as "insert" which an reserved keyword for mysql, try using any another name of procedure.

example: $query="CALL myprocedure($reg,'$name','$trade',$college)";

answered Feb 10 '15 at 19:47

Mohit

776
7
13

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax

1 Answers1