1

I got this error. Please help, I'm new to this stuff: "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''orderlist' (branch, date, pname, description, quantity) VALUES ('Harrison', '0' at line 1"

This is my code

<?php
$host = "localhost";
$username = "root";
$password = "";
$dbname = "posharrison";

mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$dbname")or die("cannot select DB");

$branch=$_POST['branch'];
$mydate=$_POST['mydate'];
$product=$_POST['product'];
$description=$_POST['description'];
$quantity=$_POST['quantity'];

$sql = "INSERT INTO 'orderlist' (branch, date, pname, description, quantity)
VALUES ('$branch', '$mydate', '$product', '$description', '$quantity')";
$result=mysql_query($sql);

if($result){
echo "Successful";
}

else {
echo "ERROR!!".die(mysql_error());
}
?> 
<?php 
// close connection 
mysql_close();
?>

And this is my PHP code

<!-- ################ -->
                        <div id="desktop">
                            <form action="order_submit.php" method="POST" name="myform">

                                    Branch: <input type="text" name="branch" value="Harrison" size="10" readonly><br><br>
                                    Date Today: <input type="text" name="mydate" size="10" readonly><br><br>
                                                <script type="text/javascript">
                                                <!-- //
                                                document.forms['myform'].elements['mydate'].value = (new Date()).toUSAdate();
                                                // -->
                                                </script>
                                    <div id="prod1">
                                        Select Product:
                                        <select name="product">
                                            <option value="choose">----------</option>
                                            <option value="desktop">Desktop</option>
                                            <option value="monitor">Monitor</option>
                                            <option value="laptop">Laptop</option>
                                            <option value="parts">Parts</option>
                                        </select>
                                    </div>

                                    <div id="prod">

                                    <div class="desktop box" style="display:none">
                                    &nbsp;&nbsp;Select Item:
                                    <select name="description">
                                            <option>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA</option>
                                            <option>Dell corei7 2500 1gRAM 80gHDD COMBO</option>
                                            <option>Green</option>
                                            <option>Blue</option>
                                    </select>
                                    &nbsp;Quantity:&nbsp;<input type="text" name="quantity" size="8">
                                    </div>

                                    <div class="monitor box" style="display:none">
                                    &nbsp;&nbsp;Select Item:
                                    <select name="description">
                                            <option>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA</option>
                                            <option>monitor</option>
                                            <option>Green</option>
                                            <option>Blue</option>
                                    </select>
                                    &nbsp;Quantity:&nbsp;<input type="text" name="quantity" size="8">
                                    </div>

                                    <div class="laptop box" style="display:none">
                                    &nbsp;&nbsp;Select Item:
                                    <select name="description">
                                            <option>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA</option>
                                            <option>laptop</option>
                                            <option>Green</option>
                                            <option>Blue</option>
                                    </select>
                                    &nbsp;Quantity:&nbsp;<input type="text" name="quantity" size="8">
                                    </div>  
                                    <div class="parts box" style="display:none">
                                    &nbsp;&nbsp;Select Item:
                                    <select name="description">
                                            <option>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA</option>
                                            <option>parts</option>
                                            <option>Green</option>
                                            <option>Blue</option>
                                    </select>
                                    &nbsp;Quantity:&nbsp;<input type="text" name="quantity" size="8">
                                    </div>                                  
                                    </div>

                                <input type="submit" value="Add Order" id="button">
                            </form>
                        </div>                      
                        <!-- ############### -->
ozz

2 Answers

0

Your query should be like this (not tested):

$sql = "INSERT INTO orderlist (branch, date, pname, description, quantity)
VALUES ('".$branch."', '".$mydate."', '".$product."', '".$description."', '".$quantity."')";
$result=mysql_query($sql);
Nikul
0

Try the code below for the insert query.

$sql = "INSERT INTO orderlist (branch, date, pname, description, quantity)
VALUES ('".addslashes($branch)."', '".addslashes($mydate)."', '".addslashes($product)."', '".addslashes($description)."', '".addslashes($quantity)."')";
$result=mysql_query($sql);

Thanks

Jigar Patel
  • The function `addslashes()` is not thought to be an ideal defence against SQL injection, since it is not connection-aware in the way `mysql_real_escape_string()` is. I believe it is possible to craft a multi-byte string that can get around `addslashes()`. Of course, it would be much better for the OP to use parameter binding instead - it's much safer than either of the above! – halfer Mar 24 '15 at 07:21
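
The parameter binding suggested in the comment above, shown for this form's fields as an added example that is not part of the original thread. The helper names, the in-memory SQLite database standing in for MySQL, and the sample form values are assumptions made so that the script runs without a server; the product allow-list is taken from the form's option values.

```php
<?php
// Added example, not code from the thread.
const ALLOWED_PRODUCTS = ['desktop', 'monitor', 'laptop', 'parts']; // the form's <option> values

function validate_order(array $post): array
{
    foreach (['branch', 'mydate', 'product', 'description', 'quantity'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            throw new InvalidArgumentException("Missing or malformed field: $field");
        }
    }
    if (!in_array($post['product'], ALLOWED_PRODUCTS, true)) {
        throw new InvalidArgumentException('Unknown product');
    }
    $quantity = filter_var($post['quantity'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($quantity === false) {
        throw new InvalidArgumentException('Quantity must be a positive integer');
    }
    return [':branch' => $post['branch'], ':mydate' => $post['mydate'], ':product' => $post['product'],
            ':description' => $post['description'], ':quantity' => $quantity];
}

function insert_order(PDO $pdo, array $post): void
{
    // MySQL identifiers take backticks or no quotes; 'orderlist' in single quotes is a string literal.
    $stmt = $pdo->prepare(
        'INSERT INTO `orderlist` (branch, `date`, pname, description, quantity)
         VALUES (:branch, :mydate, :product, :description, :quantity)'
    );
    $stmt->execute(validate_order($post)); // values are bound parameters, not concatenated into the SQL
}

// Demo. Assumption: in-memory SQLite stands in for the MySQL database so this runs without a server.
// For MySQL use new PDO('mysql:host=localhost;dbname=posharrison;charset=utf8mb4', $user, $pass).
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE orderlist (branch TEXT, date TEXT, pname TEXT, description TEXT, quantity INTEGER)');

// Constructed form input; the quotes in the description would break the string-built query.
$post = ['branch' => 'Harrison', 'mydate' => '3/24/2015', 'product' => 'desktop',
         'description' => 'Dell 19" stand, "as-is" (customer\'s request)', 'quantity' => '2'];
insert_order($pdo, $post);
print_r($pdo->query('SELECT * FROM orderlist')->fetchAll(PDO::FETCH_ASSOC));

try {
    insert_order($pdo, ['quantity' => 'two'] + $post); // constructed invalid input
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```

With the MySQL driver, setting `PDO::ATTR_EMULATE_PREPARES` to `false` makes PDO use server-side prepared statements, and the `charset` in the DSN keeps the connection encoding explicit.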