1

I would like to know how I can save a dropdown select value to a database. I am receiving an error that says "Invalid Input: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near." By the time I implemented a Gender DropDown.

Here's the Code

if (empty($_POST['Gender'])) {
    $Gender = '';
    $flag = 1;
} else {
    $Gender = $_POST['Gender'];
}

And the Select:

<select id="Gender" name="Gender" class="input-xlarge">
    <option>Select Gender</option>
    <option value="Male">Male</option>
    <option value="Female">Female</option>
</select>

Input:

$sql = " INSERT INTO User(FirstName, LastName, Gender, UserName, Password, reEnterPassword, EmailAdd, reEnterEmailAdd)
VALUES ('$FirstName', '$LastName', '$Gender', $UserName', '$EPassword', '$EreEnterPassword', '$EmailAdd', '$reEnterEmailAdd'); ";
googlelord

3 Answers

1

You missed a single quote near $UserName.

Try this:

$sql = " INSERT INTO User(FirstName, LastName, Gender, UserName, Password, reEnterPassword, EmailAdd, reEnterEmailAdd)
VALUES ('$FirstName', '$LastName', '$Gender', '$UserName', '$EPassword', '$EreEnterPassword', '$EmailAdd', '$reEnterEmailAdd'); ";
Ayyanar G
0

The problem is in the way your php mysql select statement is formed:

$sql = " INSERT INTO User(FirstName)
VALUES ('$FirstName', '$LastName'); ";

Either remove the single quotes from all variable names within double quotes.

Or use single quotes at the beginning and surround your variables like this:

' . $FirstName . '

This will do the trick:

$sql = ' INSERT INTO User(FirstName, LastName, Gender, UserName, Password, reEnterPassword, EmailAdd, reEnterEmailAdd)
VALUES ('.$FirstName.', '.$LastName.', '.$Gender.', '.$UserName.', '.$EPassword.', '.$EreEnterPassword.', '.$EmailAdd.', '.$reEnterEmailAdd.')';

Also look into this answer: Single quotes or double quotes for variable concatenation?

P.S. Your application is totally vulnerable to SQL injection. You should look into how to sanitize user input.

helloworld
  • "..using double quotes to define the sentence, and then you are using single quotes in the variables (for example: '$FirstName') the problem is that in this way php will not recognise $FirstName as a variable, rather it will treat it as a string" : False. $FirstName will be recognized as a variable because you have the whole sentence in double quotes. – Artemide Innominato Apr 13 '15 at 07:39
  • @ArtemideInnominato it will not recognise '$FirstName' as a variable. – helloworld Apr 13 '15 at 12:38
  • @helloworld I'm having the same problem again, on another page. I don't know what's causing it. Invalid Input: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Cruz, 0935 400 7214, brcruz@banawesports.com, Wash, Meguia Wax)' at line 2 INSERT INTO Supplier(name, cnum, email, service, prod) VALUES (Bryan Cruz, 0935 400 7214, brcruz@banawesports.com, Wash, Meguia Wax) $sql = ' INSERT INTO Supplier(name, cnum, email, service, prod) VALUES ('.$name.', '.$cnum.', '.$email.', '.$service.', '.$prod.')'; – googlelord Apr 13 '15 at 18:36
  • @googlelord could you open a question with further details about the problem. Then paste a link here so I can check it, if I can do anything I will gladly help – helloworld Apr 13 '15 at 18:40
  • @googlelord maybe you could try setting the variables like this: " '. $variablename . ' " the mysql parser may need the data to be enclosed in double quotes, let me know if that was the problem – helloworld Apr 13 '15 at 18:42
  • That did save. I was reading through the link you posted. Thank you so much. – googlelord Apr 13 '15 at 18:52
  • @helloworld Please read here http://stackoverflow.com/questions/14980939/php-single-quotes-within-the-double-quote and as you can deduce reading it, the use of a php variable in a single quotes all put in a double quoted string let the php variable to be used as a string variable and not as a string. – Artemide Innominato Apr 14 '15 at 04:15
  • @ArtemideInnominato looks like you are right. I will edit the answer. – helloworld Apr 14 '15 at 15:13
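
The quoting errors in this thread and the SQL injection risk raised in the P.S. have the same cause: submitted values are pasted into the SQL text. The following is an added example, not code from any poster on this page, that inserts the same kind of form data with a PDO prepared statement and re-checks the dropdown value on the server. The in-memory SQLite database (requires the pdo_sqlite extension), the reduced column list and the sample input are assumptions made so it runs without a MySQL server.

```php
<?php
// Added example with constructed input. In-memory SQLite keeps it self-contained;
// for MySQL only the DSN changes, e.g. new PDO('mysql:host=...;dbname=...', $user, $pass).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE User (FirstName TEXT, LastName TEXT, Gender TEXT, UserName TEXT)');

// Constructed form submission; the apostrophe is ordinary user data.
$post = ['FirstName' => 'Bryan', 'LastName' => "O'Brien", 'Gender' => 'Male', 'UserName' => 'bob'];

// The dropdown only limits what a browser offers; the server must re-check the value.
$allowedGenders = ['Male', 'Female'];
if (!in_array($post['Gender'] ?? '', $allowedGenders, true)) {
    exit("Invalid Gender value\n");
}

// 1) Interpolated query as in the question (quote fixed): user data becomes SQL text.
$sql = "INSERT INTO User (FirstName, LastName, Gender, UserName)
        VALUES ('{$post['FirstName']}', '{$post['LastName']}', '{$post['Gender']}', '{$post['UserName']}')";
try {
    $pdo->exec($sql);
    echo "interpolated: inserted\n";
} catch (PDOException $e) {
    // The apostrophe in O'Brien ends the string literal early, so parsing fails.
    echo "interpolated: ", $e->getMessage(), "\n";
}

// 2) Prepared statement: placeholders in the SQL, values bound separately.
$stmt = $pdo->prepare(
    'INSERT INTO User (FirstName, LastName, Gender, UserName)
     VALUES (:first, :last, :gender, :user)'
);
$stmt->execute([
    ':first'  => $post['FirstName'],
    ':last'   => $post['LastName'],
    ':gender' => $post['Gender'],
    ':user'   => $post['UserName'],
]);

// The row is stored exactly as submitted, apostrophe included.
foreach ($pdo->query('SELECT LastName, Gender FROM User') as $row) {
    echo "prepared: {$row['LastName']} / {$row['Gender']}\n";
}
```

With bound parameters the driver never parses the values as SQL, so no manual quoting or concatenation is needed for any column.
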
0
$sql = " INSERT INTO User(FirstName, LastName, Gender, UserName, Password, reEnterPassword, EmailAdd, reEnterEmailAdd)
VALUES ('$FirstName', '$LastName', '$Gender', '$UserName', '$EPassword', '$EreEnterPassword', '$EmailAdd', '$reEnterEmailAdd')";

1) Single Quote Missing Before $UserName,

2) Remove Semicolon After Round Brace Finish,

3) Try To Use "." Concatenation Operator So You Can Get Perfect Variable Name, Like ( ' . $FirstName . ', ' . $LastName . ', ' . $Gender . ' And So On )

Punit