Invalid query: You have an error in your SQL syntax

Question

<?php
mysql_connect("mysql6.000webhost.com","a6124751_murali1","***");
$db= mysql_select_db("a6124751_signup");
$topic=$_GET["Topic"];
$question=$_GET["Question"];
$company =$_GET["Company"];
$query = "INSERT INTO questions (topic, question, company) VALUES ($topic, $question, $company)";
$sql1=mysql_query($query);
if (!$sql1) {
 die('Invalid query: ' . mysql_error());
}
?>

this is my php code in server where there is a table named 'questions' and i am trying to insert the data into it from the input got from the GET method using form at front end, i can figure out that data is coming properly from the client which i have checked using echo. I am getting an error as

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'name, type your question here, company)' at line 1

Don't know what is the error in the query. anyone find it out asap. thank you

Bad idea running an unsanitized query from request variables! — Wes Foster, Jul 22 '15 at 05:13

score 5 · Accepted Answer · edited May 23 '17 at 11:53

5

You need to quote your values

('$topic', '$question', '$company')

since those are strings.

Plus, you should escape your data for a few reasons. Not let MySQL complain about certain characters such as hyphens etc., and to protect against SQL injection.

Use prepared statements:

https://en.wikipedia.org/wiki/Prepared_statement

Reference(s):

Edit:

As an example using your present MySQL API:

$topic    = mysql_real_escape_string($_GET['topic']);
$question = mysql_real_escape_string($_GET['question']);
$company  = mysql_real_escape_string($_GET['company']);

I don't know what your inputs are called, so that's just an example.

You mentioned about using $_GET for debugging but using a POST method.

Change all $_GET to $_POST above.

edited May 23 '17 at 11:53

Community

1
1

answered Jul 22 '15 at 05:13

Funk Forty Niner

74,450
15
68
141

yes, i should hide the data, but for debugging i am using GET method. is there any other way to let me know what data is going if i use post method – murali kurapati Jul 22 '15 at 05:16
@MuraliKrish if you're using a POST method, then change all `$_GET` to `$_POST`. – Funk Forty Niner Jul 22 '15 at 05:20
@DaveChen Thanks for the input Dave. Edit: You deleted your comment. – Funk Forty Niner Jul 22 '15 at 05:29
thank you i understood , you mean to say about sql injection. – murali kurapati Jul 22 '15 at 05:32
@MuraliKrish an alternate method is `$_REQUEST` which handles both GET and POST at the same time, but it's best using the same method as the form's method you're using. edit: you're welcome. – Funk Forty Niner Jul 22 '15 at 05:33

score 1 · Answer 2 · answered Jul 22 '15 at 05:21

Try this

<?php
$db = mysqli_connect('mysql6.000webhost.com', 'a6124751_murali1', 'default@123', 'a6124751_signup');

if (!$db) {
    die('Connect Error (' . mysqli_connect_errno() . ') '
            . mysqli_connect_error());
}

$topic = $_GET["Topic"];
$question = $_GET["Question"];
$company = $_GET["Company"];

$query = "INSERT INTO questions (topic, question, company) VALUES ('$topic', '$question', '$company')";
$sql1=mysqli_query($db, $query);
if(!$sql1)
{
    die('Invalid query: ' . mysqli_error($db));
}
?>

Fixes in your code

The mysql extension is deprecated and will be removed in the future: use mysqli or PDO instead
You need to quote your values ('$topic', '$question', '$company')

score 0 · Answer 3 · answered Jul 22 '15 at 05:14

You have to put the values in single qoutes, if that are char types:

$query = "INSERT INTO questions (topic, question, company) VALUES ('$topic', '$question', '$company')";

But you should not longer use the deprecated mysql_*API. Use mysqli_* or PDO with prepared statements.

Invalid query: You have an error in your SQL syntax

3 Answers3