Insert record PHP/PDO throwing error

Question

I'm trying to build a simple PHP record insert only I can't seem to get it to work, it keeps saying that I have an error in my syntax.

This isn't going to be on a live production server, this is for internal (my use) only so injection/attacks are not a concern.

Code:

<?php
$servername = "server";
$username = "un";
$password = "p";
$dbname = "db";

$title = $_POST['title'];
$firstname = $_POST['firstname'];
$surname = $_POST['surname'];
$gender = $_POST['gender'];
$address = $_POST['address'];
$dob = $_POST['dob'];
$evetelephone = $_POST['eve-telephone'];
$daytelephone = $_POST['day-telephone'];
$occupation = $_POST['occupation'];
$email = $_POST['email'];
$hearabout = $_POST['hear-about'];
$consent = $_POST['consent'];
$readrules = $_POST['readrules'];
$injury = $_POST['injury'];
$questions = $_POST['questions'];
$gymrisk = $_POST['gymrisk'];
$rules  = $_POST['rules'];
$remove = $_POST['remove'];
$fullname = $_POST['fullname'];
$signature = 'test';/*$_POST['signature'];*/

try {
    $conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
    // set the PDO error mode to exception
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $sql = "INSERT INTO o18-reg (id, title, first_name, surname, gender, addr, dob, eve_tel, day_tel, occupation, email_addr, how_heard, over_18, rules, injury, questions, gym_risk, agree_rules, right_remove, full_name, signature)
    VALUES ($title, $firstname, $surname, $gender, $address, $dob, $evetelephone, $daytelephone, $occupation, $email, $hearabout, $consent, $readrules, $injury, $questions, $gymrisk, $rules, $remove, $fullname, $signature)";
    // use exec() because no results are returned
    $conn->exec($sql);
    echo "New record created successfully";
} catch(PDOException $e) {
   echo $sql . "<br>" . $e->getMessage();
}

$conn = null;

?>

Error:

INSERT INTO o18-reg (id, title, first_name, surname, gender, addr, dob, eve_tel, day_tel, occupation, email_addr, how_heard, over_18, rules, injury, questions, gym_risk, agree_rules, right_remove, full_name, signature) VALUES (Mr, Liam, Gallagher, Male, 5 Street, 25/11/1990, 0883821953, 032714821953, designer, email@gmail.com, google told me, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Liam Gallagher, test) SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-reg (id, title, first_name, surname, gender, addr, dob, eve_tel, day_tel, occup' at line 1

you haven't quoted **ANY** of your values, and you are WIDE OPEN to [sql injection attacks](http://bobby-tables.com), and your table name is illegal. it's `o18 MINUS reg`, since you haven't quoted it with backticks — Marc B, Sep 01 '15 at 21:39
@MarcB Just a sidenote that my answer wasn't based on your comment. I was typing it up at the same time. — Funk Forty Niner, Sep 01 '15 at 21:45
I made an edit to my answer Liam, about the number of columns and values. Reload it to see that change. — Funk Forty Niner, Sep 01 '15 at 22:00

Funk Forty Niner · Accepted Answer · 2015-09-01T22:05:42.200

Firstly, that table name with the hyphen; MySQL figures you want to do math here.

$sql = "INSERT INTO o18-reg

Which translates to o18 minus reg

so wrap it in ticks

$sql = "INSERT INTO `o18-reg` ...

or rename it to be an underscore.

Then you'll be faced with another problem, the VALUES. You have what seems to be strings, so you'll need to quote those.

I.e.

VALUES ('$title', '$firstname', '$surname' ...

and do the same for the rest of the strings.

Then you're faced with an SQL injection.

Use a prepared statement:

Edit:

I just noticed, you have 21 columns, but using 20 variables without making the necessary adjustement to compensate. You would have received an additional error about columns do not match, something to the effect of:

Fatal error: Uncaught exception 'PDOException' with message. Insert value list does not match column list: 1136 Column count doesn't match value count at row 1

If id is an AI, you will need to make a slight adjustment in your query, by adding '' in:

VALUES ('', '$title', '$firstname' ...

If there is a variable set aside for it (which doesn't seem to be present in your posted code), then add it. However, if the id column is an AI, then use the '' above.

An insight:

Make sure that your form does use a POST method and that all inputs bear the name attributes, and with no typos.

They seem to be populating correctly, but this is also for future visitors to the question.

Add error reporting to the top of your file(s) which will help find errors.

<?php 
error_reporting(E_ALL);
ini_set('display_errors', 1);

// rest of your code

Sidenote: Displaying errors should only be done in staging, and never production.

Additionally, underscore (`_`) is typically the word separator one uses for table and column names. You should also keep them all lowercase. — prodigitalson, Sep 01 '15 at 21:43

Insert record PHP/PDO throwing error

1 Answers1