What is with this MySQL syntax error?

Question

I have been through my 5.1.73 MySQL manual and I just can't find the syntax error that MySQL is giving me when I try to POST/GET something:

mysqli_query($connect,'INSERT INTO serial (name, company, algo, country, notes) VALUES ('.$_GET['name'].','.$_GET['company'].','.$_GET['algo'].','.$_GET['country'].','.$_GET['notes'].')');

MySQL Error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'FCINGZ000***,Unknown,Thanks)' at line 1

Please post the error message and search for SQL Injection. You're probably missing quite a few single-quotes (`'`) around your string values. — ccKep, Apr 06 '16 at 23:02
@ccKep You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'FCINGZ000***,Unknown,Thanks)' at line 1 — Kirsty, Apr 06 '16 at 23:03
Using a prepared statement will fix this (you are missing quotes around the string values) it will also fix the huge SQL Injection vulnerability you have, See [How can I prevent SQL-injection in PHP?](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) — Alex K., Apr 06 '16 at 23:06
As an aside, be aware that serial is considered a keyword in MySQL- though it's not reserved as such. — Strawberry, Apr 06 '16 at 23:10

Panda · Answer 1 · 2016-04-06T23:10:45.090

0

You should assign the $_GET values to a variable to prevent syntax errors. Also, prevent MySQL Injection using mysqli_real_escape_string().

$name = mysqli_real_escape_string($connect, $_GET['name']);
$company = mysqli_real_escape_string($connect, $_GET['company']);
$algo = mysqli_real_escape_string($connect, $_GET['algo']);
$country = mysqli_real_escape_string($connect, $_GET['country']);
$notes = mysqli_real_escape_string($connect, $_GET['notes']);

mysqli_query($connect, "INSERT INTO serial (name, company, algo, country, notes) VALUES ('$name', '$company', '$algo', '$country', '$notes')");

edited Apr 06 '16 at 23:10

answered Apr 06 '16 at 23:06

Panda

6,955
6
40
55

Hey, thanks for the reply but with that I get a PHP parse error. – Kirsty Apr 06 '16 at 23:10
Whoops I forgot to paste it in!:) PHP Parse error: syntax error, unexpected T_VARIABLE in /var/www/html/SN/postdata.php on line 11 – Kirsty Apr 06 '16 at 23:10
@Kirsty Updated post, it should work now – Panda Apr 06 '16 at 23:11
This doesn't prevent injection. See prepared statements – Strawberry Apr 06 '16 at 23:14
Use a prepared statement, its what they are for. – Alex K. Apr 06 '16 at 23:14

What is with this MySQL syntax error?

1 Answers1