
As I was testing this form data entry I had no issues. When I tried adding more complex text, with numeric and non-alphabetic characters, in the textarea that is picked up by `$post_content = $_POST['post_content'];`, I'm met with this error:

QUERY FAILED: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near

My code is as follows:

```php
<?php
    if (isset($_POST['create_post'])){

        $post_title = $_POST['title'];
        $post_author = $_POST['author'];
        $post_category_id = $_POST['post_category_id'];
        $post_status = $_POST['post_status'];
        $post_image = $_FILES['image']['name'];
        $post_image_temp = $_FILES['image']['tmp_name'];
        $post_tag = $_POST['post_tag'];
        $post_content = $_POST['post_content'];
        $post_date = date('d-m-y');
        $post_comment_count = 4;

        move_uploaded_file($post_image_temp, "../images/$post_image");

        $query = "INSERT INTO posts (post_category_id, post_title, post_author, post_date, post_image, post_content, post_tag, post_comment_count, post_status) ";

        $query .= "VALUES ({$post_category_id},'{$post_title}','{$post_author}',now(),'{$post_image}','{$post_content}','{$post_tag}','{$post_comment_count}','{$post_status}' ) ";

        $create_post_query = mysqli_query($connection, $query);
        checkQuery($create_post_query);
    }
?>
<form action="" method="post" enctype="multipart/form-data">
    <div class="form-group">
        <label for="title">Post Title</label>
        <input type="text" class="form-control" name="title">
    </div>
    <div class="form-group">
        <label for="post_category_id">Post Category Id</label>
        <input type="text" class="form-control" name="post_category_id" placeholder="Please enter a number">
    </div>
    <div class="form-group">
        <label for="author">Post Author</label>
        <input type="text" class="form-control" name="author">
    </div>
    <div class="form-group">
        <label for="post_status">Post Status</label>
        <input type="text" class="form-control" name="post_status">
    </div>
    <div class="form-group">
        <label for="image">Post Image</label>
        <input type="file" name="image">
    </div>
    <div class="form-group">
        <label for="post_tag">Post Tags</label>
        <input type="text" class="form-control" name="post_tag">
    </div>
    <div class="form-group">
        <label for="post_content">Post Content</label>
        <textarea class="form-control" name="post_content" id="" cols="30" rows="10"></textarea>
    </div>
    <div class="form-group">
        <input class="btn btn-primary" type="submit" name="create_post" value="Publish Post">
    </div>
</form>
```

I attempted using `mysqli_real_escape_string` in combination with my `$post_content = $_POST['post_content'];` and had no success, which leads me to think my query syntax is off. Any help will be greatly appreciated.

Comments:

  • You should be using prepared and bound queries. It is much easier to succeed on a query such as this and you won't have to worry about SQL injection. – Rasclatt Apr 13 '16 at 04:55
  • Echo your query and check what it returns!! – Saty Apr 13 '16 at 05:00
  • You are wide open to [**SQL injection**](https://www.owasp.org/index.php/SQL_Injection). You are running into errors because you are breaking your own script. As @Rasclatt said, you should be using prepared statements. – elixenide Apr 13 '16 at 05:02
  • Near what query failed? – Ognj3n Apr 13 '16 at 05:02
  • For debugging the syntax problem with the query, echo or printf the SQL text (the contents of `$query`) before you attempt to execute it. Take the SQL text over to another client and test it. The code shown here is *vulnerable* to *SQL Injection*. Use prepared statements with bind placeholders. Don't incorporate potentially unsafe values into the SQL text. [https://www.owasp.org/index.php/SQL_Injection](https://www.owasp.org/index.php/SQL_Injection) – spencer7593 Apr 13 '16 at 05:04

1 Answer


Try this query; your query is incorrect:

```php
$query = "INSERT INTO posts (post_category_id, post_title, post_author, post_date, post_image, post_content, post_tag, post_comment_count, post_status) ";

$query .= "VALUES ({$post_category_id},'{$post_title}','{$post_author}','".date('Y-m-d')."','{$post_image}','{$post_content}','{$post_tag}','{$post_comment_count}','{$post_status}' ) ";
```
– Maulik
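The prepared-statement version that Rasclatt, elixenide and spencer7593 recommend in the comments, as an added example that is not part of the question or the answer. It assumes `$connection` is an open mysqli handle and the `posts` table from the question; the quotes and semicolons in `post_content` that broke the string-built query are sent as bound data and are never parsed as SQL.

```php
<?php
// Added example: the question's INSERT rewritten with mysqli_prepare and bound parameters.
// Assumes $connection is an open mysqli handle and the posts table from the question.
if (isset($_POST['create_post'])) {
    // Keep only the basename so a crafted file name cannot carry path separators.
    $post_image = basename($_FILES['image']['name']);
    move_uploaded_file($_FILES['image']['tmp_name'], "../images/$post_image");

    // One '?' per value; post_date still comes from NOW() on the server side.
    $sql = "INSERT INTO posts (post_category_id, post_title, post_author, post_date, post_image,
                               post_content, post_tag, post_comment_count, post_status)
            VALUES (?, ?, ?, NOW(), ?, ?, ?, ?, ?)";

    $stmt = mysqli_prepare($connection, $sql);
    if ($stmt === false) {
        // A failure here is a real syntax problem in the SQL text, not in the user's data.
        die('PREPARE FAILED: ' . mysqli_error($connection));
    }

    // bind_param takes variables by reference, so copy the inputs into locals first.
    $post_category_id   = (int) $_POST['post_category_id'];
    $post_title         = $_POST['title'];
    $post_author        = $_POST['author'];
    $post_content       = $_POST['post_content'];   // free text; quotes are just data now
    $post_tag           = $_POST['post_tag'];
    $post_comment_count = 4;
    $post_status        = $_POST['post_status'];

    // Type string: i = integer, s = string; one character per placeholder, in order.
    mysqli_stmt_bind_param(
        $stmt, 'isssssis',
        $post_category_id, $post_title, $post_author, $post_image,
        $post_content, $post_tag, $post_comment_count, $post_status
    );

    if (!mysqli_stmt_execute($stmt)) {
        die('QUERY FAILED: ' . mysqli_stmt_error($stmt));
    }
    mysqli_stmt_close($stmt);
}
```

Because the SQL text is fixed at prepare time, the "error in your SQL syntax" message from the question cannot be triggered by anything typed into the textarea.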