-3

I am writing the following code:

```php
$query_upload="INSERT INTO sipat ('visit','date','meeting_detail','issues','details2','school','toilets','photo','water','connection','contract','news','currentdate') VALUS ('$visit','$date','$meeting_detail','$issues','$details2',$school,$toilets,$photo,$water,$connection,$contract,'$news','$currdate' )";

mysql_query($query_upload) or die("error in query == ----> ".mysql_error());
```

But I am getting this error:

```
error in query == ----> You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''visit','date','meeting_detail','issues','details2','school','toilets','photo','' at line 1
```

chris85
  • 2
    [When to use single quotes, double quotes, and backticks?](http://stackoverflow.com/questions/11321491/when-to-use-single-quotes-double-quotes-and-backticks#11321508) – Lukasz Szozda May 11 '16 at 15:51
  • 1
    [Little Bobby](http://bobby-tables.com/) says [your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard May 11 '16 at 15:52
  • 3
    Please [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard May 11 '16 at 15:52
  • 1
    Quotes are for strings, use backticks. This is `mysql` or `sql-server`? – chris85 May 11 '16 at 15:53

1 Answer

0

That's due to the single quotes '' around every field name. You can either use `` or just remove the quotes.

```php
// Backticks quote the column names; single quotes are only for the string values.
$query_upload = "INSERT INTO sipat (`visit`,`date`,`meeting_detail`,`issues`,`details2`,`school`,`toilets`,`photo`,`water`,`connection`,`contract`,`news`,`currentdate`) VALUES ('".$visit."','".$date."','".$meeting_detail."','".$issues."','".$details2."','".$school."', '".$toilets."', '".$photo."', '".$water."', '".$connection."', '".$contract."', '".$news."', '".$currdate."' )";
```
Indrasis Datta
  • Given the second field name is a reserved word, and the last treads very close to a keyword, I'd recommend the ``. – Uueerdo May 11 '16 at 16:44
  • @Uueerdo `date` isn't reserved, only the `(R)`, are reserved. http://dev.mysql.com/doc/refman/5.7/en/keywords.html – chris85 May 11 '16 at 19:38
  • @chris85 you are right, I got them backwards. Either way, it is usually good practice to stay away from either. – Uueerdo May 11 '16 at 19:41
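
An added example, not part of the question, the answer or the comments: the same INSERT with backtick-quoted column names and a PDO prepared statement, which is what the comments under the question recommend. The function name, DSN, credentials and sample values are placeholders constructed for illustration; only the table and column names come from the question.

```php
<?php
// Added example. Column names are from the question; everything else is a placeholder.
const SIPAT_COLUMNS = ['visit', 'date', 'meeting_detail', 'issues', 'details2', 'school',
    'toilets', 'photo', 'water', 'connection', 'contract', 'news', 'currentdate'];

// Hypothetical helper: inserts one row and returns the number of rows written.
function insertSipatRow(PDO $pdo, array $row): int
{
    // Reject missing or unexpected keys so only the fixed column list reaches the SQL text.
    $missing = array_diff(SIPAT_COLUMNS, array_keys($row));
    $extra   = array_diff(array_keys($row), SIPAT_COLUMNS);
    if ($missing || $extra) {
        throw new InvalidArgumentException('Row keys must match the sipat columns exactly');
    }

    // Backticks quote identifiers; a named placeholder stands in for every value.
    $names        = '`' . implode('`,`', SIPAT_COLUMNS) . '`';
    $placeholders = ':' . implode(',:', SIPAT_COLUMNS);
    $stmt = $pdo->prepare("INSERT INTO `sipat` ($names) VALUES ($placeholders)");

    $stmt->execute($row); // values travel separately from the SQL text
    return $stmt->rowCount();
}

// Constructed sample input; the apostrophe would break the concatenated query.
$row = [
    'visit' => '1', 'date' => '2016-05-11', 'meeting_detail' => "Head teacher's office",
    'issues' => 'none', 'details2' => 'follow-up planned', 'school' => 12,
    'toilets' => 4, 'photo' => 1, 'water' => 1, 'connection' => 0, 'contract' => 1,
    'news' => 'n/a', 'currentdate' => date('Y-m-d'),
];

try {
    $pdo = new PDO(
        'mysql:host=localhost;dbname=example_db;charset=utf8mb4', // placeholder DSN
        'example_user',                                            // placeholder user
        'example_password',                                        // placeholder password
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
    );
    echo insertSipatRow($pdo, $row), " row inserted\n";
} catch (PDOException $e) {
    // Log the database error server-side instead of sending it to the client with die().
    error_log('sipat insert failed: ' . $e->getMessage());
    http_response_code(500);
}
```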