0

I am trying to insert a record from my form into a database, but after I click submit it shows me the error "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax". Please help me.

<?php
include('data_conn.php');

if (isset($_POST['subm'])) {

    $email = mysql_real_escape_string($_POST['email']);
    $query = "SELECT * FROM login WHERE email='$email'";
    $result = mysql_query($query) or die(mysql_error());

    if (mysql_num_rows($result)) {
        echo '<script language="javascript">';
        echo 'alert("Email is Already Exist...."); location.href="signup.php"';
        echo '</script>';
    }
    else {
        $f_name = $_POST['f_name'];
        $c_name = $_POST['c_name'];
        $c_add = $_POST['c_add'];
        $mob = $_POST['mob'];
        $email = $_POST['email'];
        $password = $_POST['password'];

        $query = "INSERT INTO login (first_name,company_name,company_add,mob,email,password) VALUES ('$f_name,'$c_name','$c_add','$mob','$email','$password')";

        $result = mysql_query($query) or die(mysql_error());

        if ($result == 1) {
            echo '<script language="javascript">';
            echo 'alert("successfully registered!!!"); location.href="signup.php"';
            echo '</script>';
        }
        else {
            echo '<script language="javascript">';
            echo 'alert("Something Went Wrong!!! :("); location.href="signup.php"';
            echo '</script>';
        }
    }
}
?>
Rkboss
  • mysql_* functions are obsolete and have been removed from PHP 7. You should use a more modern library such as mysqli or PDO – GordonM Jul 13 '16 at 09:35

3 Answers

1

Change the below line

$query = "INSERT INTO login (first_name,company_name,company_add,mob,email,password) VALUES ('$f_name,'$c_name','$c_add','$mob','$email','$password')";

To this

$query = "INSERT INTO login (first_name,company_name,company_add,mob,email,password) VALUES ('$f_name','$c_name','$c_add','$mob','$email','$password')";

The issue is that you added only one ' to the variable $f_name. Just make it '$f_name' and it will work.

Arun
0

Instead of substituting values directly, you could use the methods below to avoid SQL injection.

You basically have two options to achieve this:

1) Using PDO (for any supported database driver):

$stmt = $pdo->prepare('SELECT * FROM employees WHERE name = :name');

$stmt->execute(array('name' => $name));

foreach ($stmt as $row) {
    // do something with $row
}

2) Using MySQLi (for MySQL):

$stmt = $dbConnection->prepare('SELECT * FROM employees WHERE name = ?');
$stmt->bind_param('s', $name);

$stmt->execute();

$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
    // do something with $row
}

Please refer to "How can I prevent SQL injection in PHP?"

Community
Tamil
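The prepared-statement approach from the answer above, applied to the signup flow in the question, as an added example that is not code from the question or from any answer. It assumes an in-memory SQLite database as a stand-in for the MySQL connection in data_conn.php, a hypothetical helper named register_user, and a constructed array in place of $_POST.

```php
<?php
// Added example. SQLite in memory stands in for the MySQL connection so the
// script runs on its own; with MySQL only the DSN and credentials change.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Constructed schema using the column names from the question. The UNIQUE
// index on email rejects duplicates even if two requests race past the check.
$pdo->exec('CREATE TABLE login (first_name TEXT, company_name TEXT,
            company_add TEXT, mob TEXT, email TEXT UNIQUE, password TEXT)');

// Hypothetical helper: returns 'exists' or 'registered'.
function register_user(PDO $pdo, array $post): string
{
    // Values travel as bound parameters, never as part of the SQL text,
    // so a stray or missing quote can neither break nor alter the query.
    $check = $pdo->prepare('SELECT 1 FROM login WHERE email = :email');
    $check->execute(['email' => $post['email']]);
    if ($check->fetchColumn() !== false) {
        return 'exists';
    }

    $insert = $pdo->prepare(
        'INSERT INTO login (first_name, company_name, company_add, mob, email, password)
         VALUES (:f_name, :c_name, :c_add, :mob, :email, :password)'
    );
    $insert->execute([
        'f_name'   => $post['f_name'],
        'c_name'   => $post['c_name'],
        'c_add'    => $post['c_add'],
        'mob'      => $post['mob'],
        'email'    => $post['email'],
        // Store a salted hash rather than the plain-text password.
        'password' => password_hash($post['password'], PASSWORD_DEFAULT),
    ]);
    return 'registered';
}

// Constructed sample input in place of $_POST. The apostrophe in the name is
// the kind of value that breaks the string-built INSERT from the question.
$sample = [
    'f_name' => "O'Brien", 'c_name' => 'Example Ltd', 'c_add' => '1 Test Street',
    'mob' => '5550100', 'email' => 'user@example.com', 'password' => 'correct horse',
];
echo register_user($pdo, $sample), "\n"; // first call inserts the row
echo register_user($pdo, $sample), "\n"; // second call finds the email
```

On MySQL the password column needs room for the hash; the PHP manual recommends 255 characters for PASSWORD_DEFAULT.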
0

Syntax error.
Try:

$query = "INSERT INTO login (first_name,company_name,company_add,mob,email,password) VALUES ('$f_name','$c_name','$c_add','$mob','$email','$password')";

instead of:

$query = "INSERT INTO login (first_name,company_name,company_add,mob,email,password) VALUES ('$f_name,'$c_name','$c_add','$mob','$email','$password')";

Missing single quotes in '$f_name'.

Chonchol Mahmud