I am trying to write data into a MySQL table but continue to get an 'HTTP error 500' page when I click submit. I don't think it has anything to do with the form, but here is the code I'm using:

<form method="post" enctype="multipart/form-data" action="rma.php">
    <p>
    Start Date:<br />
    <input type="date" name="datecomp"><br /><br />
    <select name="action">
      <option value="record">Record New Entry</option>
      <option value="search">Search for Existing</option>
    </select><br />
    <br />
    Status:<br />
    <select name="status">
      <option value="Complete">Complete</option>
      <option value="Follow Up">Follow Up</option>
    </select><br />
    Last Name/Last 4:</br>
    <input type="text" name="nameLast4" placeholder="last name, last 4 digits of social"></br>
    Device/s:</br>
    <input type="text" name="device" placeholder="(multiple separated by commas)"></br>
    Device Serial Number/s:</br>
    <input type="tel" name="serial" placeholder="..."></br>
    New Serial Number:</br>
    <input type="text" name="newser" placeholder="..."><br /><br />
    Flagged:</br>
    <input type="radio" name="flag" value="yes">&nbspYes&nbsp<input type="radio" name="flag" value="no">&nbspNo&nbsp</br><br />
    Warranty Expired:</br>
    <input type="radio" name="warranty" value="yes">&nbspYes&nbsp<input type="radio" name="warranty" value="no">&nbspNo&nbsp</br><br />
    Date Returned to Vendor:</br>
    <input type="date" name="returnDate"><br /><br />
    UPS Tracking:<br />
    <input type="tel" name="ups" placeholder="..."></br><br />
    RMA Form Upload:
    <input type="file" name="fileToUpload" id="fileToUpload"><br /><br />
    RMA Number:<br />
    <input type="text" name="RMA_#" placeholder="..."><br />
    <br />
    Date Completed:<br />
    <input type="date" name="datecomp"><br /><br />
    E.T.A. (If Available):<br />
    <input type="date" name="eta"><br /><br />
    Initials<br />
    <input type="text" name="init"><br />

    <textarea name="notes" cols="30" rows="5" placeholder="Optional Notes..."></textarea>
    </br>

    <input type="submit" name="submit" value="Submit">&nbsp<input type="reset" value="Clear Form">&nbsp
    </p>
</form>

And then the PHP....

<?php
$action = $_POST['action'];
$status = $_POST['status'];
$name = $_POST['nameLast4'];
$dev = $_POST['device'];
$serial = $_POST['serial'];
$rmanum = $_POST['RMA_#'];
$flag = $_POST['flag'];
$ups = $_POST['ups'];
$warr = $_POST['warranty'];
$returndate = $_POST['returnDate'];
$newser = $_POST['newser'];
$eta = $_POST['eta'];
$rmaform = $_POST['fileToUpload'];
$datestart = $_POST['startdate'];
$datecomp = $_POST['datecomp'];
$init = $_POST['init'];
$comments = $_POST['notes'];


$servername = "localhost";
$username = "kylezeio_admin";
$password = "********";
$dbname = "kylezeio_RMA";

$conn = new mysqli($servername, $username, $password, $dbname);
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
} 
if ($action === "record"){
$sql = "INSERT INTO `kylezeio_RMA`.`RMA Records` (`ID`, `Complete/Follow up`, `Name/Last4`, `Device`, `Serial Number`, `RMA Number`, `Flagged`, `UPS Tracking`, `Warranty Expired`, `Date Returned`, `New Serial Number`, `E.T.A. (if available)`, `Date Completed`, `Date Started`, `Initials`, `Comments`) VALUES (NULL, $status, $name, $dev, $serial, $rmanum, $flag, $ups, $warr, $returndate, $newser, $eta, $datecomp, $datestart, $init, $comments);";
}
if ($conn->query($sql) === TRUE) {
    echo "New record created successfully";
} else {
    echo "Error: " . $sql . "<br>" . $conn->error;
}

$conn->close();        

?>

You can also view the page @ http://kylejoeckel.com/RMA%20Form.html

Thanks in advance...

EDIT:

I was missing a semicolon, so I believe that is why I got the 500 error. Now I am getting this:

Error: INSERT INTO kylezeio_RMA.RMA Records (ID, Complete/Follow up, Name/Last4, Device, Serial Number, RMA Number, Flagged, UPS Tracking, Warranty Expired, Date Returned, New Serial Number, E.T.A. (if available), Date Completed, Date Started, Initials, Comments) VALUES (NULL, Complete, joeckel,9999, cmdr, 589437609287, l654651, yes, 1z8e983756987, no, 2016-11-21, 356928679, 2016-11-17, 2016-11-08, , hg, test); You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ' hg, test)' at line 1

but I don't know what syntax error it would be referring to.

Kyle Joeckel
  • Do you really have column names in your table with slashes and spaces in them? – markdwhite Dec 01 '16 at 03:37
  • Yes I do... I'm new to using MySQL and databases in general, is that not typically accepted? – Kyle Joeckel Dec 01 '16 at 03:39
  • Recommended to avoid that, eg: http://stackoverflow.com/questions/7899200/is-there-a-naming-convention-for-mysql – markdwhite Dec 01 '16 at 03:41
  • OK, thanks, but this isn't what is causing my error, is it? – Kyle Joeckel Dec 01 '16 at 03:44
  • I bet you get the 500 error even without sending your form to that php page. Try submitting it into whatever void instead, like a blank html page, so you can check that off the debug list. What's happening in your `.htaccess`, a more likely culprit? – Markus AO Dec 01 '16 at 03:45
  • BTW what you have there is wide open for SQL injections. Consider using prepared statements, or at the very least `mysqli_real_escape_string()` all your user input. – Markus AO Dec 01 '16 at 03:48
  • @KyleMathewJoeckel - honestly, difficult to tell because your code is naive - see other comments with advice and make it easy on yourself and others by writing clean code when you can. To solve, dump $sql and try running the generated query in phpMyAdmin or whatever and see if the error message helps you more. – markdwhite Dec 01 '16 at 03:50
  • Your syntax error is with all those unquoted strings, you need to quote strings that go into a SQL statement. – Markus AO Dec 01 '16 at 03:51
  • Strings must be quoted to work. Values (whether strings or not) must be parameterized to be secure. – WEBjuju Dec 01 '16 at 03:51
  • You really should read this one before using any of your code in a production environment, "How can I prevent SQL injection in PHP?": http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php – Markus AO Dec 01 '16 at 03:52
  • OK, that makes sense, thanks @MarkusAO – Kyle Joeckel Dec 01 '16 at 04:11
  • Your strings need quotes, here `$status, $name, $dev, $serial, $rmanum, $flag, $ups, $warr, $returndate, $newser, $eta, $datecomp, $datestart, $init, $comments`. Use parameterized queries so you also close your SQL injection. To see the exact cause of the 500, check your error logs. – chris85 Dec 01 '16 at 04:25

1 Answer

To give you an exact answer I would need to see your table create statement. But let's give it a go anyways. You're simply missing quotes around strings.

Give this a try.

// Every value is wrapped in single quotes; NULL for the ID stays unquoted.
$sql = "INSERT INTO `kylezeio_RMA`.`RMA Records` (`ID`, `Complete/Follow up`, `Name/Last4`, `Device`, `Serial Number`, `RMA Number`, `Flagged`, `UPS Tracking`, `Warranty Expired`, `Date Returned`, `New Serial Number`, `E.T.A. (if available)`, `Date Completed`, `Date Started`, `Initials`, `Comments`) 
VALUES 
(NULL, '$status', '$name', '$dev', '$serial', '$rmanum', '$flag', '$ups', '$warr', '$returndate', '$newser', '$eta', '$datecomp', '$datestart', '$init', '$comments');";
chris85
Jack Daniels
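
The comments on the question recommend prepared statements. As an added example (not code from the question or the answer), this is the same INSERT written with mysqli placeholders, using the column and form field names shown in the question. The credentials are placeholders, and it assumes `ID` is auto-increment and that the other columns accept NULL for a blank field.

```php
<?php
// Added example, not the poster's code. Column and form field names come from
// the question; the credentials below are placeholders.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on any DB error

// Form field => column, in INSERT order. ID is left to the database
// (assumed AUTO_INCREMENT).
const RMA_FIELDS = [
    'status'     => 'Complete/Follow up',
    'nameLast4'  => 'Name/Last4',
    'device'     => 'Device',
    'serial'     => 'Serial Number',
    'RMA_#'      => 'RMA Number',
    'flag'       => 'Flagged',
    'ups'        => 'UPS Tracking',
    'warranty'   => 'Warranty Expired',
    'returnDate' => 'Date Returned',
    'newser'     => 'New Serial Number',
    'eta'        => 'E.T.A. (if available)',
    'datecomp'   => 'Date Completed',
    'startdate'  => 'Date Started',
    'init'       => 'Initials',
    'notes'      => 'Comments',
];

function insertRmaRecord(mysqli $conn, array $post): int
{
    // Identifiers come only from the fixed map above, never from the request.
    $columns = '`' . implode('`, `', RMA_FIELDS) . '`';
    $marks   = implode(', ', array_fill(0, count(RMA_FIELDS), '?'));
    $stmt    = $conn->prepare("INSERT INTO `RMA Records` ($columns) VALUES ($marks)");

    $values = [];
    foreach (array_keys(RMA_FIELDS) as $field) {
        $value = trim((string) ($post[$field] ?? ''));
        // Assumption: columns are nullable, so a blank field is stored as NULL.
        $values[] = ($value === '') ? null : $value;
    }
    // Values travel separately from the SQL text, so quotes or commas in the
    // input (e.g. "joeckel,9999") cannot change the statement.
    $stmt->bind_param(str_repeat('s', count($values)), ...$values);
    $stmt->execute();
    return (int) $conn->insert_id;
}

if (($_POST['action'] ?? '') === 'record') {
    $conn = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASSWORD_PLACEHOLDER', 'kylezeio_RMA');
    $conn->set_charset('utf8mb4');
    echo 'New record created, ID ' . insertRmaRecord($conn, $_POST);
}
```

Unlike the original script, this does not echo the SQL text or `$conn->error` to the browser; with `display_errors` off, a failed insert raises an exception that goes to the server error log.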