I am trying to INSERT students' answers into a table online_exam_marks whose structure is: [image]

I took the $_POST values and stored them in different variables like $a, $b, ... and $stu_id = $_SESSION["id"]; then performed a query:

    $sql = "INSERT INTO online_exam_marks (stu_id , 1, 2, 3, 4, 5, 6, 7, 8, 9, 10) VALUES ( '$stu_id' ,'$a', '$b','$c','$d','$e','$f','$g','$h','$i','$j')";
    if(mysqli_query($con,$sql))
    {
        render("success.php");  
    }
    else echo "error"; 

When this is executed, it always prints error. Please help.

Sean
AshrafNmd
  • Welcome to Stack Overflow. We need to see more code to determine your issue. – StackSlave Dec 08 '16 at 04:13
  • You also are open to SQL injections, use parameterized queries. See http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1. – chris85 Dec 08 '16 at 04:26
  • I don't understand how "Are you allowed to use numbers as table names in MySQL?" is a dupe. But we do need more info. – OGHaza Dec 08 '16 at 04:50
  • @OGHaza look at the accepted answer for the dup - http://stackoverflow.com/a/676452/689579 *Identifiers may begin with a digit but unless quoted may not consist solely of digits.* Since column names are *Identifiers*, the OP needs to quote the column names that consist solely of digits, i.e. `1`,`2`,`3`,... If they are not quoted, then MySQL will interpret them as number values, not column names. – Sean Dec 08 '16 at 05:08
  • @Sean ah got it – OGHaza Dec 08 '16 at 05:11
  • I changed col_names to `1`,`2`.. It worked. Thank you very much guys – AshrafNmd Dec 08 '16 at 06:19
  • Can't we avoid SQL injection using htmlspecialchars(), stripslashes(), trim() on the input data? – AshrafNmd Dec 08 '16 at 06:23
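
Added example, not part of the original thread: the question's INSERT written as a mysqli prepared statement, combining the backtick-quoted all-digit column names from Sean's comment with the parameterized query chris85 recommends. The helper names, the sample answers, and the assumption that the answer columns accept NULL are illustrative; bound values are sent separately from the SQL text, so a quote inside an answer is stored as data without any htmlspecialchars(), stripslashes() or trim() pass.

```php
<?php
// Added example: parameterized form of the INSERT from the question.
// Assumes the page's table online_exam_marks (stu_id, `1`..`10`) and an open
// mysqli connection like the question's $con.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of returning false

const QUESTION_COUNT = 10;

/** Build the statement text: identifiers are fixed and quoted, values are placeholders. */
function build_insert_sql(int $count = QUESTION_COUNT): string
{
    $cols = ['`stu_id`'];
    for ($n = 1; $n <= $count; $n++) {
        $cols[] = '`' . $n . '`';   // all-digit column names must be backtick-quoted
    }
    $marks = implode(', ', array_fill(0, count($cols), '?'));
    return 'INSERT INTO `online_exam_marks` (' . implode(', ', $cols) . ") VALUES ($marks)";
}

/** Hypothetical helper: store one student's answers; $answers is keyed 1..10. */
function save_answers(mysqli $con, int $stuId, array $answers): void
{
    $values = [];
    for ($n = 1; $n <= QUESTION_COUNT; $n++) {
        // Unanswered questions become NULL (assumes nullable columns).
        // No escaping or HTML encoding is applied to the answers.
        $values[] = isset($answers[$n]) ? (string) $answers[$n] : null;
    }
    $stmt = $con->prepare(build_insert_sql());
    // One integer, then ten strings; the server never parses these as SQL.
    $stmt->bind_param('i' . str_repeat('s', QUESTION_COUNT), $stuId, ...$values);
    $stmt->execute();
    $stmt->close();
}

// Constructed sample input: the quote in answer 2 is plain data to a placeholder.
$sample = [1 => 'b', 2 => "it's c"];
echo build_insert_sql(), PHP_EOL;
// With a live connection: save_answers($con, (int) $_SESSION['id'], $sample);
```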
