I am trying to connect to an internal database through PHP. However, it gives me an error when trying to insert something, which looks like this:

Error: INSERT INTO id329521_server1.us (name, eml, pwd, fct, mon) VALUES (username, emailadress@gmail.com, 123, NULL, '100')
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '@gmail.com, 123, NULL, '100')' at line 1

My code looks like this:

        $name = $_POST["name"];
        $email = $_POST["email"];
        $pwd = $_POST["pwd"];

        $servername = "localhost";
        $username = "genericUsername";
        $password = "genericPassword";
        $dbname = "genericDBName";

        // Create connection
        if (!function_exists('mysqli_init') && !extension_loaded('mysqli')) {
            echo 'We don\'t have mysqli!!!';
        } else {
            $conn = new mysqli($servername, $username, $password, $dbname);
            // Check connection
            if ($conn->connect_error) {
                die("Connection failed: " . $conn->connect_error);
            } 
            echo "Connected successfully";

            $sql = "INSERT INTO genericTableName (name, eml, pwd, fct, mon) VALUES ($name, $email, $pwd, NULL, '100')";
            if ($conn->query($sql) === TRUE) {
                echo "New record created successfully";
            } else {
                echo "Error: " . $sql . "<br>" . $conn->error;
            }
        }
froehlichA

  • You're not quoting your insert values as strings. If you used prepared statements this would not be a problem. `VALUES ('$name', '$email', '$pwd',` – Jay Blanchard Dec 12 '16 at 20:26
  • You have to put strings in quotation marks! In this case, put the email in "". – Freeman Dec 12 '16 at 20:27
  • The colour coding above gives you a good idea where one issue is. –  Dec 12 '16 at 20:27
  • **Never store plain text passwords!** Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). Make sure you ***[don't escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Dec 12 '16 at 20:28
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! [Don't believe it?](http://stackoverflow.com/q/38297105/1011527) – Jay Blanchard Dec 12 '16 at 20:28
  • `$password = "genericPassword;` that's throwing off syntax highlighting if that isn't your real code; missing a quote. – Funk Forty Niner Dec 12 '16 at 20:29
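The comments above point at two separate problems in the posted code: the values are interpolated into the SQL text unquoted (so the `@` in the e-mail address is parsed as SQL, which is the syntax error shown), and the password is stored as submitted. The following is an added example, not the asker's code or an answer from the thread, showing the same INSERT written with a mysqli prepared statement and `password_hash()`, plus the matching login check with `password_verify()`. It assumes the question's table and column names (`genericTableName` with `name, eml, pwd, fct, mon`), keeps the `NULL` and `'100'` the original query inserts, and uses placeholder credentials; the function names `connectDb`, `insertUser` and `verifyLogin` are mine.

```php
<?php
// Added example (not the asker's code): prepared statements send the query
// shape and the values separately, so no quoting is needed and user input
// cannot change the SQL; the password is hashed before it is stored.
declare(strict_types=1);

function connectDb(): mysqli
{
    // Throw mysqli_sql_exception on any error rather than returning false.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    // Placeholder credentials, as in the question; replace with your own.
    return new mysqli("localhost", "genericUsername", "genericPassword", "genericDBName");
}

/**
 * Insert one user row and return its auto-increment id.
 * $fct defaults to null and $mon to '100' to mirror the original INSERT.
 */
function insertUser(
    mysqli $conn,
    string $name,
    string $email,
    string $plainPassword,
    ?string $fct = null,
    string $mon = '100'
): int {
    if ($name === '' || $plainPassword === '') {
        throw new InvalidArgumentException("Name and password must not be empty");
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException("Invalid e-mail address");
    }

    // Hash the raw password; do not escape or trim it first (see the comments).
    $hash = password_hash($plainPassword, PASSWORD_DEFAULT);

    // ? placeholders instead of "$name, $email, ...": an address such as
    // emailadress@gmail.com, or a value containing quotes, is just data here.
    $stmt = $conn->prepare(
        "INSERT INTO genericTableName (name, eml, pwd, fct, mon) VALUES (?, ?, ?, ?, ?)"
    );
    // All five bound as strings; a PHP null bound this way is sent as SQL NULL.
    $stmt->bind_param("sssss", $name, $email, $hash, $fct, $mon);
    $stmt->execute();
    $id = (int) $conn->insert_id;
    $stmt->close();
    return $id;
}

/** Look the user up by e-mail and check the submitted password against the hash. */
function verifyLogin(mysqli $conn, string $email, string $plainPassword): bool
{
    $stmt = $conn->prepare("SELECT pwd FROM genericTableName WHERE eml = ? LIMIT 1");
    $stmt->bind_param("s", $email);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch();
    $stmt->close();
    // Unknown user and wrong password both end up here as false.
    return $found === true && password_verify($plainPassword, $hash);
}

// Usage from the form handler, reading the same $_POST fields as the question.
try {
    $conn = connectDb();
    $newId = insertUser(
        $conn,
        $_POST["name"] ?? '',
        $_POST["email"] ?? '',
        $_POST["pwd"] ?? ''
    );
    echo "New record created successfully (id $newId)";
} catch (InvalidArgumentException $e) {
    // Client-side input problem: report it without echoing the SQL.
    http_response_code(400);
    echo "Invalid input: " . htmlspecialchars($e->getMessage());
} catch (mysqli_sql_exception $e) {
    // Log the detail server-side; do not print the query or driver error to the browser.
    error_log("insert failed: " . $e->getMessage());
    http_response_code(500);
    echo "Could not create record";
}
```

Two details worth noting: `mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT)` turns the `$conn->error` checks in the original into exceptions, so a failed `prepare()` or `execute()` cannot be missed; and the error branch no longer echoes `$sql` and the driver message, which in the original exposed the table name and the submitted values to whoever sent the request.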

0 Answers