-1

I have been trying to input data from $_Post variables but I cannot spot where the error is? Hope you can help me. Below is the code:

$conn = mysql_connect("localhost", "root");
if (isset($_POST['studLog'])) {
 $uName = $_POST['uName'];
 $pWord = $_POST['pWord'];

 mysql_select_db("sis_main", $conn);

 if (mysql_num_rows(mysql_query("SELECT * from student where stud_uname='$uName' and stud_pword='$pWord'"))) {
  include("stud-view.html");
 } else {
  echo 'Account doesnt exist!';
  echo "<br><br>";
  echo "<a href='stud-start.html'>GO BACK!</a>";
 }
} else if (isset($_POST['studReg'])) {

 mysql_select_db("sis_main", $conn);
 $stdID = $_POST['studID'];
 $fname = $_POST['firstNme'];
 $mname = $_POST['midNme'];
 $lname = $_POST['lastNme'];
 $stadd = $_POST['stAdd'];
 $ctadd = $_POST['ctAdd'];
 $bdate = $_POST['bDate'];
 $gendr = $_POST['gender'];
 $email = $_POST['email'];
 $mobno = $_POST['mobNum'];
 $uname = $_POST['newUName'];
 $pword = $_POST['newPWord'];
 $age = birthday($bdate);

 if (mysql_query("INSERT INTO student values (`$stdID`,`$fname`,`$lname`, `$mname`,`$stadd`,`$ctadd`,`$age`,`$bdate`,`$gendr`, `$email`,`$mobno`,`$uname`,`$pword`);")) {
  echo 'Account Successfully Regsitered!';
 } else {
  echo 'ERROR: '.mysql_error();
  echo "<a href='stud-start.html'>GO BACK!</a>";
 }


}
}

ERROR: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '@gmail.com, 09981744039, kuyschan, kuyschan)' at line 1

Sunil Garg
  • 14,608
  • 25
  • 132
  • 189
Christian Ansing Gallardo
  • 1

1 Answers1

0

This is suppposed to be a comment, but i have a low reputation here.

Before i answer your question, please do not use the mysql functions as its no longer supported . Consider a switch to either MYSQLI or PDO. Also, do not trust user input. Meaning do not directly post field values from your form to your database as an attcker can easily exploit it by adding funny javascripts or worse.

To your question,

In your insert statement, you did not specify the columns:

Try:

<?php

$sql = "INSERT INTO student  (`studID`, `firstNme`, `lastNme`,`stAdd`,`ctAdd`,`bDate`,`gender`,`email`,`mobNum`,`newUName`,`newPWord`)VALUES 
 ('" . mysqli_real_escape_string($con, $_POST['studID']) . "', 
 '" . mysqli_real_escape_string($con, $_POST['firstNme']) . "', 
 '" . mysqli_real_escape_string($con, $_POST['lastNme']) . "', 
'" . mysqli_real_escape_string($con, $_POST['stAdd']) . "', 
'" . mysqli_real_escape_string($con, $_POST['ctAdd']) . "',     
'" . mysqli_real_escape_string($con, $_POST['bDate']) . "', 
'" . mysqli_real_escape_string($con, $_POST['gender']) . "', 
'" . mysqli_real_escape_string($con, $_POST['email']) . "', 
'" . mysqli_real_escape_string($con, $_POST['mobNum']) . "', 
'" . mysqli_real_escape_string($con, $_POST['newUName']) . "',     
 '" . mysqli_real_escape_string($con, $_POST['newPWord']) . "')";
if ($con->query($sql) === TRUE) {
    echo "New record created successfully";
} else {
    echo "Error: " . $sql . "<br>" . $conn->error;
}

$conn->close();

Where $con is your database connection. 

<?php
$servername = "localhost";
$username = "username";
$password = "password";
$dbname = "myDB";

// Create connection
$con = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($con->connect_error) {
    die("Connection failed: " . $con->connect_error);
}
Rotimi
  • 4,783
  • 4
  • 18
  • 27