
Here's the code:

            $coinno = $_POST["CoinNo"];
            $week = $_POST["week"];
            $payer = $_POST["payer"];
            $payee = $_POST["payee"];

            $servername = "localhost";
            $username = "username"; // Edited from original
            $password = "password";
            $dbname = "database";

            // Create connection
            $conn = new mysqli($servername, $username, $password, $dbname);
            // Check connection
            if ($conn->connect_error) {
                die("Connection failed: " . $conn->connect_error);
            }
            $sql = "INSERT INTO `Transactions`(`Week`,`Coin`,`Payer`,`Payee`)
                                      VALUES ($week,$coinno,'$payer','$payee')";
            if($conn->query(sql)===TRUE)
            {
                echo "Success";
            }
            else
            {
                echo "Error ".$sql."<br>".$conn->error;
            }
            $conn->close();
        ?>

And my error message:

Error INSERT INTO Transactions(Week,Coin,Payer,Payee) VALUE (1,2,'Bob','Carol') You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'sql' at line 1

I've tried using backticks, single quotes, etc. Even copying the generated query from phpMyAdmin did not help.

Another notable issue is that my Transactions table has a single row but when I try to select it I get 0 results. Could there possibly be a connection?

Rick James
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! [Don't believe it?](http://stackoverflow.com/q/38297105/1011527) – Jay Blanchard Mar 10 '17 at 22:33
  • 2
    Change `if($conn->query(sql)===TRUE)` to `if($conn->query($sql)===TRUE)`. That dollar sign is quite important. – cteski Mar 10 '17 at 22:33
  • Thanks for that @cteski, I knew it was something minor but it kept escaping me. – TechTheKidd Mar 10 '17 at 22:47

1 Answer

    if($conn->query(sql)===TRUE)

-->

    if($conn->query($sql)===TRUE)

Also, get into the habit of flipping the if around -- some functions return either FALSE or something useful. That is, they may never return TRUE. That is:

    if($conn->query($sql) !== FALSE)

Rick James
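
The prepared-statement approach recommended in the comments, applied to the question's insert. This is an added example, not code from the question or the answer; it assumes `Week` and `Coin` are integer columns and reuses the question's placeholder credentials.

```php
<?php
// Added example: parameterized version of the question's INSERT.
// Assumption: Week and Coin are integer columns; credentials are placeholders.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

// Validate the numeric fields instead of interpolating raw POST data.
$week   = filter_input(INPUT_POST, 'week', FILTER_VALIDATE_INT);
$coinno = filter_input(INPUT_POST, 'CoinNo', FILTER_VALIDATE_INT);
$payer  = $_POST['payer'] ?? null;
$payee  = $_POST['payee'] ?? null;

// filter_input() yields false (invalid) or null (missing) on failure.
if (!is_int($week) || !is_int($coinno) || !is_string($payer) || !is_string($payee)) {
    http_response_code(400);
    exit('Invalid input');
}

try {
    $conn = new mysqli('localhost', 'username', 'password', 'database');
    $conn->set_charset('utf8mb4');

    // The SQL text is fixed; values travel separately and are never parsed as SQL.
    $stmt = $conn->prepare(
        'INSERT INTO `Transactions` (`Week`, `Coin`, `Payer`, `Payee`) VALUES (?, ?, ?, ?)'
    );
    $stmt->bind_param('iiss', $week, $coinno, $payer, $payee);
    $stmt->execute();
    echo 'Success';

    $stmt->close();
    $conn->close();
} catch (mysqli_sql_exception $e) {
    // Log details server-side; echoing the query and driver error to the
    // client, as the original script does, discloses schema information.
    error_log('Transactions insert failed: ' . $e->getMessage());
    http_response_code(500);
    echo 'Error';
}
```

With exception mode enabled, a failed `prepare()` or `execute()` throws instead of returning `FALSE`, so the return-value comparison discussed in the answer is no longer the only safeguard.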