"Error: INSERT INTO bill( Total_Bill,Type_Transaction,Sold_Item,Buyer) VALUES(0,,1, 00001) You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '1, 00001)' at line 2"

What does this mean?

This is a fragment of my code:

```php
$Ttype = $_POST['transaction'];   // raw request value, never validated
$Ibuyer= $_SESSION['buyer'];

// assuming the code between the fragments is correct

// Every value is interpolated straight into the SQL text and unquoted:
// an empty $Ttype produces "VALUES(0,,1, 00001)", and any other value
// is parsed as SQL rather than stored as data.
$SqlTransaction = "INSERT INTO bill( Total_Bill,Type_Transaction,Sold_Item,Buyer)
VALUES($pPrice,$Ttype,$ItemID, $Ibuyer)";
```

And when I looked at my database, the data had been inserted except for $Ttype, which should go to "Type_Transaction".

asked by tan hail

  • You need to quote the insert values. Better would be to use prepared statements. – Jay Blanchard Mar 14 '17 at 21:12
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Mar 14 '17 at 21:13
  • Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Mar 14 '17 at 21:13

0 Answers
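As an added example (not the asker's code and not an answer posted on this page), here is the question's INSERT done the way the snippet does it, next to the PDO prepared-statement version the comments recommend. It uses an in-memory SQLite database so it runs without a MariaDB server; the `bill` table definition, the allow-list of transaction types (cash, card, credit), the function names and the sample values are all assumptions made for the demo.

```php
<?php
// Added example, not the asker's code. SQLite in memory keeps it self-contained;
// against MariaDB use a DSN such as "mysql:host=127.0.0.1;dbname=shop;charset=utf8mb4"
// and also set PDO::ATTR_EMULATE_PREPARES to false so the server does the binding.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Assumed schema: the question only shows the column names.
$pdo->exec('CREATE TABLE bill (
    id INTEGER PRIMARY KEY,
    Total_Bill REAL NOT NULL,
    Type_Transaction TEXT NOT NULL,
    Sold_Item INTEGER NOT NULL,
    Buyer TEXT NOT NULL
)');

// 1. What the question's snippet does: interpolate raw request values into SQL text.
function buildUnsafeInsert(string $pPrice, string $Ttype, string $ItemID, string $Ibuyer): string
{
    return "INSERT INTO bill(Total_Bill,Type_Transaction,Sold_Item,Buyer) VALUES($pPrice,$Ttype,$ItemID, $Ibuyer)";
}

// An empty 'transaction' form field reproduces the reported error: VALUES(0,,1, 00001)
echo buildUnsafeInsert('0', '', '1', '00001'), "\n";
// A crafted field closes the row and adds a second one billed to someone else;
// "-- " (with the trailing space) comments out the rest of the original statement.
echo buildUnsafeInsert('0', "'x',1,'00001'),(0,'x',1,'other-buyer')-- ", '1', '00001'), "\n";

// 2. The fix: validate the input, then bind it to a prepared statement.
function insertBill(PDO $pdo, float $total, string $type, int $itemId, string $buyer): int
{
    // Reject a missing or unknown transaction type here; an empty value is a
    // form problem, not something to discover as a SQL syntax error.
    if (!in_array($type, ['cash', 'card', 'credit'], true)) {
        throw new InvalidArgumentException('Type_Transaction must be one of cash, card, credit');
    }
    $stmt = $pdo->prepare(
        'INSERT INTO bill(Total_Bill,Type_Transaction,Sold_Item,Buyer)
         VALUES(:total, :type, :item, :buyer)'
    );
    $stmt->bindValue(':total', $total);
    $stmt->bindValue(':type', $type, PDO::PARAM_STR);
    $stmt->bindValue(':item', $itemId, PDO::PARAM_INT);
    // Buyer stays a string so a leading-zero id like "00001" is stored as typed.
    $stmt->bindValue(':buyer', $buyer, PDO::PARAM_STR);
    $stmt->execute();
    return (int) $pdo->lastInsertId();
}

// In the real script $type would come from $_POST['transaction'] and $buyer
// from $_SESSION['buyer']; here the values are constructed for the demo.
insertBill($pdo, 0.0, 'cash', 1, '00001');

try {
    insertBill($pdo, 0.0, "'x',1,'00001'),(0,'x',1,'other-buyer')-- ", 1, '00001');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

// Even without the allow-list the payload is inert: bound parameters are sent
// as data, so the driver never parses them as SQL. This adds exactly one row.
$stmt = $pdo->prepare('INSERT INTO bill(Total_Bill,Type_Transaction,Sold_Item,Buyer) VALUES(?,?,?,?)');
$stmt->execute([0.0, "'x',1,'00001'),(0,'x',1,'other-buyer')-- ", 1, '00001']);

echo 'rows in bill: ', $pdo->query('SELECT COUNT(*) FROM bill')->fetchColumn(), "\n";
echo 'stored type: ', $pdo->query('SELECT Type_Transaction FROM bill WHERE id = 2')->fetchColumn(), "\n";
```

The two parts of the fix are independent: the prepared statement is what stops the injection, while the allow-list check is what turns the asker's empty-field case into a clear application error instead of a server-side syntax error or a row with a blank Type_Transaction.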