-2
$sql="INSERT INTO prescription
      (username,phone,procedure,address,emailid,reviews,followups,nextappointment)
      VALUES
      ("$username","$phone","$procedure","$address","$emailid","$reviews",$followups,"$nextappointment")";
mickmackusa
yash
  • Here, blank entry in db? – Reena Mori Jul 04 '17 at 09:15
  • You need to escape the double quotes in the SQL query. – Muthu Kumaran Jul 04 '17 at 09:15
  • 1
    **Never** insert variables directly into a SQL query like that; you **must** escape with [`mysqli_real_escape_string`](https://secure.php.net/manual/en/mysqli.real-escape-string.php) first or use [prepared statements](https://secure.php.net/manual/en/mysqli.quickstart.prepared-statements.php) (otherwise your code is [fatally insecure](https://secure.php.net/manual/en/security.database.sql-injection.php)). – Frxstrem Jul 04 '17 at 09:16
  • 2
    Your script is at risk of [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Have a look at what happened to [Little Bobby Tables](http://bobby-tables.com/). Even [if you are escaping inputs, it's not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). – RiggsFolly Jul 04 '17 at 09:17

4 Answers

2

I think your problem is in the quotes: you have double quotes inside double quotes, so you should escape the quotes or use single quotes.

The easy and simple thing is to use prepared statements.

I'm not sure which API you're using, PDO or MySQLi.

If you are on PDO:

<?php

// `procedure` is a reserved word in MySQL, so the column name must be backtick-quoted
$stmt = $databaseConnectionVar->prepare("INSERT INTO prescription(username,phone,`procedure`,address,emailid,reviews,followups,nextappointment) VALUES(?,?,?,?,?,?,?,?)");

if ($stmt === false) {
    // prepare() failed: the error belongs to the connection
    print_r($databaseConnectionVar->errorInfo());
} elseif (!$stmt->execute(array($username,$phone,$procedure,$address,$emailid,$reviews,$followups,$nextappointment))) {
    // execute() failed: the error belongs to the statement, not the connection
    print_r($stmt->errorInfo());
} else {
    echo "data inserted";
}
?>

If you are on MySQLi:

<?php

// `procedure` is a reserved word in MySQL, so the column name must be backtick-quoted
$sql = $databaseConnectionVar->prepare("INSERT INTO prescription(username,phone,`procedure`,address,emailid,reviews,followups,nextappointment) VALUES(?,?,?,?,?,?,?,?)");
// one type character per placeholder: all eight bound as strings here
$sql->bind_param("ssssssss",$username,$phone,$procedure,$address,$emailid,$reviews,$followups,$nextappointment);

if ($sql->execute()) {
    echo "data inserted";
} else {
    echo "Error : " . $sql->error;
}
?>

Then, important links you need to look at:

  1. How to get mysqli error in different environments?
  2. When to use single quotes, double quotes, and backticks in MySQL
  3. When should I use prepared statements?
  4. Prepared Statements

Hope this will point you to the right path.

Masivuye Cokile
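The following is an added example, not code from the question or from any of the answers above, showing the MySQLi prepared-statement insert that the answer above recommends carried through end to end. The connection details, the `insertPrescription` function, the sample row, and the assumption that `followups` is an integer (it is the one unquoted value in the question's query) are all mine. One point none of the answers make: `procedure` is a reserved word in MySQL, so the column name has to be backtick-quoted or the INSERT fails with a syntax error no matter how the values are quoted.

```php
<?php
// Added example (not from the question or any answer). Assumes a database that
// already contains the `prescription` table from the question, reachable with
// the placeholder credentials below.

// Make mysqli throw exceptions instead of silently returning false, so a
// failed prepare()/execute() cannot be mistaken for success.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Placeholder connection details; replace with your own.
$db = new mysqli('localhost', 'db_user', 'db_password', 'clinic_db');
$db->set_charset('utf8mb4');

/**
 * Insert one prescription row using a prepared statement.
 *
 * The SQL text and the values travel to the server separately, so quotes,
 * backslashes or SQL keywords inside the input can neither break the query
 * (the question's error) nor change what it does (SQL injection).
 * Returns the auto-increment id of the new row.
 */
function insertPrescription(mysqli $db, array $row): int
{
    // `procedure` is a MySQL reserved word: it must be backtick-quoted.
    $sql = 'INSERT INTO prescription
              (username, phone, `procedure`, address, emailid, reviews, followups, nextappointment)
            VALUES (?, ?, ?, ?, ?, ?, ?, ?)';
    $stmt = $db->prepare($sql);

    // Type string: one character per placeholder. Seven strings and one
    // integer; treating followups as an integer is an assumption based on it
    // being unquoted in the question's query.
    $stmt->bind_param(
        'ssssssis',
        $row['username'], $row['phone'], $row['procedure'], $row['address'],
        $row['emailid'], $row['reviews'], $row['followups'], $row['nextappointment']
    );
    $stmt->execute();

    $id = $stmt->insert_id;
    $stmt->close();
    return $id;
}

// Constructed sample input. The apostrophe in the address is the kind of
// value that breaks a string-interpolated query wrapped in single quotes,
// and that an attacker-chosen value would exploit; bound as a parameter it
// is just data.
$row = [
    'username'        => 'jdoe',
    'phone'           => '555-0100',
    'procedure'       => 'root canal',
    'address'         => "12 O'Connor Street",
    'emailid'         => 'jdoe@example.com',
    'reviews'         => 'none',
    'followups'       => 2,
    'nextappointment' => '2017-08-01',
];

try {
    $id = insertPrescription($db, $row);
    echo "data inserted, id $id\n";
} catch (mysqli_sql_exception $e) {
    // Log the detail server-side; do not echo raw database errors to users,
    // since they reveal table and column names.
    error_log($e->getMessage());
    echo "insert failed\n";
}
```

With `MYSQLI_REPORT_STRICT` enabled there is no need for the `if ($stmt->execute())` / `else` branches: any failure in `prepare()`, `bind_param()` or `execute()` surfaces as a `mysqli_sql_exception` with the server's message, which is the behaviour the "How to get mysqli error in different environments?" link above is about.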
-1

You should change the "" that is there; know that one should change to single quotes ''.

For example, see below:

// the PHP string stays double-quoted so that $username etc. are interpolated;
// the SQL string literals inside it use single quotes
$sql = "INSERT INTO prescription(username,phone,procedure,address,emailid,reviews,followups,nextappointment)
    VALUES('$username','$phone','$procedure','$address','$emailid','$reviews',$followups,'$nextappointment')";

Hope it will help you.

Prabu T
-1

Your inverted commas are wrong; use single quotes ('') in the values. You get an error in your IDE, or if you just copy it and run it on the DB.

$sql = "INSERT INTO prescription(username,phone,procedure,address,emailid,reviews,followups,nextappointment)
        VALUES('$username','$phone','$procedure','$address','$emailid','$reviews','$followups','$nextappointment')";
Ahmed Sunny
-1

Check your INSERT INTO query:

$sql = "INSERT INTO prescription (username,phone,procedure,address,emailid,reviews,followups,nextappointment)
        VALUES('$username','$phone','$procedure','$address','$emailid','$reviews',$followups,'$nextappointment')";

NOTE: Check this: https://www.w3schools.com/sql/sql_insert.asp

RïshïKêsh Kümar