0

I am trying to save the information stored in the SQL but this error keeps coming out: "Error Saving Data. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'company = 'GlobalTop Inc.' where regid = 1' at line 6" What seems to be the error?

Here is the full code:

<!doctype html>
<html>
<head>
<meta charset="utf-8">
<title>Untitled Document</title>
</head>

<?php
include "db.php";
$gresult = ''; //declare global variable



//Start of edit contact read
if(isset($_POST["action"]) and $_POST["action"]=="edit"){
            $id = (isset($_POST["ci"])? $_POST["ci"] : '');
            $sql = "select regid, regname,
                            address, phone,
                            email,company from tblregistrants
                            where regid = $id";

            $result = mysqli_query($link, $sql);

            if(!$result)
            {
                echo mysqli_error($link);
                exit();
            }

            $gresult = mysqli_fetch_array($result);

            include 'update.php';
            exit();
}
//Insert or Update contact information
if(isset($_POST['action_type']))
{
        if ($_POST['action_type'] == 'add' or $_POST['action_type'] == 'edit')
        {
                //Sanitize the data and assign to variables
                $regid = mysqli_real_escape_string($link, strip_tags($_POST['regid']));
                $regname = mysqli_real_escape_string($link, strip_tags($_POST['regname']));
                $phone = mysqli_real_escape_string($link, strip_tags($_POST['phone']));
                $address = mysqli_real_escape_string($link, strip_tags($_POST['address']));         
                $email = mysqli_real_escape_string($link, strip_tags($_POST['email']));
                $company = mysqli_real_escape_string($link, strip_tags($_POST['company']));

                if ($_POST['action_type'] == 'add')
                {
                    $sql = "insert into tblregistrants set
                                        name = '$regname',
                                        phone = '$phone',
                                        address = '$address',
                                        email = '$email'
                                        company = '$company'";
                }else{
                    $sql = "update tblregistrants set
                                        name = '$regname',
                                        phone = '$phone',
                                        address = '$address',
                                        email = '$email'
                                        company = '$company'
                                        where regid = $regid";
}


        if (!mysqli_query($link, $sql))
        {
            echo 'Error Saving Data. ' . mysqli_error($link);
            exit();
        }
    }
    header('Location: view.php');
    exit();
}

//Read registrants information from database : Stage 1
$sql = "select * from tblregistrants";

$result = mysqli_query($link, $sql);

if(!$result)
{
    echo mysqli_error($link);
    exit();
}
//Loop through each row on array and store the data to $reg_list[] : Stage 2
while($rows = mysqli_fetch_array($result))
{
    $reg_list[] = array('regid' => $rows['regid'],
    'regname' => $rows['regname'],
    'address' => $rows['address'],
    'phone' => $rows['phone'],
    'email' => $rows['email'],
    'company' => $rows['company']);
}
include 'view.php';
exit();

?>
Lawrence Cherone
  • You're missing many `,` in your query for example `email = '$email'`. – Lawrence Cherone Aug 23 '17 at 06:52
  • @Shanukk What are you talking about? – Twinfriends Aug 23 '17 at 06:53
  • `$_POST["ci"]` is also open to SQL injection. – Lawrence Cherone Aug 23 '17 at 06:53
  • http://bobby-tables.com for more information about SQL injection & how to prevent them. – Twinfriends Aug 23 '17 at 06:54
  • @Twinfriends MySQL does not support stacked queries so dropping a table is not possible, but dumping it is. Especially with `mysqli_error` ;p – Lawrence Cherone Aug 23 '17 at 06:55
  • `or` is valid PHP but wrong in this case. You'll need to use `||` instead. (see this question: https://stackoverflow.com/questions/5998309/logical-operators-or-or). Looks like you are simply missing a quotation `where regid = $regid"`. IMPORTANT: Your code is really not safe, you inject the data from your form directly into your SQL query, SQL injection is really easy to do this way... Also it's not recommended to insert variables like that in a SQL array. Check this post for a better example: https://stackoverflow.com/questions/37367992/php-inserting-values-from-the-form-into-mysql – Bram Aug 23 '17 at 06:56
  • Possible duplicate of [PHP Parse/Syntax Errors; and How to solve them?](https://stackoverflow.com/questions/18050071/php-parse-syntax-errors-and-how-to-solve-them) – Atilla Arda Açıkgöz Aug 23 '17 at 07:01
  • @AtillaArdaAçıkgöz it's a **mysql** error, not a **php** error – B. Desai Aug 23 '17 at 07:07
  • @B.Desai there are tons of php syntax errors and you claim that this is not a php error? way to go champ! – Atilla Arda Açıkgöz Aug 23 '17 at 07:09
  • @AtillaArdaAçıkgöz Have you read the question properly? **You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'company = 'GlobalTop Inc.** This is an SQL error, not PHP – B. Desai Aug 23 '17 at 07:10

3 Answers

0

You have missed a `,` in both the if and else statements after `email = '$email'`

 if ($_POST['action_type'] == 'add')
                {
                    $sql = "insert into tblregistrants set
                                        name = '$regname',
                                        phone = '$phone',
                                        address = '$address',
                                        email = '$email', 
                                        company = '$company'";
                }else{
                    $sql = "update tblregistrants set
                                        name = '$regname',
                                        phone = '$phone',
                                        address = '$address',
                                        email = '$email',
                                        company = '$company'
                                        where regid = $regid";
}

Also, use prepared statements to prevent SQL injection.

B. Desai
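
The prepared-statement approach recommended in this answer and in the comments, as an added example that is not part of any poster's code: every value is bound as a parameter, `regid` is validated as an integer, and database errors are logged instead of echoed with `mysqli_error()`. The helper names `registrant_id` and `save_registrant` are hypothetical; `$link`, `db.php`, the form field names and the table and column names are taken from the question.

```php
<?php
// Added example, not the asker's code; db.php is assumed to create the mysqli $link.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // errors throw mysqli_sql_exception
include "db.php";

// Hypothetical helper: accept only a positive integer id, otherwise null.
function registrant_id($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Hypothetical helper: INSERT when $regid is null, UPDATE otherwise (columns as in the page's UPDATE).
function save_registrant(mysqli $link, ?int $regid, array $f): void
{
    $sql = $regid === null
        ? 'INSERT INTO tblregistrants (name, phone, address, email, company) VALUES (?, ?, ?, ?, ?)'
        : 'UPDATE tblregistrants SET name = ?, phone = ?, address = ?, email = ?, company = ? WHERE regid = ?';
    $stmt = $link->prepare($sql);
    $args = [$f['regname'], $f['phone'], $f['address'], $f['email'], $f['company']];
    $types = 'sssss';
    if ($regid !== null) {
        $args[] = $regid;   // bound as an integer, never spliced into the SQL text
        $types .= 'i';
    }
    $stmt->bind_param($types, ...$args);
    $stmt->execute();
}
$action = $_POST['action_type'] ?? '';
if ($action === 'add' || $action === 'edit') {
    $regid = $action === 'edit' ? registrant_id($_POST['regid'] ?? null) : null;
    if ($action === 'edit' && $regid === null) {
        http_response_code(400);
        exit('Invalid registrant id.');
    }
    $fields = [];
    foreach (['regname', 'phone', 'address', 'email', 'company'] as $key) {
        $fields[$key] = is_string($_POST[$key] ?? null) ? trim($_POST[$key]) : '';
    }
    try {
        save_registrant($link, $regid, $fields);
    } catch (mysqli_sql_exception $e) {
        error_log($e->getMessage()); // log SQL details instead of echoing them to the client
        http_response_code(500);
        exit('Error saving data.');
    }
    header('Location: view.php');
    exit();
}
```

`mysqli_real_escape_string` only protects values placed inside quotes, so it does not cover the unquoted `where regid = $regid` position; the bound `i` parameter does. The same `registrant_id` check applies to `$_POST["ci"]` in the edit-read query.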
0

As Lawrence suggested, you are missing a `,` in your query.
Try this:

$sql = "insert into tblregistrants set
                                    name = '$regname',
                                    phone = '$phone',
                                    address = '$address',
                                    email = '$email',
                                    company = '$company'";
B.Mossavari
-1

Change this,

                      $sql = "update tblregistrants set
                                        name = '$regname',
                                        phone = '$phone',
                                        address = '$address',
                                        email = '$email',
                                        company = '$company'
                                        where regid = $regid";

To this

                            $sql = "update tblregistrants set
                                            name = '$regname',
                                            phone = '$phone',
                                            address = '$address',
                                            email = '$email',
                                            company = '$company'
                                            where regid = '$regid'";
l.g.karolos