
I've been working on integrating an Account RDBMS into my site but the MySQL system keeps throwing a syntax error. This is my first time using SQL outside of a Python environment, hence my issues. Below is the segment of code which I believe is causing the issues. The rest of the PHP is operating fine as I've been verifying with each adjustment.

$wname = $_POST["wname"];
$email = $_POST["email"];
$pword = $_POST["pword"];
$dob = $_POST["dob"];
$accd = uniqid();
/*echo $wname .  " " . $email . " " . $pword . " " . $dob . " " . $accd;*/
$sql = "INSERT INTO 'Starting Account Data' ('Whole Name', 'Email', 'Password', 'DOB', 'Account Code') VALUES ('" . $wname . "', " . "'" . $email . "', " . "'" . $pword . "', " . "CAST('" . $dob . "' AS DATE), " . "'" . $accd . "')";
/*echo $sql;*/
if ($conn->query($sql) === TRUE) {
    echo "New record created successfully";
} else {
    echo "Error: " . $sql . "<br>" . $conn->error;
}

Note that I intend on inserting $dob as a date type in the DB. Does anyone have any ideas as to the cause of my syntax errors, or any suggestions?

  • What is the error? – Roshan Aug 25 '17 at 15:12
  • It's because of the incorrect identifier qualifiers used (and the spaces). Consult the following https://dev.mysql.com/doc/refman/5.7/en/identifier-qualifiers.html including the duplicate the question was closed with. You may have read a book or watched a video on this, confusing ticks `\`` as regular quotes `'` being two different animals. – Funk Forty Niner Aug 25 '17 at 15:13
  • [Little Bobby](http://bobby-tables.com/) says **[you are at risk for SQL Injection Attacks](https://stackoverflow.com/q/60174/)**. Learn about [Prepared Statements](https://en.wikipedia.org/wiki/Prepared_statement) for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even **[escaping the string](https://stackoverflow.com/q/5741187)** is not safe! I recommend `PDO`, which I [wrote a function for](http://paragoncds.com/grumpy/pdoquery/#function) to make it extremely **easy**, very **clean**, and way more **secure** than using non-parameterized queries. – GrumpyCrouton Aug 25 '17 at 15:14
  • At first, you should print your SQL request and manually run it on the command line or a web interface such as phpMyAdmin. – Gilles Gouaillardet Aug 25 '17 at 15:15
  • @Fred-ii- just as I'd finished typing up an answer, "this question has been marked as a duplicate and no more answers will be accepted" :'( – crazyloonybin Aug 25 '17 at 15:16
  • **Never store plain text passwords!** Please use ***PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html)*** to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). ***It is not necessary to [escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Aug 25 '17 at 15:18
  • Don't know if this is what is actually causing the error, but naming tables with spaces could lead to issues. Tables are usually named in lowercase separated by `_`. Example: `starting_account_data`. What is the error you're getting? Is your connection to the database being established with no issues? – csalmeida Aug 25 '17 at 15:18
  • @crazyloonybin Raining on your parade wasn't my intention and I never saw the floats coming ;-) Had I heard a rumbling sound of drums and horns from afar, I'd have probably turned my head. However, these types of questions have been asked countless times before. It is a duplicate that is used too often. – Funk Forty Niner Aug 25 '17 at 15:18
  • @Fred-ii- understandable, I was merely peeking round the corner rather than coming through all guns blazing ;) But I agree, better to mark as a duplicate than clog the site with the same questions! – crazyloonybin Aug 25 '17 at 15:23
  • @Eric - You should try and avoid spaces in table/column names. Instead, you can use underscores `my_table_or_column_name` as separators, that way there is no need to tick `\`` anything. – Funk Forty Niner Aug 25 '17 at 15:24
  • The ticks were a problem, thank you for clarifying those for me. – Eric DiGioacchino Aug 25 '17 at 15:28
  • ...another end to a happy story! And you're welcome @EricDiGioacchino, and welcome to Stack Overflow. – Funk Forty Niner Aug 25 '17 at 15:30
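The three points raised in the comments (backticks for identifiers, a prepared statement instead of string concatenation, and `password_hash()` instead of storing the plain-text password) combined into one replacement for the asker's snippet. This is an added example, not code from the question or the commenters; it assumes `$conn` is an open `mysqli` connection and keeps the table and column names exactly as the question has them.

```php
<?php
// Added example: the same INSERT as the question, done safely.
// Assumes $conn is an open mysqli connection. The space-containing
// identifiers from the question are kept; MySQL quotes identifiers
// with backticks, not single quotes (which make string literals).

function createAccount(mysqli $conn, array $post): string
{
    // Read inputs; a missing field becomes '' instead of an undefined-index notice.
    $wname = trim($post['wname'] ?? '');
    $email = trim($post['email'] ?? '');
    $pword = $post['pword'] ?? '';
    $dob   = $post['dob'] ?? '';
    $accd  = uniqid();

    if ($wname === '' || $pword === '' || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('Name, email and password are required');
    }

    // Validate the date in PHP so a malformed value fails here rather than
    // as a MySQL error; the round-trip check rejects e.g. 2017-02-30.
    $date = DateTime::createFromFormat('!Y-m-d', $dob);
    if ($date === false || $date->format('Y-m-d') !== $dob) {
        throw new InvalidArgumentException("DOB must be YYYY-MM-DD, got '$dob'");
    }

    // Never store the plain-text password; password_verify() checks it at login.
    $hash = password_hash($pword, PASSWORD_DEFAULT);

    // Identifiers in backticks, values as ? placeholders: user input never
    // becomes part of the SQL text, so a quote in a name cannot alter the query.
    $sql = 'INSERT INTO `Starting Account Data` '
         . '(`Whole Name`, `Email`, `Password`, `DOB`, `Account Code`) '
         . 'VALUES (?, ?, ?, ?, ?)';

    $stmt = $conn->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('Prepare failed: ' . $conn->error);
    }
    // Five string parameters; MySQL converts 'YYYY-MM-DD' to the DATE column itself,
    // so the CAST(... AS DATE) from the original query is no longer needed.
    $stmt->bind_param('sssss', $wname, $email, $hash, $dob, $accd);
    if (!$stmt->execute()) {
        throw new RuntimeException('Insert failed: ' . $stmt->error);
    }
    $stmt->close();
    return $accd;
}
```

Call it as `createAccount($conn, $_POST)` inside a `try`/`catch` in place of the `$conn->query($sql)` block; on failure, log the exception message server-side rather than echoing the SQL and `$conn->error` to the browser.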
