
I have been working on a simple php code which links a html form to a mySQL database. I have installed xampp and am running Apache and mySQL but I cannot seem to solve the problem. Error Alert

So I've tried several different things in order to fix this syntax error: Syntax Error Location

This has been a very big annoyance so if anyone could help me out it would be greatly appreciated. I also attached my entire php code but it cut off the php ending. Entire Code

Thanks and hope to hear from you soon!

  • [+1] You have the column names list and the VALUES list the wrong way round – RiggsFolly Aug 21 '18 at 22:51
  • [+2] And in future questions please post the code as text and not as pictures of text – RiggsFolly Aug 21 '18 at 22:52
  • [+4] Tell me; would *you* be able to run what you posted as an image or would retype that? I thought not. You need to post actual code here. – Funk Forty Niner Aug 21 '18 at 22:52
  • You also have single quotes `'` around the table name and field names. This is not valid for MySQL, you should use no quotes at all, or, if you need to escape reserved words, use backticks `\`` – Nick Aug 21 '18 at 22:53
  • Your script is wide open to [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) Even [if you are escaping inputs, it's not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) in either the `MYSQLI_` or `PDO` APIs – RiggsFolly Aug 21 '18 at 22:55

1 Answer

Replace your insert with following insert

$insert = $conn->prepare("INSERT INTO `general` (email, psw, firstname, lastname) VALUES (?, ?, ?, ?)");
$insert->bind_param("ssss", $email, $psw, $firstname, $lastname);

and then instead of

$conn->query($sql);

use

$insert->execute();

This way you will protect your database from SQL injection attacks, well, at least in this case. This is called a prepared statement and you should use them everywhere where user-created data may enter your database query.

– mchamuty
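The answer shows only the two changed statements. Below, as an added example that is neither the questioner's nor the answerer's code, is the complete flow in PHP with mysqli: reading the four form fields, validating them, and inserting with the prepared statement. It assumes a database named `test`, a table `general` with the columns `email`, `psw`, `firstname` and `lastname` from the answer, and XAMPP's default `root` account with an empty password; the validation rules and the password-hashing step are additions beyond what the thread discusses.

```php
<?php
// Added example, not code from the question or the answer.
// Assumed setup: database `test`, table `general` (email, psw, firstname,
// lastname), XAMPP default root login with an empty password.
declare(strict_types=1);

// Make mysqli throw exceptions instead of returning false, so a failed
// prepare() or execute() can never be mistaken for a successful insert.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$conn = new mysqli('localhost', 'root', '', 'test');
$conn->set_charset('utf8mb4');

// Read the form fields; a missing field becomes an empty string instead
// of raising a notice. Validate before touching the database.
$email     = trim($_POST['email'] ?? '');
$psw       = $_POST['psw'] ?? '';
$firstname = trim($_POST['firstname'] ?? '');
$lastname  = trim($_POST['lastname'] ?? '');

if (!filter_var($email, FILTER_VALIDATE_EMAIL)
    || $psw === '' || $firstname === '' || $lastname === '') {
    http_response_code(400);
    exit('All fields are required and the e-mail address must be valid.');
}

// Assumed extra step: never store the raw password. Hash it here and
// check it at login with password_verify().
$pswHash = password_hash($psw, PASSWORD_DEFAULT);

// According to the comments, the original query put single quotes around
// the table and column names and listed the columns after VALUES, which
// is both a syntax error and an injection hole. Identifiers go in
// backticks (or unquoted); values are sent separately from the SQL text,
// so input such as  ' OR 1=1 --  is stored literally and cannot change
// the statement.
$insert = $conn->prepare(
    'INSERT INTO `general` (email, psw, firstname, lastname) VALUES (?, ?, ?, ?)'
);
$insert->bind_param('ssss', $email, $pswHash, $firstname, $lastname);
$insert->execute();

echo 'Inserted row id ' . $insert->insert_id . PHP_EOL;

$insert->close();
$conn->close();
```

With `MYSQLI_REPORT_STRICT` enabled, a wrong column name, a missing table or a connection failure surfaces as a `mysqli_sql_exception` instead of a silent `false` from `prepare()`, which is the usual reason a follow-on `bind_param()` call reports "on a non-object" errors.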