-3

You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''s Office,meheh)' at line 1

Here is my SQL query:

$sql1 = "INSERT INTO `tbl_charter`(`steps`, `personnel`, `timee`, `fees`, `documents`, `complaints`, `office`, `service`) 
         VALUES($InsertSteps','$InsertPersonnel','$InsertTime','$InsertFees','$InsertDocuments','$InsertComplaints',".$_GET["office_name"].",".$_GET["application_name"].")";
Nick
  • 3
    unescaped quotes in the input string – Oct 31 '18 at 05:04
  • Please could you tell me where? – yung maistro Oct 31 '18 at 05:07
  • whatever `'s Office` this string is – Oct 31 '18 at 05:08
  • Most likely due to `".$_GET["office_name"]."`, usage should be `'$_GET["office_name"]'` instead – Jaswinder Oct 31 '18 at 05:09
  • I don't downvote. I understand now what you mean; it was probably the comma in the office name. – yung maistro Oct 31 '18 at 05:13
  • This is dangerous bad practice and I hope it's not on a website – Oct 31 '18 at 05:17
  • Your query is vulnerable to SQL injection. Please stop writing queries until you read and implement this. I am guessing you are using MySQLi. If not, there is a PDO version as well. Bookmark this and use it as a reference. https://websitebeaver.com/prepared-statements-in-php-mysqli-to-prevent-sql-injection – Joseph_J Oct 31 '18 at 05:18
  • 3
    Possible duplicate of [How can I prevent SQL injection in PHP?](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Qirel Oct 31 '18 at 05:24

3 Answers

-1

Looks like you're missing a single quote before $InsertSteps and around the two references to $_GET. Also, try escaping your variables first; it's good practice to always escape input prior to making calls to the database. Escaping will help protect your application against malicious attackers who could try to add extra commands to your SQL statement.

Example:

$InsertSteps = mysql_real_escape_string($InsertSteps);
$InsertPersonnel = mysql_real_escape_string($InsertPersonnel);
$InsertTime = mysql_real_escape_string($InsertTime);
$InsertFees = mysql_real_escape_string($InsertFees);
$InsertDocuments = mysql_real_escape_string($InsertDocuments);
$InsertComplaints = mysql_real_escape_string($InsertComplaints);
$InsertOfficeName = mysql_real_escape_string($_GET["office_name"]);
$InsertApplicationName = mysql_real_escape_string($_GET["application_name"]);


$sql1 = "INSERT INTO `tbl_charter`(`steps`, `personnel`, `timee`, `fees`, `documents`, `complaints`, `office`, `service`) 
         VALUES('$InsertSteps','$InsertPersonnel','$InsertTime','$InsertFees','$InsertDocuments','$InsertComplaints','$InsertOfficeName','$InsertApplicationName')";
Genome
  • 2
    I would avoid using `mysql_real_escape_string()` to escape your variables. It is tedious and easy to forget to do 100% of the time on 100% of your variables across your code. Using prepared statements completely eliminates the need to do this. – Joseph_J Oct 31 '18 at 05:20
  • 1
    ^ not to mention mysql_* having been removed from PHP – Oct 31 '18 at 05:21
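The answer above quotes and escapes each value by hand; the comments on it, and on the question, recommend prepared statements instead. What follows is an added example, not code from the question or from any of the answers: the same INSERT written as a mysqli prepared statement. It assumes a reachable MySQL/MariaDB server (the connection credentials are placeholders) and the `tbl_charter` table and column names from the question. The sample values are constructed; "Mayor's Office" carries the apostrophe that, pasted unquoted into the SQL text, produced the `'s Office,meheh)` fragment in the error message, and the service value is the kind of string an attacker would send through the same GET parameter against the original query.

```php
<?php
// Added example; not code from the question or any of the answers.
// Assumptions: a MySQL/MariaDB server reachable with the placeholder
// credentials below, and the `tbl_charter` table from the question.

// Make mysqli throw on any error instead of returning false that nobody checks.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$db = new mysqli('localhost', 'db_user', 'db_password', 'charter_db'); // placeholders
$db->set_charset('utf8mb4');

/**
 * Insert one row into tbl_charter using a prepared statement.
 * The SQL text holds only `?` markers; the values travel to the server
 * separately, so an apostrophe, a comma or a `); DROP TABLE` inside the data
 * is stored as data and never reaches the SQL parser.
 * Returns the number of rows inserted (1 on success).
 */
function insertCharterRow(
    mysqli $db,
    string $steps, string $personnel, string $time, string $fees,
    string $documents, string $complaints, string $office, string $service
): int {
    $stmt = $db->prepare(
        'INSERT INTO `tbl_charter`
            (`steps`, `personnel`, `timee`, `fees`, `documents`, `complaints`, `office`, `service`)
         VALUES (?, ?, ?, ?, ?, ?, ?, ?)'
    );
    // One type letter per placeholder: all eight columns are bound as strings.
    $stmt->bind_param('ssssssss',
        $steps, $personnel, $time, $fees, $documents, $complaints, $office, $service);
    $stmt->execute();
    $rows = $stmt->affected_rows;
    $stmt->close();
    return $rows;
}

// Constructed sample input, used when the script is not reached via
// ?office_name=...&application_name=... (for example when run from the CLI).
// "Mayor's Office" carries the apostrophe that, pasted into the SQL text,
// produced the "near ''s Office,meheh)'" error. The service value is the kind
// of string an attacker would send through the same GET parameter against the
// original query; bound as a parameter it is just eight words of text.
$office  = $_GET['office_name']      ?? "Mayor's Office";
$service = $_GET['application_name'] ?? "meheh'); DROP TABLE `tbl_charter`; -- ";

$inserted = insertCharterRow(
    $db,
    '1. Submit the request form',  // steps
    'Records clerk',               // personnel
    '10 minutes',                  // timee (column name as spelled in the question)
    'None',                        // fees
    'Valid ID',                    // documents
    'None',                        // complaints
    $office,
    $service
);

printf("%d row(s) inserted; office=%s service=%s\n", $inserted, $office, $service);
```

Compared with the escaping approach in the answer above: `mysql_real_escape_string()` belongs to the old ext/mysql extension, which was removed in PHP 7.0, and its mysqli replacement, `mysqli_real_escape_string($db, $value)`, needs the live connection (the escaping depends on the connection charset) and still leaves it to you to wrap every interpolated value in quotes, every time. With `?` markers the driver does both the quoting and the escaping, and the query text is fixed before any user input is seen. The PDO version is the same idea: `$pdo->prepare($sql)->execute([...])` with the same `?` markers.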
-1

Just try the query below:

$sql1 = "INSERT INTO `tbl_charter`(`steps`, `personnel`, `timee`, `fees`, `documents`, `complaints`, `office`, `service`) 
         VALUES('$InsertSteps','$InsertPersonnel','$InsertTime','$InsertFees','$InsertDocuments','$InsertComplaints','".$_GET['office_name']."','".$_GET['application_name']."')";
Rahul
-1
$appname=$_GET["application_name"];
$officename=$_GET["office_name"];
$sql1 = "INSERT INTO `tbl_charter`(`steps`, `personnel`, `timee`, `fees`,`documents`, `complaints`, `office`, `service`) VALUES('$InsertSteps','$InsertPersonnel','$InsertTime','$InsertFees','$InsertDocuments','$InsertComplaints','$officename','$appname')";