Getting error when attempting to insert data into database from a form

Question

I am trying to insert Data into my database using an HTML Form. I get always the same error after filling the input fields with random Data:

Error: INSERT INTO employee (id, email, passwort, vorname, nachname, created_at, updated_at) VALUES (NULL, hhh@yahoo.com, hfjfhf, , ffffff, 2018-06-12, 2018-11-11)
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '@yahoo.com, hfjfhf, , ffffff, 2018-06-12, 2018-11-11)' at line 2

The ID field is set to Auto Increment, I tried to remove it from the "INSERT INTO" SQL command but the same error appears everytime.

Here is my code :

<html>
<head>
<title>Create new user</title>
</head>
<body>

<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
Name: <input type="text" name="name"><br>
Lastname: <input type="text" name="lastname"><br>
E-mail: <input type="email" name="email"><br>
Password: <input type="password" name="password1"><br>
Creation Date: <input type="text" name="cdate"><br>
Update Date: <input type="text" name="udate"><br>
<input type="submit" value"Send">
</form>
<?php
$servername = "localhost";
$username = "root";
$password = "";
$dbname = "users";
$email = $_POST["email"];
$name = $_POST["name"];
$surname = $_POST["lastname"];
$password1 = $_POST["password1"];
$cdate = $_POST["cdate"];
$udate = $_POST["udate"];

// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
} 

$sql = "INSERT INTO employee (id, email, passwort, vorname, nachname, created_at, updated_at)
VALUES (NULL, $email, $name, $surname, $password1, $cdate, $udate)";

if ($conn->query($sql) === TRUE) {
    echo "record created successfully";
} else {
    echo "Error: " . $sql . "<br>" . $conn->error;
}

$conn->close();
?>
</div>
</body>
</html>

You might want to enclose the strings with a single quote. https://stackoverflow.com/questions/5427090/php-mysqli-insert-variables-query Maybe this is a bit of help. — M. Suleiman, Dec 28 '18 at 12:44

Nahiyan · Accepted Answer · 2018-12-28T12:50:39.397

You need to put quotes around strings in your query:

$sql = "INSERT INTO employee (email, passwort, vorname, nachname, created_at, updated_at)
VALUES ('$email', '$name', '$surname', '$password1', '$cdate', '$udate')";

Moreover, I didn't include the value of the auto-incremented field in the INSERT statement as your DB engine will automatically take care of that, don't try setting it to NULL as you did in your code.

I suggest escaping your data for security purposes (primarily SQL injection). You can read more here.

However, here's how you may want to escape your form input data:

$conn = new mysqli($servername, $username, $password, $dbname);

$email = mysqli_real_escape_string($conn, $_POST["email"]);
$name = mysqli_real_escape_string($conn, $_POST["name"]);
$surname = mysqli_real_escape_string($conn, $_POST["lastname"]);
$password1 = mysqli_real_escape_string($conn, $_POST["password1"]);
$cdate = mysqli_real_escape_string($conn, $_POST["cdate"]);
$udate = mysqli_real_escape_string($conn, $_POST["udate"]);

Getting error when attempting to insert data into database from a form

1 Answers1