
I am trying to execute this INSERT statement but it isn't executed. I echoed the $query string and it seems ok. When attempting to execute with mysqli_query($connect, $query) nothing happens, just a blank screen.

$query = "INSERT INTO spservices('service_no', 'service_email', 'service_type', 'service_exit_node', 'service_billing', 'service_next_due', 'service_download', 'service_password') 
VALUES('$serviceNo','$mail', '$serviceType', '$enode', '$serviceBilling','$nextDue','Pending until payment confirmed','$servicePass')";

if (mysqli_query($connect, $query)) {
    //MY CODE SENDS AN EMAIL HERE
}
Masivuye Cokile
user ct
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)***. Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Jan 24 '19 at 12:40

1 Answer

Strings in single quotes are treated as user inputs, not as table/field names, in SQL.

So, the corrected SQL:

$query       = "INSERT INTO spservices(service_no, service_email, service_type, service_exit_node, service_billing, service_next_due, service_download, service_password) 
VALUES('$serviceNo','$mail', '$serviceType', '$enode', '$serviceBilling','$nextDue','Pending until payment confirmed','$servicePass')";

Instead of single quotes around field names, you can use the backtick operator (`) around column/field names.

This is useful when your field name is a reserved SQL word.

For example:

SELECT `select` FROM users
Pupil