0

I'm a new user of this website. I'm trying to execute this simple query:

$id_book=$_REQUEST['id_book'];
$date=date("Y/m/d");
$sql="INSERT INTO books(id_book,date) VALUES($id_book,'$date')";
if(!$mysqli->query($sql)){
   die($mysqli->error.". ".$mysqli->errno);
};

but got this error message:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''2019/02/27')' at line 1. 1064

What am I doing wrong? Can someone help me please?

Nigel Ren

2 Answers

3

First, DO NOT inject that $_REQUEST['id_book'] variable into your SQL; see "How can I prevent SQL injection in PHP?" and use a prepared statement.

You need to use the correct DATE format for MySQL:

$date = date("Y-m-d");

Also date is a reserved word in MySQL, so choose something else for the column name or use backticks:

// placeholders for prepared statement ?
$sql = "INSERT INTO books(id_book, `date`) VALUES(?, ?)";
AbraCadaver
0

Try properly converting the date string to a date:

$sql="INSERT INTO books(id_book,date) VALUES($id_book,str_to_date('$date', '%Y/%m/%d'))";

Anyway, you should not use PHP variables in SQL; you are at risk of SQL injection. To avoid this, take a look at your MySQL driver's prepared statements and parameter binding.

ScaisEdge
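
The prepared statement that both answers recommend, written out in full as an added example (not code from the question or from either answer). It assumes the question's mysqli driver, a books table with an integer id_book and a DATE column, and placeholder connection settings; parse_book_id and insert_book are hypothetical helper names.

```php
<?php
// Added example. Assumptions: placeholder connection settings and a table
// books(id_book INT, `date` DATE); helper names are hypothetical.

// Make mysqli throw mysqli_sql_exception instead of returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/** Accept the request value only if it is a positive integer; otherwise null. */
function parse_book_id($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** Insert one row with both values bound as parameters, never concatenated. */
function insert_book(mysqli $mysqli, int $idBook, string $date): void
{
    // `date` is backtick-quoted as in the first answer; each ? is a bound parameter.
    $stmt = $mysqli->prepare('INSERT INTO books(id_book, `date`) VALUES(?, ?)');
    $stmt->bind_param('is', $idBook, $date); // i = integer, s = string
    $stmt->execute();
    $stmt->close();
}

$idBook = parse_book_id($_REQUEST['id_book'] ?? null);
if ($idBook === null) {
    // Missing or non-integer input is rejected before any SQL is built.
    http_response_code(400);
    exit('Invalid id_book');
}

try {
    // Placeholder credentials (assumption): replace with your own settings.
    $mysqli = new mysqli('localhost', 'app_user', 'app_password', 'library');
    insert_book($mysqli, $idBook, date('Y-m-d')); // MySQL DATE format
} catch (mysqli_sql_exception $e) {
    // Keep the SQL error in the server log rather than echoing it to the client.
    error_log($e->getMessage());
    http_response_code(500);
    exit('Could not save the book');
}
```

Unlike the die($mysqli->error) call in the question, the catch block keeps query details out of the HTTP response.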