
I'm trying to insert form data into a database, but I keep getting:

Error: INSERT INTO objective_form (name, doa) VALUES (, ) You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ' )' at line 2

This is the code:

<?php
$name = $_POST["Patient Name"];
$doa = $_POST["Date of Assessment"];

// Create connection
$conn = new mysqli("localhost","username","pw","db");
// Check connection
if ($conn->connect_error) {
    die("Connection error.");
}

$sql = "INSERT INTO objective_form (name, doa)
VALUES ($name, $doa)";

if ($conn->query($sql) === TRUE) {
    echo "New record created successfully";
} else {
    echo "Error: " . $sql . "<br>" . $conn->error;
}

$conn->close();
?>

What's the issue here?

EDIT: I've edited the code and applied all of your suggestions, and it still isn't working; despite using prepared statements and the suggested code, it still displays the error message.

  • **Warning:** You are wide open to [SQL Injections](https://php.net/manual/en/security.database.sql-injection.php) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still at risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/5741187) – Dharman Oct 27 '19 at 00:18
  • The problem is you are not sending any data to your script. If you had error reporting enabled, you would probably see notices of undefined indexes. But even if you passed some data in POST, it would still not work, as you are not using prepared statements and your SQL would break. – Dharman Oct 27 '19 at 00:20
  • [How to get the error message in MySQLi?](https://stackoverflow.com/a/22662582/1839439) – Dharman Oct 27 '19 at 00:20
  • [How to include a PHP variable inside a MySQL statement](https://stackoverflow.com/a/7537500/1839439) – Dharman Oct 27 '19 at 00:21

1 Answer

Not sure if it is the root of the problem, but it's good practice: you should use prepared statements, like this:

$sql = "INSERT INTO objective_form (name, doa) VALUES (?, ?)";
$stmt = $link->prepare( $sql );
$stmt->bind_param( 'ss', $name, $doa);
$stmt->execute();

Then what I do to see if it's successful is:

if ($stmt->affected_rows > 0) {
    echo 'works';
} else {
    echo 'didnt work';
}

hndvf
  • While a very good recommendation in general, this is not addressing the main issue, which is that the POST values are empty. The code should check whether anything has been sent in the POST prior to using it. – Dharman Oct 27 '19 at 00:25
  • So maybe a: if(isset($_POST['Patient Name'])){ do something; } – hndvf Oct 27 '19 at 00:29
  • POST data will never be blank, it's used in a special web-based application that doesn't allow the end user to visit the URL directly, and the form which is being submitted uses HTML to require all fields to be occupied. And, attacks/injections aren't an issue for me, for the above reason and the fact that it'll be run on an on-site local server, won't be connected to the internet and will only be used by myself and 2 others, so I'm not concerned about that. – TheEdgyRocket Oct 27 '19 at 00:33
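A hardened version of the asker's handler, added here as an example (it is not code from the asker or the answerer): it validates the POST keys before touching the database, turns on mysqli exceptions so a failing prepare()/execute() surfaces with its real message, and uses the answer's parameterized INSERT. It assumes the same objective_form(name, doa) table and connection values as the question; the underscored field names reflect PHP's rewriting of spaces in submitted field names.

```php
<?php
// Added example, not the original page's code. Assumes the question's
// objective_form(name, doa) table and connection details.
declare(strict_types=1);

// Throw on any MySQL error instead of silently returning false, so a failing
// prepare()/execute() is reported with its real message.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// PHP rewrites spaces and dots in incoming field names to underscores, so a
// form field named "Patient Name" arrives as $_POST['Patient_Name'].
// Accept only the keys we expect and refuse the request if any is missing.
function readFormFields(array $post, array $required): ?array
{
    $out = [];
    foreach ($required as $field) {
        if (!isset($post[$field]) || !is_string($post[$field]) || trim($post[$field]) === '') {
            return null; // missing or empty field: do not touch the database
        }
        $out[$field] = trim($post[$field]);
    }
    return $out;
}

function insertObjectiveForm(mysqli $conn, string $name, string $doa): int
{
    // Placeholders keep the values out of the SQL text; bind_param() sends them
    // separately, so quotes or SQL fragments in $name or $doa are stored as data.
    $stmt = $conn->prepare('INSERT INTO objective_form (name, doa) VALUES (?, ?)');
    $stmt->bind_param('ss', $name, $doa);
    $stmt->execute();
    return $stmt->affected_rows; // 1 when the row was inserted
}

$fields = readFormFields($_POST, ['Patient_Name', 'Date_of_Assessment']);
if ($fields === null) {
    http_response_code(400);
    exit('Missing form fields.');
}

try {
    $conn = new mysqli('localhost', 'username', 'pw', 'db'); // throws on failure
    $rows = insertObjectiveForm($conn, $fields['Patient_Name'], $fields['Date_of_Assessment']);
    $conn->close();
    echo $rows === 1 ? 'New record created successfully' : 'No row inserted';
} catch (mysqli_sql_exception $e) {
    error_log($e->getMessage()); // keep the SQL detail in the server log...
    http_response_code(500);
    echo 'Database error.';      // ...and show the user only a generic message
}
```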