
QUERY Failed! You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'order(product_id,customer_name,total_bill,quantity)VALUES(1,'taha khan',5368,22)' at line 1

<?php 
    if ($_SERVER['REQUEST_METHOD'] == "POST") {   
        $product = $_POST['product_id'];
        $customer_name = $_POST['customer'];
        $qty = $_POST['qty'];
        $product_cost = $_POST['product_cost'];
        $total_bill = $product_cost * $qty;

        // Table name "order" is unquoted here, and the POST values are interpolated
        // straight into the SQL string (see the answer below for both problems).
        $result = "INSERT INTO order(product_id,customer_name,total_bill,quantity)VALUES($product,'$customer_name',$total_bill,$qty)";
        $query = query($result);        // query() and confirmQuery() are the asker's own helpers

        confirmQuery($query);
    }
?>


Funk Forty Niner
Taha Khan

1 Answer


You cannot name your table order and use it like that. That is a reserved keyword.

That being said, you can still use that name if you insist by doing:

INSERT INTO `order` (product_id...

The backticks will allow it to work. My recommendation would be to name your table orders instead to avoid conflicts in queries.


It is important for me to also note that your query is vulnerable to SQL injection attacks. You should NEVER take raw input and put it straight into your database. There is nothing stopping me from posting a fragment of a SQL query in the customer field and stealing data.

Take the time to learn how to use prepared statements; it will be extremely beneficial: https://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php

Jeremy Harris
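The two fixes from the answer carried through as an added example (not the asker's or answerer's code): the table renamed to `orders` and backticked, and every POST value type-checked and bound through a mysqli prepared statement instead of being interpolated into the SQL string. The connection credentials are placeholders and `insertOrder` is a name chosen here.

```php
<?php
// Added example, not from the original question or answer.
// Credentials below are placeholders; replace with real values.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors instead of failing silently
$conn = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');

// Insert one order row and return its auto-increment id.
function insertOrder(mysqli $conn, int $productId, string $customerName, int $qty, float $productCost): int
{
    $totalBill = $productCost * $qty;

    // Backticks make a reserved word such as `order` legal, but `orders` avoids the
    // problem altogether. The ? placeholders are sent separately from the SQL text,
    // so quotes or SQL keywords inside a value are stored as literal characters.
    $sql = "INSERT INTO `orders` (product_id, customer_name, total_bill, quantity) VALUES (?, ?, ?, ?)";
    $stmt = $conn->prepare($sql);
    // Type string: i = integer, s = string, d = double, one letter per placeholder.
    $stmt->bind_param('isdi', $productId, $customerName, $totalBill, $qty);
    $stmt->execute();
    $id = (int) $stmt->insert_id;
    $stmt->close();
    return $id;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Validate types before anything reaches the database; filter_input returns
    // false for a value that fails validation and null for a missing field.
    $productId   = filter_input(INPUT_POST, 'product_id', FILTER_VALIDATE_INT);
    $qty         = filter_input(INPUT_POST, 'qty', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    $productCost = filter_input(INPUT_POST, 'product_cost', FILTER_VALIDATE_FLOAT);
    $customer    = trim((string) ($_POST['customer'] ?? ''));

    if (!is_int($productId) || !is_int($qty) || !is_float($productCost) || $customer === '') {
        http_response_code(400);
        exit('Invalid order data');
    }

    $orderId = insertOrder($conn, $productId, $customer, $qty, $productCost);
    echo "Order {$orderId} saved";
}
```

With `MYSQLI_REPORT_STRICT` enabled, a syntax error like the one in the question surfaces as a `mysqli_sql_exception` rather than a string that has to be checked by hand.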