<?php
    include 'db_connection.php';

    $name = $_POST['name'];
    $password = $_POST['password'];
    $email = $_POST['email'];
    $phone = $_POST['phone'];

    $conn = OpenCon();
    echo "<br><br>Connected Successfully";

    $sql = "INSERT INTO 'customer'('customer name','password','email','phone number') VALUES([$name], [$password], [$email], [$phone]);";

    if (mysqli_query($conn, $sql)) {
        echo "New record created successfully";
    } else {
        echo "Error: " . $sql . "<br>" . mysqli_error($conn);
    }
?>

This code is giving me an error when I try to use the INSERT statement. I created the DB connection using the $conn variable.

Mathew Dony

2 Answers

Avoid the unwanted semicolon at the end and remove the single quotes from the table name. Try the following. Also, since two of your fields contain a space, you can avoid using single quotes and use `` backticks instead.

$sql = "INSERT INTO customer (`customer name`,password, email, `phone number`) VALUES ('$name','$password','$email', '$phone') ";
Oops
  • Glad to help :) . You can accept this answer if you find it useful. – Oops Mar 18 '20 at 09:15
  • This opens the code to [SQL injection](https://stackoverflow.com/questions/332365/how-does-the-sql-injection-from-the-bobby-tables-xkcd-comic-work). You should use [prepared statements](https://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php) instead. – El_Vanja Mar 18 '20 at 13:37
Solution for your code

I assume that your name, password, email and phone are strings.

So they must appear between quotes in your final request, so

$sql = "INSERT INTO 'customer'('customer name','password','email','phone number') VALUES([$name], [$password], [$email], [$phone]);";

Change to

$sql = "INSERT INTO 'customer'('customer name','password','email','phone number') VALUES('[$name]', '[$password]', '[$email]', '[$phone]')";

In addition, and to avoid SQL injection, you should escape the strings you get from the POST request, so you should replace

$name = $_POST['name'];
$password = $_POST['password'];
$email = $_POST['email'];
$phone = $_POST['phone'];

by

$name = mysqli_real_escape_string($conn, $_POST['name']);
$password = mysqli_real_escape_string($conn, $_POST['password']);
$email = mysqli_real_escape_string($conn, $_POST['email']);
$phone = mysqli_real_escape_string($conn, $_POST['phone']);

And move them after the creation of your connection.

Better solution (if you can)

The best solution to handle databases in PHP is using prepared requests, or even better: using an ORM like Doctrine. It will be far more secure and reliable.

redheness
  • Have you verified the name of the columns in your SQL statement ? Names with spaces seems quite crazy – redheness Mar 18 '20 at 09:15
  • Or can you output the generated SQL (with random values to avoid disclosing password) ? – redheness Mar 18 '20 at 09:18
  • Escaping with `mysqli_real_escape_string` will do very little, if not next to nothing to prevent [SQL injection](https://stackoverflow.com/questions/332365/how-does-the-sql-injection-from-the-bobby-tables-xkcd-comic-work). You should use [prepared statements](https://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php) instead. – El_Vanja Mar 18 '20 at 13:38
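As an added example that is not part of any answer above, here is the insert from the question rewritten with a mysqli prepared statement, which is what the comments on both answers recommend. It assumes the asker's `OpenCon()` helper from `db_connection.php` returns a mysqli connection and keeps the question's table and column names; it also hashes the password before storage, which the thread itself does not discuss.

```php
<?php
// Added example: the question's insert rewritten with a mysqli prepared
// statement so that user input is never spliced into the SQL text.
// Assumes OpenCon() from the asker's db_connection.php returns a mysqli
// object, and uses the question's table and column names.
include 'db_connection.php';

// Make mysqli throw exceptions instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$conn = OpenCon();

// Read only the fields we expect; a missing field becomes an empty string.
$name     = $_POST['name']     ?? '';
$password = $_POST['password'] ?? '';
$email    = $_POST['email']    ?? '';
$phone    = $_POST['phone']    ?? '';

// Never store the raw password: store a salted hash instead.
$passwordHash = password_hash($password, PASSWORD_DEFAULT);

// Identifiers containing spaces are quoted with backticks. Values are not
// quoted at all: each "?" is a placeholder bound separately below, so the
// database parses the query text once and treats every bound value purely
// as data, whatever quotes or SQL keywords it contains.
$sql = "INSERT INTO `customer` (`customer name`, `password`, `email`, `phone number`)
        VALUES (?, ?, ?, ?)";

try {
    $stmt = $conn->prepare($sql);
    // 'ssss': four string parameters, bound by reference in column order.
    $stmt->bind_param('ssss', $name, $passwordHash, $email, $phone);
    $stmt->execute();
    echo "New record created successfully";
    $stmt->close();
} catch (mysqli_sql_exception $e) {
    // Log the detail server-side; do not echo the SQL or driver error to
    // the browser, as the original code did.
    error_log('customer insert failed: ' . $e->getMessage());
    echo "Error: could not create record";
}
```

With the statement prepared this way, the original question's need to quote (or escape) the values disappears entirely, because the values never become part of the query string.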