Error: Entry Cant SubmittedYou have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''Image') VALUES ('Nakshatra ', 'Neema', 'nakshatraneema@gmail.com', '07746884...' at line 1

Code:

<?php
   global $conn;

   if (isset($_POST['submit']))
   {
       if (isset($_POST['FNAME']) && isset($_POST['LNAME']) && isset($_POST['MAIL']) && isset($_POST['MNUM']))
       {
           $errors = array();
           if (isset($_FILES['IMAGE']) && $_FILES['IMAGE']['error'] == 0)
           {
               // Database connection (as root, with an empty password)
               $servername = "localhost";
               $username = "root";
               $password = "";
               $database = "data1";
               $conn = mysqli_connect($servername, $username, $password, $database);
               if (!$conn)
               {
                   die('Connection could not be established');
               }

               // Form fields, taken from the request as-is
               $FirstName = $_POST['FNAME'];
               $LastName = $_POST['LNAME'];
               $Email = $_POST['MAIL'];
               $MobileNumber = $_POST['MNUM'];

               // Upload details; the stored name is the client-supplied name prefixed with a timestamp
               $file_name = time() . '_' . $_FILES['IMAGE']['name'];
               $file_size = $_FILES['IMAGE']['size'];
               $file_tmp = $_FILES['IMAGE']['tmp_name'];
               $file_type = $_FILES['IMAGE']['type'];
               $file_ext = pathinfo($file_name, PATHINFO_EXTENSION);
               $extensions = array("jpeg", "jpg", "png", "gif");

               if (in_array($file_ext, $extensions) === false)
               {
                   $errors[] = "Extension not allowed, please choose a JPEG or PNG file.";
               }

               if ($file_size > 50000)
               {
                   $errors[] = 'File size must be at most 50KB';
               }

               if (empty($errors) == true)
               {
                   move_uploaded_file($file_tmp, "uploads/" . $file_name);
                   // Query built by string interpolation; this is the statement that fails
                   $sql = "INSERT INTO `new` (`FirstName`, `LastName`, `Email`, `MobileNumber`,'Image') VALUES ('$FirstName', '$LastName', '$Email', '$MobileNumber','$file_name')";
                   $result = $conn->query($sql);
                   if ($result)
                   {
                       echo "Entry is Successfully Submitted";
                   }
                   else
                   {
                       echo "Entry Cant Submitted" . mysqli_error($conn);
                   }
               }
               else
               {
                   print_r($errors);
               }
           }
       }
       else
       {
           echo "All Fields are Required";
           die();
       }
   }
   else
   {
       echo "Submit button is not set";
   }
?>

  • `$sql = "INSERT INTO \`new\` (\`FirstName\`, \`LastName\`, \`Email\`, \`MobileNumber\`,'Image')` - you notice any difference between how you wrote all those other columns here, and `Image` ...? – CBroe Apr 19 '22 at 10:51
  • FYI: Terrible code in terms of SQL injection - why are you still not using _prepared statements_ ...? – CBroe Apr 19 '22 at 10:52
  • **Warning:** You are wide open to [SQL Injections](https://php.net/manual/en/security.database.sql-injection.php) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/32391315) – Dharman Apr 19 '22 at 10:57
  • Never configure your web app to login to the database as `root`. Root can do whatever it likes, so on top of the SQL injection vulnerabilities this just leaves your database an open book for hackers. Instead create a separate user account specifically for this application which has only the permissions it actually _needs_ in order to work properly. Don't even use the root account as a shortcut during development or testing, because you need to test your account permissions as well - otherwise when you go live you might have unexpected errors relating to the user account setup. – ADyson Apr 19 '22 at 11:11

1 Answer

Suddenly you move away from backticks, change this:

$sql = "INSERT INTO `new` (`FirstName`, `LastName`, `Email`, `MobileNumber`,'Image') VALUES ('$FirstName', '$LastName', '$Email', '$MobileNumber','$file_name')";

To this:

$sql = "INSERT INTO `new` (`FirstName`, `LastName`, `Email`, `MobileNumber`,`Image`) VALUES ('$FirstName', '$LastName', '$Email', '$MobileNumber','$file_name')";

Note the backticks near Image.

Also, you should work on your question asking skills, check this link to see what I mean. And your code is wide open to SQL-injection, check out prepared statements here.

geertjanknapen
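The answer's backtick fix and the comments' two recommendations (prepared statements, a non-root database account) put together, as an added example that is neither the asker's nor the answerer's code. It assumes the `data1` database and `new` table from the question; the `app_user` account, its password and the `GRANT` statement are placeholders for whatever the real deployment uses. The single-quoted `'Image'` in the original is a string literal to MariaDB, not an identifier, which is why the parser stops right there; a prepared statement binds values only, so the column list still has to be fixed in the SQL text itself.

```php
<?php
// Added example, not the asker's or the answerer's code: the question's INSERT
// rewritten with backticked identifiers and a mysqli prepared statement, run as a
// restricted database account instead of root. The account name, its password
// and the GRANT below are placeholders; the `data1` database and `new` table are
// the ones from the question.
//
// One-time setup on the MariaDB server (run as an administrator), assumed here:
//   CREATE USER 'app_user'@'localhost' IDENTIFIED BY 'change-me';
//   GRANT INSERT ON `data1`.`new` TO 'app_user'@'localhost';

declare(strict_types=1);

// Make mysqli throw mysqli_sql_exception instead of returning false, so a
// failed prepare() or execute() cannot go unnoticed.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function connect_as_app_user(): mysqli
{
    // Placeholder credentials for the least-privilege application account.
    return new mysqli('localhost', 'app_user', 'change-me', 'data1');
}

/**
 * Insert one entry and return the new row's auto-increment id (0 if the
 * table has no AUTO_INCREMENT column). $fields must contain FirstName,
 * LastName, Email and MobileNumber; $file_name is the stored upload name.
 */
function insert_entry(mysqli $conn, array $fields, string $file_name): int
{
    // Identifiers are backticked (the fix from the answer); values are '?'
    // placeholders and are never interpolated into the SQL text.
    $sql = 'INSERT INTO `new` (`FirstName`, `LastName`, `Email`, `MobileNumber`, `Image`)'
         . ' VALUES (?, ?, ?, ?, ?)';

    // bind_param() takes its arguments by reference, so copy into plain variables.
    $firstName    = (string) $fields['FirstName'];
    $lastName     = (string) $fields['LastName'];
    $email        = (string) $fields['Email'];
    $mobileNumber = (string) $fields['MobileNumber'];

    $stmt = $conn->prepare($sql);
    // "sssss": five string parameters. The driver sends them separately from the
    // statement, so a quote or comment sequence inside a value stays plain data.
    $stmt->bind_param('sssss', $firstName, $lastName, $email, $mobileNumber, $file_name);
    $stmt->execute();
    $id = (int) $conn->insert_id;
    $stmt->close();
    return $id;
}

// Usage in place of the string-built query from the question. The sample input is
// constructed to contain a single quote: interpolated into the SQL it would break the
// statement (or change its meaning); bound as a parameter it is stored verbatim.
try {
    $conn = connect_as_app_user();
    $id = insert_entry($conn, [
        'FirstName'    => "O'Brien",
        'LastName'     => 'Test',
        'Email'        => 'obrien@example.com',
        'MobileNumber' => '0000000000',
    ], time() . '_photo.png');
    $conn->close();
    echo "Entry is Successfully Submitted (id $id)\n";
} catch (mysqli_sql_exception $e) {
    // Log the driver's message for the operator; do not echo it to the visitor the
    // way the question's code does, since it reveals table names and submitted values.
    error_log('insert failed: ' . $e->getMessage());
    echo "Entry could not be submitted\n";
}
```

In the web handler, the constructed sample array is replaced by the `$_POST` values and `$file_name` by the timestamped upload name from the question; the binding does not change. Because the account only holds `INSERT` on `data1`.`new`, a mistake elsewhere in the application cannot read or drop other tables, which is the point of ADyson's comment about testing with the real account rather than root.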