Any help for me.. I'm new to this. Error creating query: You have an error in your SQL syntax;
samfisher |
Feb 16 2016, 12:07 PM
Post
#1
|
Group: Members Posts: 1 Joined: 16-February 16 Member No.: 24,000 |
This is my code..

<html>
<body bgcolor="black" align="center">
<font color="green">
<form method="post" action="payment.php"; >
  Name:<input type="text" name="fname" required><br><br>
  Account No:<input type="text" name="account" required><br><br>
  Card type:<input type="radio" name="card" value="Visa" required>Visa
  <input type="radio" name="card" value="Master" required>Master
  <input type="radio" name="card" value="Amex" required>Amex<br><br>
  Bank:<select name="bank" required>
    <option value="none" title="Pleaseselectabank">(Please select a Bank)</option>
    <option value="Nationstrustbank" title="Nations trust bank">Nations trust bank</option>
    <option value="HSDCBank" title="HSDC Bank">HSDC Bank</option>
  </select><br><br>
  Phone No:<input type="text" name="phone" required><br><br>
  Adress:<input type="text" name="add" required><br><br>
  ID No:<input type="text" name="id" required><br><br>
  Reason:<br><textarea name="reason" rows="6" cols="60" optional></textarea><br><br><br>
  <input type="submit">
</form>
<?php
if(isset ($_POST['submit'])){
    $fname = $_POST['fname'];
    $account = $_POST['account'];
    $card = $_POST['card'];
    $bank = $_POST['bank'];
    $phone = $_POST['phone'];
    $add = $_POST['add'];
    $id = $_POST['id'];
    $reason = $_POST['reason'];
}
$con=mysqli_connect("localhost","root","","mas_pvt_ltd");
if(mysqli_connect_errno()){
    echo"Faidad to connect to MYSQL:". mysqli_connect_error();
}
else{
    echo "DB Connected";
}
$sql="INSERT INTO department_payments(fname,account,card,bank,phone,add,id,reason) VALUES('$fname','$account','$card','$bank','$phone','$add','$id','$reason')";
if(mysqli_query($con,$sql)){
    echo"Query done";
}else{
    echo"Error creating query:".mysqli_error($con);
}
?>
</body>
</html>

And I'm getting this error.

Error creating query:You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'add,id,reason) VALUES('','','','','','','','')' at line 1
CharlesEF |
Feb 16 2016, 02:11 PM
Post
#2
|
Programming Fanatic Group: Members Posts: 1,981 Joined: 27-April 13 From: Edinburg, Texas Member No.: 19,088 |
I don't see anything in your SQL insert statement that jumps out at me. I do see that you are open to SQL injection attacks because you don't seem to sanitize your user data. One thing that might cause this error is that some characters require escaping before being inserted into a database. You should use the PHP command 'mysqli_real_escape_string' to escape the data first. You need to move the database connection code to the beginning, before the POST values are set to variables; it needs the $con object.
CODE
$fname = mysqli_real_escape_string($con, $_POST['fname']);
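
Added example, not part of the thread or either poster's code: the same insert written with a mysqli prepared statement, so user input never becomes part of the SQL text. The error message above points at `add`, which is a reserved word in MySQL, so the column name is backtick-quoted here. `insert_payment()`, `app_user` and `DB_PASSWORD_PLACEHOLDER` are hypothetical names; the database, table and column names are the ones from the original post.

```php
<?php
// Added example, not code from the thread. insert_payment() and the
// app_user / DB_PASSWORD_PLACEHOLDER credentials are hypothetical.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // DB errors throw

function insert_payment(mysqli $con, array $post): int
{
    $fields = ['fname', 'account', 'card', 'bank', 'phone', 'add', 'id', 'reason'];
    $values = [];
    foreach ($fields as $f) {
        // Reject missing or non-string input (fname[]=x would arrive as an array).
        if (!isset($post[$f]) || !is_string($post[$f])) {
            throw new InvalidArgumentException("missing or invalid field: $f");
        }
        $values[] = trim($post[$f]);
    }
    // Radio values are client-controlled; accept only the ones the form offers.
    if (!in_array($post['card'], ['Visa', 'Master', 'Amex'], true)) {
        throw new InvalidArgumentException('unknown card type');
    }
    // `add` is a MySQL reserved word, so the column name is backtick-quoted.
    // The ? placeholders send user data separately from the SQL text.
    $stmt = $con->prepare(
        'INSERT INTO department_payments
           (fname, account, card, bank, phone, `add`, id, reason)
         VALUES (?, ?, ?, ?, ?, ?, ?, ?)'
    );
    $stmt->bind_param('ssssssss', ...$values);
    $stmt->execute();
    $rows = $stmt->affected_rows;
    $stmt->close();
    return $rows;
}

// The submit button has no name, so test the request method, not $_POST['submit'].
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    try {
        $con = new mysqli('localhost', 'app_user', 'DB_PASSWORD_PLACEHOLDER', 'mas_pvt_ltd');
        $con->set_charset('utf8mb4');
        echo insert_payment($con, $_POST) === 1 ? 'Saved' : 'Not saved';
    } catch (InvalidArgumentException $e) {
        echo 'Invalid input';
    } catch (mysqli_sql_exception $e) {
        error_log($e->getMessage()); // keep SQL details out of the response
        echo 'Could not save the payment';
    }
}
```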