This question already has an answer here:
hello this is an assignment from our class and i have this problem inserting a data in my database called userdb. i have a form that accepts 3 fields: Name, Subject and Message. And in my localhost/phpmyadmin i have a table called data which has 5 fields : userID (auto increment) (int) , name (varchar), subject (varchar), message (text) and Timestamp (date) . And when I submit data to my form, this error pops up : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'john!, 15-11-17)' at line 1
<form action="<?php $_SERVER['PHP_SELF']; ?>" method="post">
Name :    <input type="text" name="name" /> <br>
Subject :  <input type="text" name="subject" > <br> Message :
<br> <textarea name="message" type="text" style="width:200px; height:100px"></textarea> <br>
<input type="submit" name="btnSubmit" />
</form>
</div>
<?php
if($_POST) {
$name = $_POST['name'];
$subject = $_POST['subject'];
$message = $_POST['message'];
$date = date("y-m-d");
$user = "jarvs";
$pass = "strumandplay";
$db="userdb";
$conn = mysqli_connect("localhost", $user, $pass, $db);
if(!mysqli_connect()){
die("failed to connect to server " . mysqli_connect_error());
}else{
echo "connected" . "<br>";
}
$query = "INSERT INTO data (userID, Subject, Message, Timestamp) VALUES (1, $subject, $message, $date)";
if (mysqli_query($conn, $query)) {
echo "New record created successfully";
} else {
echo "Error: " . $query . "<br>" . mysqli_error($conn);
}
mysqli_close($conn);
}
?>
thanks for answering.
</div>
echo your $query var to see what's wrong. You will find that strings are not quoted:
Do it like this:
$query = "INSERT INTO data (userID, Subject, Message, Timestamp) VALUES (1, '$subject', '$message', '$date')";
Next step will be to escape the $subject, $message and $date to not crash the script when they contain a quote '.