This question already has an answer here:
I am trying to execute an INSERT INTO query but for some reason an error is thrown.
$result1 = mysqli_query($connection,
"INSERT INTO `results`
(`result_quiz_name`, `result_marks`, `result_grade`,
`student_id`, `result_max_marks`)
VALUES ('Ionic Bonding Introduction', $marks, $grade,
$student, 5)");
The variable $marks is an integer, the $grade variable is a string and the $student variable is just the integer value of a session variable. The error that is displayed is this:
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' 1, 5)' at line 1
I just can't seem to work out where the syntax error is. I have run this query in phpMyAdmin and it works fine (obviously substituting the variables for values).
Thanks,
</div>
When a column type is text/string/char/varchar etc you have to wrap the variable in quotes in your parameter list, just like you did for 'Ionic Bonding Introduction'
$result1 = mysqli_query($connection,
"INSERT INTO `results`
(`result_quiz_name`, `result_marks`, `result_grade`,
`student_id`, `result_max_marks`)
VALUES ('Ionic Bonding Introduction', $marks, '$grade',
$student, 5)");
Try using following code
$result1 = mysqli_query($connection, "INSERT INTO `results` (`result_quiz_name`, `result_marks`, `result_grade`, `student_id`, `result_max_marks`) VALUES ('Ionic Bonding Introduction', '$marks', '$grade', '$student', 5)");
Change $grade to '$grade'
$result1 = mysqli_query($connection,
"INSERT INTO `results`
(`result_quiz_name`, `result_marks`, `result_grade`,
`student_id`, `result_max_marks`)
VALUES ('Ionic Bonding Introduction', $marks, '$grade',
$student, 5)");
Just like in PHP — in SQL a string must be quoted, and quotes inside of string syntax must be properly escaped if they are a part of the value.
Use var_dump($marks, $grade, $student) to inspect your variables. If $grade is a string like you say then you really should be running it through the proper escape functions (i.e. mysqli_real_escape_string in your case) for your database.
Even better is to just use parameterized queries, which both PDO and MySQLi will support in PHP.
So for example you can change your sql code to the following...
$stmt = mysqli_prepare($connection,
"INSERT INTO `results`
(`result_quiz_name`, `result_marks`, `result_grade`,
`student_id`, `result_max_marks`)
VALUES ('Ionic Bonding Introduction', ?, ?, ?, 5)");
Which gives you a prepared statement that's safe for inserting any value without breaking your SQL syntax...
if ($stmt) {
$stmt->bind_param("i", $marks);
$stmt->bind_param("s", $grade);
$stmt->bind_param("i", $student);
$stmt->execute(); // this executes your statement
$result = $stmt->get_result(); // this gives you the result set
$row = $result->fetch_array(); // get rows from there
}
Since $grade is a string, it should be quoted in the query:
$result1 = mysqli_query($connection, "INSERT INTO `results` (`result_quiz_name`, `result_marks`, `result_grade`, `student_id`, `result_max_marks`) VALUES ('Ionic Bonding Introduction', $marks, '$grade', $student, 5)");