Getting this error:

ERROR: Hush! Sorry INSERT INTO Tennis_DB.Coach (membership, firstname, lastname, adress, phonenumber, email) VALUES ('','First','Last,'adress','number','email' '']; ). You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'adress','number','email' '']; )' at line 1

Here is my code:

<!DOCTYPE html>
<html>
 
<head>
    <title>Insert Page</title>
</head>
 
<body>
    <center>
        <?php
 
        // servername => localhost
        // username => root
        // password => empty
        // database name => membership_info
        $conn = mysqli_connect("127.0.0.1:3306","root","Farming123", "Tennis_DB");
         
        // Check connection
        if($conn === false){
            die("ERROR: Yell at Miss Chileshe or Malachi. "
                . mysqli_connect_error());
        }
        
        // Taking all 7 values from the form data(input)
        
        $membershipid = $_REQUEST['membershipid'];   
        $firstname = $_REQUEST['firstname'];
        $lastname = $_REQUEST['lastname'];
        $address = $_REQUEST['address'];
        $phonenumber = $_REQUEST['phonenumber'];
        $email = $_REQUEST['email'];
        
         
        // Performing insert query execution
        // here our table name is membership_data
        $sql = "INSERT INTO Tennis_DB.Coach (membership, firstname, lastname, adress, phonenumber, email) VALUES ('$membershipid','$firstname','$lastname,'$address','$phonenumber','$email' '']; )";
         
        if(mysqli_query($conn, $sql)){
            echo "<h3>Data stored successfully."
                . " Saved to swimming MYSQL "
                . " to view the updated data</h3>";
 
            echo nl2br("\n$membershipid\n$firstname\n$lastname\n$address\n$phonenumber\n$email");
        } else{
            echo "ERROR: Hush! Sorry $sql. "
                . mysqli_error($conn);
        }
         
        // Close connection
        mysqli_close($conn);
        ?>
    </center>
</body>
 
</html>


What I have tried:

I have tried troubleshooting myself but I am new so... No luck.
Posted
Updated 8-May-22 11:25am

1 solution

PHP
('$membershipid','$firstname','$lastname,'$address','$phonenumber','$email' '']; )";
// quote missing here                   ^
// Quotes to remove here                                                    ^^


Never build an SQL query by concatenating strings. Sooner or later, you will do it with user inputs, and this opens the door to a vulnerability named "SQL injection"; it is dangerous for your database and error-prone.
A single quote in a name and your program crashes. If a user inputting a name like "Brian O'Conner" can crash your app, it is an SQL injection vulnerability, and the crash is the least of the problems: a malicious user input is promoted to SQL commands with all credentials.
SQL injection - Wikipedia
SQL Injection
SQL Injection Attacks by Example
PHP: SQL Injection - Manual
How can I explain SQL injection without technical jargon? - Information Security Stack Exchange
 
Comments
Jackson Dwyer 8-May-22 17:25pm    
Thanks for your help but this is just for a school assignment not for actual deployment. Is my error coming from the type of data / characters inserted?
Patrice T 8-May-22 17:28pm    
Read again the first part of the answer.
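
The INSERT from the question written as a mysqli prepared statement, as an added example that is not part of the original question or answer. The `insert_coach` helper and the `DB_HOST`, `DB_USER` and `DB_PASS` environment variable names are assumptions made for illustration; the table and column names are copied as spelled in the question.

```php
<?php
// Added example: parameterized version of the question's INSERT.
// Assumptions: DB_* environment variables (hypothetical names) hold the
// connection settings; Tennis_DB.Coach has the columns named in the question.

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // DB errors throw exceptions

function insert_coach(mysqli $conn, array $input): int
{
    $fields = ['membershipid', 'firstname', 'lastname', 'address', 'phonenumber', 'email'];
    $values = [];
    foreach ($fields as $f) {
        // Reject missing or non-string (array) form fields before touching the DB.
        if (!isset($input[$f]) || !is_string($input[$f])) {
            throw new InvalidArgumentException("Missing form field: $f");
        }
        $values[] = trim($input[$f]);
    }

    // The SQL text is a constant. Values travel separately as parameters, so a
    // quote in "Brian O'Conner" cannot close a string literal or alter the query.
    $stmt = $conn->prepare(
        'INSERT INTO Tennis_DB.Coach
            (membership, firstname, lastname, adress, phonenumber, email)
         VALUES (?, ?, ?, ?, ?, ?)'
    );
    $stmt->bind_param('ssssss', ...$values); // six string parameters
    $stmt->execute();
    $rows = $stmt->affected_rows;
    $stmt->close();
    return $rows;
}

try {
    $conn = new mysqli(getenv('DB_HOST') ?: '127.0.0.1', getenv('DB_USER'),
                       getenv('DB_PASS'), 'Tennis_DB');
    $conn->set_charset('utf8mb4');
    insert_coach($conn, $_POST);
    echo '<h3>Data stored successfully.</h3>';
    $conn->close();
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo 'ERROR: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
} catch (mysqli_sql_exception $e) {
    error_log($e->getMessage());          // details go to the server log,
    http_response_code(500);              // not back to the browser
    echo 'ERROR: could not save the record.';
}
```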

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)
