You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use nea

Question

I get this error //ERROR

ERRORINSERT INTO new_comp_reg (phno , fullname , address , dept , desc) VALUES ('','','','','') You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'desc) VALUES ('','','' ,'','')' at line 1

PHP

<?php

    $servername = 'mysql.hostinger.in';
    $username = '';
    $password = '';
    $dbname = 'u424351292_icrcm';

    if(isset($_POST['submit']))
    {
        $phone_no = $_POST['phno'];
        $full_name = $_POST['fullname'];
        $location = $_POST['address'];
        $department = $_POST['dept'];
        $description = $_POST['desc'];
    }

        $conn = new mysqli($servername,$username,$password,$dbname);

        if($conn->connect_error)
        {
            die("Connection Failed" . $conn->connect_error);
        }

        $sql = "INSERT INTO new_comp_reg (phno , fullname , address , dept , desc)  VALUES ('$phone_no' , '$full_name' , '$location' , '$department' , '$description')";

        if($conn->query($sql) === TRUE)
        {
            echo "Complaint Registered";
        }
        else
        {
            echo "ERROR".$sql."<br>".$conn->error;
        }

    $conn->close();
    ?>

//ERROR

ERRORINSERT INTO new_comp_reg (phno , fullname , address , dept , desc) VALUES ('','','','','') You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'desc) VALUES ('','','' ,'','')' at line 1

Answer 1

desc is a reserved keyword in MySQL and needs to be escaped by backticks.

INSERT INTO new_comp_reg (..., `desc`)  VALUES (...)

or change your column name to description for instance.

BTW you are not escaping your user input which could lead to syntax errors and SQL injections. Use Prepared Statements.

Answer 2

if(isset($_POST['submit']))
{
    $phone_no = $_POST['phno'];
    $full_name = $_POST['fullname'];
    $location = $_POST['address'];
    $department = $_POST['dept'];
    $description = $_POST['desc'];
}

    $conn = new mysqli($servername,$username,$password,$dbname);

    if($conn->connect_error)
    {
        die("Connection Failed" . $conn->connect_error);
    }

    $sql = "INSERT INTO new_comp_reg VALUES ('$phone_no' , '$full_name' , '$location' , '$department' , '$description')";

    if($conn->query($sql) === TRUE)
    {
        echo "Complaint Registered";`enter code here`
    }
    else
    {
        echo "ERROR".$sql."<br>".$conn->error;
    }

$conn->close();
?>

Answer 3

I would say that it is

$sql = "INSERT INTO new_comp_reg (phno , fullname , address , dept , desc)  VALUES ('".mysql_real_escape_string($phone_no)."' , '".mysql_real_escape_string($full_name)"' , '".mysql_real_escape_string($location)"' , '".mysql_real_escape_string($department)"' , '".mysql_real_escape_string($description)"')";

This would actually improve your protection. Also check your column name as sad above it might be that you referenced one wrong.