
Error SQL Syntax

Hi, I'm rather new to SQL and I'm currently trying to save some data into an SQL database using a website. But every time I run it I get some syntax error, and now after many hours of looking I was hoping somebody in here knew an answer, or could lead me in the right direction :)

This is the error I get when I hit my submit button:

0You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '[Campus one],[101],[2016-12-08],[test])' at line 1

This is the insert part of the script; the connection part seems to be running fine.

$sql = "INSERT INTO `formel`(`Område`, `Værelse`, `Dato`, `TV Fjernsyn Forlænger`) VALUES ([$area],[$filnavn],[$dato],[$Fjernsyn]) ";

SQL information:

[database screenshot]

Your values need to be changed from:

[$area],[$filnavn],[$dato],[$Fjernsyn]

to:

'{$area}','{$filnavn}','{$dato}','{$Fjernsyn}'

You should really be binding your params though. I assume you're using mysql_, which you shouldn't be using anymore, therefore I also suggest you look into mysqli_ or PDO.

Edit:

You should move over to PDO in fairness, I did and I love it!

I work with classes a lot as it's a neater way to work so I'll give you my input:

Make yourself a dbConfig.php file:

class Database
{
    private $host = "localhost";
    private $db_name = "dbName";
    private $username = "username";
    private $password = "password";
    public $conn;

    public function dbConnection()
    {

        $this->conn = null;
        try
        {
            $this->conn = new PDO("mysql:host=" . $this->host . ";dbname=" . $this->db_name, $this->username, $this->password);
            $this->conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        }
        catch(PDOException $exception)
        {
            echo "Connection error: " . $exception->getMessage();
        }

        return $this->conn;
    }
}

So because I am half lazy, and why type code over and over?

Create yourself a dbCommon.php file.

class DBCommon
{
    private $conn;

    /** @var Common */
    public $common;

    public function __construct()
    {
        $database = new Database();
        $db = $database->dbConnection();
        $this->conn = $db;
    }

    public function runQuery($sql)
    {
        $stmt = $this->conn->prepare($sql);
        return $stmt;
    }
}

Then you need a class file for your PDO to go into such as:

class.update.php:

require_once('dbCommon.php');

class Update extends DBCommon
{
    function __construct()
    {
        parent::__construct();
    }

    public function updateCode($area, $filnavn, $dato, $Fjernsyn)
    {
        $stmt = $this->runQuery("INSERT INTO `formel` (`Område`, `Værelse`, `Dato`, `TV Fjernsyn Forlænger`) VALUES (:area, :filnavn, :dato, :Fjernsyn)");
        // bindParam() takes one placeholder and one variable per call, not an array.
        $stmt->bindParam(':area', $area);
        $stmt->bindParam(':filnavn', $filnavn);
        $stmt->bindParam(':dato', $dato);
        $stmt->bindParam(':Fjernsyn', $Fjernsyn);
        $stmt->execute();
        echo "Your insert command has been completed!";
    }
}

Then within your file.php where you would be calling the class you need to do:

require_once ('class.update.php');

$update = new Update();

if (isset($_POST['send']))
{
    $update->updateCode($_POST['area'], $_POST['filnavn'], $_POST['dato'], $_POST['Fjernsyn']);
}

Note: Because you didn't post your $_POST['name']s, I have given you a base example.

Binding your params is best practice as this prevents SQL Injection.

With binding params you don't have to run $stmt->bindParam(); you can simply run $stmt->execute(array(':paramshere' => $paramVar));

It totally depends on your preference but I always prefer binding before executing (personal preference). I hope this gives you some input and insight on how to move into PDO instead but it really is the way forward.

In order to prevent SQL injection, you should really use Prepared Statements, or correctly escape your strings. Please look at MySQLi or PDO.

Here's a basic tutorial using PDO and Prepared Statements inside of PHP:

// Connect to the database:
$db = new PDO( 'mysql:dbname=DB_NAME;host=localhost', 'DB_USER', 'DB_PASS' );

// Prepare the statement:
$ins = $db->prepare( 'INSERT INTO `formel` (`Område`, `Værelse`, `Dato`, `TV Fjernsyn Forlænger`) VALUES (:area, :filnavn, :dato, :Fjernsyn)' );

// Execute with bindings:
$ins->execute(array(  
    ':area'     => $area,
    ':filnavn'  => $filnavn,
    ':dato'     => $dato,
    ':Fjernsyn' => $Fjernsyn
));
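The two PDO answers above both make the same point: the square brackets in the question are T-SQL identifier quoting and mean nothing to MariaDB, and even after switching to single quotes, interpolating form input into the SQL string leaves the statement at the mercy of whatever the user types. The following is an added example, not code from either answer or from the asker; it puts the interpolated version next to the prepared version for the question's own `formel` table so the difference is visible in a single run. It assumes the pdo_sqlite extension and uses an in-memory SQLite database so it runs stand-alone; against MariaDB only the DSN would change to the `mysql:host=...;dbname=...` form the answers show. The `insertInterpolated`, `insertPrepared`, `connect` and `rowCount` functions and the `Campus O'Neill` sample value are all constructed for this example.

```php
<?php
// Added example (not from any answer above). PDO against an in-memory SQLite
// database so it runs stand-alone; with MariaDB only the DSN would differ.
declare(strict_types=1);

function connect(): PDO
{
    $db = new PDO('sqlite::memory:');  // assumption: pdo_sqlite is available
    // Throw on errors instead of silently returning false.
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Ask for real server-side prepares where the driver supports them
    // (matters for MySQL/MariaDB; SQLite always prepares natively).
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $db->exec('CREATE TABLE `formel` (
        `Område` TEXT NOT NULL,
        `Værelse` TEXT NOT NULL,
        `Dato` TEXT NOT NULL,
        `TV Fjernsyn Forlænger` TEXT NOT NULL)');
    return $db;
}

// The pattern from the question after the single-quote fix the answers suggest.
// Any value containing a quote character still breaks the statement, and a
// value chosen deliberately can change what the statement does.
function insertInterpolated(PDO $db, string $area, string $filnavn, string $dato, string $fjernsyn): void
{
    $sql = "INSERT INTO `formel` (`Område`, `Værelse`, `Dato`, `TV Fjernsyn Forlænger`)
            VALUES ('$area', '$filnavn', '$dato', '$fjernsyn')";
    $db->exec($sql);
}

// Hardened form: SQL text and data travel separately, so the data can never
// alter the structure of the statement.
function insertPrepared(PDO $db, string $area, string $filnavn, string $dato, string $fjernsyn): void
{
    // Reject anything that is not a calendar date before it reaches the database.
    $parsed = DateTimeImmutable::createFromFormat('!Y-m-d', $dato);
    if ($parsed === false || $parsed->format('Y-m-d') !== $dato) {
        throw new InvalidArgumentException("Invalid date: $dato");
    }
    $stmt = $db->prepare('INSERT INTO `formel` (`Område`, `Værelse`, `Dato`, `TV Fjernsyn Forlænger`)
                          VALUES (:area, :filnavn, :dato, :fjernsyn)');
    $stmt->execute([
        ':area'     => $area,
        ':filnavn'  => $filnavn,
        ':dato'     => $dato,
        ':fjernsyn' => $fjernsyn,
    ]);
}

function rowCount(PDO $db): int
{
    return (int) $db->query('SELECT COUNT(*) FROM `formel`')->fetchColumn();
}

$db = connect();

// Constructed form input: the apostrophe is an ordinary, legitimate character.
$area = "Campus O'Neill";

try {
    insertInterpolated($db, $area, '101', '2016-12-08', 'test');
} catch (PDOException $e) {
    echo "Interpolated query failed: " . $e->getMessage() . PHP_EOL;
}

insertPrepared($db, $area, '101', '2016-12-08', 'test');
echo "Rows after prepared insert: " . rowCount($db) . PHP_EOL;
```

Running it, the interpolated insert throws a syntax error because the apostrophe in the value terminates the string literal early, while the prepared insert stores the same value unchanged and the final count is 1. Setting `PDO::ATTR_EMULATE_PREPARES` to false is what makes the MySQL driver send the statement and the values to the server separately; with emulation left on, PDO quotes the values client-side, which is still correct but relies on the client knowing the connection's character set.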

Try this:

$sql = "INSERT INTO `formel`(`Område`, `Værelse`, `Dato`, `TV Fjernsyn Forlænger`) VALUES ('$area','$filnavn','$dato','$Fjernsyn') ";

I think it should work.

Change your query to this:

$sql = "INSERT INTO `formel` (`Område`, `Værelse`, `Dato`, `TV Fjernsyn Forlænger`) VALUES ('$area','$filnavn', '$dato', '$Fjernsyn') ";

But I would suggest you use prepared statements for security purposes.
