
Receiving error when inserting into database table from form using php and mysql

Having trouble inserting information into my database. Receiving an error: Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's only licensed garden.

I have looked up solutions already and followed the steps listed to solve the issue, for example putting the INSERT statement all on one line to avoid whitespace and changing column names, but I'm having no luck. I feel like it is something I'm missing in my code. The same INSERT statement worked fine on a smaller form on my site but not for this one.

<div id="form">
<form action="sendinvite.php" method="post" class="eventform">
    <fieldset id="createeventform" class="fieldset">
        <legend style="color:#3b817a">Plan Details and Invite your Connections</legend>

        <label>Activity Category:</label>
        <input type="text" name="activity_cat" id="aname" value="<?php echo $row['activity_cat']?>"/>
        <br>

        <label>Activity Name:</label>
        <input type="text" name="activity_name" id="aname" value="<?php echo $row['activity_name']?>"/>
        <br>

        <label>Activity Address:</label>
        <textarea id="aaddress" name="activity_address"><?php echo $row['activity_address']?></textarea>
        <br>

        <label>Activity Description:</label>
        <textarea id="adescription" name="activity_description"><?php echo $row['activity_description']?></textarea>
        <br>

        <label>Date of Activity:</label>
        <input type="text" id="date" data-format="DD-MM-YYYY" data-template="D MMM YYYY" name="date"/>
        <br>

        <label>Time of Activity:</label>
        <input type="text" id="time" data-format="HH:mm" data-template="HH : mm" name="datetime"/>
        <br>

        <label>Message to Invitee</label>
        <textarea id="comment" name="activity_message"></textarea>
        <br>

        <label>Username Address to send</label>
        <input type="text" id="username" name="username"/>
        <br>
        <br>
        <input type="submit" name="addconnect" value="Send Invite"/>

    </fieldset>

</form>
</div>

Above is my form, and below is my PHP to insert into my database table called user_invites:

<?php

session_start();


require_once('connect.php');

if (isset($_POST['addconnect']) && isset($_POST['activity_cat']) && isset($_POST['activity_name']) && isset($_POST['activity_address']) && isset($_POST['activity_description']) && isset($_POST['date']) && isset($_POST['datetime']) && isset($_POST['activity_message']) && isset($_POST['username']) ) {

    $sql = "INSERT into `user_invites` (user_id, activity_cat, activity_name, activity_address, activity_description, date, datetime, activity_message, username) VALUES (" . $_SESSION['userSession'] . ",'" . $_POST['activity_cat'] . "','" . $_POST['activity_name'] . "','" . $_POST['activity_address'] . "','" . $_POST['activity_description'] . "','" . $_POST['date'] . "','" . $_POST['datetime'] . "','" . $_POST['activity_message'] . "','" . $_POST['username'] . "')";



    if (!mysqli_query($conn, $sql)) {
        die('Error: ' . mysqli_error($conn));
    }

    echo "<p><br>Thank you!</p>\n";

    mysqli_close($conn);

}

?>

PS: This code is not going live and is for project purposes only. I am aware of the SQL injection issues with the code.

You're using single quotes to delimit the values in your query. One of your values also contains a single quote, which prematurely ends the value delimiter and invalidates the syntax for the rest of the query.

For the example, I'm limiting your query down to a single field:

$sql = "INSERT into `user_invites` (activity_description)
        VALUES ('" . $_POST['activity_description'] . "')";
                ^ value start quote                    ^ value end quote

Your error message says there's an error near 's only licensed garden. Look what happens (as far as SQL is concerned) if someone enters a description of "StackOverflow's only licensed garden":

$sql = "INSERT INTO `user_invites` (activity_description)
        VALUES ('StackOverflow's only licensed garden')";
                ^ value start quote
                              ^ value end quote

Everything from "s only licensed garden" on is now invalid SQL.

What @cteski means by escaping quotes is that you shouldn't put user input directly in your query, because you need to account for the possibility that there's a ' in there somewhere. Even if you change it to double quotes, there's a chance that a user will enter a " somewhere in a field. Maybe it's not StackOverflow's only licensed garden, but StackOverflow's only "licensed" garden. Then you're in trouble with single or double quotes.

You can mostly work around this by using mysqli_real_escape_string():

$sql = "INSERT into `user_invites` (activity_description)
        VALUES ('" . mysqli_real_escape_string($conn, $_POST['activity_description']) . "')";

This makes sure that any ' or " in the value is properly escaped and doesn't break your query. And yes, you should do that on all values provided by the user. There might also be a quotation mark in the name, address, message or any of the other form fields.
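
As an added example (not part of the answer above or of the asker's project): the same description value sent once through a concatenated INSERT and once through a prepared statement with bound parameters. An in-memory SQLite database via PDO stands in for the MySQL connection so the script runs offline; the reduced `user_invites` table and the sample values are constructed.

```php
<?php
// Added example. SQLite in memory is an assumption made so this runs without
// a MySQL server; the table is a constructed, reduced version of user_invites.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user_invites (
    user_id INTEGER, activity_name TEXT, activity_description TEXT)');

// Constructed sample input standing in for $_SESSION['userSession'] and $_POST.
$userId = 7;
$post = [
    'activity_name'        => 'Garden tour',
    'activity_description' => 'StackOverflow\'s only "licensed" garden',
];

// 1) The question's approach: values concatenated into the statement text.
//    The apostrophe in the description closes the string literal early.
$concat = "INSERT INTO user_invites (user_id, activity_name, activity_description) VALUES ("
    . $userId . ",'" . $post['activity_name'] . "','"
    . $post['activity_description'] . "')";
try {
    $db->exec($concat);
    echo "concatenated: inserted\n";
} catch (PDOException $e) {
    echo "concatenated: rejected - " . $e->getMessage() . "\n";
}

// 2) Prepared statement: the SQL text is fixed and the values are bound
//    separately, so quotes in the data are never parsed as SQL.
//    With mysqli the same steps are mysqli_prepare(), mysqli_stmt_bind_param()
//    with a type string such as 'iss', and mysqli_stmt_execute().
$stmt = $db->prepare(
    'INSERT INTO user_invites (user_id, activity_name, activity_description)
     VALUES (?, ?, ?)'
);
$stmt->execute([$userId, $post['activity_name'], $post['activity_description']]);

// Read the row back and confirm the description was stored byte for byte.
$stored = $db->query('SELECT activity_description FROM user_invites')
             ->fetchAll(PDO::FETCH_COLUMN);
if ($stored === [$post['activity_description']]) {
    echo "prepared: stored unchanged\n";
} else {
    echo "prepared: stored value differs\n";
}
```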
