Error: INSERT INTO 'student' ('student_num', 'last_name', 'first_name', 'middle_init') VALUES ('2018-03829', 'Cacayuran', 'Alexis', 'A')
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''student' ('student_num', 'last_name', 'first_name', 'middle_init') VALUES (...' at line 1

What I have tried:

PHP Code
<?php

$servername = "localhost";
$username = "root";
$password = "";
$dbname = "program_checklist";
$conn = mysqli_connect($servername, $username, $password, $dbname);

if ($conn->connect_error){
	die("Connection failed: ".$conn->connect_error);
}
echo "Connected succesfully<br>";

$a = $_POST['studentnum'];
$b = $_POST['lastname'];
$c = $_POST['firstname'];
$d = $_POST['middleinit'];

$insertsql = 
"INSERT INTO 'student' ('student_num', 'last_name', 'first_name', 'middle_init')
VALUES ('$a', '$b', '$c', '$d')";

if ($conn->query($insertsql) === TRUE){
	echo "New record created succesfully";
}else{
	echo "Error: ".$insertsql."<br>".$conn->error;
}

$conn->close();
?>


HTML Code

<!DOCTYPE html>
<html>
<head>
	<title>Student Checklist</title>
</head>
<body>
	<form action="submit.php" method="post">
		Student Number:<br>
		<input type="text" name="studentnum"><br>

		Last Name:<br>
		<input type="text" name="lastname"><br>

		First Name:<br>
		<input type="text" name="firstname"><br>

		Middle Initial:<br>
		<input type="text" name="middleinit"><br><br>

		<input type="submit" value="Submit">
	</form>

</body>
</html>
Updated 14-Nov-20 1:54am
Comments
Richard MacCutchan 14-Nov-20 7:52am
   
Try without the quotes on the table and column names:
$insertsql = 
"INSERT INTO student (student_num, last_name, first_name, middle_init)
VALUES ('$a', '$b', '$c', '$d')";
Richard Deeming 16-Nov-20 4:49am
   
Your code is vulnerable to SQL Injection. NEVER use string concatenation / interpolation to build a SQL query. ALWAYS use a parameterized query.

PHP: SQL Injection - Manual
PHP: Prepared statements and stored procedures - Manual

1 solution

Quote:
You have an error in your SQL syntax

Pay attention to the usage of backticks (`) in SQL queries: very similar to quotes ('), but different.
How to use Backticks and quotes when querying a MySQL database
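
Added example, not part of the original thread or any poster's code: submit.php combining the two points raised above, backticks for identifiers and a parameterized query for the values. It assumes the database and table from the question; the post_field() helper, the student-number pattern and the user-facing messages are hypothetical.

```php
<?php
// Added example: submit.php with a mysqli prepared statement.
// Connection values are the ones shown in the question.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw mysqli_sql_exception on failure

// Hypothetical helper: read one POST field as a trimmed string.
// A missing or array-valued field (e.g. studentnum[]=x) becomes ''.
function post_field(string $name): string
{
    $value = $_POST[$name] ?? '';
    return is_string($value) ? trim($value) : '';
}

$studentNum = post_field('studentnum');
$lastName   = post_field('lastname');
$firstName  = post_field('firstname');
$middleInit = post_field('middleinit');

// Assumed validation rule, modelled on the sample value '2018-03829'.
// Validation narrows the input; the placeholders below are what stop injection.
if (!preg_match('/^\d{4}-\d{5}\z/', $studentNum) || $lastName === '' || $firstName === '') {
    http_response_code(400);
    exit('Invalid input');
}

try {
    $conn = new mysqli('localhost', 'root', '', 'program_checklist');
    $conn->set_charset('utf8mb4');

    // Identifiers take backticks (or no quoting); every value is a ? placeholder,
    // so user input is sent as data and never parsed as SQL.
    $stmt = $conn->prepare(
        'INSERT INTO `student` (`student_num`, `last_name`, `first_name`, `middle_init`)
         VALUES (?, ?, ?, ?)'
    );
    $stmt->bind_param('ssss', $studentNum, $lastName, $firstName, $middleInit);
    $stmt->execute();
    echo 'New record created successfully';
} catch (mysqli_sql_exception $e) {
    // Keep the detail in the server log; do not echo the query or DB error to the browser.
    error_log('student insert failed: ' . $e->getMessage());
    http_response_code(500);
    echo 'Could not save the record';
}
```

With placeholders, a last name such as O'Brien is stored as typed instead of breaking the statement.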
   

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)