Click here to Skip to main content
15,849,129 members
Please Sign up or sign in to vote.
1.00/5 (1 vote)
See more:
Fatal error:Uncaught mysqli_sql_exception:Youhave an error in your SQL syntax;check the manual that corresponds to your MariaDB server

and my code is :
query ($sql) == TRUE) {
echo "New record created successfully";
} else {
echo "Error: " . $sql . "
" . $conn->error;
}
$conn->close();
?>

What I have tried:

i tried to use `` on table and columns but nothing work please hel me to submit this project in backened.
Posted
Updated 8-Nov-22 21:50pm

1 solution

We can't help you based on that: you need to look at the code that generates and sets up the SQL query, not just the code that actually executes it.

An SQL INSERT query looks like this:
SQL
INSERT INTO myTable (myColumn1, myColumn2) VALUES (?, ?)
and you need to add the parameter values to the query when you build it. PHP MySQL Prepared Statements[^] should help.

The most common reason for an INSERT statement failing is that it's been built wrong: Never concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Always use Parameterized queries instead.

When you concatenate strings, you cause problems because SQL receives commands like:
SQL
SELECT * FROM MyTable WHERE StreetAddress = 'Baker's Wood'
The quote the user added terminates the string as far as SQL is concerned and you get problems. But it could be worse. If I come along and type this instead: "x';DROP TABLE MyTable;--" Then SQL receives a very different command:
SQL
SELECT * FROM MyTable WHERE StreetAddress = 'x';DROP TABLE MyTable;--'
Which SQL sees as three separate commands:
SQL
SELECT * FROM MyTable WHERE StreetAddress = 'x';
A perfectly valid SELECT
SQL
DROP TABLE MyTable;
A perfectly valid "delete the table" command
SQL
--'
And everything else is a comment.
So it does: selects any matching rows, deletes the table from the DB, and ignores anything else.

So ALWAYS use parameterized queries! Or be prepared to restore your DB from backup frequently. You do take backups regularly, don't you?
 
Share this answer
 
Comments
Rebics Copy 9-Nov-22 3:59am    
prepare("INSERT INTO form (first_name, last_name, mother_name, father_name, address) Values(s,s,s,s,s)");
$sql->bind_param("sssss", $fname,$Lname, $Mname, $fathername, $address);


if ($conn->query ($sql) == TRUE) {
echo "New record created successfully";
} else {
echo "Error: " . $sql . "" . $conn->error;
}
$sql->close();
$conn->close();


?>


error:
Fatal error: Uncaught mysqli_sql_exception: Unknown column 's' in 'field list' in C:\xampp\htdocs\demo\form\process.php:20 Stack trace: #0 C:\xampp\htdocs\demo\form\process.php(20): mysqli->prepare('INSERT INTO for...') #1 {main} thrown in C:\xampp\htdocs\demo\form\process.php on line 20


and there is no mistake
OriginalGriff 9-Nov-22 4:04am    
"and there is no mistake"
Yes, there is.
Read the error message, and it's pretty clear. What is "s" as a parameter? Follow the link I gave you or compare your code with mine, and you will see the difference.
Rebics Copy 9-Nov-22 6:34am    
code is:

$sql= $conn->prepare("INSERT INTO form (first_name, last_name, mother_name, father_name, address) Values(?,?,?,?,?)");
$sql->bind_param("sssss", $fname,$Lname, $Mname, $fathername, $address);
Now giving thsi error:

Fatal error: Uncaught TypeError: mysqli::query(): Argument #1 ($query) must be of type string, mysqli_stmt given in C:\xampp\htdocs\demo\form\process.php:24 Stack trace: #0 C:\xampp\htdocs\demo\form\process.php(24): mysqli->query(Object(mysqli_stmt)) #1 {main} thrown in C:\xampp\htdocs\demo\form\process.php on line 24
Rebics Copy 9-Nov-22 4:01am    
I swear I am frustrated to finding the solution
Richard Deeming 9-Nov-22 6:03am    
You need to use ? to refer to the parameter within the query, not s. You use s in the bind_param call to indicate the type of the parameter (i=integer, d=float, s=string, b=blob).
prepare("INSERT INTO form (first_name, last_name, mother_name, father_name, address) Values (?, ?, ?, ?, ?)");

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)



CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900