user1801821

Reputation: 21

SQL syntax error starting at '@'

I have a MySQL query that is getting stuck when I run a string containing '@'. I have tried htmlentities() and htmlspecialchars() to no avail. Here's what I'm running:

    $name=$_POST['name'];
    $first=$_POST['first'];
    $last=$_POST['last'];
    $bio=htmlentities($_POST['bio']);
    $email=htmlentities($_POST['email']);
    $pass=$_POST['pass'];
    $date=date("m/d/y");
    $bd=date('m-d-y',strtotime($_POST['month'].$_POST['date'].$_POST['year']));
    $qer="insert into everything (user,first,last,bio,email,pass,date,bd) values ($name,$first,$last,$bio,$email,$pass,$date,$bd)";
    if(!(mysql_query($qer,$con))){
        echo "no qer";
        echo mysql_error();
    }

Here is the error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '@re5yhgr5tyhrtyhr5tyr5tyhrt,[email protected],pass,12/13/12,01-01-70)' at line 1

I was first trying it just in my email parameter, but I now know it has trouble no matter where it is. >:|

I'm assuming "line 1" is the first line of SQL since my actual line 1 is ""...

Sorry if this is obvious, thanks in advance!

Upvotes: 1

Views: 72

Answers (3)

John Woo

Reputation: 263803

When inserting a value with a string data type, it should be enclosed in single quotes. (This also applies to Date, Time, DateTime and others, as long as the value is not numeric.)

    $qer="insert into everything (user, first, last, bio, email, pass, date, bd) 
          values ('$name', '$first', '$last', ...)";

But the query above is vulnerable to SQL injection; please read the article below to learn how to prevent SQL injection.

Upvotes: 3
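
The parameterized form of the insert that the answer above points toward, as an added example that is not part of the original thread. It assumes PDO with an in-memory SQLite database so it runs offline (for MySQL only the DSN changes), with constructed sample input and assumed column types.

```php
<?php
// Added example, not code from the thread. Assumption: PDO with in-memory
// SQLite so it runs offline; for MySQL only the DSN changes.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Table and column names follow the question; the column types are assumed.
$pdo->exec('CREATE TABLE everything (user TEXT, first TEXT, last TEXT,
    bio TEXT, email TEXT, pass TEXT, date TEXT, bd TEXT)');

// Constructed sample input standing in for $_POST.
$post = [
    'name'  => 'jdoe',
    'first' => 'Jane',
    'last'  => "O'Neil",                        // quote would end a '$last' literal
    'bio'   => "Likes 'quotes', commas and @",  // stored raw, no htmlentities()
    'email' => 'jane@example.com',
    'pass'  => 'constructed-sample-password',
    'bd'    => '1990-04-12',
];

// Placeholders keep the SQL text fixed; values travel separately, so '@',
// quotes and commas in the data are never parsed as SQL.
$stmt = $pdo->prepare(
    'INSERT INTO everything (user, first, last, bio, email, pass, date, bd)
     VALUES (:user, :first, :last, :bio, :email, :pass, :date, :bd)'
);
$stmt->execute([
    ':user'  => $post['name'],
    ':first' => $post['first'],
    ':last'  => $post['last'],
    ':bio'   => $post['bio'],
    ':email' => $post['email'],
    ':pass'  => password_hash($post['pass'], PASSWORD_DEFAULT), // hash, not plaintext
    ':date'  => date('Y-m-d'),
    ':bd'    => $post['bd'],
]);

// Read the row back: every value round-trips byte for byte.
$row = $pdo->query('SELECT last, bio, email, pass FROM everything')
           ->fetch(PDO::FETCH_ASSOC);
foreach (['last', 'bio', 'email'] as $col) {
    printf("%-5s %s\n", $col, var_export($row[$col] === $post[$col], true));
}
printf("pass  %s\n", var_export(password_verify($post['pass'], $row['pass']), true));
```

htmlentities() and htmlspecialchars() encode text for HTML output, so they belong where a stored value is echoed into a page, not in front of the insert.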

alditis

Reputation: 4817

Try: add an apostrophe (') to the fields that are of type varchar, char or date.

    ...values ('$name','$first','$last','$bio','$email','$pass','$date','$bd')...

Upvotes: 2

Richie Min

Reputation: 654

You should wrap the arguments of your insert SQL in a string, like "[email protected]"

Upvotes: 0
