CODEWITHSUNDEEP
emailmysql
Steph
Steph

Reputation: 49

Inserting an email address into a table field

// write student record
$query = "INSERT INTO Student (SLastName, SFirstName, SeMail, SGrade, SPhone, SCell, SLunch)".
" VALUES ($LastName, $FirstName, $email, $grade, $phone, $cell, $lunch)";
echo $query . '<br />';
$result = mysql_query($query);
if (!$result)
     die("Error inserting Student record: ". mysql_error());

INSERT INTO Student (SLastName, SFirstName, SeMail, SGrade, SPhone, SCell, SLunch)
VALUES (Weiner, Wendy, [email protected], 12, 2123334444, 8458765555, 5)

Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '@gmail.com, 12, 2123334444, 8458765555, 5)' at line 1

Server version: 5.0.91-community

Upvotes: 5

Views: 28554

Answers (3)

fredley
fredley

Reputation: 33921

You need to encase your values in quotes:

$query = "INSERT INTO Student (SLastName, SFirstName, SeMail, SGrade, SPhone, SCell, SLunch)". " VALUES ('$LastName','$FirstName','$email', '$grade', '$phone', '$cell', '$lunch')";

Upvotes: 1

Frank
Frank

Reputation: 2648

Shouldn't that be 

INSERT INTO Student (SLastName, SFirstName, SeMail, SGrade, SPhone, SCell, SLunch)
VALUES (Weiner, Wendy, '[email protected]', 12, 2123334444, 8458765555, 5)

i. e. with the email address in quotes?

Upvotes: 8

Borealid
Borealid

Reputation: 98509

You are inviting a visit from little Bobby Tables by using user-supplied data unescaped in a SQL query.

Either use mysql_real_escape_string to defang the input, or use PDO to do it better.

Upvotes: 3

Related Questions