Reputation: 41
[ASK] my php error "Failed query You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'order (iduser, idfood, jumlah, total) VALUES (9, 1, 2, 20000)' at line 1" what's wrong ....?
My PHP:
<?php
$data = file_get_contents('php://input');
$array = json_decode($data, true);
require_once ('..../db_connectfood.php');
$db = new DB_CONNECT();
foreach ($array as $row)
{
    $idusr = $row["iduser"];
    $idfd = $row["idfood"];
    $jml = $row["jumlah"];
    $total = $row["total"];
    $result = mysql_query("INSERT INTO order (iduser, idfood, jumlah, total) VALUES ($idusr, $idfd, $jml, $total)") or die ("Failed query ".mysql_error());
}
if ($result) {
    // successfully inserted into database
    $response["success"] = 1;
    $response["message"] = "successfully created.";
    // echoing JSON response
    echo json_encode($response);
} else {
    // failed to insert row
    $response["success"] = 0;
    $response["message"] = "Oops! An error occurred.";
    // echoing JSON response
    echo json_encode($response);
}
?>
How to get value success and message from this php?
iduser and idfood are foreign keys.
Upvotes: 1
Views: 148
Reputation: 45589
order is a reserved word.
To be able to use a reserved word in a query, you must escape it by surrounding it with backticks as in `reserved word` (careful the backtick may look like a single quote, but it's not).
So, in your case change
$result = mysql_query("INSERT INTO order (iduser, idfood, jumlah, total) VALUES ($idusr, $idfd, $jml, $total)") or die ("Failed query ".mysql_error());
to
$result = mysql_query("INSERT INTO `order` (iduser, idfood, jumlah, total) VALUES ($idusr, $idfd, $jml, $total)") or die ("Failed query ".mysql_error());
... and check for the rest of the table or column names if they are reserved words.
As a best & secure practice, parameterized queries/prepared statements are recommended.
Upvotes: 0
Reputation: 311018
order is a reserved word in SQL. The best approach would be to change your table's name (e.g., to orders, in plural). If this is not possible, you can use backticks to escape the name:
INSERT INTO `order` (iduser, idfood, jumlah, total)
VALUES ($idusr, $idfd, $jml, $total)
Mandatory comment:
Using string manipulation in SQL statements leaves your code vulnerable to SQL injection attacks. You should consider using a prepared statement instead.
Upvotes: 1
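The prepared-statement approach recommended in the answers above, as an added example that is not part of any poster's answer. The function name insertOrders(), the use of PDO, the assumption that all four columns are non-negative integers, and the sample payloads are constructed for illustration; an in-memory SQLite database stands in for MariaDB so the script runs without a server.

```php
<?php
// Added example: insert the decoded JSON rows through one prepared statement.
// insertOrders() is a hypothetical helper, not code from the original question.
function insertOrders(PDO $pdo, string $json): array
{
    $rows = json_decode($json, true);
    if (!is_array($rows)) {
        return ['success' => 0, 'message' => 'Invalid JSON body.'];
    }
    // `order` is a reserved word, so the table name stays in backticks.
    $stmt = $pdo->prepare(
        'INSERT INTO `order` (iduser, idfood, jumlah, total)
         VALUES (:iduser, :idfood, :jumlah, :total)'
    );
    $pdo->beginTransaction();
    try {
        foreach ($rows as $row) {
            foreach (['iduser', 'idfood', 'jumlah', 'total'] as $key) {
                // Assumption: every column holds a non-negative integer.
                $value = filter_var($row[$key] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
                if ($value === false) {
                    throw new InvalidArgumentException("Bad value for $key");
                }
                $stmt->bindValue(":$key", $value, PDO::PARAM_INT);
            }
            $stmt->execute();
        }
        $pdo->commit();
        return ['success' => 1, 'message' => 'successfully created.'];
    } catch (Throwable $e) {
        $pdo->rollBack(); // all rows or none
        // Log $e on the server; do not echo database errors to the client.
        return ['success' => 0, 'message' => 'Oops! An error occurred.'];
    }
}

// Demo on in-memory SQLite (a stand-in so this runs offline);
// for MariaDB use a DSN of the form "mysql:host=...;dbname=...".
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE `order` (iduser INT, idfood INT, jumlah INT, total INT)');

$ok  = '[{"iduser":9,"idfood":1,"jumlah":2,"total":20000}]'; // constructed sample
$bad = '[{"iduser":"9 OR 1=1","idfood":1,"jumlah":2,"total":1}]'; // constructed non-integer input
echo json_encode(insertOrders($pdo, $ok)), "\n";
echo json_encode(insertOrders($pdo, $bad)), "\n";
```

The client reads the result by decoding the JSON body and checking the success and message keys; because the inserts run in one transaction, a rejected row leaves no partial order behind.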
Reputation: 1
Hi, please try with this:
$result = mysql_query("INSERT INTO databasename.order (iduser, idfood, jumlah, total) VALUES ($idusr, $idfd, $jml, $total)") or die ("Failed query ".mysql_error());
order is a nomenclature word from MySQL.
Best regards.
Upvotes: 0