CODEWITHSUNDEEP
phpmysql
maestro416
maestro416

Reputation: 924

INSERT INTO syntax error but normally should work

I'm repeatedly getting a syntax error when inserting in to mysql, normally this works fine but I can't seem to get it to work. I can echo out the variables no problem but for some reason I can't insert them.

variables (the session vars are brought over from another page)

session_start();
$name=$_SESSION['bName'];
$email=$_SESSION['email'];
$ship_address = $_SESSION['sAddress'];
$voucher=$_SESSION['voucher'];
$sku=$_SESSION['sku'];
$credit_card=$_POST['credit_card'];
$security_code=$_POST['security_code'];
$payment_type=$_POST['payment_type'];
$cc_number=substr($credit_card, 0, 4) . str_repeat('x', (strlen($credit_card) - 4)) . substr($credit_card, -4, 4);
$phone=$_SESSION['billPhone'];
$status="Redeemed";
$date = date('Y/m/d');
$tracking ="";

insert query

//Insert Queries
$sqlInsert = "INSERT INTO `customers`(`name`, `email`, `address`, `phone`, `sku`, `creditcard`, `securitycode`, `paymenttype`, `voucher`, `purchase_id`, `tracking`, `status`, `date_recieved`) 

VALUES( $name, $email, $ship_address, $phone, $sku, $credit_card, $security_code, $payment_type, $voucher, $purchase_id, $tracking, $status, $date)";
    mysql_query($sqlInsert) or die ('Error Inserting into database' . mysql_error());

I've also tried

VALUES( '$name', '$email', '$ship_address', '$phone', '$sku', '$credit_card', '$security_code', '$payment_type', '$voucher', '$purchase_id', '$tracking', '$status', '$date')

but it doesn't work. The error I get is

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'lastname, [email protected], 22 toronto ont l6a0l4, 416-123-4567, 1001234, 1234567' at line 1

Any ideas?

Thanks

Upvotes: 0

Views: 98

Answers (4)

Conrad Frix
Conrad Frix

Reputation: 52645

You could use PDO to create prepared statements instead. Then you won't have to worry about escaping your values like drdwilcox's example 'Jerry''s'. It also helps as a counter measure against SQL Injection attacks.

Upvotes: 1

drdwilcox
drdwilcox

Reputation: 3951

I would almost guarantee that you have a single-quote in your name field. If you want to place a single quote into a string field in SQL, you must double it: 'Jerry''s'

And you need the '$name' version.

Upvotes: 0

Karoly Horvath
Karoly Horvath

Reputation: 96258

Do it like this, so the fields are delimited:

VALUES( '$name', '$email', ...

check your error message to see what kind of garbage you are currently generating.

Upvotes: 1

Julien
Julien

Reputation: 282

all string values must be quoted.

VALUES("'.$name.'", "'.$email.'" ...

Upvotes: 1

Related Questions