Inserting Data to MySQL Error: 1064 - CodingForum



Inserting Data to MySQL Error: 1064


  • Inserting Data to MySQL Error: 1064

    Hi All,
    I have been trying to insert data into a MySQL table from an HTML form. I know the form data is being received and assigned to the corresponding variables. The connection to the server is working, and the 'INSERT INTO' works fine when run directly in phpMyAdmin. The error that is being thrown is 1064, and it varies depending on the inputted data:

    "Error: 1064 : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '[varies with inputted data (always in the 'INSERT INTO')]' at line 1"


    Upload.html :
    <!DOCTYPE html>
    <html>
    <head>
    	<title> Upload to Tech For Seniors </title>
    </head>
    <body>
    	<h1> Upload to Tech for Seniors </h1>
    	<form method="post" action="upload-processes.php">
    		<input type="text" name="name">
    		<textarea name="description"></textarea>
    		<input type="text" name="software">
    		<input type="text" name="folder">
    		<input type="submit" value="Submit">
    	</form>
    </body>
    </html>
    upload-processes.php :

    <?php
    $servername = 'localhost';
    $username = 'root';
    $password = '';
    $dbname = 'tech for seniors';

    // Form values are taken as-is from the request
    $name = $_POST["name"];
    $description = $_POST["description"];
    $software = $_POST["software"];
    $folder = $_POST["folder"] . "/";

    //Connect to MySql
    $mysqli = new mysqli($servername, $username, $password, $dbname);

    //Check our connection
    if ( $mysqli->connect_error ) {
    	 die('Connect Error: ' . $mysqli->connect_errno . ': ' . $mysqli->connect_error);
    }

    //Insert Data
    //The values are interpolated into the SQL text without quotes or escaping;
    //this is the line the replies below are about
    $sql = "INSERT INTO tutorials (name, description, folder, software) VALUES ( $name, $description, $folder, $software )";
    $insert = $mysqli->query($sql);

    //Print response from MySql
    if ( $insert ) {
    	 echo "Success, the data has been added! Row ID: {$mysqli->insert_id}";
    } else {
    	 die("Error: {$mysqli->errno} : {$mysqli->error}");
    }

    //Close Connection
    $mysqli->close();
    Thanks in advance,

  • #2
    Aside from whatever your problem is, you are vulnerable to a hack attack. You never, ever submit user-supplied data directly to the database. You need to use prepared statements.
    To save time, let's just assume I am almost never wrong.

    The XY Problem
    The XY problem is asking about your attempted solution (X) rather than your actual problem (Y). This leads to enormous amounts of wasted time and energy, both on the part of people asking for help, and on the part of those providing help.

    Make A Donation https://www.paypal.me/KevinRubio


    • #3
      The syntax error would be generated from an invalid value in one of the variables - so the extremely poor code is not only generating security holes, it is also generating invalid database calls.
      Learn Modern JavaScript - http://javascriptexample.net/
      Helping others to solve their computer problem at http://www.felgall.com/

      Don't forget to start your JavaScript code with "use strict"; which makes it easier to find errors in your code.


      • #4
        "The syntax error would be generated from an invalid value in one of the variables"
        So by that do you mean the data type (strings, ints, etc.) or something else?

        "So the extremely poor code is not only generating security holes,"
        I am aware of the risk of SQL injection with this code, but this is only a proof of concept. This code will not be deployed to a public site. Also, I suck at PHP at the moment and agree with the "extremely poor code" comment.

        "It is also generating invalid database calls."
        Does this connect to point 1? I'm unsure what you mean here by "invalid database calls"...


        • #5
          The SQL errors you are getting are because your SQL query syntax is missing single-quotes around each literal string data value, thereby making the database engine think you are supplying column names or SQL keywords where they are not permitted, rather than literal string data values.

          You can fix both the SQL syntax (single-quotes are not used around prepared query place-holders in the SQL statement) and the security holes by using a prepared query with place-holders in the SQL query statement for the data values, then binding and supplying the data when the query is executed.

          If you don't use a prepared query, you will need to properly use the mysqli_real_escape_string() method on each piece of data being put into the SQL query statement, so that SQL special characters that may be in the data don't break the SQL syntax (producing more errors) and injected SQL in the data doesn't alter the SQL statement.
          Last edited by CFMaBiSmAd; Sep 26, 2016, 09:57 PM.
          Finding out HOW to do something is called research, i.e. keep searching until you find the answer. After you attempt to do something and cannot solve a problem with it yourself, would be when you ask others for help.
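The fix that replies #2 and #5 describe, written out as an added example; this is not code from the thread or its author. It keeps the thread's database, table and column names and assumes that all four columns are string types (hence the `'ssss'` type string). It also shows why the original query fails: with no quotes, a name such as `O'Brien's guide` lands in the SQL text as bare words and an unterminated string, so the parser reports a syntax error "near" whatever the data happened to be. A prepared statement sends the values separately from the SQL text, so the data is never parsed as SQL at all. The second function is the escaping fallback from #5, included to show that it only works when every value is both escaped and wrapped in single quotes, and only after the connection charset has been set. The default form values are constructed sample input so the script can be exercised without the HTML form.

```php
<?php
// Added example (not from the original post): the thread's insert done safely.
// Assumes the thread's database/table names and that all four columns are strings.
declare(strict_types=1);

// Make mysqli throw exceptions instead of returning false, so errors are not silently ignored.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Preferred fix: a prepared statement. The SQL text contains only placeholders;
 * the values travel separately, so quotes, commas or semicolons in the data can
 * neither break the syntax (error 1064) nor change what the statement does.
 */
function insertTutorial(mysqli $db, string $name, string $description, string $folder, string $software): int
{
    // Note: the placeholders are NOT wrapped in single quotes.
    $stmt = $db->prepare(
        'INSERT INTO tutorials (name, description, folder, software) VALUES (?, ?, ?, ?)'
    );
    $stmt->bind_param('ssss', $name, $description, $folder, $software);
    $stmt->execute();
    $id = (int) $stmt->insert_id;
    $stmt->close();
    return $id;
}

/**
 * Fallback from reply #5: escape each value AND wrap it in single quotes.
 * Escaping is only correct for quoted string literals and only after the
 * connection charset has been set; a prepared statement is simpler and safer.
 */
function insertTutorialEscaped(mysqli $db, string $name, string $description, string $folder, string $software): int
{
    $quote = static fn(string $value): string => "'" . $db->real_escape_string($value) . "'";
    $sql = sprintf(
        'INSERT INTO tutorials (name, description, folder, software) VALUES (%s, %s, %s, %s)',
        $quote($name), $quote($description), $quote($folder), $quote($software)
    );
    $db->query($sql);
    return (int) $db->insert_id;
}

$db = new mysqli('localhost', 'root', '', 'tech for seniors');
// Set the charset before any escaping so real_escape_string() knows the encoding.
$db->set_charset('utf8mb4');

// Same field names as Upload.html. The constructed defaults contain exactly the
// characters (apostrophes, double quotes, commas, semicolons) that break the original query.
$name        = $_POST['name']        ?? "O'Brien's first guide";
$description = $_POST['description'] ?? 'Covers "Mail", Skype; then printing';
$software    = $_POST['software']    ?? 'Windows 10, Skype';
$folder      = rtrim($_POST['folder'] ?? 'guides', '/') . '/';

$id = insertTutorial($db, $name, $description, $folder, $software);
echo "Success, the data has been added! Row ID: {$id}\n";

$db->close();
```

With `MYSQLI_REPORT_STRICT` enabled, a failed prepare, bind or execute raises a `mysqli_sql_exception` carrying the same errno and message the original script printed by hand, so the `if ($insert) ... else die(...)` branches are no longer needed. Either function can be called with the same four values; the prepared version is the one to keep.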