0

I am a beginner web developer. This is my first attempt at connecting to a MySQL database. I am getting the following syntax error (after successfully connecting to the db?). I know there are similar questions out there, but I think I must be missing something specific. Thanks for your patience!

Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Name, Email, Password, Gender) VALUES ('','','', '')' at line 1

<?php
$con=mysqli_connect("localhost", "shiftedr_admin", "", "shiftedr_whosthedeeusers");
// Check connection
if (mysqli_connect_errno())
  {
  echo "Failed to connect to MySQL: " . mysqli_connect_error();
 }
$sql="INSERT INTO Users2 (Full Name, Email, Password, Gender)
VALUES
('$_POST[fullname]','$_POST[email]','$_POST[password]', '$_POST[gender]')";

if (!mysqli_query($con,$sql))   
  {
  die('Error: ' . mysqli_error($con));
 }
 echo "1 record added";

mysqli_close($con);
 ?>

I've double checked that the values match how they are in the DB exactly and case sensitive. "Full Name" is how it is in both the Users2 table and the php I'm calling from.

The HTML Code I am using to submit the script is as follows:

<div class="reformed-form" style="width: 400px; border-right-color:">
<form method="post" name="accountcreation" id="accountcreation" action="insertnewaccounts.php" style="background-color:#CCFFFF;">
<center><h1 style="position:relative;left:0px;"> Account Creation </h1>

    <table>
    <tr>
    <td align="right"> Full Name: </td>
    <td align="left"><input type="text" id="fullname nameerror"  name="fullname" min="4" class="spacing" placeholder="Your Full Name"/> </td></tr>
    <tr>
    <td align="right">Email</td>
    <td align="left"><input type="text" id="email" name="email"  min="5" placeholder="@" />        </td></tr>
    <tr>
    <td align="right"> Password </td>
    <td align="left"><input type="text" id="Password" name="password"  class="spacing" placeholder="Minimum 6 Characters"/>         </td></tr>
    <tr>
    <td align="right"> Confirm Password </td>
    <td align="left"><input type="text" id="confirmpassword passworderror" class="spacing" name="pwc" placeholder="Confirm Password"/></td></tr>
    <tr>
    <td align="right"> Owner's' Gender: </td>
    <td align="left"><input type="radio"> Male <input type="radio">Female </td></tr>
    </table>
    </center>
    </dl>
<input type="submit" value="Check" /></center>
</form>
Improve this question
4
  • Please don't use $_POST['fullname'] directly in your query. What if my name was: '); DROP TABLE Users2; -- ? Please see: bobby-tables.com Commented Sep 4, 2013 at 17:27
  • Thank you. Taking a loot. Appreciate it! Commented Sep 4, 2013 at 17:34
  • Hazmat, would it help if I split it into two fields and limited the character type input? Commented Sep 4, 2013 at 17:39
  • What you should do is use mysqli_prepare. php.net/manual/en/mysqli.quickstart.prepared-statements.php Commented Sep 4, 2013 at 17:41

1 Answer 1

Reset to default
3

Full Name has a space in it so the syntax is invalid. If the actual column name is "Full Name," (ouch) you need backticks around it.

INSERT INTO Users2 (`Full Name`,

Your code is vulnerable to injection and you are using a deprecated MySQL API. Switch to using properly parameterized queries with PDO or mysqli.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.