0

I'm having a problem with my PHP code. It says the error is "Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ')' at line 1"

It connects to the database OK, as it echoes "Database Connection Successful", but it doesn't insert the data into the database. This worked fine before, but now all of a sudden it's stopped working. Can anyone help?

<?php   
$username = "student";
$password = "student";
$hostname = "localhost"; 
$db       = "details";
$link = new mysqli($hostname, $username, $password, $db);

 if ($link->connect_errno)
    printf("Connect failed: %s\n", $link->connect_error);
 else 
    echo "Database Connection Successful \n";

 echo nl2br("\n");

 $Urgency = "Urgency";

if(isset($_POST['submit'])){
  $TypeOfProblem = $_POST['problemtype'];
  $ProblemDescription = $_POST['problem'];
  $RoomNo = $_POST['roomno'];
  $Problem = $_POST['reporter'];
  $Urgency = $_POST['Urgency'];
  $Date = $_POST['date'];

 //Insert into Database
  $sql = "INSERT INTO `details`.`problem` (`Type Of Problem`, `Problem Description`, `RoomNo`, `Urgency`, `UserIDProblem`,`Date` ) VALUES ('$TypeOfProblem', '$ProblemDescription', '$RoomNo', '$Urgency', '$Problem', $Date)";

if (!mysqli_query($link, $sql))
       {
       die('Error: ' . mysqli_error($link));
       }

     echo "\n Thank you. Your Helpdesk Call has been submitted.";

    mysqli_close($link);

}//////// end isset submit if ////////
 ?>

Thanks

4
  • Your date needs to be inside quotes. Also, sql injection warning. Learn to bind your queries. It is easy and helps. Commented May 19, 2015 at 20:27
  • Could it be because $Date is not enclosed in ' ' ? Commented May 19, 2015 at 20:28
  • Try to set an echo after the $sql = echo $sql; I think also that the problem is the single quote details.problem (` should be 'details'.'problem' (' Commented May 19, 2015 at 20:28
  • 1
    You are vulnerable to sql injection attacks, and you should show us what $sql looks like. Most likely $Date is empty, leaving you with ...,'foo',), which is invalid. Commented May 19, 2015 at 20:29

4 Answers

1

Try using this, the problem is the single quote ` should be '

 $sql = "INSERT INTO 'details'.'problem' ('Type Of Problem', 'Problem Description', 'RoomNo', 'Urgency', 'UserIDProblem','Date' ) VALUES ('$TypeOfProblem', '$ProblemDescription', '$RoomNo', '$Urgency', '$Problem', '$Date')";

Or try to set an echo $sql and test the query directly on the DBMS.


0

The date '$Problem', $Date)"; needs single-quotes '$Problem', '$Date')";


0

First, it is a good idea to leave out the database name:

$sql = "INSERT INTO `problem` (`Type Of Problem`, `Problem Description`, `RoomNo`, `Urgency`, `UserIDProblem`, `Date`) VALUES ('$TypeOfProblem', '$ProblemDescription', '$RoomNo', '$Urgency', '$Problem', $Date)";

Are you sure that your column names have spaces in them? I mean this would work, but this is not a good idea, I think.

I cannot find another problem in your query, maybe you should quote the date:

$sql = "INSERT INTO `problem` (`Type Of Problem`, `Problem Description`, `RoomNo`, `Urgency`, `UserIDProblem`, `Date`) VALUES ('$TypeOfProblem', '$ProblemDescription', '$RoomNo', '$Urgency', '$Problem', '$Date')";

Otherwise, please provide us with the full query:

die("INSERT INTO `problem` (`Type Of Problem`, `Problem Description`, `RoomNo`, `Urgency`, `UserIDProblem`, `Date`) VALUES ('$TypeOfProblem', '$ProblemDescription', '$RoomNo', '$Urgency', '$Problem', $Date)");

And you SHOULD notice that your code is exploitable with SQL injections! Use mysqli_real_escape_string.

4 Comments

Leaving out the database name is not a good idea. Why in the world would that be a good idea?
@JayBlanchard: The database name is already specified with the MySQLi connect.
True, but that doesn't mean you have to leave it out, right?
@JayBlanchard: You do not have to, but why should you? Should it be necessary to change hundreds of positions instead of one, if you change the database name?
0

For debugging this, output the actual SQL text that is being submitted to the database, using echo or var_dump, e.g.

$sql = "INSERT INTO ...";
echo "SQL=" . $sql ; 

That will show you the actual statement that's going to be submitted to the database, and you can usually debug the problem from there.

If date isn't a numeric, if it represents a DATE datatype or a string, the value needs to be enclosed in single quotes. Otherwise, it's likely going to be interpreted in a numeric context.


Note that this code appears to be vulnerable to SQL Injection, because it includes potentially unsafe values in the SQL text. Consider what happens when a value contains "special" characters, like a single quote, or comma.

Potentially unsafe values must be properly escaped. With mysqli, you can use the mysqli_real_escape_string function.

A better pattern is to use a prepared statement with bind placeholders.


As an example of what that would look like (before it's cluttered up with code to check for errors from the return of the mysqli_ function calls):

$sql = "INSERT INTO `details`.`problem`
       (`Type Of Problem`,`Problem Description`,`RoomNo`,`Urgency`,`UserIDProblem`,`Date`)
       VALUES (?,?,?,?,?,?)";

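// Prepare the statement; the ? placeholders keep the values out of the SQL text
$sth = mysqli_prepare($link,$sql);
if (!$sth) {
   echo "error:" . mysqli_error($link);
}

// Bind all six values as strings ("ssssss"), in column order
mysqli_stmt_bind_param($sth,"ssssss"
    ,$TypeOfProblem,$ProblemDescription,$RoomNo,$Urgency,$Problem,$Date); 

mysqli_stmt_execute($sth);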
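
As an added example (not part of the original question or answers): the snippet below prints the SQL text the question's code builds for a constructed submission with an empty date, then gives a prepared-statement insert with error reporting and date validation. The function names, the sample values and the YYYY-MM-DD date format are assumptions; the table and column names are the question's.

```php
<?php
// Added example; not code from the question or the answers.

// The question's string-built INSERT, wrapped in a function so the SQL text can be inspected.
function build_unsafe_sql(array $in): string {
    return "INSERT INTO `problem` (`Type Of Problem`, `Problem Description`, `RoomNo`, "
         . "`Urgency`, `UserIDProblem`, `Date`) VALUES ('{$in['problemtype']}', "
         . "'{$in['problem']}', '{$in['roomno']}', '{$in['Urgency']}', "
         . "'{$in['reporter']}', {$in['date']})";
}

// Assumption: the form sends the date as YYYY-MM-DD. Returns null for anything else.
function valid_date(string $s): ?string {
    $d = DateTime::createFromFormat('!Y-m-d', $s);
    return ($d !== false && $d->format('Y-m-d') === $s) ? $s : null;
}

// Prepared-statement version: values travel as bound parameters, never as SQL text.
function insert_problem(mysqli $link, array $in): void {
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // failures throw mysqli_sql_exception
    $date = valid_date($in['date'] ?? '');
    if ($date === null) {
        throw new InvalidArgumentException('date must be YYYY-MM-DD');
    }
    $stmt = $link->prepare(
        "INSERT INTO `problem`
           (`Type Of Problem`,`Problem Description`,`RoomNo`,`Urgency`,`UserIDProblem`,`Date`)
         VALUES (?,?,?,?,?,?)");
    $stmt->bind_param('ssssss', $in['problemtype'], $in['problem'], $in['roomno'],
                      $in['Urgency'], $in['reporter'], $date);
    $stmt->execute();
    $stmt->close();
}

// Constructed sample input: the date field is empty and the description has an apostrophe.
$sample = ['problemtype' => 'Hardware', 'problem' => "Projector won't start",
           'roomno' => 'B12', 'Urgency' => 'High', 'reporter' => 'jsmith', 'date' => ''];

// With no date, nothing sits between the last comma and ")"; the apostrophe in
// "won't" also closes the quoted description early. Either one is a syntax error.
echo build_unsafe_sql($sample), "\n";

// The same input is rejected before it reaches the database in the bound version.
echo valid_date($sample['date']) === null ? "date rejected\n" : "date ok\n";
echo valid_date('2015-05-19') === null ? "date rejected\n" : "date ok\n";

// With a live connection ($link from the question): insert_problem($link, $_POST);
```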
