0

Can anyone help by advising what may be wrong with my INSERT INTO syntax, please? It is working, except I am receiving an empty query message.

    // values sent from form
    $first_name=$_POST['first_name'];
    $last_name=$_POST['last_name'];
    $email=$_POST['email'];
    $postcode=$_POST['postcode'];
    $gender=$_POST['gender'];
    $yob=$_POST['yob'];

    /*********** CONNECT TO THE DATABASE ******/
    //Step 1 CONNECT TO THE DATABASE
   $db=mysql_connect ("localhost", “db_username, “db_password);
   if (!$db) {
     die("Database connection failed miserably: " . mysql_error());
     }
     //Step2 SELECT THE DATABASE
     $db_select = mysql_select_db(“db_name,$db);
    if (!$db_select) {
    die("Database selection also failed miserably: " . mysql_error());
    }

    echo "Welcome $first_name!";
    echo " Success, connected to database but maybe not the table";

    // Insert data into database
    //##############################I THINK PROBLEM MUST BE HERE IN THIS    INSERT       STATEMENT STATEMENT###################################
    $sql="INSERT INTO newsletter-subscribers(first_name, last_name, email,    postcode, gender,    yob)VALUES('$first_name','$last_name','$email','$postcode','$gender','$yob')";
    if(mysql_query($sql)){
    echo "Records added successfully.";
    } else{
    echo "ERROR: Could not able to execute $sql. " . mysql_error($db);
    }
    $result=mysql_query($sql);
9
  • a little more white space around values ? ah yes the table name becomes a subtraction Commented Aug 10, 2015 at 2:58
  • 2
    You are open to SQL injections. If any of your values contain quotes this would fail. Commented Aug 10, 2015 at 3:00
  • 2
    doing math here? newsletter-subscribers <<< Commented Aug 10, 2015 at 3:05
  • 1
    newsletter minus subscribers equals pumpernickel Commented Aug 10, 2015 at 3:10
  • 1
    @Dagon what about the rye? Commented Aug 10, 2015 at 3:11

2 Answers

4

Your query,

    $sql="INSERT INTO newsletter-subscribers(first_name, last_name, email,    postcode, gender,    yob)VALUES('$first_name','$last_name','$email','$postcode','$gender','$yob')";

Your new query,

    $sql = "INSERT INTO `newsletter-subscribers` (first_name, last_name, email, postcode, gender, yob) VALUES ('$first_name','$last_name','$email','$postcode','$gender','$yob')";

So, what has changed?

  • Added ticks around your table name.
  • Removed spaces which you didn't need to make query clearer.

Without the backticks around your table name, MySQL is treating it as newsletter minus subscribers, which is wrong. Add the backticks to tell MySQL that it is a table name.

Edit 1

This might be a copy & paste error, I'm not sure, however...

Your db connect is incorrect too, you aren't assigning any values to it as your quotes are not closed and are smart quotes.

Your connect,

    $db = mysql_connect ("localhost", “db_username, “db_password);

Your new connect,

    $db = mysql_connect("localhost", "db_username", "db_password");

Also,

    $db_select = mysql_select_db(“db_name,$db);

To,

    $db_select = mysql_select_db("db_name", $db);

Notice the difference in the quotes.

Edit 2

Your code is prone to SQL injection. You are still using MySQL even though it has been deprecated; you should use either MySQLi or PDO with prepared statements.

Not to mention your $_POST data is being passed on to the query without being sanitized. You should start using htmlspecialchars; it would make it better and prevent XSS.
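
Added example (not part of the original answers or the asker's code): the same INSERT written as a PDO prepared statement, as Edit 2 recommends, with `htmlspecialchars` applied where a value is echoed into the page. The in-memory SQLite DSN, the sample input and the `validate_subscriber` helper are assumptions made so the script runs stand-alone; SQLite accepts backtick-quoted identifiers, so the SQL text is the same as it would be for MySQL.

```php
<?php
// Constructed form input standing in for $_POST (sample values, not from the page).
$post = [
    'first_name' => 'Siobhan',
    'last_name'  => "O'Brien", // a quote like this breaks the interpolated query
    'email'      => 'siobhan@example.com',
    'postcode'   => 'AB1 2CD',
    'gender'     => 'F',
    'yob'        => '1984',
];

// Hypothetical helper: type-check what can be checked before it reaches the database.
function validate_subscriber(array $in): array {
    $email = filter_var($in['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $yob   = filter_var($in['yob'] ?? '', FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1900, 'max_range' => (int) date('Y')],
    ]);
    if ($email === false || $yob === false) {
        throw new InvalidArgumentException('Invalid email or year of birth');
    }
    return [
        ':first_name' => trim($in['first_name'] ?? ''),
        ':last_name'  => trim($in['last_name'] ?? ''),
        ':email'      => $email,
        ':postcode'   => trim($in['postcode'] ?? ''),
        ':gender'     => trim($in['gender'] ?? ''),
        ':yob'        => $yob,
    ];
}

// Assumption: in-memory SQLite so this runs without a server. For MySQL the DSN
// would be 'mysql:host=localhost;dbname=db_name;charset=utf8mb4' plus credentials.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // errors throw
$pdo->exec('CREATE TABLE `newsletter-subscribers`
    (first_name TEXT, last_name TEXT, email TEXT, postcode TEXT, gender TEXT, yob INTEGER)');

// Placeholders keep the values out of the SQL text; the hyphenated table name
// still needs backticks because identifiers cannot be bound as parameters.
$row  = validate_subscriber($post);
$stmt = $pdo->prepare('INSERT INTO `newsletter-subscribers`
    (first_name, last_name, email, postcode, gender, yob)
    VALUES (:first_name, :last_name, :email, :postcode, :gender, :yob)');
$stmt->execute($row); // executed once; the value with the quote is stored verbatim

// Escape for HTML where the value is output, not before it is stored.
$stored = $pdo->query('SELECT last_name FROM `newsletter-subscribers`')->fetchColumn();
echo 'Welcome ' . htmlspecialchars($row[':first_name'], ENT_QUOTES, 'UTF-8') . "!\n";
echo 'Stored last name: ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8') . "\n";
```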


5 Comments

not closed and are smart quotes, not the proper ones
smart meaning dumb :-0
("localhost", “db_username, “db_password) to ("localhost", "db_username","db_password") and (“db_name,$db) to ("db_name",$db) dang those curly quotes ;-) if that's what they're really using. Just in case.
Thank you all for your help with this, especially Script47 for taking the time to explain it the way you have. I have never placed a hyphen in a table name before, so I have learned a lesson over 8 hours trying to figure out what I was doing wrong. My original code had the correct quotes - not sure how the curly quotes ended up being pasted here. Dan Lowe, you hit the nail on the head also, that was a main issue. Now I can work on the sanitising part - once again, thank you and have a great day :-)
2

Your table name contains a dash, so you need to quote it. The backtick or back-quote character is used to quote symbol names in MySQL (such as the names of tables, columns, etc), so you would need something like this:

    INSERT INTO `newsletter-subscribers` (first_name, ...

3 Comments

backtick not quote
Yes, backticks are the way you quote a table name in mysql. The example shows that.
OK, it's just confusing grammar, I'll settle for the manual's version: The identifier quote character is the backtick (“`”):
