php - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ')' at line 5
I can't load the form data into the MySQL database. Please help! The error I get:
error: insert add_review (name,email,details) values ( 'darron brown', 'blank@gmail.com', 'ldldjd', )
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ')' at line 5
<?php
// Connect to MySQL
// a. Variables
$host = "hostname";
$username = "user";
$password = "secretpassword";
$dbname = "mydatabase";

// b. Connection
$connection = mysqli_connect($host, $username, $password, $dbname);

// c. Check our connection
if (mysqli_connect_errno()) {
    die("database connection failed: " . mysqli_connect_error() . " (" . mysqli_connect_errno() . ")");
}

// Insert our data ($_POST is case-sensitive; $_post would always be unset)
$name = isset($_POST["name"]) ? $_POST["name"] : "";
$email = isset($_POST["email"]) ? $_POST["email"] : "";
$details = isset($_POST["details"]) ? $_POST["details"] : "";

// Escape the values before placing them inside the SQL string
$name = mysqli_real_escape_string($connection, $name);
$email = mysqli_real_escape_string($connection, $email);
$details = mysqli_real_escape_string($connection, $details);

// Note the trailing comma after '$details': this is what triggers the syntax error
$sql = "insert add_review (name,email,details) values ( '$name', '$email', '$details', )";

// $insert = $connection->query($sql);

// Print the response from MySQL
if (mysqli_query($connection, $sql)) {
    echo "new record created successfully";
} else {
    echo "error: " . $sql . "<br>" . mysqli_error($connection);
}

// Close our connection
mysqli_close($connection);
?>
<div class="section page">
  <div class="wrapper">
    <h1>add review</h1>
    <p>If you think there is something missing, let me know! Complete the form to send me an email.</p>
    <form method="post" action="">
      <table>
        <tr>
          <th><label for="name">movie name</label></th>
          <td><input type="text" id="name" name="name" /></td>
        </tr>
        <tr>
          <th><label for="email">email</label></th>
          <td><input type="text" id="email" name="email" /></td>
        </tr>
        <tr>
          <th><label for="details">suggest movie details</label></th>
          <td><textarea name="details" id="details"></textarea></td>
        </tr>
      </table>
      <input type="submit" value="send" />
    </form>
  </div>
</div>
See the syntax at '$details',
Change your query and remove the comma after $details, like this:
$sql = "insert add_review (name,email,details) values ( '$name', '$email', '$details' )";
NB: You are at risk of SQL injections. Learn mysqli_prepared to prevent SQL injections; you can learn here
Your code with prepared statements:
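<?php
// $conn is the mysqli connection object ($connection in the question's code)

// Prepare and bind
$sql = $conn->prepare("insert add_review (name,email, details) values (?, ?, ?)");
$sql->bind_param("sss", $name, $email, $details);

// Execute the statement with the bound values
$sql->execute();
echo "new records created successfully";

// Close the statement and the connection
$sql->close();
$conn->close();
?>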
Now, explaining the function:
$sql->bind_param("sss", $name, $email, $details);
This function binds the parameters to the SQL query and tells the database what the parameters are. The "sss" argument lists the types of data that the parameters are. The s character tells MySQL that the parameter is a string.
The argument may be one of four types:
i - integer
d - double
s - string
b - blob
We must have one of these for each parameter.
By telling mysqli what type of data to expect, we minimize the risk of SQL injections.
Important: When you insert data from external sources (e.g. user input from a form), it is important that the data is sanitized and validated.
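The prepared statement and the validation point from the answer above, combined into one handler as an added example (not code from the question or the answer). The function names validate_review and insert_review and the length limits are assumptions; the table and column names are the ones in the question.

```php
<?php
// Added example, not the original poster's code.
// Assumed limits (not from the page): name <= 100, email <= 254, details <= 2000 bytes.

// Validate the three form fields; returns [cleanValues, errors].
function validate_review(array $post): array
{
    $clean = [];
    $errors = [];
    foreach (['name' => 100, 'email' => 254, 'details' => 2000] as $field => $max) {
        $value = $post[$field] ?? '';
        // Reject non-string input (e.g. name[]=x) and trim surrounding whitespace.
        $value = is_string($value) ? trim($value) : '';
        if ($value === '' || strlen($value) > $max) {
            $errors[$field] = "$field is required and must be at most $max bytes";
        }
        $clean[$field] = $value;
    }
    if (!isset($errors['email']) && filter_var($clean['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'email is not a valid address';
    }
    return [$clean, $errors];
}

// Insert one validated review; values travel as bound parameters, never as SQL text.
function insert_review(mysqli $db, array $review): int
{
    $stmt = $db->prepare('INSERT INTO add_review (name, email, details) VALUES (?, ?, ?)');
    $stmt->bind_param('sss', $review['name'], $review['email'], $review['details']);
    $stmt->execute();
    $id = $db->insert_id;
    $stmt->close();
    return $id;
}

// Constructed sample input: a quote in the name and a malformed email.
[$clean, $errors] = validate_review([
    'name' => "O'Brien's Movie", 'email' => 'not-an-email', 'details' => 'Great film',
]);
print_r($errors);

// With a real database (credentials are placeholders, as in the question):
// mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of echoing SQL errors
// $db = new mysqli('hostname', 'user', 'secretpassword', 'mydatabase');
// $db->set_charset('utf8mb4');
// if (!$errors) { insert_review($db, $clean); }
```

The quote in the name needs no escaping here because it is sent as a bound value, and a caught mysqli_sql_exception can be logged server-side instead of echoing the SQL text and database error to the browser.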