-3

I am new to PHP & MySQL and I am getting an error and I don't understand what is the error in my query? Basically I am allowing user to fill this form and submit. After the form is submitted it should go in MySQL database, on myphp the code of Insertion is working all right but on my website its throwing me the error.

This is the error I am getting:

Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '@gmail.com), AF_Name = VALUES('Name of A Person'), V_City = VALU' at line 7

And after submitting the form it moved to another PHP page. I want it to stay on a page where form is present. This code & form are on different PHP pages.

This is my code:

<?php

    $con = mysql_connect(host, User_Name, Password, DB_Name);

if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }

mysql_select_db("user", $con);

$sql="INSERT INTO request (RF_Name, RL_Name, R_Email, AF_Name, V_City, V_Country, Time, Date, Message)
    VALUES
    ('$_POST[RFname]', '$_POST[RLname]', '$_POST[sender]', '$_POST[AFname]', '$_POST[Vcity]', '$_POST[Vcountry]', '$_POST[time]', '$_POST[date]', '$_POST[body]')
ON DUPLICATE KEY UPDATE
     RF_Name = VALUES($_POST[RFname]),
     RL_Name = VALUES($_POST[RLname]),
     R_Email = VALUES($_POST[sender]),
     AF_Name = VALUES($_POST[AFname]),
     V_City = VALUES($_POST[Vcity]),
     V_Country = VALUES($_POST[Vcountry]),
     Time = VALUES($_POST[time]),
     Date = VALUES($_POST[date]),
     Message = VALUES($_POST[body])";

if (!mysql_query($sql,$con))
  {
  die('Error: ' . mysql_error());
  }
echo "1 record added";

mysql_close($con)
?>
Funk Forty Niner
  • 74,450
  • 15
  • 68
  • 141
MaXx
  • 11
  • 4
  • You're using the `values()` function wrong. it should be `fieldname=values(fieldname), or `fieldname=$value_for_field` – Marc B Jun 19 '14 at 16:18
  • Your present code is open to [**SQL injection**](http://stackoverflow.com/q/60174/). Use [**`mysqli_*` with prepared statements**](http://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php), or [**PDO**](http://php.net/pdo) with [**prepared statements**](http://php.net/pdo.prepared-statements). – Funk Forty Niner Jun 19 '14 at 16:32

3 Answers3

0

Enclose your values in quotes when updating:

  RF_Name = VALUES('$_POST[RFname])',
     RL_Name = VALUES('$_POST[RLname]'),
     R_Email = VALUES('$_POST[sender]'),
     AF_Name = VALUES('$_POST[AFname]'),
     V_City = VALUES('$_POST[Vcity]'),
     V_Country = VALUES('$_POST[Vcountry]'),
     Time = VALUES('$_POST[time]'),
     Date = VALUES('$_POST[date]'),
     Message = VALUES('$_POST[body]')
Nawed Khan
  • 4,393
  • 1
  • 10
  • 22
0

it should be 

R_Email = VALUES(R_Email)

http://dev.mysql.com/doc/refman/5.0/en/insert-on-duplicate.html

You want the value of the proposed R_email column

As others have noted you need to protect yourself against SQL injection and look at upgrading mysql_* functions to either Mysqli or PDO

exussum
  • 18,275
  • 8
  • 32
  • 65
0

Your problem is that you're not sanitizing your query parameters. Try using PDO or mysqli_* with parameterized queries. This will ensure that your parameters are correctly encoded in the query and won't mess up the syntax.

Dennis Degryse
  • 104
  • 4