HTML/PHP/MySQL

mrwaterfield

HTML/PHP/MySQL
My problem is this. I am trying to get data into my MySQL database ('markwaterfield_com-contact') using an HTML form (http://www.markwaterfield.com/contact3.htm) and the following PHP script.

<?php
$dbhost = "127.0.0.1"; // You database host here user
$dbusername = "mrwaterfield"; // Your database username here
$dbpw = "*****"; // Your database password here
$dbname = "markwaterfield_com-contact"; // Database name here
$postvars = array("FirstName", "Email", "CommentsTo","HearAbout");
foreach ($postvars as $var)
if(isset($POST[$var]))
$$var = $POST[$var];

$connection = mysql_connect($dbhost, $dbusername, $dbpw) or die(mysql_error());
mysql_select_db($dbname, $connection);
$query = "INSERT INTO 'details' VALUES ('$FirstName', '$Email', '$CommentsTo', '$HearAbout');";
mysql_query($query, $connection) or die(mysql_error());
mysql_close($connection);

When I enter details into the form I get back the following error message
'You have an error in your SQL syntax near ''details' VALUES ('what', 'ever', 'values', 'I enter')' at line 1'
What I'd like to know is can anyone see the syntax error?
Please help I'm going crazy on this one!
Thanks a lot for any pointers
Mark

bradgrafelman

As a debugging practice, you should always echo your SQL query out so you can look at the entire query PHP sent to the server. In this case, I don't need to see that, as I can tell you what's going wrong, but keep that in mind for the future.

In MySQL queries, you never surround table names nor column names in quotes (of any kind). Notice that the details table name is surrounded by quotes; this isn't good. A correct query would look like this:

$query = "INSERT INTO details VALUES ('$FirstName', '$Email', '$CommentsTo', '$HearAbout');";

If you MUST surround the table name or column names with a character for whatever reason, use backticks ( ` ) like so:

$query = "INSERT INTO `details` VALUES ('$FirstName', '$Email', '$CommentsTo', '$HearAbout');";

Also, it looks as though you're taking POST'd data and putting it directly into a SQL query; begging for someone to do a SQL injection.

Search this board for the keywords 'SQL Injection' to learn more, including definitions and solutions.