Insert into MySQL Table PHP

Question

I am having some trouble making a simple form to insert data into a MySQL table. I keep getting this SQL error:

"Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'stock ('ItemNumber', 'Stock') VALUES ('#4','3'')' at line 1"

My HTML for the form is:

    <form action="database.php" method="post">
    Item Number: <input type="text" name="ItemNumber">
    Stock: <input type="text" name="Stock">
    <input type="submit">
    </form>

And the PHP is:

    <?php
    $con=mysqli_connect("localhost","root","root","inventory");
    if (mysqli_connect_errno($con))
      {
      echo "Failed to connect to MySQL: " . mysqli_connect_error();
      }
     $sql = "INSERT INTO current stock ('ItemNumber', 'Stock')
    VALUES
    ('$_POST[ItemNumber]','$_POST[Stock]'')";
    if (!mysqli_query($con,$sql))
      {
      die('Error: ' . mysqli_error($con));
      }
    echo "1 record added";
    mysqli_close($con);
    ?>

Answer 1

try this

you should not use quotes of parameter around POST . and you should use them inside POST

       $sql = "INSERT INTO `current stock` (ItemNumber, Stock)
           VALUES
         ('".$_POST['ItemNumber']."', '".$_POST['Stock']."' )";

you should escape your variables before you insert them to mysql like that

• Note that the example does not call mysqli_real_escape_string. You would only need to use mysqli_real_escape_string if you were embedding the string directly in the query, but I would advise you to never do this. Always use parameters whenever possible.