-1

I try to build my website with sql requests but when I try to make some request it gives me an error. I am a newbie in web, so I can't say what is going on. Can you help me?

<!DOCTYPE html>
<html lang="en">
    <head>
        <meta charset="UTF-8">
        <title>BFFChinese</title>
    </head>

    <body>
        <p class="main_title">There is a main page that needed to navigate you on the website!</p>
        
        <!--
        <a href="http://shizza.beget.tech/login.php">Goto register/login page...</a><br>
        <a href="http://shizza.beget.tech/radicals.php">Goto radicals page...</a><br>
        -->
        
        <div class="form_container">
            <h2>Register</h2>
            <p>Try to add a radical &lt;3</p>
                
            <form action="" method="post">
                <div class="form_element">
                    <label>Radical name:</label>
                    <input type="text" name="radical_name" class="form_element_control" required>
                </div>
                
                <div class="form_element">
                    <label>Radical reading (pinyin):</label>
                    <input type="text" name="radical_reading" class="form_element_control" required>
                </div>
                
                <div class="form_element">
                    <label>Radical stroke count (just number, like 1 or 5):</label>
                    <input type="text" name="radical_stroke_count" class="form_element_control" required>
                </div>
                    
                <div class="form_element">
                    <label>Radical mnemonic:</label>
                    <input type="text" name="radical_mnemonic" class="form_element_control" required>
                </div>
                    
                <div class="form_element">
                    <input type="submit" name="submit" class="btn_submit" value="Add radical">
                </div>
            </form>
        </div>
        
        <?php
            $db = mysqli_connect("localhost", "shizza_bffc", "5&avXr7Z", "shizza_bffc");
            mysqli_set_charset($con, "utf32");
        
            $sql = 'CREATE TABLE IF NOT EXISTS bffc_radicals (radical_id int NOT NULL AUTO_INCREMENT, radical_name TINYTEXT, radical_reading TINYTEXT, radical_stroke_count int, radical_mnemonic TINYTEXT, PRIMARY KEY (radical_id))';
            $result = mysqli_query($db, $sql);
        
            //$sql = 'CREATE TABLE IF NOT EXISTS users (login TINYTEXT, pass TINYTEXT, rank TINYTEXT)';
            //$result = mysqli_query($db, $sql);

            if($_POST){
                if (($_POST['submit'] ?? null) === "Add radical") {
                    $radical_name = $_POST['radical_name'];
                    $radical_reading = $_POST['radical_reading'];
                    $radical_stroke_count = $_POST['radical_stroke_count'];
                    $radical_mnemonic = $_POST['radical_mnemonic'];
                    $rank = "user";
                    
                    $sql = "INSERT INTO bffc_radicals (radical_name, radical_reading, radical_stroke_count, radical_mnemonic) VALUES ('$radical_name', $radical_reading', '$radical_stroke_count', '$radical_mnemonic')";
                    $result = mysqli_query($db, $sql);
                    
                    if ($result) {
                        echo "<br> Nicely added! <br>";
                    } else {
                        echo "<br> Something is wrong! SQLError -> " . mysqli_error($db) . " <br>";
                    }
                }
                /*
                else {
                    $login = $_POST['login'];
                    $pass = $_POST['pass'];
                    
                    $sql = "SELECT * FROM users WHERE login='$login' AND pass='$pass'";
                    $result = mysqli_query($db, $sql);
                    
                    if ($result && $result->num_rows == 1) {
                        echo "Successfully logined :P";
                    } else {
                        echo "Something happened :C. This is an error provided by SQL -> " . mysqli_error($db);
                    } echo "<br>";
                }
                */
            }
        ?>
    </body>
</html>

On the website it says to me: Something is wrong! SQLError -> You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '', '1', '1')' at line 1

Can you describe what I do incorrect?

I tried to put 1,1,1,1 and one,one,1,one as input in html forms and it sends it to php, but something is happening in request..

Nikolai Bogdanov
  • 1
  • 1
  • 2
    I'm not sure who's been teaching you but they have not done a very good job. Please read [How to include a PHP variable inside a MySQL statement](https://stackoverflow.com/questions/7537377/how-to-include-a-php-variable-inside-a-mysql-statement) because the way you're doing this now is completely wrong - insecure, and unreliable, and also makes the kind of silly typos which have ocurrred here more likely. – ADyson Jul 14 '23 at 11:11

1 Answers1

-2
 $sql = "INSERT INTO bffc_radicals (radical_name, radical_reading, radical_stroke_count, radical_mnemonic) VALUES ('$radical_name', $radical_reading', '$radical_stroke_count', '$radical_mnemonic')";

You forgot the open bracket at $radical_reading.

Just add ' at the beggining and it should be fine.

,'$radical_reading'
Hamidou
  • 65
  • 6
  • Oh mann, thank you very much! – Nikolai Bogdanov Jul 14 '23 at 11:20
  • 1
    @NikolaiBogdanov this might be a quick fix but it is still completely the wrong solution really - see the link I posted above. Your code would be vulnerable to hacking, and also to simple errors - even someone putting a `'` in the text of one of your form fields, and submitting it, would cause the SQL to crash. If you use parameterised queries in the proper way, none of that can happen. – ADyson Jul 14 '23 at 12:06
  • @ADyson i see your point there , do you want me to delete my answer ? – Hamidou Jul 14 '23 at 12:08
  • @Hamidou Eventually, but I am hoping the OP sees my comment first. Thankyou for responding. – ADyson Jul 14 '23 at 12:09