0

I am trying to save an email address into my database and I am getting the following error:

  include 'db.php';
  echo $email = $accounts['username'];
  $date = date("Y-m-d H:i:s"); // "i" is minutes; "m" is the month

  // $email is interpolated without quotes; this is the query the error below refers to
  $result = mysql_query("SELECT * FROM users where email = $email", $conn) or die(mysql_error());
  $num_rows = mysql_num_rows($result);

  if ($num_rows == 0) {
    $query_string = "INSERT INTO users (id, email, created)
                                        VALUES (null, '$email', '$date')";

      if (mysql_query($query_string, $conn)) {
        echo "$email inserted<br/>";
      } else {
        // report the failure before die() stops the script
        echo "Error inserting $email<br/>";
        die('Error: ' . mysql_error());
      }

  } else {
    echo "$email exists<br/>";
  }

Error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '@mink7.com' at line 1

3
  • Have you checked the query on the line where the error is reported? Did you inspect it for any errors? Commented Jun 7, 2012 at 14:39
  • It's coming at the SELECT query, where I am trying to check if the email exists in the database. Commented Jun 7, 2012 at 14:39
  • 1
    I know that's where it is coming from; have you tried to read that query and at least try to find an error in it? Commented Jun 7, 2012 at 14:41

2 Answers

2

You should quote $email in the first SQL statement:

"SELECT * FROM users where email = '$email'"


1

marcochiesi has the right answer, but I would suggest mysql_real_escape_string to help prevent an SQL injection attack as well:

"SELECT * FROM users where email = '". mysql_real_escape_string($email)."'"

Update

FYI, if you don't put the quotes around the information you are constraining, MySQL is expecting it to be a column.

2 Comments

Thanks for the explanation :) I am getting the email from the Google API; should I still escape it?
Short answer: yes! You never know who is crawling your site, sniffing your traffic, etc. To be safe, it is always a good idea to escape SQL queries, no matter what the deployment or implementation.
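The lookup-then-insert flow from the question, as an added example that is not code from the thread: it uses PDO prepared statements with bound parameters (a different technique from the `mysql_real_escape_string` call suggested above) and compares them with the unquoted and quoted string-built queries. Assumptions: an in-memory SQLite database stands in for MySQL so the script runs offline, and the function names and sample addresses are constructed for illustration.

```php
<?php
// Added example. Assumption: in-memory SQLite via PDO stands in for the
// MySQL database so the script runs without a server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, created TEXT)');

// String-built lookup (hypothetical helper): $quote = '' reproduces the
// question's query, $quote = "'" reproduces the first answer's query.
function lookup_interpolated(PDO $pdo, string $email, string $quote): string {
    try {
        $rows = $pdo->query("SELECT * FROM users WHERE email = $quote$email$quote")->fetchAll();
        return count($rows) . ' row(s)';
    } catch (PDOException $e) {
        return 'query failed: ' . $e->getMessage();
    }
}

// Bound-parameter version (hypothetical helper): the value is sent as data
// and never becomes part of the SQL text, so no quoting or escaping is needed.
function save_email(PDO $pdo, string $email): string {
    $check = $pdo->prepare('SELECT COUNT(*) FROM users WHERE email = :email');
    $check->execute([':email' => $email]);
    if ((int) $check->fetchColumn() > 0) {
        return "$email exists";
    }
    $insert = $pdo->prepare('INSERT INTO users (email, created) VALUES (:email, :created)');
    $insert->execute([':email' => $email, ':created' => date('Y-m-d H:i:s')]);
    return "$email inserted";
}

// Constructed sample addresses; the second is a valid address that
// contains an apostrophe, which breaks the quoted-but-unescaped query.
foreach (["user@example.com", "pat.o'neil@example.com"] as $email) {
    echo "unquoted: ", lookup_interpolated($pdo, $email, ''), PHP_EOL;
    echo "quoted:   ", lookup_interpolated($pdo, $email, "'"), PHP_EOL;
    echo "bound:    ", save_email($pdo, $email), PHP_EOL;
    echo "bound:    ", save_email($pdo, $email), PHP_EOL; // repeat to exercise the duplicate check
}
```

The bound version handles both addresses the same way regardless of where the value came from, which is the practical answer to the "should I still escape it" question for data received from an external API.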
