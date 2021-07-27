The use of $conn->error in your query error handling logic is incorrect. The connection is not in $conn. This would be producing a php error and it is not reporting the actuall sql error you are getting when your code is running the query.

The first step you need to do is find the php.ini that php is using and set error_reporting to E_ALL and set display_errors to ON. Stop and start your web server to get any changes made to the php.ini to take effect and then use a phpinfo() statement in a .php script to check to make sure that these settings were actually changed to the intended values.

Also, don’t use @ error suppressors in any code, ever. When learning, developing, and debugging code/query(ies), you should display all php errors, so that you get immediate feedback as to any problems. When on a live/public server, you should log all errors, so that you will know they are occurring at all and can find an fix what’s causing them.

Next, simplify your life. Use exceptions for database statement errors and in most cases simply let php catch and handle the exception. This will let you remove all the error handling logic you have now, simplifying your code and preventing hackers from getting useful information when they intentionally trigger errors. The exception to this rule is when inserting/updating duplicate or out of range user submitted data. In this case, your code should catch the database exception, detect if the error number is for something that your code is designed to handle, then setup and display a message for the user telling them what was wrong with the data. For all other error numbers, simply re-throw the exception and let php handle it.

In most cases, there’s no need to free results, close prepared queries, or close database connections since php will automatically do this when your script ends.

As to the result from running the query in phpadmin/sql checkers, that’s not the query being used in your php code. It doesn’t have the single-quotes around the (empty) values.

Use a prepared query when supplying external, unknown, dynamic values to a query when it gets executed. In addition to providing protection against sql special characters in data from breaking the sql query syntax (which is how sql injection is accomplished), this actually simplifies the sql syntax, and provided you use the much simpler PDO extension, simplifies the php code.

Don’t copy variables to other variables for nothing. This is just a waste of typing.

Lastly, your code is not detecting if a post method form was submitted before referencing any of the form data and you are not validating the data before using it, which is why you are using empty data values in the sql query.