php - Database error. You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax
I am getting this error:
An error occurred: Database error. You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '@gmail.com, `salt` = ,`iteration` = 12,`method` = blowfish,`person_id` ' at line 1
Here is the code:
$data_con = new data_abstraction;
$data_con->execute_query("insert `user` set `username` = $user, `password` = $phsh, `email` = $email, `salt` = $salt, `iteration` = $new_iteration, `method` = $new_method, `person_id` = $result2, `role_id` = $result4, `skin_id` = $result5");
Edit:
I used a prepared query with parameterized statements and bound parameters. The error has gone, but the details I want inserted into the table are not added.
Here is the code:
if (!($sql = $link->prepare("insert `user` set `username` = ?, `password` = ?, `email` = ?, `salt` = ?, `iteration` = ?, `method` = ?, `person_id` = ?, `role_id` = ?, `skin_id` = ?"))) {
    echo "sql query preparation has failed";
}
if (!($sql->bind_param("ssssisiii", $user, $phsh, $email, $new_salt, $new_iteration, $new_method, $result2, $result4, $result5))) {
    echo "parameter binding failed";
}
if (!($sql->execute())) {
    echo "mysql query execution has failed";
}
All text data must be wrapped in quotes in a concatenated query like this. It is legal to wrap integers in quotes as well, and safer for both, like this:
$data_con = new data_abstraction;
$data_con->execute_query("insert `user` set `username` = '$user', `password` = '$phsh', `email` = '$email', `salt` = '$salt', `iteration` = '$new_iteration', `method` = '$new_method', `person_id` = '$result2', `role_id` = '$result4', `skin_id` = '$result5'");
It is better to use a parameterised query and bind the values:
$sql = "insert `user` set `username` = ?, `password` = ?, `email` = ?, `salt` = ?, `iteration` = ?, `method` = ?, `person_id` = ?, `role_id` = ?, `skin_id` = ?";
and then prepare the query and bind the values
using bind_param.
This protects against SQL injection attacks, which could have happened here (Little Bobby Tables). If you are just escaping inputs, it is not safe! Use prepared, parameterized statements.
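A complete version of the parameterised insert the answer recommends, written as an added example (not code from the question or the answer); it assumes an open mysqli connection in $link, the variable names used on the page, and a `user` table with those columns. Unlike the posted code, it turns mysqli failures into exceptions carrying the server's message and reports how many rows were written, which is what you need when execute() "succeeds" but nothing appears in the table.

```php
<?php
// Added example, not from the original page. Assumes $link is an open mysqli
// connection and the variables ($user, $phsh, ...) are set as on the page.

// Make prepare()/bind_param()/execute() throw mysqli_sql_exception instead of
// returning false, so a failure is never silently ignored.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function insert_user(mysqli $link, string $user, string $phsh, string $email,
                     string $salt, int $iteration, string $method,
                     int $person_id, int $role_id, int $skin_id): int
{
    $sql = "INSERT INTO `user` SET `username` = ?, `password` = ?, `email` = ?,
            `salt` = ?, `iteration` = ?, `method` = ?, `person_id` = ?,
            `role_id` = ?, `skin_id` = ?";
    $stmt = $link->prepare($sql);
    // One type character per placeholder: s = string, i = integer.
    // Values travel separately from the SQL text, so a value containing a
    // quote (e.g. O'Brien) is stored literally and never parsed as SQL.
    $stmt->bind_param("ssssisiii", $user, $phsh, $email, $salt, $iteration,
                      $method, $person_id, $role_id, $skin_id);
    try {
        $stmt->execute();
        return $stmt->affected_rows;   // 1 on success; 0 means nothing was written
    } finally {
        $stmt->close();
    }
}

try {
    $rows = insert_user($link, $user, $phsh, $email, $salt, $new_iteration,
                        $new_method, $result2, $result4, $result5);
    if ($rows !== 1) {
        error_log("user insert wrote $rows rows");
    }
} catch (mysqli_sql_exception $e) {
    // Log the real server message (e.g. a NOT NULL or foreign-key violation)
    // for the operator; show the user only a generic failure.
    error_log("user insert failed: " . $e->getMessage());
    echo "Could not create the account.";
}
```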