$fnavn = $_POST['fnavn'];
$enavn = $_POST['enavn'];
$adresse = $_POST['adresse'];
$adressenr = $_POST['adressenummer'];
$postnr = $_POST['postnummer'];
$kontonr = $_POST['kontonummer'];
$cvc = $_POST['cvc'];
$fid = $_POST['frakt'];
$gid = $_SESSION['gid'];
$aid = $_SESSION['aid'];
$sql = "INSERT INTO `bestillinger` (`bestilling_id`, `adresse`, `adressenummer`, `postnummer`, `fornavn`, `etternavn`, `kontonummer`, `cvc`, `time`, `fid`, `gid`, `aid`)
VALUES (NULL, '$adresse', '$adressenr', '$postnr', '$fnavn', '$enavn', '$kontonr', '$cvc', now(), '$fid', '$gid', '$aid')";
This is my code; for some reason no data is inserted into my database, and I just can't figure out why.
Both sessions have a valid value.
After a form is filled out, my database is supposed to put the info into the database. What is the error?
You are escaping single quotes inside a double quoted string, so that will actually print the \ character as part of the SQL, rendering your SQL invalid.
You need to replace the \' with just ', or wrap the whole query using ' instead of "
I am trying to execute a script to update a database:
my $sql_hash_update = 'UPDATE user SET hash = $hash , updated = 1 WHERE id = $row[0]';
my $sth_hash_update = $dbh->prepare($sql_hash_update);
$sth_hash_update->execute();
I get the error that this is not proper syntax, but this works within SQL itself.
DBD::mysql::st execute failed: You have an error in your SQL syntax;
check the manual that corresponds to your MariaDB server version for
the right syntax to use near '[0]' at line 1 at conexion.pl line 32.
Any ideas what am I doing wrong?
You are using single quotes, so this statement
my $sql_hash_update = 'UPDATE user SET hash = $hash , updated = 1 WHERE id = $row[0]'
will not interpolate the values of $hash and $row[0] into the SQL statement. Instead they will be left as they are, and so the statement isn't valid SQL
You could simply switch to double quotes, which do interpolate, but it is best to use placeholders like this
my $sql_hash_update = 'UPDATE user SET hash = ?, updated = ? WHERE id = ?';
my $sth_hash_update = $dbh->prepare($sql_hash_update);
$sth_hash_update->execute( $hash, 1, $row[0] );
That way you avoid the risk of code injection, and you need to prepare only once for many different execute calls
Placeholders are valid wherever an expression is allowed in the SQL syntax. That means, for instance, you cannot provide a placeholder for a table name, because you couldn't put an expression there in an ordinary SQL statement
Perl does not interpolate inside single quotes, so $row[0] is not being expanded.
You want double quotes.
However, you should also pass $row[0] as a bind parameter.
Something like:
my $sql_hash_update = 'UPDATE user SET hash = ? , updated = 1 WHERE id = ?';
my $sth_hash_update = $dbh->prepare($sql_hash_update);
$sth_hash_update->execute($hash, $row[0]);
Use double quotes instead of single quotes:
my $sql_hash_update = "UPDATE user SET hash = $hash , updated = 1 WHERE id = $row[0]";
I have this query:
$sql = "
INSERT INTO table SET
name = '$name',
sku = '$number',
description = '$desc'
";
But the rows containing some special characters (in my case, this ') are not inserted. How can I solve this?
Thanks in advance.
When you construct your query, you need to escape the data you are inserting.
You need to at least use addslashes() function in PHP, like this:
$sql = "INSERT INTO table SET name = '".addslashes($name)."', sku = '".addslashes($number)."', description = '".addslashes($desc)."'";
However, a more correct way is to use a different function than addslashes, one that properly handles all characters in the data, not only apostrophes.
I am using my custom 'escape' function like this:
function escape($text)
{
return str_replace(array('\\', "\0", "\n", "\r", "'", '"', "\x1a"), array('\\\\', '\\0', '\\n', '\\r', "\\'", '\\"', '\\Z'), $text);
}
So using this function, you would write:
$sql = "INSERT INTO table SET name = '".escape($name)."', sku = '".escape($number)."', description = '".escape($desc)."'";
You must use parameterised queries instead of manually appending those values. Currently, if name, number or description contained any SQL, it would get executed.
A lot more detailed answer is in How can I prevent SQL injection in PHP?
Read about escaping characters in MySQL. I think it is done with \.
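The three threads so far (the PHP INSERT assembled from $_POST, the Perl UPDATE with $hash and $row[0] pasted into the string, and the INSERT ... SET name = '$name' that silently loses rows containing an apostrophe) share one root cause: the value becomes part of the SQL text. The following is an added example, not code from any of the posts. It ports the Perl thread's UPDATE to Python's sqlite3 module, whose ? placeholders behave like DBI's, and runs the interpolated and the bound version against the same in-memory table seeded with constructed rows. SQLite quotes string literals with '' rather than backslashes, so the MySQL-specific addslashes/escape function from the answer above is not ported; the third case shows why it would not have helped anyway, because the payload contains no quote for it to escape.

```python
import sqlite3

# Constructed sample rows (not from the page): the `user` table from the Perl thread.
SAMPLE_USERS = [(1, "alice", "old-hash"), (2, "bob", "old-hash")]


def fresh_db():
    """In-memory SQLite database seeded with SAMPLE_USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT, "
        "hash TEXT, updated INTEGER NOT NULL DEFAULT 0)"
    )
    conn.executemany("INSERT INTO user (id, name, hash) VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def update_hash_interpolated(conn, hash_value, row_id):
    """The 'just use double quotes' version: the values become part of the SQL text.
    Returns the number of rows the statement changed."""
    sql = f"UPDATE user SET hash = '{hash_value}', updated = 1 WHERE id = {row_id}"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def update_hash_bound(conn, hash_value, row_id):
    """The placeholder version from the accepted answer, ported to sqlite3.
    The values never touch the SQL text; the driver sends them separately."""
    cur = conn.execute(
        "UPDATE user SET hash = ?, updated = ? WHERE id = ?", (hash_value, 1, row_id)
    )
    conn.commit()
    return cur.rowcount


def stored_hashes(conn):
    """{id: hash} for every row, to inspect what actually landed in the table."""
    return dict(conn.execute("SELECT id, hash FROM user ORDER BY id").fetchall())


def run_demo():
    """Exercise both versions with three inputs: a plain apostrophe, a payload that
    breaks out of the quotes, and a payload with no quotes at all."""
    out = {}

    # 1. The apostrophe symptom: 'O'Brien' is an unparseable statement, so the
    #    interpolated version never writes the row; the bound version just stores it.
    conn = fresh_db()
    try:
        update_hash_interpolated(conn, "O'Brien", 1)
        out["apostrophe_interpolated"] = "ok"
    except sqlite3.OperationalError:
        out["apostrophe_interpolated"] = "syntax error"
    out["apostrophe_bound"] = update_hash_bound(conn, "O'Brien", 1)
    out["apostrophe_stored"] = stored_hashes(conn)[1]

    # 2. A quote followed by a comment marker closes the literal and comments out
    #    the rest of the statement, including WHERE, so every user's hash is reset.
    payload = "pwned' -- "
    conn = fresh_db()
    out["comment_interpolated_rows"] = update_hash_interpolated(conn, payload, 1)
    conn = fresh_db()
    out["comment_bound_rows"] = update_hash_bound(conn, payload, 1)
    out["comment_bound_stored"] = stored_hashes(conn)

    # 3. No quotes anywhere, so a quote-escaping function would pass this through
    #    untouched; the unquoted numeric slot is still injectable. Bound, the text
    #    '1 OR 1=1' is simply compared with the integer id and matches nothing.
    conn = fresh_db()
    out["numeric_interpolated_rows"] = update_hash_interpolated(conn, "h", "1 OR 1=1")
    conn = fresh_db()
    out["numeric_bound_rows"] = update_hash_bound(conn, "h", "1 OR 1=1")
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

The row counts are the thing to watch: the interpolated version touches both rows in cases 2 and 3 even though the caller asked for id 1, while the bound version touches exactly one row or none and stores the payload as an ordinary string.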
'$email'";
$result = $this->selectQuery($sql);
return $result[0]->Id;
}
function insertTestUser($insertData) {
$sql = "INSERT INTO test_akl_insert VALUES (" . $insertData . ")";
$insertAction = parent::insertQuery($sql);
return $insertAction;
}
Here I have an error in data insertion, and my error is:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1)' at line 1
Please help me, anybody!
On my SQL server version you must insert the values inside quotes, i.e.
$sql = "INSERT INTO test_akl_insert VALUES ('" . $value_field_1 . "','".$value_field_2."','"......"')";
Make sure your $insertData is properly formatted. As in, escape the quotes if you're inserting text, and also comma separate all the data.
A typical insert statement looks like this:
INSERT INTO myTable VALUES(1, 2, "three", 4);
So your $insertData needs to look like this:
$insertData = '1, 2, "three", 4';
Also, as you can see from the colouring of the code here on SO, you're missing a closing quote from the first bit of your code:
'$email'";
$result = $this->selectQuery($sql);
return $result[0]->Id;
}
The double quote in the first line doesn't have a corresponding closing one.
I am inserting a text field from a MySQL database into an Oracle CLOB column.
When I do this, it appears that the Oracle table does not support Unicode, as the ' and " characters are showing up as ???.
I have to use CLOB as the text field is much larger than varchar2 can hold.
Thanks in advance for any help provided on this matter.
Perl script to move data from mysql database into the oracle database:
sub do_crc_company_overview {
my ($sth_mysql, $sth_oracle);
my $sql_details = <<END_SQL;
select
tblRecommendations.code,
tblRecommendations.description,
tblRecommendations.overview,
tblRecommendations.performance,
tblRecommendations.updated
from
crc.tblRecommendations
where
tblRecommendations.code not in (
select
tblRecommendations.code
from
crc.tblRecommendations
where
tblRecommendations.code regexp "[0-9]"
)
END_SQL
# variables to bind values to
my ($code, $description, $overview, $performance, $updated);
eval {
# first clean out the oracle table
$sth_oracle = $dbh_oracle->prepare(q{delete from tblRecommendations});
$sth_oracle->execute;
# create oracle insertion query
$sth_oracle = $dbh_oracle->prepare(q{
insert into
tblRecommendations (
code,
description,
overview,
performance,
updated
)
values
(?, ?, ?, ?, ?)
});
# prepare our select statement for mysql
$sth_mysql = $dbh_mysql->prepare($sql_details);
$sth_mysql->execute;
$sth_mysql->bind_columns(\($code, $description, $overview, $performance, $updated));
while ( $sth_mysql->fetch ) {
# feed the data into the tblRecommendations table
# in the database, which has been cleaned out
$sth_oracle->execute($code, $description, $overview, $performance, $updated);
}
};
Pulling the data from the oracle database:
class CrcCompanyInfo < Sequel::Model(IM.database[:tblRecommendations])
#Only selects companies that have one or more active instruments
set_dataset select(
:tblRecommendations__code => :code,
:tblRecommendations__description => :crc_description,
:tblRecommendations__overview => :crc_overview,
:tblRecommendations__performance => :crc_performance,
)
This works as I am able to pull data from other tables in the database.
I have narrowed it down to the following characters not coming through properly.
“ = left quote = “
†= right quote = ”
‘ = left single quote = ‘
’ = right single quote = ’
— = en dash = –
– = em dash = —
• = hyphen = -
… = ellipsis = …
I have tried doing an update on the Oracle table to change these, but the Oracle table doesn't hold the funny keys; it just changes them all to '???', therefore the update didn't work. Can someone give me any insight on how I might update the data before or while it gets input into the Oracle database?
Thanks
I figured this out myself.
I just had to force the utf8 flag on all the data being pushed into the oracle database.
code as follows:
$description = Encode::decode_utf8($description);
Cheers for everyone's help.
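The "funny keys" listed above are the signature of UTF-8 bytes being read as if they were Windows-1252: the left double quote U+201C is the three bytes E2 80 9C, which CP1252 renders as â, € and œ, exactly the “ in the list. The following is an added example, not code from the thread; it reproduces that corruption in Python on constructed characters, reverses it for data that has already been damaged, and shows the equivalent of the Encode::decode_utf8 fix, which is to decode the bytes as UTF-8 once at the boundary instead of letting them travel as unflagged bytes. The lenient CP1252 codec is my own helper: CP1252 leaves five bytes undefined (0x81, 0x8D, 0x8F, 0x90, 0x9D), and 0x9D is the last byte of the right double quote, so a strict decode would fail on precisely that character.

```python
# Constructed test characters (not the page's data): the punctuation the thread lists.
SMART_PUNCTUATION = {
    "left double quote": "\u201c",
    "right double quote": "\u201d",
    "left single quote": "\u2018",
    "right single quote": "\u2019",
    "en dash": "\u2013",
    "em dash": "\u2014",
    "bullet": "\u2022",
    "ellipsis": "\u2026",
}

# Bytes that Windows-1252 does not define; browsers and most drivers map them to
# the C1 control character with the same code point, and so does this helper.
_CP1252_HOLES = {0x81, 0x8D, 0x8F, 0x90, 0x9D}


def decode_as_cp1252(data):
    """Decode bytes as Windows-1252, filling the undefined bytes with chr(byte)."""
    return "".join(
        chr(b) if b in _CP1252_HOLES else bytes([b]).decode("cp1252") for b in data
    )


def encode_as_cp1252(text):
    """Inverse of decode_as_cp1252: recover the original byte for every character."""
    out = bytearray()
    for ch in text:
        if ord(ch) in _CP1252_HOLES:
            out.append(ord(ch))
        else:
            out += ch.encode("cp1252")
    return bytes(out)


def mojibake(text):
    """Reproduce the corruption: encode correctly as UTF-8, then have the receiving
    side interpret each byte as a single CP1252 character. This is what an unflagged
    Perl byte string looks like once a Latin-1 assuming driver hands it to Oracle."""
    return decode_as_cp1252(text.encode("utf-8"))


def repair(text):
    """Undo mojibake that is already stored: turn the bogus characters back into the
    bytes they came from and decode those bytes as UTF-8. Only apply this to strings
    that really are mojibake; clean text containing a genuine 'â' would be damaged."""
    return encode_as_cp1252(text).decode("utf-8")


def decode_at_boundary(raw):
    """The actual fix from the thread, as Python: treat the bytes coming out of the
    source database as UTF-8 once, before they go anywhere else."""
    return raw.decode("utf-8")


def mojibake_table():
    """name -> (what the corrupted column shows, what it should contain)."""
    return {name: (mojibake(ch), ch) for name, ch in SMART_PUNCTUATION.items()}


if __name__ == "__main__":
    for name, (bad, good) in mojibake_table().items():
        print(f"{bad} = {name} = {good}  (repaired: {repair(bad) == good})")
```

The table the script prints reproduces the list in the question (a bullet, U+2022, comes out as •, which the question calls a hyphen). repair() is the salvage path for rows that were already written with ???-free but garbled text; once the Oracle side has collapsed characters to ???, the bytes are gone and only re-exporting from MySQL with decode_at_boundary() applied will fix them.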
I have a textarea and am submitting the form it is in via AJAX using GET.
I want to preserve the whitespace, so I have a URL that looks a bit like
http://.../notes/insert/?user_id=12&note_string=new /r/r/r/r/r/rline&account_id=
However, when I use $this->db->insert();
it converts the query to
INSERT INTO `notes` (`user_id`, `note_string`, `account_id`)
VALUES ('12', 'new \\r\\r\\r\\r\\r\\rline', '')
(in the controller I then replace /r with \r)
Is there a way of escaping the escape? lol Or just letting the \r through?
Thank you
Take a look at 'Query Bindings' in the CodeIgniter documentation http://codeigniter.com/user_guide/database/queries.html
$sql = "SELECT * FROM some_table WHERE id = ? AND status = ? AND author = ?";
$this->db->query($sql, array(3, 'live', 'Rick'));
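The doubled backslash in the logged INSERT is the escaping layer protecting a literal backslash: a replacement written as '\r' in PHP single quotes yields the two characters backslash and r, and MySQL escaping then doubles the backslash. A real carriage return is a different thing, the single byte 0x0D, and a bound parameter stores whatever bytes it is given. The following is an added example, not code from the thread or from CodeIgniter; it uses Python's sqlite3 with a constructed copy of the textarea value to show both replacements side by side and that each round-trips unchanged through a bound insert.

```python
import sqlite3

# Constructed input (not from the page): the note as it arrives from the URL.
RAW_FROM_URL = "new /r/r/r/r/r/rline"


def replace_literal(raw):
    """Backslash followed by the letter r, two characters, which is what a
    single-quoted '\\r' replacement in PHP produces."""
    return raw.replace("/r", "\\r")


def replace_control(raw):
    """A real carriage return (0x0D) for each /r marker."""
    return raw.replace("/r", "\r")


def store_and_reload(note):
    """Insert the note through a bound parameter, the equivalent of the CodeIgniter
    query binding in the answer, and read it back from a fresh in-memory table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE notes (user_id INTEGER, note_string TEXT, account_id TEXT)"
    )
    conn.execute(
        "INSERT INTO notes (user_id, note_string, account_id) VALUES (?, ?, ?)",
        (12, note, ""),
    )
    (stored,) = conn.execute("SELECT note_string FROM notes").fetchone()
    return stored


if __name__ == "__main__":
    for label, value in (("literal", replace_literal(RAW_FROM_URL)),
                         ("control", replace_control(RAW_FROM_URL))):
        back = store_and_reload(value)
        print(f"{label}: {value!r} -> stored {back!r}, intact={back == value}")
```

Neither stored value carries a doubled backslash: the escaping only ever exists inside the SQL text, not in the column. If the intent is to keep line breaks, replace_control() is the one to use; the literal version stores a backslash and an r that will be displayed as such.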