I'm writing a script to insert data about books into a database.
This is the code that inserts the data
<?php
$errors = array();
// Escape each expected request field in place. The original loop used the array
// index ($key) as the $_REQUEST subscript instead of the field name ($val), so it
// wrote escaped copies into $_REQUEST[0], $_REQUEST[1], ... and the values read
// below were never escaped at all.
foreach (array('title','author','publisher','pub_date','isbn','Format','genre','category','bookcase','shelf','user_id') as $val) {
    $_REQUEST[$val] = mysqli_real_escape_string($ptah, trim($_REQUEST[$val]));
}
$title     = strip_tags($_REQUEST['title']);
$author    = strip_tags($_REQUEST['author']);
$publisher = strip_tags($_REQUEST['publisher']);
$pub_date  = strip_tags($_REQUEST['pub_date']);
$isbn      = strip_tags($_REQUEST['isbn']);
$format    = strip_tags($_REQUEST['Format']);
$genre     = strip_tags($_REQUEST['genre']);
$category  = strip_tags($_REQUEST['category']);
$bookcase  = strip_tags($_REQUEST['bookcase']);
$shelf     = strip_tags($_REQUEST['shelf']);
$username  = strip_tags($_REQUEST['user_id']);
# No validation errors, so insert the book into the database
if (empty($errors)) {
    $insert_sql = "INSERT INTO library (title, author, publisher, pub_date, isbn, format, genre, category, bookcase, shelf, time_entered, by) VALUES ( '$title', '$author', '$publisher', '$pub_date', '$isbn', '$format', '$genre', '$category', '$bookcase', '$shelf', NOW(), '$username' )";
    mysqli_query($ptah, $insert_sql) or die(mysqli_error($ptah));
    mysqli_close($ptah);
    exit();
}
?>
On submission, I get the following error.
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'by) VALUES ( 'Gently Does It', 'Hunter Alan', 'Robinson', '2010', '1234567890', ' at line 1
This misses out format, genre, category, bookcase, shelf, date entered and by whom completely.
Interestingly, the amount of data to be submitted will vary with the length of individual pieces,
for instance
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'by) VALUES ( 'The Hundred Year Old Man Who Climbed Out of a Window And Disappear' at line 1
doesn't even finish the title whereas
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'by) VALUES ( 'a', 'b', 'c', '1234', '1', 'Paperback', 'Fiction', 'Fantasy', 'a1'' at line 1
makes it as far as bookcase.
I'm stumped. Could anyone help, please?
BY is a reserved word in MySQL, so you should escape it with backticks (`) if you need to use it as a field name.
<...> , time_entered, `by`) <...>
BY is a reserved word in MySQL. In order to use it as an identifier in a query you need to enclose it with backticks:
... time_entered, `by`) VALUES (...
It's generally good practice to always enclose identifiers (column names, table names, etc.) with backticks anyway. It's more explicit to the query engine.
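As an added example that is not code from the question or the answers above: the same INSERT built with every identifier backtick-quoted, as the answers recommend, and every value bound through a placeholder instead of being escaped and interpolated. Python's sqlite3 module stands in for MySQL so the example runs offline; SQLite accepts the backtick quoting but, unlike MySQL, also tolerates an unquoted `by`, so the example does not reproduce the MySQL error, it shows the form that avoids it. The column list, the table layout and the sample book are assumptions.

```python
import sqlite3

# Fixed allowlist of columns the form may supply; request data never names a column.
COLUMNS = ("title", "author", "publisher", "pub_date", "isbn", "format",
           "genre", "category", "bookcase", "shelf", "by")


def quote_ident(name):
    """Backtick-quote an identifier (MySQL style; SQLite accepts it too).
    A backtick inside the name is doubled, the same rule as quotes in strings."""
    return "`" + name.replace("`", "``") + "`"


def open_library():
    """In-memory stand-in for the MySQL `library` table (assumed layout)."""
    con = sqlite3.connect(":memory:")
    cols = ", ".join(f"{quote_ident(c)} TEXT" for c in COLUMNS)
    con.execute(f"CREATE TABLE library (id INTEGER PRIMARY KEY, {cols}, "
                f"time_entered TEXT DEFAULT CURRENT_TIMESTAMP)")
    return con


def build_insert(fields):
    """Return (sql, params) for one row. Column names come from COLUMNS, so
    quoting them guards against reserved words, not against user input; the
    values travel separately as parameters, which replaces both
    mysqli_real_escape_string and the hand-written quotes in the query string."""
    unknown = set(fields) - set(COLUMNS)
    if unknown:
        raise ValueError("unexpected fields: %s" % sorted(unknown))
    cols = ", ".join(quote_ident(c) for c in COLUMNS)
    marks = ", ".join("?" for _ in COLUMNS)
    sql = (f"INSERT INTO library ({cols}, time_entered) "
           f"VALUES ({marks}, CURRENT_TIMESTAMP)")
    params = [(fields.get(c) or "").strip() for c in COLUMNS]
    return sql, params


def insert_book(con, fields):
    """Insert one book and return its row id."""
    sql, params = build_insert(fields)
    cur = con.execute(sql, params)
    con.commit()
    return cur.lastrowid


def fetch_book(con, rowid):
    """Read a row back as a dict keyed by column name (identifiers quoted again)."""
    cols = ", ".join(quote_ident(c) for c in COLUMNS)
    row = con.execute(f"SELECT {cols} FROM library WHERE id = ?", (rowid,)).fetchone()
    return dict(zip(COLUMNS, row)) if row else None


# Constructed sample input, shaped like the $_REQUEST fields in the question.
SAMPLE_BOOK = {
    "title": "Gently Does It", "author": "Hunter Alan", "publisher": "Robinson",
    "pub_date": "2010", "isbn": "1234567890", "format": "Paperback",
    "genre": "Fiction", "category": "Crime", "bookcase": "a1", "shelf": "3",
    "by": "O'Brien",   # the apostrophe needs no escaping when bound as a parameter
}

if __name__ == "__main__":
    con = open_library()
    rowid = insert_book(con, SAMPLE_BOOK)
    print(build_insert(SAMPLE_BOOK)[0])
    print(fetch_book(con, rowid))
```

The statement text never contains user data, so a value with a quote, a backslash or a `<script>` tag is stored exactly as typed; strip_tags is an output-encoding concern and does nothing for the SQL.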
Related
I am using MySQL with ASP.NET/VB. In a table I use GUID instead of int identifiers. All goes as planned until I try to update a specific row, where I get a syntax error in the statement below:
Dim q As String = "UPDATE documents SET date_document = @date_document, document_type = @document_type, sender = @sender, receiver = @receiver, description = @description, document_number = @document_number, pages = @pages, handled_date = current_timestamp, handled_user_id = @handled_user_id, error_code = @error_code) WHERE id = @id"
My GUID parameter:
.Parameters.Add("@id", MySqlDbType.Guid, 16).Value = myguid
And the error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ') WHERE id = '8873442f-2f0b-4372-ac08-8388220c6eca'' at line 1
Any ideas on what's going on?
You're chasing down the wrong issue. What character does your error syntax begin with? It starts off as ') Where id = ...
You're assuming it's the id. It's not. That works fine. The first character is a closing parenthesis. That's the clue. There is no opening parenthesis. Remove the ) because you don't need it with an update statement.
This is the query I am using to insert into the table.
I am getting an error like this:
$sql = mysql_query("INSERT INTO userinfo(runnername,runnerdob,runnerage,runnergender,runneraddress,runnercity,runnerstate,runnerpincode,runneremail,runnerpassword,runnermobilenumber,e_name,e_relationship,e_address,e_mobilenumber,height,weight,bloodgroup,category,tshirtsize,accountcreationdate,lastlogin,timestamp,registereduser,ipaddress,status)
VALUES('$runnername','$dt',$runnerage,'$runnergender','$runneraddress','$runnercity','$runnerstate','$runnerpincode','$runneremail','$epassword','$runnermobilenumber','$e_name','$e_relationship','$e_address','$e_mobilenumber','$height','$weight','$bloodgroup','$category',$tshirtsize,'$accountdate','Y','$t','Y','$ip',1") or die(mysql_error());
This is generated output
INSERT INTO
userinfo(runnername,runnerdob,runnerage,runnergender,runneraddress,runnercity,runnerstate,runnerpincode,runneremail,runnerpassword,runnermobilenumber,e_name,e_relationship,e_address,e_mobilenumber,height,weight,bloodgroup,category,tshirtsize,accountcreationdate,lastlogin,timestamp,registereduser,ipaddress,status)
VALUES('VIDHYA PRAKASH R','1985-04-08',29,'M','12 DIVINE
RESIDENNCY','coimbatore','TAMILNADU','641035','vidhyaprakash85@gmail.com','FU4A31/GhcmRItAHb97lNtrjRZr+y1yG4arxawG/qEs=','9944524864','rajendran','father','12
DIVINE RESIDENNCY coimbatore TAMILNADU
641035','9894773083','6','6','A1+ve','M',42,'11-07-2014
12:11:02','Y','1405060862','Y','127.0.0.1',1)
but I am getting error as
You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use
near '' at line 1
I have been breaking my head over this for the past two hours.
Can anyone please help me?
The issue is at the end of the query. Writing long insert queries on a single line should be avoided; writing them over multiple lines helps you find the issue almost immediately, or, best of all, use a prepared statement with PDO or mysqli.
Your query ends as 'Y','$ip',1") which is missing the closing ).
Here is how the query should be:
$sql = mysql_query(
"INSERT INTO userinfo
(
runnername,
runnerdob,
runnerage,
runnergender,
runneraddress,
runnercity,
runnerstate,
runnerpincode,
runneremail,
runnerpassword,
runnermobilenumber,
e_name,
e_relationship,
e_address,
e_mobilenumber,
height,
weight,
bloodgroup,
category,
tshirtsize,
accountcreationdate,
lastlogin,
timestamp,
registereduser,
ipaddress,
status
)
VALUES
(
'$runnername',
'$dt',
$runnerage,
'$runnergender',
'$runneraddress',
'$runnercity',
'$runnerstate',
'$runnerpincode',
'$runneremail',
'$epassword',
'$runnermobilenumber',
'$e_name',
'$e_relationship',
'$e_address',
'$e_mobilenumber',
'$height',
'$weight',
'$bloodgroup',
'$category',
$tshirtsize,
'$accountdate',
'Y',
'$t',
'Y',
'$ip',
1
)"
) or die(mysql_error());
Are you missing a close bracket at the end of your values statement?
Instead of
'$ip',1")
Shouldn't it be
'$ip',1)")
PHP Script:
<?php
include('connect.php');
if (isset($_POST['project_name'])){
$name = $_POST['project_name'];
$date = $_POST['date'];
$amount = $_POST['amount'];
$curr = $_POST['curr'];
$spec = $_POST['spec'];
$SQL = "INSERT INTO projects (name, date, currency, amount, specifications) VALUES '$name','$date','$amount','$curr','$spec'" or die(mysql_error()."update failed");
$insert = mysql_query($SQL);
if($insert){
echo "Successful";
echo "<BR>";
echo "<a href='insert.php'>Back to main page</a>";
} else {
?>
A HTML FORM HERE
<?php
}
?>
NOTE: The connect.php file is working ok since I've used it before on other scripts but on the same server.
Every time I try to submit the form (method = post), I get this error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''sad','08/13/2013','244','dollars','sdasd'' at line 1
What could be the problem?
While inserting, the VALUES for a given row have to be enclosed in parentheses.
INSERT INTO projects (name, date, currency, amount, specifications) VALUES
('$name','$date','$amount','$curr','$spec')
To remember that, keep in mind that INSERT allows adding several rows at once, which is why each row has to be delimited by those parentheses:
-- Just for the example, insert the same row 3 times
INSERT INTO projects (name, date, currency, amount, specifications) VALUES
('$name','$date','$amount','$curr','$spec'),
('$name','$date','$amount','$curr','$spec'),
('$name','$date','$amount','$curr','$spec');
BTW, please note that using string interpolation to build your query is a major risk of SQL injection. Please see How can I prevent SQL injection in PHP? for the details.
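The injection risk this answer warns about, as an added example that is not part of the original thread. Python's sqlite3 stands in for MySQL (the multi-row VALUES syntax is the same); the `projects` table layout and the payload are constructed for the demonstration. The interpolated query is the one from the question with the parentheses fixed. The multi-row form explained above is exactly what a crafted `name` abuses: it closes the first row and opens a second one of the attacker's choosing, while the same payload bound as a parameter is stored as a plain string.

```python
import sqlite3

INSERT = ("INSERT INTO projects (name, date, currency, amount, specifications) "
          "VALUES (?, ?, ?, ?, ?)")


def open_projects():
    """In-memory stand-in for the MySQL `projects` table (assumed layout)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE projects (id INTEGER PRIMARY KEY, name TEXT, date TEXT, "
                "currency TEXT, amount TEXT, specifications TEXT)")
    return con


def insert_interpolated(con, name, date, currency, amount, spec):
    """The question's query with the parentheses fixed but still built by string
    interpolation. Returns the SQL text that was actually executed."""
    sql = ("INSERT INTO projects (name, date, currency, amount, specifications) "
           f"VALUES ('{name}','{date}','{currency}','{amount}','{spec}')")
    con.execute(sql)
    return sql


def insert_bound(con, name, date, currency, amount, spec):
    """Same insert with placeholders: the driver sends the values separately from
    the statement, so quotes or a ),( sequence in a value cannot restructure it."""
    con.execute(INSERT, (name, date, currency, amount, spec))


def insert_many_bound(con, rows):
    """The legitimate multi-row case: one prepared statement, executed per row."""
    con.executemany(INSERT, rows)


def project_names(con):
    return [r[0] for r in con.execute("SELECT name FROM projects ORDER BY id")]


# Constructed payload for the `name` field: closes the value and the first row,
# then starts a second row whose last four values are supplied by the rest of the
# real query, so the statement stays syntactically valid and inserts two rows.
PAYLOAD = "sad','08/13/2013','dollars','244','sdasd'),('injected"


def demo():
    """Run the payload through both versions; return the names each one stored."""
    con = open_projects()
    insert_interpolated(con, PAYLOAD, "08/13/2013", "dollars", "244", "sdasd")
    after_interpolated = project_names(con)   # two rows: 'sad' and 'injected'

    con = open_projects()
    insert_bound(con, PAYLOAD, "08/13/2013", "dollars", "244", "sdasd")
    after_bound = project_names(con)          # one row whose name is the raw payload
    return after_interpolated, after_bound


if __name__ == "__main__":
    print(demo())
```

Escaping functions such as mysql_real_escape_string would neutralise this particular payload, but they have to be applied to every value on every query, and they do nothing for unquoted numeric fields or identifiers; placeholders remove the class of bug rather than one instance.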
INSERT INTO projects (name, date, currency, amount, specifications) VALUES ('$name','$date','$amount','$curr','$spec')
Add ( after values
You are forgetting the ( & ) in your insert statement:
$SQL = "INSERT INTO projects (name, date, currency, amount, specifications)
VALUES
('$name','$date','$amount','$curr','$spec')" or die(mysql_error()."update failed");
You should pass the name value like 'sad' not ''sad'. Hope you can find the problem.
I have fought with this the last two hours and my head hurts..
I get this error:
You have an error in your SQL syntax;
check the manual that corresponds to your MySQL server version
for the right syntax to use near '' at line 7
This is my table http://i.imgur.com/5KzxxbR.png
This is my query:
// $_POST values arrive as strings, so is_int() is always false on them; use is_numeric() instead,
// and check y as well as x (the original tested x twice)
if (!is_numeric($_POST['x']) || !is_numeric($_POST['y'])) break;
$q = mysql_query("
INSERT INTO `bit-board`
(value, type, x, y)
VALUES(
'".$_POST['post-it']."',
'post-it',
'".$_POST['x']."',
'".$_POST['y']."'
)"
);
// mysql_error without parentheses is an undefined constant, not the function call
echo mysql_error() ? mysql_error() : mysql_insert_id();
And the second one:
if (!is_numeric($_POST['x']) || !is_numeric($_POST['y']) || !is_numeric($_POST['id'])) break;
$q = mysql_query("
UPDATE `bit-board`
SET
value = '".$_POST['post-it']."',
type = 'post-it',
x = '".$_POST['x']."',
y = '".$_POST['y']."'
WHERE id = '".$_POST['id']."'
");
Thanks
X and Y are floats, so don't put quotes around a numeric value.
Also check the comment from @a_horse_with_no_name about quoting the table name.
$q = mysql_query("
INSERT INTO `bit-board`
(value, type, x, y)
VALUES(
'".$_POST['post-it']."',
'post-it',
".$_POST['x'].",
".$_POST['y']."
)"
);
(Not tested)
I have this Perl script and it used to work fine until recently.
I am getting this error message:
DBD::mysql::db do failed: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' '')
ON DUPLICATE KEY UPDATE value=''' at line 2 at import_productfeatures.pl line 71.
foreach my $feature (@features) {
my $cat_featureid = $feature->{CategoryFeature_ID};
my $value = $feature->{Presentation_Value};
my $sql = "INSERT INTO products_features (product_id, feature_id, value)
VALUES (".$prodid.", ".$cat_featureid.", ".$dbh->quote($value).")
ON DUPLICATE KEY UPDATE value=".$dbh->quote($value);
$dbh->do($sql);
}
You should use placeholders, instead of putting the values directly into the string:
my $sql = "INSERT INTO products_features (product_id, feature_id, value)
VALUES (?,?,?)
ON DUPLICATE KEY UPDATE value=?";
my $sth = $dbh->prepare($sql);
foreach my $feature (@features) {
my $cat_featureid = $feature->{CategoryFeature_ID};
my $value = $feature->{Presentation_Value};
$sth->execute($prodid,$cat_featureid,$value,$value);
}
$sth->finish();
DBI will handle the correct escaping for you.
Print out the value of $sql so you can see the SQL statement that you are building. Then you can see what the syntax problem is, or post it here so we can diagnose it.
However, even more than that, you should be using parametrized queries, not building SQL statements with untrusted external data. You are leaving yourself open to SQL injection. Please see http://bobby-tables.com/perl.html for examples on how to do it properly.
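As an added example that is not part of the original thread, the placeholder version of the loop in Python's sqlite3, standing in for DBD::mysql (SQLite 3.24 or later spells MySQL's ON DUPLICATE KEY UPDATE as ON CONFLICT ... DO UPDATE). The table layout and the feature records are assumptions. It also shows why the advice to print the generated statement matters: an undefined value interpolated into the string leaves an empty slot in the VALUES list and fails as a syntax error, which is one way to end up with a statement like the one in the question's error, whereas the same value bound as a parameter becomes NULL and fails on the column constraint with a message that names the column. Whether that is the cause in the question is not established in the thread.

```python
import sqlite3

# MySQL: INSERT ... ON DUPLICATE KEY UPDATE value=?  /  SQLite 3.24+: ON CONFLICT ... DO UPDATE
UPSERT = ("INSERT INTO products_features (product_id, feature_id, value) VALUES (?, ?, ?) "
          "ON CONFLICT(product_id, feature_id) DO UPDATE SET value = excluded.value")


def open_features():
    """In-memory stand-in for the MySQL products_features table (assumed layout)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products_features ("
                "product_id INTEGER NOT NULL, feature_id INTEGER NOT NULL, value TEXT, "
                "PRIMARY KEY (product_id, feature_id))")
    return con


def quote(value):
    """Mimic $dbh->quote: NULL for an undefined value, otherwise a quoted string."""
    if value is None:
        return "NULL"
    return "'" + str(value).replace("'", "''") + "'"


def interpolated_statement(prodid, cat_featureid, value):
    """The string-built statement from the question, returned (not executed) so it
    can be inspected: an undefined feature id interpolates as nothing at all."""
    fid = "" if cat_featureid is None else str(cat_featureid)
    return ("INSERT INTO products_features (product_id, feature_id, value)\n"
            f"VALUES ({prodid}, {fid}, {quote(value)})\n"
            f"ON DUPLICATE KEY UPDATE value={quote(value)}")


def upsert_features(con, prodid, features):
    """Placeholder version of the loop: one statement, executed once per feature.
    Returns the number of features written."""
    cur = con.cursor()
    for f in features:
        cur.execute(UPSERT, (prodid, f["CategoryFeature_ID"], f["Presentation_Value"]))
    con.commit()
    return len(features)


def feature_values(con, prodid):
    """{feature_id: value} for one product."""
    return dict(con.execute("SELECT feature_id, value FROM products_features "
                            "WHERE product_id = ?", (prodid,)))


# Constructed records shaped like the $feature hashes in the question.
FEATURES = [
    {"CategoryFeature_ID": 7, "Presentation_Value": "Black"},
    {"CategoryFeature_ID": 9, "Presentation_Value": '15.6"'},
]
FEATURES_UPDATED = [{"CategoryFeature_ID": 7, "Presentation_Value": "Silver"}]
BROKEN = [{"CategoryFeature_ID": None, "Presentation_Value": "it's"}]


def demo():
    """Insert, update through the same statement, then feed an undefined feature id.
    Returns the stored values and the constraint error text (None if no error)."""
    con = open_features()
    upsert_features(con, 42, FEATURES)
    upsert_features(con, 42, FEATURES_UPDATED)   # second run updates, no duplicate row
    try:
        upsert_features(con, 42, BROKEN)
        error = None
    except sqlite3.IntegrityError as e:
        error = str(e)                           # names feature_id, not "syntax error"
    return feature_values(con, 42), error


if __name__ == "__main__":
    print(interpolated_statement(42, None, "it's"))
    print(demo())
```

With placeholders the statement is parsed once and the values never touch the parser, so a quote in Presentation_Value, an empty string and an undefined value are all handled by the driver, and the only remaining failure is the data problem itself, reported as such.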
I think you missed a single quote.
change
my $sql = "INSERT INTO products_features (product_id, feature_id, value)
VALUES (".$prodid.", ".$cat_featureid.", ".$dbh->quote($value).")
ON DUPLICATE KEY UPDATE value=".$dbh->quote($value);
to
my $sql = "INSERT INTO products_features (product_id, feature_id, value)
VALUES (".$prodid.", ".$cat_featureid.", '".$dbh->quote($value)."')
ON DUPLICATE KEY UPDATE value='".$dbh->quote($value)."'";