insert query is not working in mysql - mysql

I really don't know what is happening; the insert query is not working for me.
$query_getgreenyear = "INSERT INTO `greenityear` `ConsolidateYear` VALUES ('".$sentdata."')";
In $sentdata the value is ('A','B') and the datatype for ConsolidateYear is varchar. I need this value to be inserted into the database,
but I am getting this error:
You have a SQL syntax error near 'ConsolidateYear VALUES ('('A','B')')' at line 1.
Please help me in this regard.
I am new to database activities.

You forgot to place a bracket() for your column name.
Try this:
$query_getgreenyear = "INSERT INTO `greenityear` (`ConsolidateYear`)
VALUES ('".$sentdata."')";

Please take a look at the MySQL Reference Manual.
You need to surround your column name with parentheses in your INSERT statement:
$query_getgreenyear = "INSERT INTO `greenityear` (`ConsolidateYear`) VALUES ('".$sentdata."')";
And I would highly recommend you to use prepared statements as provided by your MySQL-extension (at least if you're not using the deprecated mysql_connect). This protects you against SQL injections.

INSERT INTO `greenityear` (`ConsolidateYear`) VALUES (...)
But, you really should be using prepared statements and not constructing statements as you are.
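Why the placeholder matters for this question's value, as an added example that is not part of the original posts: the quotes inside ('A','B') end the string literal early when the query is concatenated, while a bound parameter stores the text unchanged. It assumes PDO with an in-memory SQLite database standing in for MySQL so that it runs without a server.

```php
<?php
// Added example, not code from the thread.
// Assumption: SQLite in memory replaces the MySQL server; with a real server
// only the DSN passed to new PDO() changes, prepare()/execute() stay the same.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE greenityear (ConsolidateYear VARCHAR(255))');

$sentdata = "('A','B')"; // the value described in the question

// 1) Concatenation, with the column parentheses already in place.
//    The first quote inside $sentdata closes the SQL string literal,
//    so the statement is still malformed.
$built = "INSERT INTO greenityear (ConsolidateYear) VALUES ('" . $sentdata . "')";
try {
    $db->exec($built);
    echo "concatenated: inserted\n";
} catch (PDOException $e) {
    echo "concatenated: rejected (" . $e->getMessage() . ")\n";
}

// 2) Prepared statement: the SQL text is fixed, the value travels separately
//    and is never parsed as SQL, whatever characters it contains.
$stmt = $db->prepare('INSERT INTO greenityear (ConsolidateYear) VALUES (?)');
$stmt->execute([$sentdata]);

// Read the row back and confirm it is byte-for-byte the submitted value.
$stored = $db->query('SELECT ConsolidateYear FROM greenityear')->fetchColumn();
echo "stored value: ", $stored, "\n";
var_dump($stored === $sentdata);
```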

the correct syntax is
INSERT INTO `tablename` (`columnname1`,`columnname2`) VALUES ('value1','value2')
so your example would be like this:
$query_getgreenyear = "INSERT INTO `greenityear` (`ConsolidateYear`) VALUES ('".$sentdata."')";

Related

SQL injection on fixed value?

I'm aware that if you're inserting a variable, it is always good to use mysqli_real_escape_string. But, if I'm inserting a fixed value which is not a variable, do I need to use that function?
For example, like the syntax below. I insert a name which is a variable, and also a value '1' into the status column. Is it safe to do that to avoid SQL injection for the column status? since it is not a variable.
"INSERT INTO customer(name, status) VALUES ('".mysqli_real_escape_string($conn, $name) ."', '1')";
When using mysqli, it is safest to use prepared statements:
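$stmt = $mysqli->prepare("INSERT INTO customer(name, status)
VALUES (?, '1')");
// Bind $name as a string ("s") to the single placeholder, then run the statement
$stmt->bind_param("s", $name);
$stmt->execute();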
(See http://php.net/manual/en/mysqli.quickstart.prepared-statements.php for the more detailed and working code).
In this you can leave static values as is, nobody can replace those. You can also alter your table:
ALTER TABLE customer ALTER COLUMN status SET DEFAULT '1';
Then you do not even have to set it any longer.
There is no objection and need to escape the values on constant as SQL Injection will not be done on static things.

PHP Registration to MYSQL Database

I have a problem here..
I'm currently building a website (blog) where I want people to be able to register. And I want that information to be sent to my MYSQL.
This is some of the code:
<?php
$query="INSERT INTO Medlemmar(namn, epost)
VALUES("$_GET[namn]", "$_GET[epost]")";
if (!mysqli_query($mysql_pekare,$query))
{
die("Error: " . mysqli_error($mysql_pekare));
}
echo "Du har lagt till kunden I databasen";
?>
But for some reason I get an error on the "VALUES" part.. That I'm missing a syntax.. WTF am I missing?! Been stuck with this for 1+ hours.. Just had to turn here, usually a quick response! Thanks!
edit: "Parse error: syntax error, unexpected T_VARIABLE"
There are syntax errors all over the place... This needs some work.
<?php
$query = "INSERT INTO Medlemmar(namn, epost) VALUES(\"".$_GET['namn']."\", \"".$_GET['epost']."\")";
That should fix the query... You need to learn how to escape \" double quotes so they can be used in the actual query.
try
VALUES ('".$_GET[a]."', '".$_GET[b]."')
or ' and " exchanged.
You are forgetting the single quotation marks around each value
The way you're managing registration is extremely insecure. If you were to set the namn and epost value to a SQL query (like SELECT FIRST (username) FROM user_table) then it would execute that on behalf of the original SQL query.
If you set username to SELECT FIRST (username) FROM user_table then it would return the first username in the user_table.
To avoid this from happening you can use prepared statements, which means that you specifically assign a SQL query with a placeholder value and then you apply a value to the placeholder.
This would mean that you force the SQL query to only execute what you've told it to do.
E.g. you want to JUST INSERT into a table and only do that and nothing else, no SELECT and no table DROP. Well, in that case you create the prepared INSERT query with a placeholder value like this.
$db = new PDO('mysql:host=localhost;dbname=database_name', 'database_user', 'database_user_password');
// Create the register statement for inserting.
// Question mark represent a placeholder for a value
$register = $db->prepare('INSERT INTO users_table (username, password) values (?, ?)');
// Execute the register statement and give it values
// The values need to be passed in as an array
$register->execute(array("test_user", "test_password"));
I'm not the best at explaining but if you want to understand what EXACTLY is going on here then this is a pretty good article which explains it in more detail.

Insert into a specific row multiple values with Where clause?

I want to insert two dates into a specific row on my table using MySql but have a syntax error on Workbench (Error 1064):
INSERT INTO atable (Activated,Expiry) WHERE Access_Code = 'accesscode'
VALUES('$current_date','$Expiration_Date')
What would be the correct version for this?
It would be something like this:
UPDATE atable
SET Activated='$current_date',
Expiry='$Expiration_date'
WHERE Access_Code='accesscode';
I'm assuming you will be setting $current_date and $Expiration_date via (what looks like PHP) code.
Hope this helps.

Issues with simple insert statement

I am working on this code and I am using a simple insert statement and I can't figure out why it's not working. If anyone could see what I am doing wrong please let me know. Thanks!
This is the error I am getting:
You have an error in your SQL syntax; check the manual that corresponds
to your MySQL server version for the right syntax to use near 'long,comments)
VALUES (2 ,2012-11-18 21:25:30, 39.3436984, -76.5856958, hh)' at line 1
here is the code:
mysql_query ("INSERT INTO incidents (emergency_type,date_time,lat,long,comments)
VALUES (2 ,$catchDate, $catchLat, $catchLong, $catchDescription)") or die(mysql_error());
echo"<br /> Data inserted";
Long is a reserved word, try `long` surrounded with backticks instead.
Reference https://dev.mysql.com/doc/refman/5.5/en/reserved-words.html
A quick browse around the docs reveals that you should be investigating PDO::prepare and PDO::execute to do this. Your current method appears to be vulnerable to SQL injection.
I'm not a PHP programmer, but something like:
// $db: a PDO handle obtained elsewhere (e.g. new PDO(...) with your connection details)
$st = $db->prepare('Insert Into Incidents (emergency_type, date_time, lat, `long`, comments) Values (?, ?, ?, ?, ?)');
$st->execute(array(2 ,$catchDate, $catchLat, $catchLong, $catchDescription));
LONG is a keyword/reserved word in mysql. You can use backticks to escape it
INSERT INTO incidents (emergency_type,date_time,lat,`long`,comments)
Or change your table column name to longitude
INSERT INTO incidents (emergency_type,date_time,lat,`long`,comments)
VALUES (2 ,'$catchDate', $catchLat, $catchLong, '$catchDescription')
LONG is on the list of MySQL Reserved Keywords. Escape it with backtick instead.
One more thing, values for date_time and comments must be enclosed with single quotes as they are not numeric.
And your query is now vulnerable to SQL Injection, please take time to read the article below:
How can I prevent SQL injection in PHP?

MySQL only inserting first row

I'm trying to insert a ton of rows into my MySQL database. I have a query like this, but with about 700 more repetitive entries in it but for some reason the query is only inserting the first row to the database. In this case it would be '374','4957','0'.
INSERT INTO table VALUES ('374','4957','0'),('374','3834','0'),('374','4958','0'),('374','5076','0'),('374','4921','0'),('374','3835','0'),('374','4922','0'),('374','3836','0'),('374','3837','0'),('374','4879','0'),('374','3838','0')
I can't figure out what I'm doing wrong.
Thank you in advance.
Don't mean to state the obvious, but if the first field '374' is your primary key field, then this is the issue.
Otherwise, are there any error messages received from the database? That is always a good place to look for bugs.
For better understanding why something is not working next time use code like this:
$sql = "INSERT INTO table VALUES ('374','4957','0'),('374','3834','0')";
if (!mysqli_query($link, $sql)) {
printf("Errormessage: %s\n", mysqli_error($link));
}
That should display error message returned from MySQL.
More information: PHP manual - mysqli_error
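The two suggestions above (a repeated primary key, and printing the database error) combined in one added example that is not part of the original posts: rows go through a single prepared statement inside a transaction, so a rejected row is reported with its position and nothing is left half-inserted. Assumptions: PDO with in-memory SQLite in place of MySQL, a hypothetical table `pairs` with hypothetical columns `a`, `b`, `c`, and `a` as the primary key; the transaction is an addition the thread does not mention.

```php
<?php
// Added example, not code from the thread. Table and column names are hypothetical.
// Assumption: SQLite in memory replaces the MySQL server so this runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pairs (a INTEGER PRIMARY KEY, b INTEGER, c INTEGER)');

// First rows of the question's VALUES list; every row repeats '374' in column a.
$rows = [['374', '4957', '0'], ['374', '3834', '0'], ['374', '4958', '0']];

/**
 * Insert all rows or none. Returns a report instead of failing silently.
 */
function insertAll(PDO $db, array $rows): array
{
    $stmt = $db->prepare('INSERT INTO pairs (a, b, c) VALUES (?, ?, ?)');
    $db->beginTransaction();
    foreach ($rows as $i => $row) {
        try {
            $stmt->execute($row);
        } catch (PDOException $e) {
            // Undo the rows already written and say which one was rejected and why.
            $db->rollBack();
            return ['ok' => false, 'failed_row' => $i, 'error' => $e->getMessage()];
        }
    }
    $db->commit();
    return ['ok' => true, 'inserted' => count($rows)];
}

$result = insertAll($db, $rows);
print_r($result);

// After the rollback the table holds no partial batch.
$count = (int) $db->query('SELECT COUNT(*) FROM pairs')->fetchColumn();
echo "rows stored: ", $count, "\n";
```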
Try to write the column names before values.
For example:
INSERT INTO table (column1,column2,column3) VALUES ...