I'm trying to insert values into a MySQL database using the following query:
INSERT INTO TestTable (SearchTerm, SearchResult)
VALUES (?, ?), ("TestTerm", "TestResult");
I get the error message that there is an error "near '?, ?) ("TestTerm", "TestResult")' at line 1".
Would someone mind pointing out my mistake?
The ? is used with frameworks like PDO and mysqli. A normal insert looks like this
INSERT INTO TestTable (SearchTerm, SearchResult)
VALUES ('TestTerm', 'TestResult');
or
INSERT INTO TestTable (SearchTerm, SearchResult)
SELECT 'TestTerm', 'TestResult';
Script direct:
INSERT INTO TestTable (SearchTerm, SearchResult)
VALUES ("TestTerm", "TestResult");
With prepared statements:
INSERT INTO TestTable (SearchTerm, SearchResult) VALUES (?, ?);
It looks like you're trying to use a prepared statement. The idea is that the question marks stand in for values that may contain query-breaking characters (namely semi-colons and quotes).
If you're using a library, you usually need to use two steps to do this. E.g., in java:
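PreparedStatement ps = connection.prepareStatement("INSERT INTO TestTable (SearchTerm, SearchResult) VALUES (?, ?)"); // connection: an open java.sql.Connection
ps.setString(1, "TestTerm");
ps.setString(2, "TestResult");
ps.executeUpdate();
ps.setString(1, "Escaped;Term"); // the semicolon is bound as data, so it cannot break the query
ps.executeUpdate(); // parameter 2 keeps its previous value, "TestResult"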
Most every language has generic SQL libraries that allow you to do this. What language are you using?
I want to insert data into my table, but when I press "enter" nothing happens and the next sentence starts with '>.
I know it means a missing string, but I don't see it.
This is my code:
INSERT
INTO events
VALUES
('13', '2021.03.13',
'vet',
'Dehidration. Spider's body loses more fluids than it does take in. If spider is not threated, it can get worse and become a serious problem.',
'10',
'5');
Then it shows "'>".
How do I deal with this?
The fourth value that you are entering contains a ' which is closing the string early. Try this:
INSERT
INTO events
VALUES
('13', '2021.03.13',
'vet',
'Dehydration. Spider\'s body loses more fluids than it does take in. If spider is not threated, it can get worse and become a serious problem.',
'10',
'5');
In this case the \ lets the database know that you want to store the character ', instead of ending the string early.
Please use this mysqli_real_escape_string(db_connection, $your_string)
OR
you may write single quote like this => \'
I have a MySQL column with data looking like this,
I need to convert the column to the JSON format via convert(somecolumn,JSON). However, it seems that I first need to remove the escape symbols (e.g., \"). I did some search and found that mysql_real_escape_string will do the job (from this question).
But if I understand correctly, mysql_real_escape_string is a PHP command. Is there any native MySQL command that does a similar thing to mysql_real_escape_string (something like convert(mysql_native_function(somecolumn),JSON))?
Use REPLACE. For harder things REGEXP_REPLACE.
SELECT REPLACE(somecolumn, '\\"', '"') -- '\\"' is a backslash followed by a double quote; '\"' on its own is just "
SELECT REGEXP_REPLACE('"..."', '(^"|"$)', '')
The latter will unquote the entire string, as ^ is the start, and $ the end.
BTW I would actually correct all the data in the table once. (After a backup.)
The mysql library is old. If you really need to use something like it, use mysqli.
mysql_real_escape_string is not as secure as you would think it to be, see this: https://security.stackexchange.com/questions/8028/does-mysql-escape-string-have-any-security-vulnerabilities-if-all-tables-using-l
That said, you're much better off not using any of them but using PHP PDO and replacing it with something like:
$data = [
'name' => $name,
'surname' => $surname,
'sex' => $sex,
];
$sql = "INSERT INTO users (name, surname, sex) VALUES (:name, :surname, :sex)";
$stmt= $pdo->prepare($sql);
$stmt->execute($data);
It will take care of the 'escaping' problems for you.
More examples here: https://phpdelusions.net/pdo_examples/insert
I want to fetch MySQL data containing round brackets, e.g. ABCD(XYZ). When I run the query
"SELECT * FROM tablename WHERE Column = 'ABCD(XYZ)'"
it returns an empty result. Please suggest a way. Thanks in advance!
This should work:
INSERT INTO `tablename` (`Column`) VALUES ('ABCD(XYZ)');
SELECT * FROM `tablename` WHERE `Column` = 'ABCD(XYZ)';
Maybe 'ABCD(XYZ)' is not exactly the value of your data (for example if you inserted some whitespaces before or after it.)
You can try it with a like to find that out:
SELECT * FROM `tablename` WHERE `Column` LIKE '%ABCD(XYZ)%';
Another possibility is that your value has been converted with htmlentities and you saved something like this:
'ABCD&#40;XYZ&#41;'
&#40; Left parenthesis
&#41; Right parenthesis
This may be a futile question, but I will ask anyway. I have now learned that it is bad practice to use a question mark at the end of a field name, as is the case with the Paid? field in the following statement:
$sql = "INSERT INTO `tblAppeals`
(
`#`,
`Year`,
`Property#`,
`Paid?`,
`Outcome`,
`ResolvedBy`,
`AppealCategory`
)
VALUES (?,?,?,?,?,?,?)";
When I try to run the statement, I get an error because the question mark is not handled correctly. I haven't been able to find any workarounds to avoid having to go back and change the field name.
Is there any way I can keep the field name the same, Paid?, and still use it in the INSERT statement? Thanks.
It looks like it's an issue with your query layer and not MySQL itself. That is, whatever is doing the bind params handling is eagerly looking for all ? in the SQL and not just what's in the VALUES part of the clause.
What database driver / query framework are you using?
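The behaviour this answer describes, sketched as an added example (not code from the thread, and not the code of any particular driver): a scanner that treats every `?` as a placeholder, next to one that skips backtick-quoted identifiers and quoted strings. Both function names are hypothetical, and SQL comments are not handled.

```php
<?php
// Added example: why a `?` inside a quoted identifier can confuse a query layer.

// Naive layer: every question mark in the SQL text is taken as a placeholder.
function countPlaceholdersNaive(string $sql): int
{
    return substr_count($sql, '?');
}

// Quote-aware scan: skips `identifiers`, 'strings' and "strings".
function countPlaceholders(string $sql): int
{
    $count = 0;
    $quote = null;                    // quote character of the region we are inside, if any
    $len   = strlen($sql);
    for ($i = 0; $i < $len; $i++) {
        $ch = $sql[$i];
        if ($quote === null) {
            if ($ch === '`' || $ch === "'" || $ch === '"') {
                $quote = $ch;         // entering a quoted region
            } elseif ($ch === '?') {
                $count++;             // a real placeholder
            }
        } elseif ($ch === '\\' && $quote !== '`') {
            $i++;                     // backslash escape inside a string: skip next character
        } elseif ($ch === $quote) {
            if ($i + 1 < $len && $sql[$i + 1] === $quote) {
                $i++;                 // doubled quote ('' or ``) is an escaped quote
            } else {
                $quote = null;        // leaving the quoted region
            }
        }
    }
    return $count;
}

// The statement from the question, with its seven bound values.
$sql = "INSERT INTO `tblAppeals`
        (`#`, `Year`, `Property#`, `Paid?`, `Outcome`, `ResolvedBy`, `AppealCategory`)
        VALUES (?,?,?,?,?,?,?)";

printf("naive count: %d\n", countPlaceholdersNaive($sql));
printf("quote-aware count: %d\n", countPlaceholders($sql));
```

A layer that counts like the first function expects one more bound value than the statement supplies, which matches the kind of error the question reports.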
I can't believe I am having this problem. I've been looking and looking but I can't see what is wrong. I hate this error message.
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' poster_ip, message, posted, thread_id INTO posts ' at line 1
mysql_query("INSERT poster, poster_ip, message, posted, thread_id
INTO posts
VALUES (
{$post_info['poster']},
'".mysql_real_escape_string($_SERVER['REMOTE_ADDR'])."',
'".mysql_real_escape_string($post_info['message'])."',
{$post_info['posted']},
{$post_info['thread_id']}") or die (mysql_error());
Your SQL syntax is wrong.
You should be using something similar to:
INSERT INTO posts (poster, poster_ip, message, posted, thread_id) VALUES (...)
Maybe you should look at the doc ;)
Insert Syntax
If you're going to put the column names, you should put them after the table name.
Example:
INSERT INTO table (col1, col2) VALUES (val1, val2)
Looks like a good opportunity to practice some debugging techniques. Try building the string you are passing to the function and assigning it to a variable, then echoing that variable to see what it is you are actually passing to the function. You can learn a lot that way about why you are getting errors. Also, it would help to know the data types of the columns you are inserting values into.
I have written this code to show you why arrays are useful for query generation and less likely to make a syntax error if you need to add more fields in future.
$fields = array('poster', 'poster_ip', 'message', 'posted', 'thread_id'); // Our fields, one array element per column
$table = 'posts'; // Our table name
$values = array(
$post_info['poster'],
$_SERVER['REMOTE_ADDR'],
$post_info['message'],
$post_info['posted'],
$post_info['thread_id']
);
$values = array_map('mysql_real_escape_string', $values); // Secure all inputs
// Generate query
$query = "INSERT INTO $table (" . implode(',', $fields) . ") VALUES ('" . implode("','", $values) . "')";
// Run query
$result = mysql_query($query) or die('query error: ' . mysql_error());
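The same array-driven approach with bound parameters instead of escaping, as an added example that is not part of any answer above; it also covers the apostrophe problem from the `events` question. It assumes the pdo_sqlite extension so it runs offline (an in-memory SQLite table stands in for MySQL), and `insertRow` and the sample row are constructed for illustration.

```php
<?php
// Added example: the placeholder list is generated from the field array,
// and the values are bound instead of being escaped into the SQL string.

function insertRow(PDO $pdo, string $table, array $row, array $allowedColumns): int
{
    // Identifiers cannot be bound as parameters, so check them against an allowlist.
    // $table must be a constant from your own code, never request data.
    $columns = array_keys($row);
    $unknown = array_diff($columns, $allowedColumns);
    if ($columns === [] || $unknown !== []) {
        throw new InvalidArgumentException('Empty or unexpected column list: ' . implode(', ', $unknown));
    }
    $placeholders = implode(', ', array_fill(0, count($columns), '?'));
    $sql = "INSERT INTO $table (" . implode(', ', $columns) . ") VALUES ($placeholders)";

    $stmt = $pdo->prepare($sql);
    $stmt->execute(array_values($row));   // values travel separately from the SQL text
    return $stmt->rowCount();
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE posts (poster INTEGER, poster_ip TEXT, message TEXT, posted INTEGER, thread_id INTEGER)');

$allowed = ['poster', 'poster_ip', 'message', 'posted', 'thread_id'];

// Constructed sample row; the message contains an apostrophe and a semicolon.
$row = [
    'poster'    => 7,
    'poster_ip' => '203.0.113.5',
    'message'   => "Spider's body loses more fluids than it takes in; see a vet",
    'posted'    => 1615593600,
    'thread_id' => 42,
];

echo insertRow($pdo, 'posts', $row, $allowed), " row inserted\n";
echo $pdo->query('SELECT message FROM posts')->fetchColumn(), "\n";

// A key that is not a known column is rejected before any SQL is built.
try {
    insertRow($pdo, 'posts', ['not_a_column' => 1], $allowed);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```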