Novice here. Just trying to bind values to eliminate sql injections. I've got the code below but I get this error...
called with 1 bind variables when 47 are needed at my.cgi line 803.
and output looks like..
$new_row='53616c7465645f5fd8b88f6a16704f8ebc0a2002dfg45633617bbb0446fa', 'test12', 'user', '2012-03-06', 'xcvb', 'xb', 'xcvbb', 'xcvbb', 'UT', 'US', '4566', '4564564566', 'todd#my.com', 'vbn', '', '200', 'Monthly', 'eBook', 'WebStore', '9.95', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', 'http://my.com', 'my.com', '', '', '', '', '', '', '', '', '2012-03-06', '30-Day-Trial'
$questionmarks=?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?
I've tried it with/without quotes and commas. Any ideas appreciated.
foreach my $field (#account_field_order) {
$new_row .= "'" . param($field) . "', ";
$questionmarks .="?, ";
}#foreach
$new_row .= "'$status'";
$questionmarks .= "? ";
my $dsn = "DBI:mysql:$database";
my $dbh = DBI->connect($dsn, $MYSQLuserid, $MYSQLpassword )
or die $DBI::errstr;
my $sth = $dbh->prepare(qq(INSERT INTO $table VALUES ($questionmarks) ))
or die $DBI::errstr;
$sth->execute(qq($new_row)) or die $DBI::errstr;
You're supposed to supply a list of arguments, one for each questionmark, not a single scalar argument that contains the strings of the arguments. When I answered your question before, I told you to do:
my #values = map param($_), #account_field_order; # add values to array
push #values, $status; # for simplicity
$new_row = join ", ", ("?") x #values; # add ? for each value
... # basically same code as before, except the execute statement:
$sth->execute(#values); # arguments given will be inserted at placeholders
Where $new_row is your placeholder string, not your argument list. Not:
$new_row .= "'" . param($field) . "', ";
...
$new_row .= "'$status'";
$sth->execute(qq($new_row)) or die $DBI::errstr;
Because $new_row counts as one argument, since it is a scalar. You need an array or list of the same length as the number of questionmarks.
First, lets fix the first statements:
#new_row=('53616c7465645f5fd8b88f6a16704f8ebc0a2002dfg45633617bbb0446fa', 'test12', 'user', '2012-03-06', 'xcvb', 'xb', 'xcvbb', 'xcvbb', 'UT', 'US', '4566', '4564564566', 'todd#my.com', 'vbn', '', '200', 'Monthly', 'eBook', 'WebStore', '9.95', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', 'http://my.com', 'my.com', '', '', '', '', '', '', '', '', '2012-03-06', '30-Day-Trial');
$questionmarks="?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?";
These will create an array of values and a single string with all the ?s.
Then in the execute statement:
$sth->execute(#new_row) or die $DBI::errstr;
which will pass in your array of values into the execute line, rather than a single argument like you were doing before.
Related
I set up an Apps Script program and it needs to save data to database. However, it is not working.
I have tried to use the code from Google Apps Script Documentation but I can't see how to skip the autoIncrementing field named ID and its the primary key as well.
I have used code below.
var connectionName = 'frms-db:us-central1:****';
var user = 'rj-**';
var userPwd = 'fEwnj*LAAj3****';
var db = 'CCW_CLR';
var dbUrl = 'jdbc:google:mysql://' + connectionName + '/' + db;
var conn = Jdbc.getCloudSqlConnection(dbUrl, user, userPwd);
var stmt2 = conn.prepareStatement('INSERT INTO tblPreInterview '
+ '(ID, Timestamp, Email, Section4, Section5, Section6, Section7, Pages12_13, MinorsAtHome, FirearmsStoreage, ReferenceType1, ReferenceName1, ReferencePhone1, ReferenceType2, ReferenceName2, ReferencePhone2, ReferenceEmail2, '
+ 'ReferenceType3, ReferenceName3, ReferencePhone3, ReferenceEmail3, DeptConditions, NoGuarantee, ServicePolicy, NoRefunds, PenaltyPerjury, Authorization) values (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, '
+ '?, ?, ?, ?, ?, ?, ?, ?, ?, ?)');
stmt2.setString(2, new Date());
stmt2.setString(3, data.email);
stmt2.setString(4, data.section4);
stmt2.setString(5, data.section5);
stmt2.setString(6, data.section6);
stmt2.setString(7, data.section8);
stmt2.setString(8, data.pages1213);
stmt2.setString(9, data.minors);
stmt2.setString(10, data.storefirearm);
stmt2.setString(11, data.reftype1);
stmt2.setString(12, data.refcon1);
stmt2.setString(13, data.refphone1);
stmt2.setString(14, data.refemail1);
stmt2.setString(15, data.reftype2);
stmt2.setString(16, data.refcon2);
stmt2.setString(17, data.refphone2);
stmt2.setString(18, data.refemail2);
stmt2.setString(19, data.reftype3);
stmt2.setString(20, data.refcon3);
stmt2.setString(21, data.refemail3);
stmt2.setString(22, data.deptcondition);
stmt2.setString(23, data.review_agree1);
stmt2.setString(24, data.review_agree2);
stmt2.setString(25, data.review_agree3);
stmt2.setString(26, data.review_agree4);
stmt2.setString(27, data.review_agree5);
stmt2.setString(28, data.signature);
stmt2.execute();
I expect to add data to my SQL database.
If the column is auto_incremented, you do not need to provide a value for it. MySQL automatically assigns a new number when you perform an insert where no value is given for that column.
So you should just not specify this column in your insert, ie change:
var stmt2 = conn.prepareStatement(
'INSERT INTO tblPreInterview '
+ '(ID, Timestamp, Email, Section4, Section5, Section6, ...
To:
'INSERT INTO tblPreInterview '
+ '(Timestamp, Email, Section4, Section5, Section6, ...
Accordingly you should remove the first parameter.
I have class with function, which prepares SQL statement to put data into database, but there's an error I can not figure it out, why is happening?
public function vnos_narocila($user) //, $hvrsta_narocila, $hlastna_nabava, $hos, $hsm_dn, $hoe, $hartikel1, $hkolicina_artikel1, $hem1, $hartikel2, $hkolicina_artikel2, $hem2, $hartikel3, $hkolicina_artikel3, $hem3, $hartikel4, $hkolicina_artikel4, $hem4, $hartikel5, $hkolicina_artikel5, $hem5, $hartikel6, $hkolicina_artikel6, $hem6, $hartikel7, $hkolicina_artikel7, $hem7, $hartikel8, $hkolicina_artikel8, $hem8, $hartikel9, $hkolicina_artikel9, $hem9, $hartikel10, $hkolicina_artikel10, $hem10, $hprevzemnik, $hopomba, $hzeljen_datum)
{
$sql = "SELECT * FROM nabava ORDER BY id_nabava DESC LIMIT 1"; //pridobitev zaporedne številke v letu
if( !$this->stmt = $this->mysqli->prepare($sql) )
throw new Exception("MySQL Prepare statement failed: ".$this->mysqli->error);
$this->stmt->execute();
$zadnji_zapis = $this->stmt->get_result();
$zadnji_zapis = $zadnji_zapis-> fetch_array();
$leto = date('Y');
if ( !$zadnji_zapis or $zadnji_zapis[leto] != $leto)
$zap_st=1;
else
$zap_st = $zadnji_zapis[zap_st]+1;
$narocilo = "N-".$zap_st."-".$hoe."/".$leto; //kreiranje številke naročila
$sql_vnos = "INSERT INTO nabava (vrsta_narocila, lastna_dobava, os, sm_dn, prevzemnik, opomba, zeljen_datum_dobave, narocilo, uporabnik, datum_vnosa, zap_st, oe, leto) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, NOW(), ?, ?, ? )";
if( !$this->stmt = $this->mysqli->prepare($sql_vnos) )
throw new Exception("MySQL Prepare statement failed: ".$this->mysqli->error);
$this->stmt->bind_param("iiisssisiiii", $hvrsta_narocila, $hlastna_dobava, $hos, $hsm_dn, $hprevzemnik, $hopomba, $hzeljen_datum, $narocilo, $user, $zap_st, $hoe, $leto );
if( $this->stmt->execute() )
return $this->stmt->insert_id;
return $narocilo;
}
Here is the error:
Fatal error: Uncaught Exception: MySQL Prepare statement failed: in
/var/www/html/intra_komunalaBrezice/skripte/nabava.php:111 Stack
trace: #0 /var/www/html/intra_komunalaBrezice/nabava_vnos.php(27):
nabava->vnos_narocila(1, '1', '1', '1', '200401', '1005', '1', '1',
'1', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '',
'', '', '', '', '', '', '', '', '', '', '', 'test', 'test',
'2018-07-04') #1 {main} thrown in
/var/www/html/intra_komunalaBrezice/skripte/nabava.php on line 111
Please help...
There was a mistake in number of columns and number of values passed.
I'm sorry, I should see that.
I am using this code:
$image = mysqli_real_escape_string($dbc, $res[3][$i]);
Where $res[3][$i] is a url.
Then I store $image in a Mysql DB. But when I retrieve it, it's all messed up with the special characters... (my DB is in utf8).
How can I store a url in mysql and get it back exactly as it was?
Thanks
Actually I am using prepared statement:
$image = mysqli_real_escape_string($dbc, $res[3][$i]);
$md5_of_title = md5($title);
//$query = "INSERT IGNORE INTO scrap (date, journal, section, title, href, teaser, image, md5_of_title) VALUES (?, ?, ?, ?, ?, ?, ?, ?)";
$query = "INSERT INTO scrap (date, journal, section, title, href, teaser, image, md5_of_title) VALUES (?, ?, ?, ?, ?, ?, ?, ?)";
$stmt = mysqli_prepare($dbc, $query);
/*i Integers;
d Doubles;
b Blobs;
s Everything Else;*/
mysqli_stmt_bind_param($stmt, "ssssssss", date('Y-m-d H:i:s'), $name, $section, $title, $href, $teaser, $image, $md5_of_title);
mysqli_stmt_execute($stmt);
My code is this
Profile.update_all(["is_active = ?, name = ?, geo_lat = ?, geo_long = ?, radius = ?, search_option = ?", 1, params[:profile_name],'null','null','null','st'])
but it assign
geo_lat=0
and
geo_long=0
In my database structure default value is null for both
and i want to assign null
please help me
The issue here are string 'null'.
Try the following:
Profile.update_all(["is_active = ?, name = ?, geo_lat = ?, geo_long = ?, radius = ?, search_option = ?", 1, params[:profile_name], nil, nil, nil, 'st'])
Also check your migration to see if default is not set to string 'null'.
I keep getting an incorrect string value error in my Rake Task when I go to insert into my DB for one specific record. I tried converting it to UTF8 after reading several posts here on it but still have not resolved the issue (no guarantee I did that right). Any thoughts on what else it could be? Anything I left out?
MySQL Server Community 5.5
Conversion Code:
ic = Iconv.new('UTF-8//IGNORE', 'UTF-8')
#summary = ic.iconv(bug.summary << ' ')[0..-2]
Create Code:
JiraBug.create(
:issue => bug.key,
:summary => #summary,
:reporter_name => reporter_name,
:assignee_name => assignee_name,
:weight => weight, :issue_created => issue_created,
:issue_updated => issue_updated,
:jira_it_division_id => #it_division_id,
:jira_project_id => #project_id,
:jira_priority_id => #priority_id,
:jira_status_id => #status_id,
:jira_originating_phase_id => #originating_phase_id,
:jira_detection_phase_id => #detection_phase_id,
:jira_version_id => #version_id,
:jira_version_name => #version_name,
:death_burrito_application_id => #jira_id
)
Offending String:
"Instance Blueprints → aa-test-kim → Module/Domain Objects - there is
a drop down title \"ID [REMOVEME]\". I don't think the 'removeme'
belongs."
Error
Mysql::Error: Incorrect string value: '\xE2\x86\x92 aa...' for column
'summary' at row 1: INSERT INTO jira_bugs (assignee_name,
created_at, death_burrito_application_id, issue,
issue_created, issue_updated, jira_detection_phase_id,
jira_it_division_id, jira_originating_phase_id,
jira_priority_id, jira_project_id, jira_status_id,
jira_version_id, jira_version_name, reporter_name, summary,
updated_at, weight) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?,
?, ?, ?, ?, ?) [1m[35m (1.0ms)[0m ROLLBACK Mysql::Error:
Incorrect string value: '\xE2\x86\x92 aa...' for column 'summary' at
row 1: INSERT INTO jira_bugs (assignee_name, created_at,
death_burrito_application_id, issue, issue_created,
issue_updated, jira_detection_phase_id, jira_it_division_id,
jira_originating_phase_id, jira_priority_id, jira_project_id,
jira_status_id, jira_version_id, jira_version_name,
reporter_name, summary, updated_at, weight) VALUES (?, ?, ?,
?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
I wound up doing a record specific hack for right now.
#summary = bug.summary.gsub(/→/,'>')
Not the greatest solution but until I find a better way this will have to do