SQL syntax error/character recognition - mysql

When I post something into my HTML form, for example when I enter 'John' in the first name field, I am getting the following error:
Error in query: .
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Smith',Address_Line_1='rtuy657tr',Address_Line_2='',City='leicester',Postcode='L' at line 1
I know it has something to do with the mysql_real_escape_string() function, but how would I use it for inserting into the DB? I have started the function:
function db_insert_preparation(){
}
$con = mysql_connect("localhost","root","");
if (!$con)
{
    die('Could not connect: ' . mysql_error());
}
mysql_select_db("project1", $con);
This is where it needs to be used:
$sql2 = "INSERT INTO `".$table_name."` (`Group`, `Date_Of_Birth`, `Gender`, `Title`, `First_Name`, `Last_Name`, `Address_Line_1`, `Address_Line_2`, `City`, `Postcode`, `Contact_No`, `Email`, `Additional_Comment`, `Upload_File`) VALUES ('".db_insert_preparation($group)."','".$_POST[dateofbirth]."','".$_POST[gender]."','".$_POST[title]."','".$_POST[firstname]."','".$_POST[lastname]."','".$_POST[address1]."','".$_POST[address2]."','".$_POST[city]."','".$_POST[postcode]."','".$_POST[contactno]."','".$_POST[email]."','".$_POST[note]."','".$filename."' )";

The SQL insert statement is vulnerable to SQL injection. If one of the POST values contains a double quote " or a newline, the statement gets corrupted and syntax errors ensue. Make sure you escape everything user-provided with mysql_real_escape_string().

Use the mysql_real_escape_string function on the value: mysql_real_escape_string($_POST['firstname']). In fact, do it on all your POST variables before you pass them to the SQL.

SQL error text giving me a different value that the actual value

This is the line of code that is causing the error:
$result = $mysqli->query("SELECT * FROM 'accounts'.'users' WHERE email='$email' AND hash='$hash' AND active='0'") or die($mysqli->error);
and this is the error that shows:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''accounts'.'users' WHERE email='testemail@email.com' AND hash='76dc611d6eba' at line 1
However, if I print the value of hash I get "76dc611d6ebaafc66cc0879c71b5db5c", the value that I want to search with and the value that is stored in the database. I am not sure if it is just being shortened for the error message or if something else is happening.
Try changing from ' (apostrophe) to ` (backtick), or simply remove the single quotes from the db/table name, so your query looks like this:
SELECT * FROM `accounts`.`users` WHERE email='$email' AND hash='$hash' AND active='0'
Try removing quotes around database and table name
$mysqli = new mysqli("localhost", "my_user", "my_password", "world");
if ($mysqli->connect_errno) {
    printf("Connect failed: %s\n", $mysqli->connect_error);
    exit();
}
$result = $mysqli->query("SELECT * FROM accounts.users WHERE email='$email' AND hash='$hash' AND active='0'") or die($mysqli->error);

Uncaught PDOException: SQLSTATE[42000] - Try to Insert Data

I have read and tried hard for the past two hours to run my code, but I get a syntax error in my SQL query. Can anyone help me?
My code:
$query = "INSERT INTO `article` (`text`,`headline`,`date`,`author`,`active`) SET (?,?,?,?,?)";
$stmt = $pdo->prepare($query);
$stmt->bindValue(1, $text, PDO::PARAM_STR);
$stmt->bindValue(2, $headline, PDO::PARAM_STR);
$stmt->bindValue(3, $date, PDO::PARAM_STR);
$stmt->bindValue(4, $author, PDO::PARAM_STR);
$stmt->bindValue(5, $active, PDO::PARAM_INT);
if ($stmt->execute()) { /* do something */ }
Fatal error:
Uncaught PDOException: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'SET ('some text','test headline','2017-09-30','author123',1)'
BTW, how can I use PHP code tags?
Thanks
Try changing "SET" in your query to "VALUES"; your use of "SET" is incorrect in that context.
Your syntax is incorrect. Check the MySQL documentation:
https://dev.mysql.com/doc/refman/5.7/en/insert.html
When using an INSERT query, you use:
INSERT INTO table_name (column1, column2, column3, ...) VALUES (value1, value2, value3, ...);

Why do I get this SQL syntax error? - Syntax error or access violation: 1064

Why do I get this error: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1?
<?php
include 'model.php';
global $db;
try {
    $sql = 'SELECT accounts.username '
         . 'FROM accounts '
         . 'WHERE accounts.username = '
         . $_POST[username];
    $stmt = $db->prepare($sql);
    $stmt->execute();
    $navList = $stmt->fetchAll();
    $stmt->closeCursor();
    header('location: ./view_cms.php');
} catch (PDOException $exc) {
    echo $exc->getMessage();
    // header('location: ./view_error.php');
    exit;
}
?>
Because you need to wrap strings in single quotes in the WHERE clause. You also need to access $_POST entries with a quoted string key:
$sql = "SELECT accounts.username ".
"FROM accounts ".
"WHERE accounts.username = '".$_POST["username"]."'";
Plus, this is the reason why PHP-based web software has a bad reputation. Sanitize your inputs, for heaven's sake!! Your prepare statement doesn't do anything as you're not using parameters (your statement is not a prepared statement).
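As an added example (not code from either post), here is the query above written as a real parameterized statement, together with the PDO INSERT from the earlier question using VALUES and typed bindings. The database name `project1`, the credentials and `view_error.php` are assumed placeholders.

```php
<?php
// Added example, not code from either post. Assumes a database `project1`
// (placeholder) holding the `accounts` and `article` tables from the posts.
$db = new PDO('mysql:host=localhost;dbname=project1;charset=utf8mb4',
              'db_user', 'db_password', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // throw instead of returning false
    PDO::ATTR_EMULATE_PREPARES   => false, // server-side prepares, not client-side quoting
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);

// A prepare() on a string that already has $_POST glued into it is NOT a
// prepared statement: the user's text is part of the SQL the server parses.
// With a placeholder the value travels separately and can only ever be data.
function find_account(PDO $db, string $username): array
{
    $stmt = $db->prepare('SELECT username FROM accounts WHERE username = :username');
    $stmt->execute([':username' => $username]);
    return $stmt->fetchAll();
}

// INSERT uses VALUES (...) with one placeholder per column; typed binding
// keeps `active` an integer even though $_POST only ever delivers strings.
function insert_article(PDO $db, array $a): int
{
    $stmt = $db->prepare(
        'INSERT INTO `article` (`text`, `headline`, `date`, `author`, `active`)
         VALUES (:text, :headline, :date, :author, :active)'
    );
    $stmt->bindValue(':text',     $a['text'],        PDO::PARAM_STR);
    $stmt->bindValue(':headline', $a['headline'],    PDO::PARAM_STR);
    $stmt->bindValue(':date',     $a['date'],        PDO::PARAM_STR);
    $stmt->bindValue(':author',   $a['author'],      PDO::PARAM_STR);
    $stmt->bindValue(':active',   (int)$a['active'], PDO::PARAM_INT);
    $stmt->execute();
    return (int)$db->lastInsertId();
}

try {
    // A username containing a quote, e.g. O'Brien, is matched literally.
    $rows = find_account($db, $_POST['username'] ?? '');
    header('Location: ./view_cms.php');
} catch (PDOException $e) {
    // Keep the driver message in the server log; it names tables and
    // columns, so it should not be echoed to the browser.
    error_log($e->getMessage());
    header('Location: ./view_error.php');
}
exit;
```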

Mysql insert query failed

Hello, I am trying to insert some data into MySQL using Perl.
I have an array that I want to insert into a table, but the problem is that the array has a " ' ".
When I try to insert it I get an error: mysql query failed.
#!/usr/bin/perl
use DBI;
@abc = "FUJI-XEROX CO. LTD. ADVANCED TECH & ENG'G CENTER 9-50 CHUO 2-CHOME, EBINA-SHI KANAGAWA 24 JAPAN";
$dbh = DBI->connect('dbi:mysql:remotegenius;host=localhost', 'root', 'active123') or die "Connection Error: $DBI::errstr\n";
$dbh->do("insert into OUI set `oui`='$abc'");
When I execute the code I get:
DBD::mysql::db do failed: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'G CENTER 9-50 CHUO 2-CHOME, EBINA-SHI KANAGAWA 24 JAPAN'' at line 1 at ./test.pl line 9.
I need help from someone with MySQL and Perl expertise.
First of all it is essential to use strict and use warnings at the top of every program. It saves a huge amount of time by revealing simple mistakes, and would have alerted you to the fact that you put a string into array @abc and then use the scalar $abc in your SQL statement. I assume here that you intended to use $abc throughout.
Your error is because that's not what an INSERT statement looks like. You also need to escape and quote the string in $abc properly as it contains single quotes, so you must write
$dbh->do(sprintf 'INSERT INTO oui (oui) VALUES (%s)', $dbh->quote($abc));
But it is best to prepare the statement first and then execute it
my $insert = $dbh->prepare('INSERT INTO oui (oui) VALUES (?)');
and later
$insert->execute($abc);
Or perhaps you mean "UPDATE oui SET oui = ?"? But that will set the oui field to the same value on every row of the table.
If you need to insert an array of values, first make sure you have values in the array variable.
my @vals = ('One', 'Two', 'Three');
The error is because the INSERT query syntax is wrong; here is the INSERT syntax:
INSERT INTO <table> (col1, col2) VALUES ('val1', 'val2')
Here is the snippet that should work for you:
use strict;
use warnings;
use DBI;
my @vals = ('One', 'Two', 'Three');
my $dbh = DBI->connect('dbi:mysql:remotegenius;host=localhost', 'root', 'active123')
    or die "Connection Error: $DBI::errstr\n";
# One prepared statement, executed once per value; the placeholder handles quoting.
my $in = $dbh->prepare('INSERT INTO oui (oui) VALUES (?)');
foreach (@vals) {
    $in->execute($_);
}

MySQL column mismatch error on very basic query

So I'm getting this error:
Error: Column count doesn't match value count at row 1
(Very common, and I've checked through Google, and my issue is that most of the issues are actual column mismatches as it describes.)
My location table has "user", "latitude", "longitude", "posttext"; user and posttext are both varchar, and lat and long are int. For the time being, I'm just trying to insert values with user and posttext values. I've taken the query out of my PHP and run it in the SQL part of phpMyAdmin and it runs fine, so I'm not sure why I'm getting the error.
A PHP form supplies the post data from text boxes, and this is the PHP processing code:
<?php
error_reporting(E_ALL);
$username = $_POST['user'];
$textToPost = $_POST['textToPost'];
$con = mysql_connect("127.0.0.1","*","*");
if (!$con)
{
    die('Could not connect: ' . mysql_error());
}
mysql_select_db("test");
$sql= "INSERT INTO location(user, posttext)
VALUES ('.$username.,.$textToPost.')";
if (!mysql_query($sql))
{
    die('Error: ' . mysql_error());
}
echo "1 record added";
mysql_close($con);
echo $username;
echo $textToPost;
?>
So I'm hoping it's a very basic syntax error on my part, but could someone help?
You're missing some quotes:
$sql= "INSERT INTO location(user, posttext)
VALUES ('".$username."','".$textToPost."')";
Shouldn't the query be like this?
$sql= "INSERT INTO location(user, posttext)
VALUES ('".$username."','".$textToPost."')";
Try with
$sql= "INSERT INTO location(user, posttext)
VALUES ('".$username."','".$textToPost."')";
Remember you MUST always sanitize user input before using it in a query!!
It would be better to use prepared statements...
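Both this question and the first one on the page build an INSERT by concatenating $_POST values into the SQL text, which is what the escaping advice in the answers addresses. As an added example (not code from either post), here is the first question's form insert done with mysqli prepared statements, plus a whitelist for the table name, which cannot be bound as a parameter. The database name, credentials and the table list are assumed placeholders.

```php
<?php
// Added example, not code from either post. Assumes database `project1`,
// the form fields and column names from the first question, and that
// $table_name may come from the request (hence the whitelist).
$mysqli = new mysqli("localhost", "db_user", "db_password", "project1");
if ($mysqli->connect_errno) {
    die("Connect failed: " . $mysqli->connect_error);
}
$mysqli->set_charset("utf8mb4"); // binding and escaping are charset-aware

// Identifiers (table and column names) cannot be bound as parameters;
// anything dynamic there must be matched against a fixed list.
$allowed_tables = ['people', 'staff'];            // constructed list
$table_name = $_POST['table'] ?? 'people';
if (!in_array($table_name, $allowed_tables, true)) {
    die("Unknown table");
}

// Form field => column, in a fixed order. Values are read from $_POST with
// a quoted key; the unquoted $_POST[firstname] in the post is a bare-word
// constant, which PHP reports as a warning or error depending on version.
$map = [
    'dateofbirth' => 'Date_Of_Birth',  'gender'    => 'Gender',
    'title'       => 'Title',          'firstname' => 'First_Name',
    'lastname'    => 'Last_Name',      'address1'  => 'Address_Line_1',
    'address2'    => 'Address_Line_2', 'city'      => 'City',
    'postcode'    => 'Postcode',       'contactno' => 'Contact_No',
    'email'       => 'Email',          'note'      => 'Additional_Comment',
];
$values = [];
foreach (array_keys($map) as $field) {
    $values[] = (string)($_POST[$field] ?? '');
}
$columns      = '`' . implode('`, `', $map) . '`';
$placeholders = implode(', ', array_fill(0, count($map), '?'));

// Prepared statement: values never become part of the SQL text, so a name
// like O'Brien, a double quote or a newline cannot break the query or change
// its meaning. mysqli_real_escape_string() is the fallback only where binding
// is impossible, and it protects a value solely when that value sits inside quotes.
$stmt = $mysqli->prepare("INSERT INTO `$table_name` ($columns) VALUES ($placeholders)");
if ($stmt === false) {
    die("Prepare failed: " . $mysqli->error);
}
$stmt->bind_param(str_repeat('s', count($values)), ...$values); // all 's' = string
if (!$stmt->execute()) {
    die("Insert failed: " . $stmt->error);
}
echo "1 record added\n";
```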