This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
How can I prevent SQL injection in PHP?
(27 answers)
Closed 11 months ago.
working with php and mysql as well. I have following create.php page and need save data to mysql table.
<?php
include "config.php";
if(isset($_POST['submit'])) {
$first_name = $_POST['firstname'];
$last_name = $_POST['lastname'];
$email = $_POST['email'];
$password = $_POST['password'];
$gender = $_POST['gender'];
}
$sql = "INSERT INTO 'users' ('firstname','lastname','email','password','gender') VALUES ('$first_name','$last_name','$email','$password','$gender')"; // this is line 12
$result = $conn->query($sql);
if($result == TRUE) {
echo "New record has created successfully";
}
else {
echo "error:" . $sql . "<br>". $conn->error;
}
$conn->close();
?>
but got following error message
Undefined variable: first_name in C:\wamp64\www\simple\create.php on line 12 <br> error:INSERT INTO 'users' ('firstname','lastname','email','password','gender') VALUES ('','','','','') You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''users' ('firstname','lastname','email','password','gender') VALUES ('','','',''' at line 1
how to fix this?
You need to put the whole code logic inside the if(isset($_POST['submit'])) condition
What's happening right now is: if there is no $_POST['submit'], your if won't run, thus no variables are declared, but your SQL and rest of the code will still run and that's why it says var not defined
if(isset($_POST['submit'])) { ... }
Coming to the next issue is of using backticks. You really shouldn't have single quotes around the field name. You can use backticks (`) for table and column names, single quotes (') for strings. There is already an answer for it: When to use single quotes, double quotes, and backticks in MySQL
Related
This question already has an answer here:
mysqli insert error incorrect syntax [duplicate]
(1 answer)
Closed 3 years ago.
I am trying to do a small project. My task to create an update form with HTML and PHP. But I am getting this error given below:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's standard dummy text ever since the 1500s, when an unknown printer.' , exp_time' at line 1
I am using Laragon for php and HeidiSQL 9.5 for mysql server.
My database connection is okay. I can fetch data from the database using the SELECT query in the same file. I think something is wrong in my code. So please help me the code is given below:
<?php
require('auth.php');
require('db.php');
$id=$_REQUEST['id'];
$query = "SELECT * FROM experience where expid='".$id."'";
$result = mysqli_query($con,$query) or die ( mysqli_error($con));
$row = mysqli_fetch_assoc($result);
$status = "";
if(isset($_POST['new']) && $_POST['new']==1)
{
$exp_title = $_REQUEST['exp_title'];
$exp_description = $_REQUEST['exp_description'];
$exp_time = $_REQUEST['exp_time'];
$update="UPDATE experience SET exp_title='".$exp_title."' , exp_description='".$exp_description."' , exp_time='".$exp_time."'
WHERE expid='".$id."'";
mysqli_query($con, $update) or die ( mysqli_error($con));
$status = "Record Updated Successfully. </br></br>
<a href='dashboard.php'>View Updated Record</a>";
echo '<p style="color:#FF0000;">'.$status.'</p>';
}else {
?>
You need to escape the single quotes using php's str_replace, e.g.:
$exp_title = str_replace("'", "\'", $_REQUEST['exp_title']);
$exp_description = str_replace("'", "\'", $_REQUEST['exp_description']);
$exp_time = $_REQUEST['exp_time'];
$update="UPDATE experience SET exp_title='".$exp_title."' , exp_description='".$exp_description."' , exp_time='".$exp_time."'
WHERE expid='".$id."'";
However, you should really really use preparedstatements instead of concatenating strings and escaping characters, e.g.:
$exp_title = $_REQUEST['exp_title'];
$exp_description = $_REQUEST['exp_description'];
$exp_time = $_REQUEST['exp_time'];
$stmt = $conn->prepare("UPDATE experience SET exp_title= ?, exp_description = ?, exp_time = ? WHERE expid = ?");
$stmt->bind_param("types", $exp_title, $exp_description, $exp_time, $id);
This question already has answers here:
Syntax error due to using a reserved word as a table or column name in MySQL
(1 answer)
How can I prevent SQL injection in PHP?
(27 answers)
Closed 5 years ago.
I am trying to store form data into database using mysqli but it is generating query error my code is given below....
When ever I try to submit the database connection is generating.. the $_POST is working perfectly.. the error only generating by mysqli_query..
<?php
$name = $_POST["firstname"] . " " . $_POST["lastname"];
$email = $_POST["email"];
$happen = $_POST["whendidhappen"];
$howlong = $_POST["howlong"];
$howmany = $_POST["howmany"];
$describe = $_POST["describe"];
$whattheydid= $_POST["whattheydid"];
$seenmycat = $_POST["seenmycat"];
$anythingelse = $_POST["anythingelse"];
$dbc = mysqli_connect('localhost','root','','abductionreport')
or die('Database connection error');
$query = "INSERT INTO abductionform (firstname, lastname, email,whendidhappen, howlong, describe, whattheydid, seenmycat,anythingelse)VALUES('$name','$name','$email','$happen','$howlong', '$howmany','$describe','$whattheydid', '$seenmycat','$anythingelse')";
$result = mysqli_query($dbc,$query) or die ("Query Error");
mysqli_close($dbc);
?>
<h3>Aliens Abducted Me - Report an Abduction</h3>
<p>Thanks for Submiting the form.</p>
<?php
echo "$name it happend to you on $happen it take $howlong <br>";
echo "Number of aliens: $howmany<br>";
echo "Describe: $describe<br>";
echo "What they did to you: $whattheydid<br>";
echo "Have you seen my cat: $seenmycat<br>";
echo "Anything else : $anythingelse<br>";
echo "Your Email Address is : $email<br>";
?>
DESCRIBE is a mysql keyword. Wrap the column name in backticks. For that matter wrap your table and all columns in backticks. Always check that $_POST elements exist with isset () before trying to access them. Use mysqli prepared statements with placeholders for improved security. Always perform error checking BEFORE posting to SO.
You also have 9 columns and 10 values in your query - this will cause a failure every time.
This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
Closed 5 years ago.
I feel nothing is wrong with the query i have. i do not understand why i getting the error.
I already tried to remove the single quote on query but its still the same.
here's m code
ERROR
Couldn't enter data: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'Hills, price='393787', sqmw='218', sqml='218', sqm='47524', income='3773773' at line 1
UPDATED thanks
PHP CODE MYSQL
require 'connection.php';
$conn = Connect();
$id= $conn->real_escape_string($_POST['id']);
$descr= $conn->real_escape_string($_POST['descr']);
$price= $conn->real_escape_string($_POST['price']);
$sqmw= $conn->real_escape_string($_POST['sqmw']);
$sqml= $conn->real_escape_string($_POST['sqml']);
$sqm = $sqmw * $sqml;
$income= $conn->real_escape_string($_POST['income']);
$statuss= $conn->real_escape_string($_POST['statuss']);
$query = " UPDATE wentwrong SET descr='$descr',
price='$price',
sqmw='$sqmw',
sqml='$sqml',
sqm='$sqm',
income='$income',
statuss='$statuss'
WHERE id='$id' ";
$success = $conn->query($query);
if (!$success) {
die("Couldn't enter data: ".$conn->error);
}
echo '<script language="javascript">';
echo 'alert("Edit Successfully!")';
echo '</script>';
echo '<script language="javascript">';
echo 'window.location.href = "http://google.com"';
echo '</script>';
$conn->close();
?>
You're missing quotes around a constant. Where you have
$query = " UPDATE wentwrong SET descr=$descr, /*wrong*/
you should have
$query = " UPDATE wentwrong SET descr='$descr',
The tricks to troubleshooting this kind of thing.
read error messages carefully. Then read them again.
believe the error messages. You're working with systems that have been around for a couple of decades. They aren't throwing random bogus errors any more.
In the case of MySQL's syntax error message, it shows you the erroneous query, starting with the first character it could not understand.
This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
Closed 6 years ago.
I have issue with the query. i don't know why its not working,
it always shows , there is an error, and do not insert data into table, although it is collecting data from form.
there is no error or warning notification but it chooses the else option from if condition and does not insert data into table, don't know why.
<?php
$con=mysqli_connect('localhost','root','','flentox');
if(mysqli_connect_error($con))
{
echo "there is an error in connection";
}
$fname=$_POST['fname'];
$lname=$_POST['lname'];
$email=$_POST['email'];
$phone=$_POST['phone'];
$area=$_POST['select'];
$address=$_POST['address'];
$eaddress=$_POST['eaddress'];
$query= mysqli_query($con, "INSERT INTO order(Fname,Lname,Email,Phone,Area,Address,Eaddress) VALUES(`$fname`,`$lname`,`$email`,`$phone`,`$area`,`$address`,`$eaddress`)");
if ($query) {
echo "order confirm";
}
else {
echo "There is an error";
}
?>
Your query is not correct, you don't need to use ( `` ) in VALUES. Don't forget to check if your values is empty or not.
So if there is no data has come from $_POST, your query also will be crashed.
Also don't forget about SQL injections. It is not recommended to insert $_POST or $_GET data immediately in query. Use Prepared Statements.
Try this.
$fname = (empty($_POST['fname']) ? 'default value' : $_POST['fname']);
.......... (for other params too).
"INSERT INTO order (`Fname`,`Lname`,`Email`,`Phone`,`Area`,`Address`,`Eaddress`)
VALUES('".$fname."','".$lname."','".$email."','".$phone."','".$area."','".$address."','".$eaddress."')";
Also to show your errors, run this code at the very top of the php file -
error_reporting(1);
This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
Closed 6 years ago.
This one has had me stumped for a couple of days. I have a basic PHP script to submit a user registration form. I just cant see what I am doing wrong in this instance the web server is running PHP 7.0 and there are no errors in the logs.
<?php
require_once('connect.php');
if(isset($_POST) && !empty($_POST)){
$username = mysqli_real_escape_string($connection, $_POST['username']);
$email = mysqli_real_escape_string($connection, $_POST['email']);
$password =md5($_POST['password']);
$sql = "INSERT INTO 'login' (username, email, password) VALUES ('$username', '$email', '$password')";
$result = mysqli_query($connection, $sql);
if($result){
echo "User Rego Secusseflllgk";
}else{
echo "User rego faile";
}
}
?>
I saw a couple of these already but they seemed to be to do with using both myslq and mysqli and others appeared to not be first connection to the DB. Any help would be much appreciated. I am recieving the User Rego Failed echo
You probably want use the backtick ` instead of a single quote ' to wrap your table name.
INSERT INTO `login`
When a query fail, it's useful to print the error message. You can do it with mysqli_error:
echo mysqli_error($connection);
Use table name without single quote and try to check mysqli error with mysqli_error($connection) just after $result.