So basically I can't seem to send the array with the input values to my database.
I tried sending it separately, it works, but it only sends the array or the other way around. There are no errors.
if (isset($_POST['submit'])) {
    $services = implode("|", $_POST['services']);
    // every value, including the imploded list, is interpolated straight into the SQL text rather than bound
    mysqli_query($mysqli, "INSERT INTO klientai (package, name, surname, email, phone, message, services) VALUES('$_POST[package]', '$_POST[name]', '$_POST[surname]', '$_POST[email]', '$_POST[phone]', '$_POST[message]', '$services')");
}
The mysql_query function is deprecated and is not secure; you should use another option.
You can use PDO, for example:
https://www.php.net/manual/en/book.pdo.php
Open a connection:
$pdo = new PDO('mysql:host=localhost;dbname=test', $user, $pass);
Insert method 1:
$sql = "INSERT INTO users (name, surname, sex) VALUES (?,?,?)";
$stmt = $pdo->prepare($sql);
$stmt->execute([$name, $surname, $sex]);
Insert method 2:
$data = [
    'name' => $name,
    'surname' => $surname,
    'sex' => $sex,
];
$sql = "INSERT INTO users (name, surname, sex) VALUES (:name, :surname, :sex)";
$stmt = $pdo->prepare($sql);
$stmt->execute($data);
Also check https://phpdelusions.net/pdo_examples/insert and
https://www.startutorial.com/articles/view/pdo-for-beginner-part-1
With this method, you don't need to escape your strings against SQL injection, and it should also solve your problem.
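The question's insert written with PDO prepared statements, as an added example (not the answerer's code): the table and column names are the question's, the DSN and credentials are assumptions, and the checkbox array is coerced and imploded before being bound like any other value.

```php
<?php
// Added example: the question's insert into `klientai` using PDO with bound values.
// Connection details are assumptions; exceptions are enabled so a failed insert is not silent.
$pdo = new PDO('mysql:host=localhost;dbname=test;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // server-side prepares: values never enter the SQL text
]);

if (isset($_POST['submit'])) {
    // A checkbox group arrives as an array only when at least one box is ticked;
    // coerce to an array and keep only strings so a single value or nothing still works.
    $services = isset($_POST['services']) ? (array) $_POST['services'] : [];
    $services = array_filter($services, 'is_string');

    $row = [
        'package'  => $_POST['package'] ?? '',
        'name'     => $_POST['name']    ?? '',
        'surname'  => $_POST['surname'] ?? '',
        'email'    => $_POST['email']   ?? '',
        'phone'    => $_POST['phone']   ?? '',
        'message'  => $_POST['message'] ?? '',
        'services' => implode('|', $services),   // one delimited column, as in the question
    ];

    $stmt = $pdo->prepare(
        'INSERT INTO klientai (package, name, surname, email, phone, message, services)
         VALUES (:package, :name, :surname, :email, :phone, :message, :services)'
    );
    // Every value, including the imploded list, travels as a bound parameter;
    // PDO throws if the keys in $row do not match the placeholders exactly.
    $stmt->execute($row);

    echo 'Inserted row id ' . $pdo->lastInsertId();
}
```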
Have seen tons of similar questions but still can't find out what's going on.
I'm using PHP's PDO to prepare a statement like that:
try{
$statement = $db->prepare("INSERT INTO $date (name, surname, email, phone, comment) VALUES (:name, :surname, :email, :phone, :comment)");
$statement->bindParam(':name', $name);
$statement->bindParam(':surname', $surname);
$statement->bindParam(':email', $email);
$statement->bindParam(':phone', $phone);
$statement->bindParam(':comment', $comment);
$statement->execute();
}
catch(PDOException $e){
die("Connection to database failed: " . $e->getMessage());
}
Have tried escaping everything with [] and specifying the database name before the table name, but keep getting
SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in
your SQL syntax; check the manual that corresponds to your MySQL server
version for the right syntax to use near '2017-08-11 (name, surname, email,
phone, comment) VALUES ('Test', 'Test', 'Test#' at line 1
INSERT INTO $date
It seems that there is a 2017-08-11 in the $date var.
If you want to insert data into the '2017-08-11' table, it should be escaped with the ` symbol:
try{
$statement = $db->prepare("INSERT INTO `$date` (name, surname, email, phone, comment) VALUES (:name, :surname, :email, :phone, :comment)");
$statement->bindParam(':name', $name);
$statement->bindParam(':surname', $surname);
$statement->bindParam(':email', $email);
$statement->bindParam(':phone', $phone);
$statement->bindParam(':comment', $comment);
$statement->execute();
}
catch(PDOException $e){
die("Connection to database failed: " . $e->getMessage());
}
Assuming that 2017-08-11 is a table name, simply encase it in backticks.
$statement = $db->prepare("INSERT INTO `$date` (name, surname, email, phone, comment) VALUES (:name, :surname, :email, :phone, :comment)");
Sorry, but you can't use special characters when using the prepare statement, so what MySQL is actually seeing is INSERT INTO $date (name, surname, email, phone, comment) VALUES (:name, :surname, :email, :phone, :comment), which will trigger a syntax error.
Here is a quick solution:
try{
    // the table name and all five values are interpolated into the SQL text; nothing is bound or quoted
    $db->query("INSERT INTO $date (name, surname, email, phone, comment) VALUES ($name, $surname, $email, $phone, $comment)");
}
catch(PDOException $e){
    die("Connection to database failed: " . $e->getMessage());
}
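Identifiers such as the table name in $date cannot be bound as parameters, which is why the backtick-quoting answers work and the unbound query in the last reply should not be used. As an added example (not from the thread), the table name is restricted to the date shape the application expects and quoted, while the values are still bound; the DSN and credentials are assumptions.

```php
<?php
// Added example: safe insert into a per-day table. Table and column names cannot be PDO
// placeholders, so the table name is validated against the exact shape expected and then
// quoted with backticks; the row values are bound as usual.
$db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,   // assumption: errors throw instead of failing silently
]);

function dailyTableName(string $date): string
{
    // Accept only YYYY-MM-DD that is also a real calendar date; anything else is rejected
    // before it can reach the SQL text.
    if (!preg_match('/^(\d{4})-(\d{2})-(\d{2})$/', $date, $m)
        || !checkdate((int) $m[2], (int) $m[3], (int) $m[1])) {
        throw new InvalidArgumentException("Not a valid table date: $date");
    }
    return '`' . $date . '`';   // backticks make MySQL read 2017-08-11 as an identifier, not an expression
}

function insertComment(PDO $db, string $date, array $fields): int
{
    $sql = 'INSERT INTO ' . dailyTableName($date)
         . ' (name, surname, email, phone, comment)'
         . ' VALUES (:name, :surname, :email, :phone, :comment)';
    $stmt = $db->prepare($sql);
    $stmt->execute([
        'name'    => $fields['name'],
        'surname' => $fields['surname'],
        'email'   => $fields['email'],
        'phone'   => $fields['phone'],
        'comment' => $fields['comment'],
    ]);
    return $stmt->rowCount();   // 1 on success; a database error raises PDOException
}

// Constructed input for illustration.
$fields = ['name' => 'Test', 'surname' => 'Test', 'email' => 'test@example.com',
           'phone' => '000', 'comment' => 'hello'];
insertComment($db, '2017-08-11', $fields);   // inserts into `2017-08-11`
insertComment($db, '2017-13-01', $fields);   // throws InvalidArgumentException; nothing is sent to MySQL
```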
I have a problem trying to insert new data into the database;
I don't even get any error.
$db = new MyPDO();
$datauser = array(
'account' => $acc,
'tid' => $tid,
'email' => $email,
'amount' => $amount,
'date' => 'NOW()',
'obj_id' => $object_id);
$sql = $db->query("INSERT INTO account_reg_log
(account, tid, email, amount, date, obj_id) VALUES
(:account, :tid, :email, :amount, :date, :obj_id)");
$sql->execute($datauser);
Checking the database after running the script, I see no new rows.
Any ideas how I can fix that?
You need to prepare your statement instead of running a query directly with placeholders.
Change:
$sql = $db->query("INSERT INTO account_reg_log
(account, tid, email, amount, date, obj_id) VALUES
(:account, :tid, :email, :amount, :date, :obj_id)");
To:
$sql = $db->prepare("INSERT INTO account_reg_log
(account, tid, email, amount, date, obj_id) VALUES
(:account, :tid, :email, :amount, :date, :obj_id)");
You should also add error handling in your MyPDO class so that PDO will throw exceptions and tell you exactly what goes wrong when it goes wrong.
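An added example (not the asker's or answerer's code) of what the answer describes: a minimal MyPDO wrapper that makes PDO throw, plus the corrected insert. The question's MyPDO class is not shown, so this one and its DSN are assumptions; it also moves NOW() into the SQL text, since binding the string 'NOW()' sends a literal rather than the function call.

```php
<?php
// Added example: MyPDO with exceptions enabled (assumed shape of the question's class)
// and the insert done with prepare() instead of query().
class MyPDO extends PDO
{
    public function __construct()
    {
        // DSN and credentials are assumptions.
        parent::__construct('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'pass', [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,   // no more silent "no new rows"
            PDO::ATTR_EMULATE_PREPARES => false,
        ]);
    }
}

function logAccountRegistration(MyPDO $db, array $datauser): string
{
    // NOW() belongs in the SQL text: a bound 'NOW()' would arrive as a string literal,
    // which MySQL rejects in strict mode for a DATETIME column.
    $stmt = $db->prepare('INSERT INTO account_reg_log
        (account, tid, email, amount, date, obj_id) VALUES
        (:account, :tid, :email, :amount, NOW(), :obj_id)');
    // Exactly the five remaining keys must be present; PDO raises HY093 on extra or missing ones.
    $stmt->execute($datauser);
    return $db->lastInsertId();
}

$db = new MyPDO();
// Constructed input for illustration.
$datauser = [
    'account' => 'acc-001',
    'tid'     => 'tx-42',
    'email'   => 'user@example.com',
    'amount'  => 19.99,
    'obj_id'  => 7,
];
try {
    echo 'Logged row ' . logAccountRegistration($db, $datauser), PHP_EOL;
} catch (PDOException $e) {
    // With ERRMODE_EXCEPTION the real cause (unknown column, wrong parameter count, ...) surfaces here.
    error_log('Insert failed: ' . $e->getMessage());
}
```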
I have been trying to get my form data to the database through PHP code, but it is not working, and I have looked at the code a thousand times for a possible error but couldn't find one as a beginner. The form will actually submit, but nothing gets to the database.
Any fast help would be deeply appreciated. Here is the code:
$conn = @mysqli_connect('localhost', 'root', 'aboki');
if (mysqli_connect_error()) {
die('Connect Error: ' . mysqli_connect_error());
}
$qry = "INSERT INTO users (email, firstName, surname, userName, password, birthday) values ($email, $firstName, $surname, $userName, $password, $userDOB)";
$result = mysqli_query($conn, $qry);
Try this:
$qry = "INSERT INTO users (email, firstName, surname, userName, password, birthday)
values ('$email', '$firstName', '$surname', '$userName', '$password', '$userDOB')";
Firstly, you are not quoting the values, which is why it is not inserting...
This will fix it (But I strongly recommend you do not use this method!):
$qry = "INSERT INTO users (email, firstName, surname, userName, password, birthday) values ('$email', '$firstName', '$surname', '$userName', '$password', '$userDOB')";
The Correct Method
You would be better off making the most of the predefined functions that mysqli offers and binding these parameters in a prepared statement like so:
$stmt = mysqli_prepare($conn, "INSERT INTO users (email, firstName, surname, userName, password, birthday) values (?, ?, ?, ?, ?, ?)");
// one type character per placeholder: six string columns, so "ssssss"
mysqli_stmt_bind_param($stmt, 'ssssss', $email, $firstName, $surname, $userName, $password, $userDOB);
mysqli_stmt_execute($stmt);
I have a solution for the data insert; you can try it out.
$conn = mysqli_connect("localhost", "root", "my_password", "world");
if (mysqli_connect_errno()) {
    printf("Connect failed: %s\n", mysqli_connect_error());
    exit();
}
// the six values are interpolated into the SQL text unquoted and unbound
$query = "INSERT INTO users
    (email, firstName, surname, userName, password, birthday) VALUES
    ($email, $firstName, $surname, $userName, $password, $userDOB)";
mysqli_query($conn, $query);
printf("New Record has id %d.\n", mysqli_insert_id($conn));
mysqli_close($conn);
As you are using mysqli in the query, the syntax is quite different.
Feel free to ask further questions.
Thanks
Example:
if ($stmt = mysqli_prepare($conn, "SELECT District FROM City WHERE Name=?")) {
    $stmt->bind_param("s", $city);
    $stmt->execute();
}
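The form insert from this question done end to end with mysqli prepared statements, completing the bind_param sketch in "The Correct Method" answer and the SELECT fragment just above; this is an added example, not code from either answer. The column list is the question's; the database name, the mysqli_report setting and the sample input are assumptions.

```php
<?php
// Added example: mysqli prepared insert for the question's `users` table.
// Values are sent to the server separately from the SQL text, so no quoting is needed.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);   // failures throw mysqli_sql_exception

// The question's connect call names no database; 'app' is an assumption.
$conn = mysqli_connect('localhost', 'root', 'aboki', 'app');
$conn->set_charset('utf8mb4');

function insertUser(mysqli $conn, array $u): int
{
    $stmt = $conn->prepare(
        'INSERT INTO users (email, firstName, surname, userName, password, birthday)
         VALUES (?, ?, ?, ?, ?, ?)'
    );
    // One type character per placeholder: six string columns -> "ssssss"
    // ("i" for integers, "d" for doubles, "b" for blobs).
    $stmt->bind_param('ssssss',
        $u['email'], $u['firstName'], $u['surname'], $u['userName'], $u['password'], $u['birthday']);
    $stmt->execute();
    $id = (int) $conn->insert_id;   // read from the same connection that ran the insert
    $stmt->close();
    return $id;
}

// Constructed input for illustration; the password column receives a hash, not the raw password.
$user = [
    'email'     => 'ada@example.com',
    'firstName' => 'Ada',
    'surname'   => 'Lovelace',
    'userName'  => 'ada',
    'password'  => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
    'birthday'  => '1815-12-10',
];
printf("New record has id %d.\n", insertUser($conn, $user));
mysqli_close($conn);
```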
I just need to make sure I've got the PDO prepared statements correct; will the following code be secured against SQL injection?
$data['username'] = $username;
$data['password'] = $password;
$data['salt'] = $this->generate_salt();
$data['email'] = $email;
$sth = $this->db->prepare("INSERT INTO `user` (username, password, salt, email, created) VALUES (:username, :password, :salt, :email, NOW())");
$sth->execute($data);
Yes, your code is safe. It can be shortened however:
$data = array( $username, $password, $this->generate_salt(), $email );
// If you don't want to do anything with the returned value:
$this->db->prepare("
INSERT INTO `user` (username, password, salt, email, created)
VALUES (?, ?, ?, ?, NOW())
")->execute($data);
You could start with an empty array for your $data like:
// start with a fresh array for data
$data = array();
// imagine your code here
Your code looks good so far.
EDIT: I missed your NOW() call. Imho you should add it with a bind variable as well, like:
// bind date
$data['created'] = date("Y-m-d H:i:s");
// updated prepare statement
$sth = $this->db->prepare("INSERT INTO `user` (username, password, salt, email, created) VALUES (:username, :password, :salt, :email, :created)");
I am having a strange issue that I am just not finding a solution to. The problem is that the prepared sql statement is not binding in values, parameters or even passing them through the execute function. Instead, it inserts the ':blah' placeholder. As I said, I have tried bindParam, bindValue and this method all without result. However, I will try them all again now.
I outputted the parameters being sent right before the execute call.
Array ( [:username] => schenn [:salt] => NW5552wekj5155cNr52O54q56 [:hashpass] => 5e54240aec6294873d11d6ac3e5b135136a1b671 [:email] => monkey@monkey.com [:state] => OR [:country] => USA [:last_login] => 12/08/2011 )
Below is the code:
$query = "INSERT INTO player_acct (username, salt, hashpass, email, state, country, last_login)
VALUES (':username', ':salt', ':hashpass', ':email', ':state', ':country', ':last_login')";
$stmt = $pdoI->prepare($query);
$params = array(":username" => $this->username, ":salt" => $this->salt, ":hashpass" => $this->hashpass,
":email" => $this->email, ":state" => $this->state, ":country" => $this->country, ":last_login" => $this->last_login );
$stmt->execute($params);
You shouldn't be quoting the placeholders in the SQL. Try the following as your SQL string:
$query = "INSERT INTO player_acct (username, salt, hashpass, email, state, country,
last_login) VALUES (:username, :salt, :hashpass, :email, :state, :country, :last_login)";
You don't quote the bound values in the SQL statement when binding variables.
$query = "INSERT INTO player_acct (username, salt, hashpass, email, state, country, last_login) VALUES (:username, :salt, :hashpass, :email, :state, :country, :last_login)";
Also make sure $this->email, etc... is set correctly.
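Because a quoted ':username' is an ordinary string literal to MySQL, the mismatch is only visible in the stored rows. As an added example (not from the thread), a small pre-flight check that rejects quoted placeholders and key/placeholder mismatches before prepare() runs; the function name and the sample parameter values are constructed.

```php
<?php
// Added example: lint a named-placeholder statement before handing it to PDO::prepare().
// Catches the two mistakes behind literal ':username' rows: placeholders wrapped in quotes,
// and keys in $params with no placeholder in the SQL (or placeholders with no key).
function checkNamedPlaceholders(string $sql, array $params): void
{
    // A placeholder inside quotes is a string literal, so it is never bound.
    if (preg_match_all("/'(:[A-Za-z_][A-Za-z0-9_]*)'/", $sql, $quoted)) {
        throw new LogicException('Quoted placeholder(s): ' . implode(', ', $quoted[1]));
    }
    preg_match_all('/(?<![\w:]):[A-Za-z_][A-Za-z0-9_]*/', $sql, $found);
    $inSql = array_unique($found[0]);
    // execute() accepts keys with or without the leading colon; normalise to ':name'.
    $inParams = array_map(fn($k) => ':' . ltrim((string) $k, ':'), array_keys($params));
    $missing = array_diff($inSql, $inParams);   // placeholder present, no value supplied
    $extra   = array_diff($inParams, $inSql);   // value supplied, no placeholder (PDO raises HY093)
    if ($missing || $extra) {
        throw new LogicException('Placeholder mismatch; unbound: [' . implode(', ', $missing)
            . '] unused: [' . implode(', ', $extra) . ']');
    }
}

// Constructed parameters mirroring the question's array.
$params = [':username' => 'schenn', ':salt' => 'NW5552', ':hashpass' => '5e5424',
           ':email' => 'monkey@example.com', ':state' => 'OR', ':country' => 'USA',
           ':last_login' => '2011-12-08'];

$bad  = "INSERT INTO player_acct (username, salt, hashpass, email, state, country, last_login)
         VALUES (':username', ':salt', ':hashpass', ':email', ':state', ':country', ':last_login')";
$good = "INSERT INTO player_acct (username, salt, hashpass, email, state, country, last_login)
         VALUES (:username, :salt, :hashpass, :email, :state, :country, :last_login)";

try {
    checkNamedPlaceholders($bad, $params);
} catch (LogicException $e) {
    echo $e->getMessage(), PHP_EOL;   // lists all seven quoted placeholders
}
checkNamedPlaceholders($good, $params);   // passes: safe to pass to $pdoI->prepare($good)
```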