I have MySQL table called cashreg and it has only one row called also cashreg and is set to VARCHAR 64 and utf8_general_ci. The problem is that while using this form :
<td>
<input placeholder="<?php echo SETTINGS_NEWCASHIER; ?>" class="form-control floating-label" name="newCashregInput" id="newCashreg" /></br>
<input style="width: 100%;" class="btn btn-success waves-effect waves-light" type="submit" name="newCashreg" id="newCashreg" align="right" value="PridÄ—ti kasos aparatÄ…"></input>
</td>
and
if(isset($_POST['newCashreg'])) {
mysql_query("INSERT INTO ".$table['cashreg']." VALUES (".$_POST['newCashregInput'].")");
}
the data from this form can be added to table if value is only made from numbers for example "984133" and for example "851fff", "gsdagsd", "fsdfas521" can't be added
you need to specify the column name in your SQL query for inserting a record. see https://www.w3schools.com/sql/sql_insert.asp
I will suggest you look into PDO. Your code is not safe.
But the answer to your question is qoutes. After concatenating the SQL statement it's wrong.
So the correct string should be INSERT INTO cashreg VALUES ('value')
You can insert number without a problem but if when you try to insert an alphanumeric string you need to quote it.
More info https://dev.mysql.com/doc/refman/8.0/en/string-literals.html
<?php if(isset($_POST['newCashreg'])) {
mysql_query("INSERT INTO $table['cashreg']."VALUES('".$_POST['newCashregInput']."')");
}
Your syntax is wrong. It should be:
INSERT into tablename (columnx, columny, etc) VALUES ('valX', 'valY', 'etc')
Stop using the ancient mysql lib. It has been removed from PHP. Please instead use PDO. And prepared statements, your current code is vulnerable to an SQL injection attack.
https://phpdelusions.net/pdo
Related
Just wondering if anyone can point out where I'm going wrong with the code below. I'm trying to gather the text from the form and UPDATE a field within the database with the text.
I have tested the SQL statement alone and it is updating the column correctly, but seems to be an issue with the PHP syntax as when i click on the submit button, it only insets '1' into the columns.
PHP:
$SubmitComments = isset($_POST['SubmitComments']);
$AddComment = isset($_POST['AddComment']);
if ($SubmitComments){
mysql_query ("UPDATE `table` SET `column` = '$AddComment' WHERE `column` = '$.....'") or die(mysql_error());
echo 'Comment added';
}
HTML:
<tr>
<td>Add Comment</td>
<td align="center"><form name="form1" method="POST" action=""><input name="AddComment" type="text" id="AddComment" autocomplete="off" placeholder="Add comments..." size="45px"><br />
<input type="submit" name="SubmitComments" id="SubmitComments" value="Submit"></form></td>
</tr>
Right, from the top. isset returns a bool, so $SubmitComments would only equal true or false, it will never equal the POST variable (Same with $AddComment). Consider instead:
if(isset($_POST['SubmitComments'])&&isset($_POST['AddComment']))
{
$SubmitComments = $_POST['SubmitComments'];
$AddComment = $_POST['AddComment'];
//Rest of Code
}
Second, table and column names do not need single quotes around them. And finally, as addressed in the comments, think about using MySQLi instead as if your script does eventually work, one malformed comment will erase your entire database.
Example:
If their comment is even just butts';-- It will make the SQL:
UPDATE table SET column = 'butts';--' WHERE column = '$.....'
Which is the equivalent of:
UPDATE table SET column = 'butts';
Making all of your comments just the word "butts", and that's just a humorously childish attack, compared to stealing usernames/passwords, trashing the database etc
I have a like button on my site http://zabavajsa.eu/new/ .
When you click on the button, it shoud add +1 like to the database and it doesn't work.
Here is my code:
<form method='post'>
<li>
<button class='like' name='like' value='48'>Like</button>
</li>
</form>
<?php
if(isset($_POST['like'])) {
$id = $_POST['like'];
require('db.php');
$resultiiik = $mysql->query("SELECT * FROM fotka WHERE id='{$id}'");
$p = $resultiiik->fetch_assoc();
$pocet = $p[like];
$pocet = $pocet +1;
$mysql->query("UPDATE fotka SET like='{$pocet}' WHERE id='{$id}'") or die ('This always write to me -.-');
}
?>
Firstly, this
<button class='like' name='like' value='48'>Like</button>
it needs a "type", let's use a "submit" type
<button class='like' name='like' value='48' type='submit'>Like</button>
then the word like is a MySQL reserved word which needs to be wrapped in ticks
SET `like`
http://dev.mysql.com/doc/refman/5.5/en/reserved-words.html
LIKE is used in string comparisons and pattern matching
http://dev.mysql.com/doc/refman/5.0/en/pattern-matching.html
http://dev.mysql.com/doc/refman/5.0/en/string-comparison-functions.html
Therefore it's best to stay away from using reserved words. You could use the word "likes" instead and won't require the column to be escaped, or do as above and wrap it in backticks.
You're also not getting MySQL to signal the proper errors with
or die ('This always write to me -.-')
use
or die(mysqli_error($mysql))
or
die('There was an error running the query [' . $mysql->error . ']')
Which would have triggered something like:
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'like
Edit:
As stated in comments, your code is vulnerable to SQL injection.
Use prepared statements, or PDO with prepared statements, they're much safer.
Additionally to #Fred -ii- 2 more bugs:
$pocet = $p[like];
like is a constant, but since you never define a constant named 'like' php will just treat it as string and print a notice if they are enabled. You should use $pocet = $p['like']; instead of $pocet = $p[like];
And: You don't need to fetch the value just to increment and update it. Your Database can do the work for you:
UPDATE fotka SET `like`=`like`+1 WHERE id='{$id}'
I am trying to insert a value into a MySQLi row using a select box, as seen below.
<select name="post_game"><option value="minecraft">Minecraft</option></select>
But I am faced with the error:
Undefined index: post_game
Is this because I should be using a different data type as oppose to using Varchar? I am also inserting values into other MySQLi rows using < input > instead of < select >, and they seem to go through just fine, which is why I believe it may have to do with the data type, and not my code.
But here is my code anyway:
<select name="post_game"><option value="minecraft">Minecraft</option></select>
$game=$_POST['post_game'];
$query = mysqli_query($con,"INSERT INTO servers (game) VALUES ('$game')");
Varchar will work just fine. If that is your entire code that you posted it won't work since there is not post request being made, in order to do that you need a form element
<form method="post">
<select name="post_game">
<option value="minecraft">Minecraft</option>
</select>
<input type="submit" name="submit" value="submit" />
</form>
<?php
if (isset($_POST["submit"]) && isset($_POST["post_game"]))
{
$game = mysqli_real_escape_string($con,$_POST["post_game"]);
$query = mysqli_query($con,"INSERT INTO servers (game) VALUES ('$game')");
}
?>
And also think about security as well. Bind your params, I'm on my phone so I wpnt get into that. This should be enough to get you going though
So i have this form
<form>Tag name:
<input type='text' name='tagname' />
<input type='submit' value='Add' />
<input type='hidden' name='id' value='$id' />
</form>
<hr />
it runs this script
if ($tagname)
{
mysql_query("INSERT INTO tags (id, tag) VALUES ($id, $tagname)");
?>
<script type="text/javascript">
alert("Tag added.");
history.back();
</script>
<?php
}
If i insert numbers in form it gets added to sql database nicely,but if it consist of alphabetical characters i get the alert but nothing is inserted in database.
I checked phpmyadmin if the structure is wrong(text/varchar/int...) tried most of them but it is the same.
You need single quotes to enclose strings within SQL queries:
mysql_query("INSERT INTO tags (id, tag) VALUES ('$id', '$tagname')");
And I'm conjecturing you also forgot to apply mysql_real_escape_string beforehand.
mysql_query("INSERT INTO tags (id, tag) VALUES ($id, '$tagname')");
Very common mistake. Think about escaping, or better - parametrizing queries. Concatenating an SQL query is an awful approach (so is putting in a small piece of code, together, HTML, PHP, SQL and JavaScript)
You need quotes around $id (unless it's a number) and $tagname in your mysql query.
As a side note, this is vulnerable to SQL injection.
I see a couple of issues with your code, first setting the value for the id input field:
<input type="hidden" name="id" value="<?php echo $id; ?>" />
And then, in the SQL you should use quotes:
mysql_query("INSERT INTO tags (id, tag) VALUES ($id, '$tagname')");
In so far as I can tell based on your code, and depending on how you're escaping, if you've no ajax to fetch the id you're running either of:
INSERT INTO tags (id, tag) VALUES (0, $tag)
INSERT INTO tags (id, tag) VALUES ('', $tag)
You should really be running:
INSERT INTO tags (tag) VALUES ('$tag')
I'm trying to execute
I have an html form in a page of this sort :
Name: <input type="text" id="namebox" value="" name="fields[]" /> <br />
Position: <input type="text" id="positionbox" value="" name="fields[]" /> <br />
<input type="hidden" name="createcard">
<input type="submit" value="Create">
.. and 3 other fields. I'm passing these 5 form fields by POST to a file process.php which has the following function to insert the array elements into a mysql DB.
if(isset($_POST['createcard'])){
$this->procCreateCardtheme1();
..
..
function procCreateCardtheme1(){
global $session;
$cardData = $_POST['fields'];
$username=$session->username;
$sno=1;
echo count($cardData);
while($sno < count($cardData))
{
$v=$cardData[$sno];
echo $v;
mysql_query("INSERT INTO carddata VALUES ('$username', $sno, '$v', 1)");
$sno++;
}
Now, the echo statement above returns the expected output, that is the five or so fields. But the mysql_query only executes once. It just stores the first entry in the DB, and nothing else. Even re-submitting the form does nothing at all. It's just the one entry that is stored in the DB.
Any ideas?
Do you have a unique constraint on username in the carddata table? This will cause the second insert to fail.
To debug this you should add some error checking to your program:
mysql_query("INSERT INTO carddata VALUES ('$username', $sno, '$v', 1)")
or trigger_error(mysql_error());
You might also need to use mysql_real_escape_string to avoid syntax errors or possible SQL injection vulnerabilities if the string data can contain quotes.
Single Loop iteration issue occurs when you have issue with variable for query ($query)
and Result Object ($result).
Try different name for variable inside the WHILE Loop or debug the variable inside the loop.