This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
Closed 4 years ago.
I have a problem, I can't upload anything to database. In my database in the jelenlet table there is a jelen which is integer and a gyerekneve which is text.
Here is my php code:
<?php
$servername = "...";
$username = "...";
$password = "...";
$dbname = "...";
// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
$sql = "INSERT INTO 'jelenlet' ('gyerekneve', 'jelen') VALUES ('barmi', 0)";
if ($conn->query($sql) === TRUE) {
echo "Hozzaadtad ezt a nevet: ";
} else {
echo "Error: " . $sql . "<br>" . $conn->error;
}
$conn->close();
?>
And don't know what is the problem with the code. The page says:
Error: INSERT INTO 'jelenlet' ('gyerekneve', 'jelen') VALUES ('barmi',
0) You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use
near ''jelenlet' ('gyerekneve', 'jelen') VALUES ('barmi', 0)' at line
1
$sql = "INSERT INTO jelenlet (gyerekneve, jelen) VALUES ('barmi', 0)";
This will work. BUT make sure to use prepared statements when you will try to pass variables to this one and not static values. The problem was that you were using single-quotes when you didn't have to. If you want to escape fields in a query you can use this : `
This query would also work :
$sql = "INSERT INTO `jelenlet` (`gyerekneve`, `jelen`) VALUES ('barmi', 0)";
Related
This question already has answers here:
PHP parse/syntax errors; and how to solve them
(20 answers)
Closed 5 years ago.
I want to send input data from a form on publish.php to updateCopy.php that will then update the "postCopy" column on my SQL database.
Here's my code so far:
publish.php
<form action="\.\.\updateCopy.php" method="post" id="newCopy">
<input type="text" name="postCopy">
<input type="submit">
</form>
updateCopy.php
<?php
$servername = "localhost";
$username = "root";
$password = "";
$dbname = "main";
// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
$sql = "UPDATE posts SET postCopy= var_dump ($_POST["postCopy"]); WHERE id=123456789";
if ($conn->query($sql) === TRUE) {
echo "Record updated successfully";
} else {
echo "Error updating record: " . $conn->error;
}
$conn->close();
?>
When I attempt to run this process I get the following error:
Parse error: syntax error, unexpected '"', expecting '-' or identifier (T_STRING) or variable (T_VARIABLE) or number (T_NUM_STRING)
Is anyone able to tell me how I can effectivley use var_dump ($_POST["postCopy"]); to include the updated postCopy info and then update my SQL db?
Don't know why are you trying to use var_dump to execute the SQL statement, that makes no sense, and then a ; too that will terminate the sql, if you talk about the error
$sql ="UPDATE posts SET postCopy= var_dump ($_POST["postCopy"]); WHERE id=123456789";
change it to
$sql ="UPDATE posts SET postCopy= '".$_POST['postCopy']."' WHERE id=123456789";
and the error will go away.
Note : This is not the optimal way and an open invite to sql injection, you should use prepared statements and parameterized queries either use PDO or MYSQLI
This question already has answers here:
PHP parse/syntax errors; and how to solve them
(20 answers)
Closed 5 years ago.
First off, yes I have done research and have seen tons of posts like this one. I see the post this is supposed to be a duplicate of but it was not helpful. I am very new with this and do not know how to apply their results to mine.
I'm getting this result when running:
Parse error: syntax error, unexpected '$_GET' (T_VARIABLE) in /storage/ssd4/269/2113269/public_html/updateuser.php on line 12
Here is my script:
<?php
$servername = "localhost";
$username = "username";
$password = "password";
$dbname = "database";
// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
$sql = "UPDATE Users ". "SET Status = '"$_GET["status"]"' ".
"WHERE Username = '"$_GET["username"]"'";
if ($conn->query($sql) === TRUE) {
echo "Record updated successfully";
} else {
echo "Error updating record: " . $conn->error;
}
$conn->close();
?>
Thank you a bunch for taking a look. I might be missing a semi-colon somewhere but I've looked over the code for a while. Please let me know!
You have to concatenate string using .
$sql = "UPDATE Users ". "SET Status = '".$_GET["status"]."' ".
"WHERE Username = '".$_GET["username"]."'";
You need to concatenate string and variable using dot(.) properly like this
$sql = "UPDATE Users
SET Status = '".$_GET["status"]."'
WHERE Username = '".$_GET["username"]."'";
This is because you end and start the statement with " before and after the the GET statement declaration; but haven't put the concatenation . in between the " and GET.
"SELETCT tb FROM db WHERE field = '".GET ['something']."'";
It's also a good habit to wrap the two GET in a IF statement and run the full code if bot Get has some value. Reduce the unnecessar SQL and PHP execution.
I am facing problem which is mentioned as follows.
ERROR: Could not able to execute
INSERT INTO user_db (Name,UserId,Ip_addr) VALUES ('jayesh vyas', 'jay', ::1).
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version
for the right syntax to use near '::1)' at line 1.
My code is mentioned as below.
<?php
$link = mysqli_connect("localhost", "root", "", "apptitude");
$ip_user = $_SERVER['REMOTE_ADDR'];
// Check connection
if($link == false){
die("ERROR: Could not connect. " . mysqli_connect_error());
}
// Escape user inputs for security
$uname = mysqli_real_escape_string($link, $_REQUEST['uname']);
$username = mysqli_real_escape_string($link, $_REQUEST['username']);
// attempt insert query execution
$sql = "INSERT INTO user_db (Name,UserId,Ip_addr) VALUES ('$uname', '$username', " . $ip_user . ")";
if(mysqli_query($link, $sql)){
echo "Records added successfully.";
} else{
echo "ERROR: Could not able to execute $sql. " . mysqli_error($link);
}
// close connection
mysqli_close($link);
?>
can anyone please help me to understand that why it is happened???
Thanks in advance.
Your SQL statement is missing single quotes around the IP address.
So as you did it for $user and $username, just use it again on $_SERVER['REMOTE_ADDR'] (after connecting to the MySQL server): $ip_user = mysqli_real_escape_string($link, $_SERVER['REMOTE_ADDR']);.
And as tadman said, please use prepared statements.
Btw. $_SERVER['REMOTE_ADDR'] must not the clients IP address. Take a look at this Post.
I am using the following code to insert Event Logs and User Info from my Mobile App to a mysql database.
I am finding the " Character gives me issues later on when in use with JSON arrays that I pull from the db. What I would like to do is remove the " character in the php code completely before posting to the db.
Removing the " character by Javascript from the Mobile App is not really an option.
<?php
$servername = "localhost";
$username = "Fred";
$password = "Barney";
$dbname = "BamBam";
// Create connection
$conn = new mysqli ($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
// escape variables for security
$event_log = mysqli_real_escape_string($conn, $_POST['event_log']);
$logged_by = mysqli_real_escape_string($conn, $_POST['logged_by']);
$sql = "INSERT INTO time_event (event_log, logged_by)
VALUES ('$event_log', '$logged_by')";
if ($conn->query($sql) === TRUE) {
echo "Data entered successfully";
} else {
echo "Error: " . $sql . "<br>" . $conn->error;
}
$conn->close();
?>
Use mysqli_prepare and mysqli_stmt_bind_param to execute a parameterised query. I strongly advise this approach.
If you really want to just escape special characters for manual interpolation
into a query string, use mysqli_real_escape_string.
Hand-rolling a solution presents a real risk that you will
miss something important, leaving your program vulnerable
to SQL injection attacks.
I did not try, but this should do
$sql = sprintf("INSERT INTO time_event (event_log, logged_by)
VALUES ('%s' ,'%s'",$event_log,$logged_by);
I am very new to php programming. I have tried googling and searching this website for a fix to this but I don't know what to even type into google to really find my answer.
I get the error:
unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING
I am unsure what I can do avoid this.I know it is caused by the ['userid'] but I need that as part of my coding.
Here is my code:
<?php
include ('auth/userInfo.php');
$servername = "example";
$username = "example_1";
$password = "example";
$dbname = "example_enter";
// Create connection
$conn = mysqli_connect($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
$userprofile['userid'] = mysqli_real_escape_string($userprofile['userid']);
$sql="INSERT INTO today (accessed)
VALUES ('$userprofile['userid']')";
if ($conn->query($sql) === TRUE) {
echo "Success";
} else {
echo "Error: " . $sql . "<br>" . $conn->error;
}
$conn->close();
?>
In case my coding is so bad that no one knows what it is attempting to do. I am attempting to write to a MySQL DB when a user has signed in.
The problem is caused by the fact that you are (a) using quotes to reference an array index inside a literal string (b) inserting a line break inside that same string:
$sql="INSERT INTO today (accessed)
VALUES ('$userprofile['userid']')";
What you probably meant to write is:
$sql="INSERT INTO today (accessed) VALUES ('" . $userprofile['userid'] . "')";
However even this is problematic due to SQL injection attacks - I recommend you read up on parameterized queries (mysqli_prepare).