can't reach header.php???
if ($_SERVER["REQUEST_METHOD"] == "POST") { $name = $_POST["firstname"]; $lastname = $_POST["lastname"]; $email = $_POST["email"]; $password = $_POST["password"]; $mobile = $_POST["mobile"]; $office_num = $_POST["office"];
$sql = mysqli_query($dbcon,"insert into `user_info`(`firstname`, `lastname`, `email`, `password`, `mobile`,`office_contact`) values('$name','$lastname','$email', '$password', '$mobile', $office_num)");
if (mysqli_query($dbcon, $sql)) {
echo "New record created successfully";
header("Location: header.php");
} else {
echo "Error: " . $sql . "<br>" . mysqli_error($dbcon); } ?>
This is the error I am receiving:
Error: 1
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '1' at line 1
The problem here is that you're using mysqli_query() twice.
$sql = mysqli_query($dbcon,"insert into... $office_num)");
^^^^^^^^^^^^ There
if (mysqli_query($dbcon, $sql))
^^^^^^^^^^^^ and there
The conditional statement is calling it again. You need to remove the first query call, which explains the 1 coming back as the error.
Your code is also prone to an sql injection; use a prepared statement:
https://en.wikipedia.org/wiki/Prepared_statement
You're also outputting before header with the following lines of code:
echo "New record created successfully"; // << Remove this line
header("Location: header.php");
Remove the echo statement for it and add exit; after header to avoid further execution.
Note: Make sure that the value for $office_num is indeed an integer such as 5551234 and not 555-1234. If it is the latter, you will need to wrap that variable with quotes as you did for the other string values.
Don't store plain text passwords, especially if you're going live with this.
Use password_hash() and password_verify() and please read over those manuals attentively:
http://php.net/manual/en/function.password-hash.php
http://php.net/manual/en/function.password-verify.php
Related
I am facing problem which is mentioned as follows.
ERROR: Could not able to execute
INSERT INTO user_db (Name,UserId,Ip_addr) VALUES ('jayesh vyas', 'jay', ::1).
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version
for the right syntax to use near '::1)' at line 1.
My code is mentioned as below.
<?php
$link = mysqli_connect("localhost", "root", "", "apptitude");
$ip_user = $_SERVER['REMOTE_ADDR'];
// Check connection
if($link == false){
die("ERROR: Could not connect. " . mysqli_connect_error());
}
// Escape user inputs for security
$uname = mysqli_real_escape_string($link, $_REQUEST['uname']);
$username = mysqli_real_escape_string($link, $_REQUEST['username']);
// attempt insert query execution
$sql = "INSERT INTO user_db (Name,UserId,Ip_addr) VALUES ('$uname', '$username', " . $ip_user . ")";
if(mysqli_query($link, $sql)){
echo "Records added successfully.";
} else{
echo "ERROR: Could not able to execute $sql. " . mysqli_error($link);
}
// close connection
mysqli_close($link);
?>
can anyone please help me to understand that why it is happened???
Thanks in advance.
Your SQL statement is missing single quotes around the IP address.
So as you did it for $user and $username, just use it again on $_SERVER['REMOTE_ADDR'] (after connecting to the MySQL server): $ip_user = mysqli_real_escape_string($link, $_SERVER['REMOTE_ADDR']);.
And as tadman said, please use prepared statements.
Btw. $_SERVER['REMOTE_ADDR'] must not the clients IP address. Take a look at this Post.
I am retrieving data from the joomla Database.
I am searching for the tag <img alt=''"> in the content and I want the alt tag value as the articles title.
But when I Update the content in database I get the following error.
"Error updating record: You have an error in your SQL syntax; check
the manual that corresponds to your MySQL server version for the right
syntax to use near 's, each catering to different testing needs of an
organization. It has f' at line 1"
Please Check the Code given below.
$link= "SELECT * FROM as23dc_content LIMIT 1";
$link_result = mysqli_query($conn, $link);
while($row_link= mysqli_fetch_assoc($link_result)) {
$content = $row_link["introtext"];
$add_alt_title = 'alt="'.$row_link["title"].'"';
$content1 = preg_replace('/(alt)=("[^"]*")/i', "$add_alt_title", $content);
//echo $content1;
$sql = "UPDATE as23dc_content SET introtext='".$content1."' WHERE id='".$row_link["id"]."'";
//print_r($sql);
if(mysqli_query($conn, $sql)) {
echo "Record updated successfully";
} else {
echo "Error updating record: " . mysqli_error($conn);
}
}
The problem is that your $content1 string has quotes that confuse the SQL parser because it has a hard time knowing where that value ends.
Use prepared statements instead because they make it impossible for the parser to become confused
//Put '?' where the values would be
$sql = "UPDATE as23dc_content SET introtext = ? WHERE id = ?"
$stmt = mysqli_prepare($conn, $sql) or die (mysqli_error($conn));
//bind the values to the '?' parameters (replace 's' with 'i' for integer values)
$stmt->bind_param('ss', $content1, $row_link['id']);
//execute the query and abort on error
$stmt->execute() or die ($stmt->error);
if($stmt->affected_rows) echo "Record updated successfully."
else echo "Record could not be found. No change was made."
I'm almost sure that you are generating invalid sql.
introtext='".$content1."'
witch generate something like
introtext='sometest'
Pay attention to the quotes!
Same goes for
id='".$row_link["id"]."'"
is the problem (unsafe too)
Please read
How to use mysqli prepared statements in PHP?
and official php docs http://php.net/manual/en/mysqli.prepare.php
You can escape single quotes using this
$content1 = preg_replace('/(alt)=("[^"]*")/i', "$add_alt_title", $content);
$content1 = mysqli_real_escape_string($conn, $content1);//Procedural
OR
$content1 = preg_replace('/(alt)=("[^"]*")/i', "$add_alt_title", $content);
$content1 = $conn->real_escape_string($content1);//OOPS
After this you can insert into database.
I am doing php and writing some code to insert data into different tables at the same time. I wrote a foreach loop and one part of my code is as follows:
while ($datarow = dbgetrow($dataresult)) {
if ( $dotcount > $datanumrows) {
showarchivestatus(" .", true);
$dotcount = 1;
}
$sqlvalues = "";
You need to escape your string before putting it into the database.
Here is a basic example of how to do it in MySQLi
<?php
$con=mysqli_connect("localhost","my_user","my_password","my_db");
// Check connection
if (mysqli_connect_errno()) {
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
// escape variables for security
$firstname = mysqli_real_escape_string($con, $_POST['firstname']);
$lastname = mysqli_real_escape_string($con, $_POST['lastname']);
$age = mysqli_real_escape_string($con, $_POST['age']);
$sql="INSERT INTO Persons (FirstName, LastName, Age)
VALUES ('$firstname', '$lastname', '$age')";
if (!mysqli_query($con,$sql)) {
die('Error: ' . mysqli_error($con));
}
echo "1 record added";
mysqli_close($con);
?>
Here is an example of PDO:
<?php
$conn = new PDO('sqlite:/home/lynn/music.sql3');
/* Dangerous string */
$string = 'Naughty \' string';
print "Unquoted string: $string\n";
print "Quoted string:" . $conn->quote($string) . "\n";
?>
You may want to consider using a prepared statement. There are several benefits to this including:
Security - Helps prevent SQL injection
Speed - You only are sending the values.
http://www.w3schools.com/php/php_mysql_prepared_statements.asp
Sources:
http://www.w3schools.com/php/func_mysqli_real_escape_string.asp
http://php.net/manual/en/mysqli.real-escape-string.php
http://php.net/manual/en/pdo.quote.php
I'm currently working on creating a login system, one part of which is of course registration. It's been going smoothly up until this point, where I'm getting an error.
I've researched this as thoroughly as I can, but I can't find the solution as it is giving me an incorrect line number.
The error I'm getting is:
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1' at line 1
My SQL query is
$token = (round(microtime(true) * 1000));
$query = mysql_query("INSERT INTO "
. "`users` "
. "(name, password, email, token) "
. "VALUES "
. "('$_POST[user]'"
. ",'".hash('sha512',$_POST['pass'])."'"
. ",'$_POST[email]'"
. ",'$token')") or die(mysql_error());
if (mysql_query($query) === TRUE) {
//echo "Sucsessfuly registered! Check your email for a confirmation link.";
} else {
echo "Error: " . mysql_error();
}
(this is not the first line of the file, it's the 22d)
When the code runs, even though it throws the error it still is inserting the values into the table correctly.
Also when I run the same query in phpmyadmin, it runs just fine with no errors.
I've been trying to solve this error for the last 3 hours so any help would be appreciated ;)
You're calling mysql_query twice: first with the SQL, and then you're using the result of the query as if it were a query. The error you're getting is because $query is true, which gets turned into 1 when treated as a string.
Either you should just set $query to the SQL string:
$query = "INSERT INTO ...";
if (mysql_query($query)) {
...
} else {
...
}
or you should just check the value of $query:
$query = mysql_query(...);
if ($query) {
...
} else {
...
}
I post the data of dynamically generated textbox in PHP. When I post the data using real_escape_string(), i.e:
$ingredient = mysql_real_escape_string($_POST['ingredient']);
...it doesn't post data from textbox and I use simple $_POST['']; method i.e:
$ingredient = $_POST['ingredient'];
...it gives me error when I use a single quote (') in my text.
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's', 'fgad', '55')' at line 2
this was my old post i solved the problem locally by enabling magic_quotes_gpc = On but when upload this on my server it does't work again so how can i turn on magic quotes on server.
Do you have an open database connection? mysql_real_escape_string needs a MySQL server to talk to in order to function.
You might want to try
$ingredient = $_POST['ingredient'];
$ingredient = mysql_real_escape_string($ingredient);
<?php
$con=mysqli_connect("localhost","my_user","my_password","my_db");
// Check connection
if (mysqli_connect_errno()) {
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
// escape variables for security
$firstname = mysqli_real_escape_string($con, $_POST['firstname']);
$lastname = mysqli_real_escape_string($con, $_POST['lastname']);
$age = mysqli_real_escape_string($con, $_POST['age']);
$sql="INSERT INTO Persons (FirstName, LastName, Age)
VALUES ('$firstname', '$lastname', '$age')";
if (!mysqli_query($con,$sql)) {
die('Error: ' . mysqli_error($con));
}
echo "1 record added";
mysqli_close($con);
?>
you must used connection db see
http://php.net/manual/en/mysqli.real-escape-string.php
you can use also
string mysqli::real_escape_string ( string $escapestr )
I think this might be related to the "magic" quotes feature -- see this page for details: Magic Strings & SQL
Basically, because of problems with SQL injection attacks, they pre-escaped strings with quotes after a certain version of PHP (I think it was 5.0, but I could be wrong). So the end result is that now your software has to check for the software version and behave differently depending on whether the string is already escaped or not.