Closed. This question needs debugging details. It is not currently accepting answers.
Edit the question to include desired behavior, a specific problem or error, and the shortest code necessary to reproduce the problem. This will help others answer the question.
Closed 5 years ago.
$insert_query = "Asset Addition (server_name, phy_ip, nat_ip, server_model) values ('$server_name','$phy_ip','$nat_ip','$server_model')";
if(mysqli_query($con, $insert_query))
Do you think there is an issue with the syntax here?
"Do you think there is an issue with the syntax here?"
Yes, as I said in comments; syntax is English-based.
You need to use: INSERT INTO your_table, replacing your_table with your table's actual name.
Your code is also open to SQL injection; use a prepared statement.
https://en.wikipedia.org/wiki/Prepared_statement
and mysqli_error($con) on the query.
Edit: Now seeing more comments, make sure you did successfully connect to your database and are using the same MySQL API, that all variables contain a value, and that you are running off a webserver with PHP/MySQL installed and running.
Reference(s):
http://php.net/manual/en/function.mysqli-connect.php
http://php.net/manual/en/function.error-reporting.php
Example:
if(mysqli_query($con, $insert_query)) {
echo "Success";
} else {
echo "Error: " . mysqli_error($con);
}
Should this also fail, then you may also be inserting characters that MySQL is complaining about, such as an apostrophe, and it is seeing it as an SQL injection.
Therefore you will need to escape that data, which you should be doing in any case.
Again; use a prepared statement.
You need to make sure that the column types/lengths can also accommodate the incoming data. That could fail silently.
Closed. This question needs debugging details. It is not currently accepting answers.
Closed 5 years ago.
Ex: If I have code :
$data = array('a','b','c');
foreach($data as $val){
mysql_query("INSERT INTO db (`title`)VALUES('$val')");
}
I want to insert all the data from the variable $val. How can I code it?
Please help!
Thanks!
There are two things wrong which I can see at a glance.
mysql is deprecated, use mysqli instead. Reference
Since you will have to switch over to mysqli you will need to reference your database connection every time you want to do a mysql database related operation, unless you do some PHP magic (classes or methods).
Other than these two, I guess there is no problem in your code; the for loop should work perfectly fine.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 6 years ago.
This question was caused by a typo or a problem that can no longer be reproduced. While similar questions may be on-topic here, this one was resolved in a way less likely to help future readers.
I am a beginner at PHP and MySQL. Here is my simple code to add data to a database. It is not working.
The connection.php (sets up the MySQL connection variables) files have already been created and are working fine with other files and functions. I am receiving no errors, yet this code does not add the data to the database.
Could someone please tell me where the problem could be?
<?php
if (isset($_POST['bookt']) & isset($_POST['type']) & isset($_POST['publisher']) & isset($_POST['year']) & isset($_POST['class']) & isset($_POST['subject'])) {
//set the values
$bookt= $_POST['bookt'];
$type= $_POST['type'];
$publ=$_POST['publisher'];
$year=$_POST['year'];
$class= $_POST['class'];
$subj= $_POST['subject'];
//INSERTING A ROW
$add_query= "INSERT INTO books ('Book Title','Type','Publisher','Yearp', 'Class','Subject')
VALUES ('$bookt','$type','$publ','&year','$class','$subj')";
//query
$result=mysql_query($add_query);
if (!$result) {die("couldn't perform query".mysql_error());}
if ($result) {echo " </ br> <p><script type='text/javascript'>alert('INSERT SUCCESSFUL!!!');</script></p><br /><br /> insert id was ".mysql_insert_id();}
};
?>
You have a lot of major problems with this code.
First, please don't use mysql_*; the mysql_* functions are outdated, deprecated, and insecure. They were removed entirely from PHP 7. Use MySQLi or PDO instead.
Second, the Boolean "and" operator is &&, not & (the bitwise "and" operator).
Third, it's $year, not &year.
Fourth, put column names in backticks, not single quotes ('...'):
$add_query= "INSERT INTO books (`Book Title`,`Type`,`Publisher`,`Yearp`, `Class`,`Subject`)
VALUES ('$bookt','$type','$publ','$year','$class','$subj')";
Single quotes will cause your query to fail. This is why your query isn't working at all.
Fifth, you aren't doing any error checking or data validation.
Sixth, you are wide open to SQL injection. You need to use prepared statements and never put user input directly into SQL.
There may be even more issues, but these are the big ones.
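The fixes listed in the answer above, together with the prepared-statement advice from the earlier asset-insert answer, combined in one added example that is not part of the original posts. It assumes PDO with an in-memory SQLite database standing in for MySQL, a hypothetical `add_book()` helper, and constructed sample form data.

```php
<?php
// Added example; not code from the original posts.
// Assumption: in-memory SQLite stands in for MySQL so this runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // failures throw
$pdo->exec('CREATE TABLE books (`Book Title` TEXT, `Type` TEXT, `Publisher` TEXT,
            `Yearp` INTEGER, `Class` TEXT, `Subject` TEXT)');

// Hypothetical helper: returns the new row id, throws on invalid input.
function add_book(PDO $pdo, array $post): int
{
    $fields = ['bookt', 'type', 'publisher', 'year', 'class', 'subject'];
    foreach ($fields as $f) {
        // Each field must be present and a non-empty string (not an array).
        if (!isset($post[$f]) || !is_string($post[$f]) || trim($post[$f]) === '') {
            throw new InvalidArgumentException("missing or invalid field: $f");
        }
    }
    $year = filter_var($post['year'], FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1000, 'max_range' => 9999]]);
    if ($year === false) {
        throw new InvalidArgumentException('year must be a four-digit number');
    }
    // Identifiers go in backticks; values travel only as bound parameters.
    $stmt = $pdo->prepare('INSERT INTO books
        (`Book Title`, `Type`, `Publisher`, `Yearp`, `Class`, `Subject`)
        VALUES (:title, :type, :publisher, :year, :class, :subject)');
    $stmt->execute([
        ':title' => $post['bookt'], ':type' => $post['type'],
        ':publisher' => $post['publisher'], ':year' => $year,
        ':class' => $post['class'], ':subject' => $post['subject'],
    ]);
    return (int) $pdo->lastInsertId();
}

// Constructed sample input; the apostrophes would break an interpolated query.
$post = ['bookt' => "Teacher's Guide", 'type' => 'Textbook', 'publisher' => "O'Reilly",
         'year' => '2014', 'class' => 'Form 2', 'subject' => 'Physics'];
echo 'inserted row ', add_book($pdo, $post), "\n";

try {
    add_book($pdo, ['year' => 'abc'] + $post); // array union keeps the left 'year'
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```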
If you want multiple conditions in your if-statement use a logical operator "&". Also mysql_ has been gone from PHP7 for a long time.
Closed. This question needs debugging details. It is not currently accepting answers.
Closed 6 years ago.
When I use a variable in the WHERE clause of my UPDATE, the update doesn't take place.
$eventid=$_GET['id'];
$sql = "UPDATE events SET name=:name WHERE id=:id";
$q = $conn->prepare($sql);
$q->execute(array(':name'=>$name,':id'=>$eventid));
When I echo $_GET['id'] I get the correct value.
$_GET['id'] is the value I have passed from another page
People are saying you're vulnerable to sql injection attacks because you're passing an id via a $_GET parameter to an update statement where you directly use the $_POST superglobal.
In order to make it more secure, you could start by passing the ID via $_POST as well, and not using $_POST directly in your SQL.
But that's not the question you asked.
I would hazard to guess it's not updating because you're passing ID as a string, which it probably isn't.
Try changing
WHERE id='".$_GET['id']."'");
to
WHERE id=".$_GET['id']."");
Save your query to a string variable so you can debug what you are sending to the MySQL db. Then try to run the resulting query directly on the db.
$DBcon->query($strSQL);
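An added example (not part of the original posts) for the prepared UPDATE in the question: it validates the `id` taken from the request as an integer and uses `rowCount()` to tell "no row matched" apart from a failure. It assumes an in-memory SQLite database standing in for MySQL, a hypothetical `rename_event()` helper, and constructed rows and inputs.

```php
<?php
// Added example; not code from the original posts.
// Assumption: in-memory SQLite stands in for MySQL; the rows are constructed.
$conn = new PDO('sqlite::memory:');
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$conn->exec('CREATE TABLE events (id INTEGER PRIMARY KEY, name TEXT)');
$conn->exec("INSERT INTO events (id, name) VALUES (1, 'Launch'), (2, 'Review')");

// Hypothetical helper: returns 'updated', 'no-match' or 'bad-id'.
function rename_event(PDO $conn, $rawId, string $name): string
{
    // Request values arrive as strings or arrays; accept only a positive integer.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return 'bad-id';
    }
    $q = $conn->prepare('UPDATE events SET name = :name WHERE id = :id');
    $q->bindValue(':name', $name, PDO::PARAM_STR);
    $q->bindValue(':id', $id, PDO::PARAM_INT);
    $q->execute(); // throws PDOException on SQL errors (ERRMODE_EXCEPTION)
    // On MySQL, rowCount() counts changed rows by default, so it is also 0
    // when the row exists but already holds this name.
    return $q->rowCount() > 0 ? 'updated' : 'no-match';
}

// Constructed inputs: a valid id, an unknown id, a non-numeric string, an array.
$cases = [['1', 'Kickoff'], ['99', 'Ghost'], ['1 OR 1=1', 'x'], [['1'], 'x']];
foreach ($cases as [$rawId, $name]) {
    echo json_encode($rawId), ' => ', rename_event($conn, $rawId, $name), "\n";
}
```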
Closed. This question needs debugging details. It is not currently accepting answers.
Closed 7 years ago.
I have code like this, but when I click submit it gives me this error:
mysqli_real_escape_string() expects parameter 2 to be string, array given
Where should I do or put the mysqli_real_escape_string?
if(!empty($_POST['poscon'])) {
    foreach($_POST['poscon'] as $condition) {
        $condition=mysqli_real_escape_string($link,$_POST['poscon']);
    }
}
Seeing you're not responding to comments, I'm posting this as an answer.
- Maybe you'll respond then.
You see your foreach($_POST['poscon'] as $condition)?
You're using the wrong parameter and passing the array instead of the $condition variable.
Do $condition=mysqli_real_escape_string($link,$condition);
Whenever you take user input from the view, you should check it.
mysqli_real_escape_string Definition
This function is used to create a legal SQL string that you can use in an SQL statement. The given string is encoded to an escaped SQL string, taking into account the current character set of the connection.
mysqli_real_escape_string Manual
Normal text
Early `$name = $_POST['name'];`
New Practice `$name = mysqli_real_escape_string($link, $_POST['name']);`
URL
Early `$url = $_POST['url'];`
New Practice `FILTER_VALIDATE_URL` [Check Example](http://www.w3schools.com/php/filter_validate_url.asp)
E-Mail
Early `$email = $_POST['email'];`
New Practice `FILTER_VALIDATE_EMAIL` [Check Example](http://www.w3schools.com/php/filter_validate_email.asp)
More Useful Articles
Is mysqli_real_escape_string safe?
mysql(i)_real_escape_string, safe to rely on?
mysqli::real_escape_string, mysqli_real_escape_string
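An added example (not part of the original posts) for the array-valued `poscon` field above and for the earlier question about inserting every element of an array in a loop: each element is checked, then inserted through one statement that is prepared once and executed per element. It assumes an in-memory SQLite database standing in for MySQL; the `conditions` table, its `label` column, the `save_conditions()` helper and the sample form data are hypothetical.

```php
<?php
// Added example; not code from the original posts.
// Assumptions: in-memory SQLite stands in for MySQL; the `conditions` table and
// its `label` column are hypothetical; $post is constructed sample form data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE conditions (id INTEGER PRIMARY KEY, label TEXT NOT NULL)');

// Stores every usable element of an array field; returns how many were inserted.
function save_conditions(PDO $pdo, $raw): int
{
    if (!is_array($raw)) {
        return 0; // an array field was expected, got a scalar or nothing
    }
    // Keep only non-empty strings; nested arrays are dropped.
    $values = [];
    foreach ($raw as $item) {
        if (is_string($item) && trim($item) !== '') {
            $values[] = trim($item);
        }
    }
    $stmt = $pdo->prepare('INSERT INTO conditions (label) VALUES (:label)');
    $pdo->beginTransaction(); // all rows or none
    try {
        foreach ($values as $value) {
            $stmt->execute([':label' => $value]); // prepared once, run per element
        }
        $pdo->commit();
    } catch (Throwable $e) {
        $pdo->rollBack();
        throw $e;
    }
    return count($values);
}

$post = ['poscon' => ["won't start", 'overheats', '', ['nested'], 'a"b\\c']];
echo save_conditions($pdo, $post['poscon'] ?? null), " rows inserted\n";
echo save_conditions($pdo, 'not-an-array'), " rows inserted\n";
foreach ($pdo->query('SELECT label FROM conditions') as $row) {
    echo $row['label'], "\n";
}
```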
Closed. This question needs debugging details. It is not currently accepting answers.
Closed 7 years ago.
I am trying to output the sum of tuples from a table. The SQL statement is OK and gives me results. My problem is printing the answer on a form. Below is my code:
<?php
$r=mysql_query("select sum(total_amount) from lbc_production where link_id='C741_Link01' and execution_date BETWEEN '2014-12-01' AND '2014-12-31'");
$rows=mysql_fetch_assoc($r);
echo $r;
echo $rows['(total_amount)'];
?>
It outputs Resource id #9 on a form but I want a figure.
You have two issues:
$r contains the resource ID for your MySQL connection. You echo it out. That's why you see that. Stop doing that and it goes away.
You are not using the right array key to access the sum value you seek, so nothing is output. If you had error reporting turned on, PHP would have told you this.
Here's improved code to resolve these issues:
<?php
$r=mysql_query("select sum(total_amount) as total from lbc_production where link_id='C741_Link01' and execution_date BETWEEN '2014-12-01' AND '2014-12-31'");
$rows=mysql_fetch_assoc($r);
echo $rows['total'];
?>
I removed the line where you echo out the MySQL resource and added an alias to sum(total_amount), which makes it easier to access via PHP. The alias is called total, which I use as the key to access that value from the $rows array.
FYI, you shouldn't use mysql_* functions in new code. They are no longer maintained and are officially deprecated. See the red box? Learn about prepared statements instead, and use PDO or MySQLi - this article will help you decide which. If you choose PDO, here is a good tutorial.