This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 5 years ago.
Maybe a silly question, but I'm really struggling.
I've created a MySQL Database and Table and am trying to push data into it. The data in question is a unique ID and a load of Javascript.
Code is simple:
$sql = "INSERT INTO TableName (id, code)
VALUES ('$uniqueid', '$codeoutput')";
However, whilst I can get the ID in there, I can't get the DB to accept the Javascript (which is currently stored in the variable $codeoutput.
I get the error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax
I'm not that familiar with using MySQL, and I have played around with different data types in PhpMyAdmin, but sadly still no luck.
What am I doing wrong? Do I need to have a very specific setup on the column where I'm storing the code? I'm currently trying to store it as medium text.
Is it something to do with needing to escape special characters? Is there an easy solution to this?
simplest way to do it is
$sql = "INSERT INTO TableName ($uniqueid) VALUES ('id')";
$sql2 = "INSERT INTO TableName ($codeoutput) VALUES ('code')";
Related
This question already has answers here:
How to insert utf-8 mb4 character(emoji in ios5) in mysql?
(2 answers)
Closed 6 years ago.
So I use the following line of code to insert a chat message into my MySQL database:
$this->db->query("INSERT INTO group_messages (group_message_text,group_message_group_id,group_message_user_id) VALUES ('$message','$group_id','$user_id');");
This works great until the users tries to use characters like ' or emoji's. How do I handle that properly?
To store emoji's in your database you have to store it in utf8mb4. See this answer.
You should also escape your text bevor storing it into the database. See this answer as well.
Might be the Syntax error:
Please try using
$this->db->query("INSERT INTO group_messages (group_message_text,group_message_group_id,group_message_user_id) VALUES ('".$message."','".$group_id."','".$user_id."');");
Hope this will help :)
This question already has answers here:
How do I get the last inserted ID of a MySQL table in PHP?
(16 answers)
Closed 6 years ago.
I tried to find an answer on here already, as well as read the PHP doc on it, however it doesn't explain it very well.
I'm just trying to get the last ID inserted by the user. I know MYSQL is deprecated, but I need to do it this way.
This is what I have so far.
$query="INSERT INTO teams (team_name)
VALUES
('$team_name')";
mysql_query($query) or die('error');
$team_id = mysql_query("SELECT LAST_INSERT_ID()");
Thanks!
Take a look at mysql_insert_id
But beware of the issues when using ON DUPLICATE KEY UPDATE statements. It is described in the comments on the php doc page.
But your solution should work, too.
Also, if you're using mysql, don't forget to mysql_real_escape your input, $team_name in your case.
[insert obligatory mysql is deprecated warning here ;)]
You can do it by PHP. You don't need a query: mysql_insert_id()
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Syntax error due to using a reserved word as a table or column name in MySQL
(1 answer)
Closed 8 years ago.
I have this following sql code:
$sql = "INSERT INTO data (Artist, Name) VALUES ('TF2', 'you're right behind me')";
The code itself looks normal but for some reason mysql doesn't want to allow me to save it. I get the following error:
"#1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 're right behind me')' at line 1"
What I know the problem is because of the word "right" being reserved in mysql but I need to save it so how should my code look like. All help is appreciated
As #Fred and #JunM have already commented, you have two issues. The first is that Name is a reserved word. The second is that you have a single quote inside your single quoted string. Change your SQL to this:
$sql = "INSERT INTO data (`Artist`, `Name`) VALUES ('TF2', 'you\'re right behind me')";
Your problem is because you have an ' in the work you're. So your string is terminating to early in your sentence. Use you\'re instead to escape the character '
$sql = "INSERT INTO data ('Artist', 'Name') VALUES ('TF2', 'you\'re right behind me')";
My experience with MySQL is limited, but I use SQL Server extensively. To me it seems that the problem is in the apostrophy used in the "you're right behind me". In SQL server, I'd have to use a double apostrophy, so the sql instruction would be something like this (notice the double apostrophy in the you''re):
$sql = "INSERT INTO data (Artist, Name) VALUES ('TF2', 'you''re right behind me')";
Hope this helps.
Regards
This question already has answers here:
Closed 11 years ago.
Possible Duplicate:
Can a number used to name a sql column
I am trying to figure out what is wrong with this code
$query = "UPDATE $table SET '$_GET[qty]'=$_GET[newprice] WHERE 'id'='1'";
this is what $query looks like - UPDATE retail_12x18 SET '25'=100 WHERE 'id'='1'
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''25'=100 WHERE 'id'='1'' at line 1
I have put backticks ' every which way and cant get it to go through, always the same error message.
use backtick around your field name:
UPDATE table SET `25` = '{thevalue}', `100` = '{thevalue}', `200` = '{thevalue}' WHERE wherefield = '{wherevalue}'
See here (look for backtick word): http://dev.mysql.com/doc/refman/5.0/en/identifiers.html
It's a bit hard to know for sure, without seeing the table definition, but:
[1] It might be the column types. For instance this bit:
type=" .$_GET['type'];
is trying to set the value of the "type" column without using quotes. It will fail if the "type" column is type like varchar, for example.
[2] You need to use backtics if you're going to have numeric column names
[3] It really must be said that the main thing that's wrong with your code is that you are putting un-escaped $_GET values into your SQL query. Anyone could mount an SQL injection attack by putting SQL into the URL of the page. Very bad practice.
http://en.wikipedia.org/wiki/SQL_injection
This question already has answers here:
Closed 11 years ago.
Possible Duplicate:
How to get Insert id in MSSQL in PHP?
im working in project by php and sql server 2000, how i can get inserted id like mysql_inserted_id function which work with mysql .
im googled in the internet and cant find something...please leave example to how use it
You probably want to use SCOPE_IDENTITY() (which you can return via a SELECT statement) but the operator you use to get the latest ID depends on your implementation (your stored procedure may do more than one insert, for example, in which case ##IDENTITY would return only the latest ID). Check out this explanation:
http://www.sqlteam.com/article/alternatives-to-identity-in-sql-server-2000