Have seen tons of similar questions but still can't find out what's going on.
I'm using PHP's PDO to prepare a statement like that:
try{
$statement = $db->prepare("INSERT INTO $date (name, surname, email, phone, comment) VALUES (:name, :surname, :email, :phone, :comment)");
$statement->bindParam(':name', $name);
$statement->bindParam(':surname', $surname);
$statement->bindParam(':email', $email);
$statement->bindParam(':phone', $phone);
$statement->bindParam(':comment', $comment);
$statement->execute();
}
catch(PDOException $e){
die("Connection to database failed: " . $e->getMessage());
}
Have tried escaping everything with [] and specifying the database name before table name, but keep getting
SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in
your SQL syntax; check the manual that corresponds to your MySQL server
version for the right syntax to use near '2017-08-11 (name, surname, email,
phone, comment) VALUES ('Test', 'Test', 'Test#' at line 1
INSERT INTO $date
It seems that there is a 2017-08-11 in $date var.
If you want to insert data into '2017-08-11' table, it should be escaped with ` symbol
try{
$statement = $db->prepare("INSERT INTO `$date` (name, surname, email, phone, comment) VALUES (:name, :surname, :email, :phone, :comment)");
$statement->bindParam(':name', $name);
$statement->bindParam(':surname', $surname);
$statement->bindParam(':email', $email);
$statement->bindParam(':phone', $phone);
$statement->bindParam(':comment', $comment);
$statement->execute();
}
catch(PDOException $e){
die("Connection to database failed: " . $e->getMessage());
}
Assuming that 2017-08-11 is a table name, simply encase it in backticks.
$statement = $db->prepare("INSERT INTO `$date` (name, surname, email, phone, comment) VALUES (:name, :surname, :email, :phone, :comment)");
sorry but you can't use special character when using the prepare statement, so what MySQL is actually seeing is INSERT INTO $date (name, surname, email, phone, comment) VALUES (:name, :surname, :email, :phone, :comment) which will trigger a syntax error.
here is a quick solution
try{
$db->query("INSERT INTO $date (name, surname, email, phone, comment) VALUES ($name, $surname, $email, $phone, $comment)");
}
catch(PDOException $e){
die("Connection to database failed: " . $e->getMessage());
}
Related
So bassically I can't seem to send the array with the input values to my database.
I tried sending it seperately, it works, but it only sends the array or the way around. There are no errors.
if (isset($_POST['submit'])) {
$services = implode ("|", $_POST['services']);
mysqli_query($mysqli, "INSERT INTO klientai (package, name, surname, email, phone, message, services) VALUES('$_POST[package]', '$_POST[name]', '$_POST[surname]', '$_POST[email]', '$_POST[phone]', '$_POST[message]', '$services'");
}
mysql_query function is deprecated and is not secured, You should use another option.
You can use PDO for example:
https://www.php.net/manual/en/book.pdo.php
open connection
$pdo = new PDO('mysql:host=localhost;dbname=test', $user, $pass);
insert method 1
$sql = "INSERT INTO users (name, surname, sex) VALUES (?,?,?)";
$stmt= $pdo->prepare($sql);
$stmt->execute([$name, $surname, $sex]);
insert method 2
$data = [
'name' => $name,
'surname' => $surname,
'sex' => $sex,
];
$sql = "INSERT INTO users (name, surname, sex) VALUES (:name, :surname, :sex)";
$stmt= $pdo->prepare($sql);
$stmt->execute($data);
also check https://phpdelusions.net/pdo_examples/insert and
https://www.startutorial.com/articles/view/pdo-for-beginner-part-1
In this method, you don't need to escape your strings for SQL injection and it should also solve your problem.
I'm trying to pull information from an HTML form and put this into a database using the following code:
$link = mysqli_connect("localhost", "user", "password", "MyDB");
if($link === false){
die("ERROR: Could not connect. " . mysqli_connect_error());
}
$sql = "INSERT INTO interest (name, email, dob, address)
VALUES ('$fullname', '$email', '$dob' '$addr')";
if(mysqli_query($link, $sql)){
echo "Records added successfully.";
}else{
echo "ERROR: Could not able to execute $sql. " . mysqli_error($link);
}
mysqli_close($link);
It was working, and I've managed to get 2 test runs in, but now I'm getting the following error at the top of my submission page
ERROR: Could not able to execute INSERT INTO MyDB (name, email, dob,
address) VALUES ('test name', 'test#email.com', '2003-02-01'
'address'). Column count doesn't match value count at row 1
I have another variant of this which sends a PHP email, which is the file I'm using to base this database connection on.
There is also an autoincrement on ID column which is set as the primary key in the database if that makes a difference? SQL isn't my strong point unfortunately!
Given the syntax error you have in your query, being a missing comma in '$dob' '$addr'; you are open to an SQL injection and should be using a prepared statement.
Therefore, I am submitting this complementary answer for your own safety.
Here is an example of a prepared statement using the MySQLi API.
<?php
error_reporting(E_ALL);
ini_set('display_errors', 1);
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$link = mysqli_connect('localhost', 'xxx', 'xxx', 'my_db');
if (!$link) {
die('Connect Error: ' . mysqli_connect_error());
}
// assuming these are the POST arrays taken from your HTML form if you're using one.
$fullname = $_POST['fullname'];
$email = $_POST['email'];
$dob = $_POST['dob'];
$addr = $_POST['addr'];
$sql = ("INSERT INTO interest (name, email, dob, address) VALUES (?, ?, ?, ?)");
$stmt = $link->prepare($sql) or die("Failed Execution");
$stmt->bind_param('ssss', $fullname, $email, $dob, $addr);
$stmt->execute();
echo $stmt->error;
echo "SUCCESS";
exit();
References:
How can I prevent SQL injection in PHP?
http://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php
http://php.net/pdo.prepared-statements
Foonotes:
If using the following failed because of the AI'd column:
$sql = ("INSERT INTO interest (name, email, dob, address) VALUES (?, ?, ?, ?)");
You may also try: (I used id as the AI'd column as an example)
$sql = ("INSERT INTO interest (id, name, email, dob, address) VALUES ('', ?, ?, ?, ?)");
This could be the case, as I have seen this type of SQL failure behaviour before.
You have missed comma here:
VALUES ('$fullname', '$email', '$dob' '$addr')
Thus (as it was clearly said in error text) column count doesn't mach values count.
It should be
VALUES ('$fullname', '$email', '$dob', '$addr')
You missed a comma
$sql = "INSERT INTO interest (name, email, dob, address)
VALUES ('$fullname', '$email', '$dob', '$addr')";
^here
You missed a comma:
VALUES ('$fullname', '$email', '$dob' '$addr')
I dont get any errors, but when I refresh my database nothing seems to be going through. The connection credentials are definitely correct.
$query = $pdo->prepare('INSERT INTO direct_transfer (fname, lname, add, city, post, country, email, nummag, donate) VALUES (:fname, :lname, :add, :city, :post, :country, :email, :nummag, :donate)');
$query->execute(array(':fname'=>$fname,
':lname'=>$lname,
':add'=>$add,
':city'=>$city,
':post'=>$post,
':country'=>$country,
':email'=>$email,
':nummag'=>$nummag,
':donate'=>$donate));
When you use reserved words in mysql, you need to escape them in backticks:
... (fname, lname, `add`, city, post, country, email, nummag, donate) ...
You should also add error handling so that PDO tells you right away what is wrong.
You can tell PDO to throw exceptions by adding this after you connect to the database:
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
You can also set the error handling mode when you open the connection, see the manual.
Without ':' in the array.
$query = $pdo->prepare('INSERT INTO `direct_transfer` (`fname`, `lname`, `add`, `city`, `post`, `country`, `email`, `nummag`, `donate`) VALUES (:fname, :lname, :add, :city, :post, :country, :email, :nummag, :donate)');
$query->execute(array('fname'=>$fname,
'lname'=>$lname,
'add'=>$add,
'city'=>$city,
'post'=>$post,
'country'=>$country,
'email'=>$email,
'nummag'=>$nummag,
'donate'=>$donate));
I dont no what the problem is with my code. It doesn't insert the data into the database. Here it is.
$adduser = $con->prepare("INSERT INTO 'basicuserinfo'(email, password, firstname, lastname) VALUES(:email, :password, :firstname, :lastname)");
$adduser->bindValue(':email', $email);
$adduser->bindValue(':password', $password);
$adduser->bindValue(':firstname', $firstname);
$adduser->bindValue(':lastname', $lastname);
$adduser->execute();
INSERT INTO 'basicuserinfo'(email, password, firstname, lastname) VALUES(:email, :password, :firstname, :lastname)
That isn't a valid SQL statement. Get rid of the 's.
Are you sure it is succeeding? You aren't checking the execute as in:
if(!$adduser->execute()) echo "Execute failed";
You will likely find that it is throwing an error on the ' around the table name.
Try this..
$adduser = $con->prepare("INSERT INTO `basicuserinfo`(email, password, firstname, lastname)
VALUES(?, ? , ? , ? )");
$adduser->bindParam('ssss', $email,$password , $firstname,$lastname);
$adduser->execute();
In this way of prepare statement you can reduce your executing time..
then dont put apostapy before the tablename
I am inserting a record and i want to use the id of the last record inserted.
This is what i have tried:
$sql = 'INSERT INTO customer
(first_name, last_name, email, password,
date_created, dob, gender, customer_type)
VALUES(:first_name, :last_name, :email, :password,
:date_created, :dob, :gender, :customer_type)'
. ' SELECT LAST_INSERT_ID()' ;
I am getting the error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'SELECT LAST_INSERT_ID()'.
Can anyone show me where is my mistake?
Thanks!
Check out mysql_insert_id()
mysql_query($sql);
$id = mysql_insert_id();
When that function is run after you've executed your INSERT statement in a mysql_query() command its result will be the ID of the row that was just created.
You can do another query:
$last_id = "SELECT LAST_INSERT_ID()";
Or try to add ; in your query:
INSERT INTO customer
(first_name,
last_name,
email,
password,
date_created,
dob,
gender,
customer_type)
VALUES(:first_name,
:last_name,
:email,
:password,
:date_created,
:dob,
:gender,
:customer_type)<b>;</b>' . ' SELECT LAST_INSERT_ID()';