$query = "INSERT INTO users ". "(first_name,last_name,dob,mobile_number,landline_number,email) ". "VALUES('$fname','$sname','$dob','$mobile','$landline','$email', NOW())";
$query = "INSERT INTO address ". "(house_number,street_name,town/city,postcode,province/county) ". "VALUES('$hnumber','$addr','$town','$pcode','$county', NOW())";
$result = mysqli_query($conn, $query) or die("Invalid query 2"); // runs query using open connection
So I can create a connection to my database no problem and on my previous page I can send username and password to the database, but then I come to the user details page to save the information and am continually getting an Invalid query 2 error. The table names are correct (users & address) and all variables are spelt correctly. Does anyone have a suggestion to fix the issue or a better alternative (I mean to just point me in the right direction of the research I should be looking at if I am way off target, if I have just misspelled something or have something in the wrong place then I would appreciate the heads up, have been at this quite a while now)
This is the code from the previous page and it works fine and sends the information to the database:
$query = "INSERT INTO login ". "(username,password) ". "VALUES('$uname','$epass', NOW())";// sets up sql query
$result = mysqli_query($conn, $query) or die("Invalid query 2"); // runs query using open connection
mysqli_close($conn); // close database connection
As far as I know all the database side of things is fine, all data types are varchar except for dob which is date (I have tried changing this to varchar to see if it fixed the problem but it didn't) and userID is int and is an autoincrement for the unique primary key. I have also tested the php file without the validation rules and it still gives the same error.
Quite a few things wrong here.
First you are reassigning the variable $query; so the first insert will be getting overwritten by the second, you need to concat the variable.
Then you have 2 queries you are attempting to send at one time. However you never tell SQL you've finished your first before starting your second.
Try the following instead; take note of the semicolons ; at the end of each.
You are also putting slashes into your column names which is illegal.
Lastly, you've got more values to insert than you have columns. Remove the now() from the end.
$query = "INSERT INTO users ". "(first_name,last_name,dob,mobile_number,landline_number,email) ". "VALUES('$fname','$sname','$dob','$mobile','$landline','$email');";
$query .= "INSERT INTO address ". "(house_number,street_name,town_city,postcode,province_county) ". "VALUES('$hnumber','$addr','$town','$pcode','$county');";
Although this will now work, I highly recommend you do some research regarding safe practices with SQL.
Here would be a great starting point https://www.w3schools.com/php/php_mysql_prepared_statements.asp
On a side note, why are you concatenating your strings? There's no need
$query = "INSERT INTO users (first_name,last_name,dob,mobile_number,landline_number,email) VALUES('$fname','$sname','$dob','$mobile','$landline','$email');";
Maybe it's the fact that you are closing the connection after your first call.
try or die(mysqli_error($conn));
EDIT:
Delete passing value "NOW()".
code:
$query = "INSERT INTO address ". "(house_number,street_name,town_city,postcode,province_county) ". "VALUES('$hnumber','$addr','$town','$pcode','$county')";
I'm new to PHP but normally able to solve most problems but this one has got me.
I'm trying to create a newsletter sign up (single field) with a single submit button. I have this working fine, sending out an email and inserting the form data into my table. However I want to add functionality to have a confirmation email send to the person who signs up. I've done extensive research and I know the method behind this but my code just is not inputting data into my 2nd table used to store the confirmation information.
I have 2 tables:
Table 1 named 'newsletter' columns are:
idmail,emailaddress,datetime,state
idmail is set to AUTO_INCREMENT
Table 2 named 'confirm' columns are:
idconfirm,emailaddress,confirmkey
Here is my code (I've omitted the email part which goes after this as that all work OK):
//connect to database
include('admin/connection.php');
$email = mysqli_real_escape_string($dbc, $_POST['email']);
//check if value exists in table
$result = mysqli_query($dbc, "SELECT emailaddress FROM newsletter WHERE emailaddress = '$email'");
if (mysqli_num_rows($result)==0) {
//Insert value into database
$query1 = mysqli_query($dbc, "INSERT INTO newsletter(emailaddress, datetime, state) VALUES('$email','$now','0')");
mysqli_query($dbc, $query1);
// Get ID of last record
$id = mysqli_insert_id($dbc);
//Create a random key
$hash = $email.date('mY');
$hash = md5($hash);
//Insert value into database
$query2 = mysqli_query($dbc, "INSERT INTO confrim(idconfirm, emailaddress, confirmkey) VALUES('$id','$email','$hash')");
mysqli_query($dbc, $query2);
When I submit an email address, the first table is populated correctly.
The goal here is to get the auto ID created in the first INSERT INTO query into a variable then to add that in the 2nd tables column named 'idconfim'.
I tried:
echo $id;
echo $email;
echo $hash;
and all of the variables hold the correct information.
Does anyone have any ideas?
I've tried too many things to list here, but I've researched this and I just don't know where I'm going wrong.
Thanks in advance.
I'm posting my comment as an answer here:
The problem here is this $query2 = mysqli_query($dbc,... '$hash')"); mysqli_query($dbc, $query2); and you should have gotten an error about that. This besides the possible typo for the table name confrim.
You need to remove mysqli_query($dbc, $query2); here and replace it with:
if($query2){ echo "Success"; }
else{ echo "Error: " . mysqli_error($dbc); }
(Another edit): You did the same error here:
$query1 = mysqli_query($dbc, "INSERT INTO newsletter ... '$now','0')");
mysqli_query($dbc, $query1);
and needs to be changed to:
if($query1){ echo "Success"; }
else{ echo "Error: " . mysqli_error($dbc); }
As stated in comments by RiggsFolly; don't use MD5 to hash passwords, it's no longer safe. A lot of water's run under the bridge in over 30 years.
Use password_hash() http://php.net/manual/en/function.password-hash.php and a prepared statement.
Edit: It looks to me now that after looking at your code again, that you're not trying to save a password, but more as a confirmation key. If that is the case, then you can disregard the password stuff. However, if you do decide to use MD5 to store passwords with in the future, don't.
One of the problems is that you aren't showing the MySQL error, if there is one. So you need to either check the server logs for the error in PHP, you can force to print the error to the error log or do something else:
for example:
mysqli_query($dbc, $query2) or error_log(mysqli_error($dbc));
mysqli_query($dbc, $query2) or custome_error_handler(mysqli_error($dbc));
As well php should be returning an HTTP error to the client. You should be catching that error.
Once you see the SQL error it will be easy to figure out what you did wrong.
EDIT Fred ii caught the real error, but I think the error would have been thrown the first time the mistake is made:
mysqli_query($dbc, $query1);
$query1 isn't a string. And if you noticed you already executed the query on the line above. Reading the PHP error logs will show you exactly where the error is.
Sorry for wasting time.
Thanks to jeffery_the_wind for pointing me to the logs. I will use them in future.
The problem was TWO spelling mistakes, one in the column name in the php and one on the mysql database. confrim is not a word! I'm slightly lexdixlick!
Thanks for your prompt responses.
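The two-table insert from this thread, as an added example that is not code from any of the posts: bound parameters, the auto ID carried into the second insert, and exceptions so that a misspelled table name is reported at once. It assumes PDO with an in-memory SQLite database in place of the MySQL connection, and it swaps the md5 of e-mail plus month for a key from random_bytes(), because the md5 value can be recomputed by anyone who knows the address.

```php
<?php
// Added example. Tables follow the question; in-memory SQLite stands in for MySQL (assumption).
$pdo = new PDO('sqlite::memory:');
// Make every SQL error throw, so a typo such as "confrim" cannot fail silently.
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE newsletter (idmail INTEGER PRIMARY KEY AUTOINCREMENT,
    emailaddress TEXT UNIQUE, datetime TEXT, state INTEGER)');
$pdo->exec('CREATE TABLE confirm (idconfirm INTEGER PRIMARY KEY,
    emailaddress TEXT, confirmkey TEXT)');

// Returns the confirmation key, or null when the address is already subscribed.
function subscribe(PDO $pdo, string $email): ?string
{
    $pdo->beginTransaction();
    try {
        $check = $pdo->prepare('SELECT 1 FROM newsletter WHERE emailaddress = ?');
        $check->execute([$email]);
        $exists = $check->fetchColumn() !== false;
        $check->closeCursor();
        if ($exists) {
            $pdo->rollBack();
            return null;
        }
        // Values are bound, never spliced into the SQL text.
        $ins = $pdo->prepare(
            'INSERT INTO newsletter (emailaddress, datetime, state) VALUES (?, ?, 0)');
        $ins->execute([$email, date('Y-m-d H:i:s')]);
        $id = (int) $pdo->lastInsertId();   // auto ID of the row just inserted

        $key = bin2hex(random_bytes(16));   // assumption: random key replaces md5(email . month)
        $conf = $pdo->prepare(
            'INSERT INTO confirm (idconfirm, emailaddress, confirmkey) VALUES (?, ?, ?)');
        $conf->execute([$id, $email, $key]);

        $pdo->commit();                     // without this, neither row is kept
        return $key;
    } catch (PDOException $e) {
        $pdo->rollBack();                   // both inserts succeed or neither does
        error_log('subscribe failed: ' . $e->getMessage());
        throw $e;
    }
}

$key = subscribe($pdo, "o'malley@example.test");       // constructed address
echo "key length: ", strlen($key), "\n";
echo "second attempt: ", var_export(subscribe($pdo, "o'malley@example.test"), true), "\n";
echo "confirm rows: ", $pdo->query('SELECT COUNT(*) FROM confirm')->fetchColumn(), "\n";

// The misspelled table from the question now surfaces immediately.
try {
    $pdo->prepare('INSERT INTO confrim (idconfirm) VALUES (?)')->execute([1]);
} catch (PDOException $e) {
    echo "Error: ", $e->getMessage(), "\n";
}
```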
I'm trying to output a simple list with all the usernames registered on a single e-mail address in our database. The SQL queries necessary for it shouldn't be too hard, but apparently they are too hard for me - here's my issue:
$sql = "SELECT emailaddress FROM ".db_prefix("accounts")." where acctid = '$mailid'";
$mailadress = db_query($sql);
That one's working just fine - I'm declaring mailid in an earlier part of the code, and with that query I can output the e-mail address (for debugging) of the currently logged in user without any problems. Fine so far.
$sql = "SELECT name FROM ".db_prefix("accounts")." where emailadress ='$mailadress'";
$charakterliste = db_query($sql);
Here's the issue: $charakterliste seems to stay empty, even though I'm pretty sure my syntax is correct. var_dump() and print_r() don't return anything that would point towards the array/variable containing something.
I've double checked and executed a similar query directly in the SQL database and found no problems there - all the fields I'm calling do exist, and the DB connection is fine too. I guess something is wrong in my syntax for the second SQL query? I'd want to list all the names saved in the $charakterliste afterwards with a foreach loop, but as of now there doesn't seem to be anything to list saved in there, although there should be.
Thanks in advance!
Are you sure the column 'emailadress' exist?
Maybe it's 'emailaddress' with two 'd'?
According to your first line of code it should be 'emailaddress'.
$sql = "SELECT name FROM ".db_prefix("accounts")." where emailaddress ='$mailadress'";
$charakterliste = db_query($sql);
I have made a database where email id and corresponding name and password are stored. I have successfully obtained a form's data, where the user enters updated name and password. But the problem is occurring with the query, which is as follows:
$db = mysqli_connect(all details)...
$name = $_POST['name'];
$password = $_POST['password'];
$email = $_POST['email'];
$query = "UPDATE mytable SET name='$name',password='$password' WHERE emailid='$email'";
$result = mysqli_query($db,$query);
Though I am getting all form values successfully, and until and unless I put the 'where' clause, it works. But obviously it updates all values. I want it to work with where, but so far unsuccessful :(
You need to put {} around the variables if it's surrounded by quotes ''
so your query should look like this
$query = "UPDATE mytable SET name='{$name}',password='{$password}' WHERE emailid='{$email}'";
$result = mysqli_query($db,$query);
EDIT : also before saving data to database make sure to filter and validate data
You need to make sure that emailid exists in mytable, you truly intended to filter by it and in your database scheme it has a type which supports the posted data. It seems that you are sending strings, like 'foo#bar.lorem' and your emailid is an int or something in the database scheme. Check it by running
desc mytable;
You need to put curly brackets around variables if you use apostrophe around them, but as a matter of style I like to close the string and attach the $variable with a . as this coding style is closer to me personally.
If everything fails, see what is generated, by echoing out the query string, try to run that directly, see what the error is and fix until...
... until it is fixed.
Also, you do not encrypt the password and your code is vulnerable to SQL injection too. Please, read about password encryption and SQL injection and then protect your project against these dangers.
You can write your statement as:
$query = "UPDATE mytable SET name='".$name."',password='".$password."' WHERE emailid='".$email."'";
using . as string concatenating operator
I have got this code to insert values into a table in MySQL through PHP. I have tried all the possible Insert syntax, it does not insert the data... these are the codes that I used.
$param = "xyzxyz";
$param1 = "sdfdfg";
$sql = "INSERT INTO trail (User_Name, Quiz_ID) VALUES ('".$param."','".$param1."')";
$result = $mysql->query($sql);
if($result)
echo "successful";
else
echo mysql->error;
if(mysql->errno==0)
echo "successful"
else
echo mysql->error;
I even tried the following sql syntax
"INSERT INTO trail (User_Name, Quiz_ID) VALUES ('$param1','$param1')";
"INSERT INTO `trail` (`User_Name`, `Quiz_ID`) VALUES ('$param1','$param1')";
and I tried several others; none of them inserts anything into the table. And this is the table in MySQL:
trail
User_Name varchar(35)
Quiz_ID varchar(35)
It does not insert anything nor does it display any error. And I have the correct DB connection because I am able to Select from the table. It's just the insert that is tricky.
Any help would be much appreciated.
Thanks
Just a note if someone is running on similar problems:
I had a similar issue --- Insert query working on PHPMyAdmin but not working on PHP and not issuing any errors (result was true all the time).
The reason is that I was starting a transaction but forgetting to commit it...
$mysqli->autocommit(FALSE);
$mysqli->query( "START TRANSACTION" );
Never forget this:
$mysqli->commit();
It is a silly error, I know, but I was so focused on the query mystery that I forgot the transaction statements a few lines above.
Check the mysqli::$errno first.
if($mysql->errno==0)
echo "successful";
else
echo $mysql->error;
What I have done is if you don't have a debugger installed, just have it email you the query. This way you can see what the final query is and if you have access to something like phpMyAdmin try manually running the query and see what happens. Another thing, make sure that you are searching for your inserted record correctly, if you are using a search query because of the number of records make sure the WHERE condition is right, that has burned me a few times.
EDIT
Missing symbol around names maybe. I have to run all my MySQL queries like
`nameOfThing`
instead of just nameOfThing
$param = "xyzxyz";
$param1 = "sdfdfg";
$sql = "INSERT INTO `trail` (`User_Name`, `Quiz_ID`) VALUES ('".$param."','".$param1."')";
$result = $mysql->query($sql);
if($result)
echo "successful";
else
echo $mysql->error;
if($mysql->errno==0)
echo "successful";
else
echo $mysql->error;
FYI, you are inserting $param1 twice.
You also don't have a ';' after echo "successful".
I'd suggest you clean up the code example, and try things again, and let us know.
Things to clean up
$sql = "INSERT INTO trail (User_Name, Quiz_ID) VALUES ('$param','$param1')";
You don't need to concatenate the variables in a string concatenate, you can interpolate. However, you actually should use PDO with a prepared statement to avoid the potential for SQL injection.
Add that missing ;
put that first check of if(mysql->errno==0) in (unless you are going to switch to PDO for this stuff).
Fix mysql->error to be mysql->error()
Maybe some other things from the comments.
Well, if the following code produce no error and shows 1 affected row, most likely you are looking for the result in the wrong database.
ini_set('display_errors', 1);
error_reporting(E_ALL);
$sql = "INSERT INTO trail (User_Name, Quiz_ID) VALUES ('testing','1')";
$mysql->query($sql);
var_dump($mysql->error,$mysql->affected_rows);
My tables were InnoDB tables and when I changed my tables to MyISAM the insert worked fine. Well, I have never encountered this problem before. Well, that did the trick for the time being.
If I want to use the InnoDB engine for transactions? How can I get PHP to be able to insert values in an InnoDB table? Anyone got any suggestion? And I am using WAMP server and the MySQL is version 5.5.24. And I did change the InnoDB conf in my.ini but that did not seem to work either?
try this
$param = "xyzxyz";
$param1 = "sdfdfg";
$sql = "INSERT INTO trail (User_Name, Quiz_ID) VALUES ('".$param."','".$param1."')";
$result = $mysql->query($sql);
if($result){ echo "successful";} else { echo " not successful";}
I am doing a really simple script to delete a row out of a database. I have done it before with almost identical code but for some reason this won't work!
Viewmessages.php has no problem running but when I try and delete the row using deletemessage.php I receive an SQL error. I only have one line of SQL:
viewmessage (sending info to deletemessage.php):
echo "<a href='deletemessage.php?contactname=".$contactname."'>Delete</a>";
The following is the delete message code:
<?php
session_start();
if ( !isset($_SESSION['adminusername']))
{
header("Location:admin.php");
exit();
}
require "dbconn.php";
$contactname = $_GET['contactname'];
$query = "DELETE FROM message WHERE contactname =".$contactname;
$results = mysql_query($query) or die(mysql_error());
header("Location: viewmessages.php");
?>
I can't work out what the error is! $contactname in the viewmessages.php file definitely speaks of the primary key for the table!
Any ideas?
EDIT: I know that the problem lies with the contactname in the sql... for some reason it is not receiving it well, I did an echo to see what it thought the contactname was and it was correct. I then changed the variable and put in a string of one values in contactname and it deleted the row correctly... so the problem is the GET_['contactname'] but I am not sure what....
Enclose $contactname in quotes in the query, since it is a string. But escape it first! It is highly vulnerable to SQL injection the way it is now. I understand it may be an administrative page, but it is a very good habit to always observe, even when your users are trusted. (Especially since Mr O'Malley would break the SQL statement when you tried to delete him)
$contactname = mysql_real_escape_string($_GET['contactname']);
$query = "DELETE FROM message WHERE contactname ='".$contactname . "'";
Always beware when deleting via a hyperlink. Looks like you are checking for admin privileges before allowing this to execute, but be sure these links are not accessible to the broad Internet, where they might get crawled.
Wild guess here? $contactname is a STRING. Therefore it must be in quotes in the query. Also, you want people to destroy your database, apparently.
$query = "DELETE FROM `message` WHERE `contactname` = '".mysql_real_escape_string($contactname)."'";
You need quotes around a string you're inserting.
$query = "DELETE FROM message WHERE contactname ='".$contactname."'";
Note that this is MASSIVELY vulnerable to SQL injection. Someone could delete your entire database table with this code as it stands.
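The difference the answers above describe, as an added example that is not code from any of the posts: the same DELETE built by concatenation and with a bound parameter, run against constructed rows. It assumes PDO with an in-memory SQLite database instead of the deprecated mysql_* functions; the function names are hypothetical.

```php
<?php
// Added example; table and column names follow the question, rows are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE message (contactname TEXT PRIMARY KEY, body TEXT)');
$seed = $pdo->prepare('INSERT INTO message (contactname, body) VALUES (?, ?)');
foreach (['alice', 'bob', "O'Malley"] as $name) {
    $seed->execute([$name, 'hello']);
}

// "Before": the quoted but unescaped query from the last answer.
// The request value becomes part of the SQL text itself.
function deleteConcatenated(PDO $pdo, string $name): int
{
    return $pdo->exec("DELETE FROM message WHERE contactname = '" . $name . "'");
}

// "After": the value travels separately from the statement and is only ever data.
function deleteMessage(PDO $pdo, string $name): int
{
    $stmt = $pdo->prepare('DELETE FROM message WHERE contactname = ?');
    $stmt->execute([$name]);
    return $stmt->rowCount();
}

$hostile = "x' OR '1'='1";   // constructed value that rewrites the WHERE clause

// Concatenated: the condition is now always true. Rolled back to keep the rows.
$pdo->beginTransaction();
printf("concatenated, hostile value: %d rows deleted\n", deleteConcatenated($pdo, $hostile));
$pdo->rollBack();

// Concatenated: a legitimate name with an apostrophe breaks the statement.
try {
    deleteConcatenated($pdo, "O'Malley");
} catch (PDOException $e) {
    echo "concatenated, O'Malley: ", $e->getMessage(), "\n";
}

// Prepared: the hostile value matches no contactname, the real name matches one.
printf("prepared, hostile value: %d rows deleted\n", deleteMessage($pdo, $hostile));
printf("prepared, O'Malley: %d rows deleted\n", deleteMessage($pdo, "O'Malley"));
```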