mysqli_query syntax error with $_SESSION used - php

I had got the error like this
Parse error: syntax error, unexpected '' (T_ENCAPSED_AND_WHITESPACE), expecting identifier (T_STRING) or variable (T_VARIABLE) or number (T_NUM_STRING)
Here is my code (I used $_SESSION to get variable from the other page.)
$sql="insert into data(name,sex,time,suggest,eat,problem,student_suggest,tutor_suggest,other_suggest)
values('$_SESSION['name']','$_SESSION['gender']','$_SESSION['time']','$_SESSION['suggest']','$_SESSION['eat']', '$_SESSION['problem']','$_SESSION['student']','$_SESSION['tutor']','$_SESSION['other']')";
mysqli_query($cn,$sql) or die(mysqli_error($cn));


You need to proper write down variables.
It can't be :
values('$_SESSION['name']',
It has to be:
values('".$_SESSION['name']."',
Another good approach is to use PDO
$dbh = new PDO('mysql:host=localhost;dbname=data', $user, $pass);
$stmt = $dbh->prepare("INSERT INTO data (name, sex) VALUES (:name, :sex)");
$stmt->bindParam(':name', $_SESSION['name']);
$stmt->bindParam(':sex', $_SESSION['gender']);
$stmt->execute();


You are using single quote in worng sequnence and this generated wrong code ..
You could use string concat for avoid the problem
but be carefulfor sqlijcection using php var inside sql, (you should use PDO and param binding.
Anyway related to your question
$sql="insert into data(name,sex,time,suggest,eat,problem,student_suggest,tutor_suggest,other_suggest)
values(" . $_SESSION['name'] . ","
. $_SESSION['gender'] . ","
. $_SESSION['time'] . ","
. $_SESSION['suggest'] . ","
. $_SESSION['eat']', . ","
. $_SESSION['problem'] . ","
. $_SESSION['student'] . ","
. $_SESSION['tutor'] . ","
. $_SESSION['other'] . ")";

Related

Sanitize input $_POST [duplicate]

This question already has answers here:
How to prevent against XSS and SQL injection [duplicate]
(4 answers)
Closed 6 years ago.
Sadly my student website just got hacked. Someone insert script tag and stored in the database. Database also been published in a website call pastebin. I just took down the website. Can someone show me how to fix this quick.

Use a combination of filters and prepared statements.
http://php.net/manual/en/function.filter-input.php
http://php.net/manual/en/pdo.prepared-statements.php

You can use strip_tags() before inserting any value into database to remove any HTML or PHP tags from the string.
This is how you can remove HTML and PHP tags from string,
$code=strip_tags($code);
Use it with every variable you want to insert into database.
$code=strip_tags($code);
$fn=strip_tags($fn);
$em=strip_tags($em);
$un=strip_tags($un);
$hash=strip_tags($hash);
$salt=strip_tags($salt);
$ip=strip_tags($ip);
$this->db1->query("INSERT INTO users SET code='" . $code . "', firstname='" . $fn . "', email='" . $em . "', username='" . $un . "', password='" . $hash . "', salt='" . $salt . "', registerdate='" . time() . "', ipregister='" . $ip . "'");
Although strip_tags() doesn't prevent SQL injection completely. You should better use prepared statements.
Reference: http://php.net/manual/en/mysqli.quickstart.prepared-statements.php

MySQL insert errors

It's pretty much one of my first times working with MYSQL, and I can't seem to fix this one error I keep getting. I'm trying to store data to a table which has an auto_increment on its id (first column).
The error I keep getting is this:
"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'voorletters ='asd', tussenvoegsel ='', achternaam ='', roepnaam ='', adres ='', ' at line 1"
I just filled the textboxes with a little bit of rubish, there are no columns that require data either. Here is the code I use:
if(isset($_POST['save']))
{
$voorletters = $_POST['voorletters'];
$tussenvoegsel = $_POST['tussenvoegsel'];
$achternaam = $_POST['achternaam'];
$roepnaam = $_POST['roepnaam'];
$adres = $_POST['adres'];
$postcode = $_POST['postcode'];
$plaats = $_POST['plaats'];
$geslacht = $_POST['geslacht'];
$emailadres = $_POST['emailadres'];
$telefoonnummer = $_POST['telefoonnummer'];
$mobielenummer = $_POST['mobielenummer'];
$geboortedatum = $_POST['geboortedatum'];
$bsn = $_POST['bsn'];
mysql_query("INSERT INTO `naw` "
. "voorletters ='$voorletters', "
. "tussenvoegsel ='$tussenvoegsel', "
. "achternaam ='$achternaam', "
. "roepnaam ='$roepnaam', "
. "adres ='$adres', "
. "postcode ='$postcode', "
. "plaats ='$plaats', "
. "geslacht ='$geslacht', "
. "emailadres ='$emailadres', "
. "telefoonnummer ='$telefoonnummer', "
. "mobielenummer ='$mobielenummer', "
. "geboortedatum ='$geboortedatum', "
. "bsn ='$bsn' "
. "WHERE id = '$id'")
or die(mysql_error());
If this isn't enough information, please tell me. I've tried a lot of things, but I can't seem to figure it out.

You mix up insert and update syntax. Replace
INSERT INTO `naw` voorletters ='$voorletters'...
with
UPDATE `naw` set voorletters ='$voorletters'....
And you should really use Prepared Statements to avoid syntax errors and SQL injections due to user input.

You have a wrong syntax
The INSERT syntax is
INSERT INTO `YourTableName`(`Field1`, `Field2`, `Field3`, `Field4)
VALUES ('value-1','value-2','value-3','value-4')
The UPDATE syntax is
UPDATE `YourTableName`
SET `Field1`='value-1',`Field2`='value-2',`Field3`='value-3',`Field4`='value-4'
WHERE YourConditions

Just use following code. Make sure that you are inserting data for every field sequentially-
mysql_query("INSERT INTO `naw` VALUES(
'".$voorletters."',
'".$tussenvoegsel."',
'".$achternaam."',
'".$roepnaam."',
'".$adres."',
'".$postcode."',
'".$plaats."',
'".$geslacht."',
'".$emailadres."',
'".$telefoonnummer."',
'".$mobielenummer."',
'".$geboortedatum."',
'".$bsn."')")
or die(mysql_error());

You should remove the `` around naw, it's ok in phpmyadmin but quite messy almost every where else.
And you souldn't concatenate every line, do it in one "..." and use backspace to make it more readable.
So:
mysql_query("INSERT INTO naw
VALUES('$voorletters',
'$tussenvoegsel',
... ,
WHERE id = '$id'");//you can't do that, maybe you should use an UPDATE

parsing error at line 17 how to fix it

It is showing parsing error on line 17 I have thoroughly checked it but unable to find error.So how do I fix this error.it is insert_city_query.php
<?php
include('../../Connections/autodealers.php');
//error_reporting(0);
$cityname=$_POST['cityname'];
$cityorder=$_POST['cityorder'];
$status=$_POST['status'];
if($status="Enabled")
$status=1;
else
$status=0;
$query = "INSERT INTO ".$db_prefix."city (cityname,cityorder,status) values
(
'" . addslashes($cityname) . "' ,
'" . addslashes($cityorder) . "' ,
'" . addslashes($status) . " '
WHERE LCASE='strtolower($_REQUEST['cityname'])')";
echo $query;
$result=mysql_query($query);
if(!$result)
{
die ('ERROR: '.mysql_error());
header("Location: " .$base_url. "admin/city_insert.php" );//if query fails
}
else
{
header("Location: " .$base_url. "admin/cities.php" );//if query suceeds
}
mysql_close($autodealers);
?>

Change your query to,
$query = "INSERT INTO ".$db_prefix."city (cityname,cityorder,status) values
('" . addslashes($cityname) . "' ,
'" . addslashes($cityorder) . "' ,
'" . addslashes($status) . " '
WHERE LCASE='" . strtolower($_REQUEST['cityname']) . "')";
Note: Please, don't use mysql_* functions in new code. They are no longer maintained and are officially deprecated. See the red box? Learn about prepared statements instead, and use PDO, or MySQLi - this article will help you decide which. If you choose PDO, here is a good tutorial.
Warning: The query is vulnerable with SQL Injection if the value (s) of the variables came from the outside. Please take a look at the article below to learn how to prevent from it.
How to prevent SQL injection in PHP?

You do not use strtolower() as a function.
You should change this line:
WHERE LCASE='strtolower($_REQUEST['cityname'])')";
to
WHERE LCASE='".strtolower($_REQUEST['cityname'])."')";

Database insertion error [duplicate]

This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 9 years ago.
The below echo statement,
$statement = "INSERT INTO $tbl_name VALUES(" . $_GET['username'] . "," . $_GET['password'] . "," . $_GET['PasswordHintQuestion'] . "," . $_GET['PasswordHintAnswer'] . "," . $_GET['firstname'] . "," . $_GET['lastname'] . "," . $_GET['genderSelect'] . "," . $_GET['date_in_format'] . "," . $_GET['nationality'] . "," . $_GET['refEmail'] . ")" ;
echo $statement;
gave the ouput as,
INSERT INTO ge_user_table VALUES([object HTMLInputElement],[object HTMLInputElement],[object HTMLInputElement],[object HTMLInputElement],[object HTMLInputElement],[object HTMLInputElement],[object NodeList],[object HTMLSelectElement]/[object HTMLSelectElement]/[object HTMLSelectElement],[object HTMLInputElement],[object HTMLInputElement])Database Insertion fault on registration
But during insertion into database I got the error as,
You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use
near '[object HTMLInputElement],[object HTMLInputElement],[object
HTMLInputElement],[o' at line 1
But, the below query is working fine.
INSERT INTO ge_user_table VALUES('Muthu2','1234','Who are you?','Iam Indian','Muthu','Ganapathy','MALE','1991-12-21','Indian','abc#abc.com');
EDIT :
I have changed the code to,
$username = mysql_escape_string($_GET['username']);
$password = mysql_escape_string($_GET['password']);
$hintQues = mysql_escape_string($_GET['PasswordHintQuestion']);
$hintAns = mysql_escape_string($_GET['PasswordHintAnswer']);
$firstname = mysql_escape_string($_GET['firstname']);
$hintQues = mysql_escape_string($_GET['lastname']);
$gender = mysql_escape_string($_GET['genderSelect']);
$date = mysql_escape_string($_GET['date_in_format']) ;
$nationality = mysql_escape_string($_GET['nationality']) ;
$email = mysql_escape_string($_GET['refEmail']) ;
$statement = "INSERT INTO $tbl_name VALUES('$username' ,'$password','$hintQues' ,'$hintAns','$firstname' ,'$lastname' ,".
"'$gender' ,'$date','$nationality','$email')" ;
But,the database has entry as,
Final Solution:
I have passed form.username in html instead of form.username.value. Now Got it correct.

It look like you have error in javascript. you send html DOM Node instead of value.
Also you should escape your get variables like
mysql_real_escape_string($_GET['username']);

TRY THIS
$username = mysql_escape_string($_GET['username']);
$password = mysql_escape_string($_GET['password']);
$hintQues = mysql_escape_string($_GET['PasswordHintQuestion']);
$hintAns = mysql_escape_string($_GET['PasswordHintAnswer']);
$firstname = mysql_escape_string($_GET['firstname']);
$hintQues = mysql_escape_string($_GET['lastname']);
$gender = mysql_escape_string($_GET['genderSelect']);
$date = mysql_escape_string($_GET['date_in_format']) ;
$nationality = mysql_escape_string($_GET['nationality']) ;
$email = mysql_escape_string($_GET['refEmail']) ;
$statement = "INSERT INTO $tbl_name VALUES('$username' ,'$password','$hintQues' ,'$hintAns','$firstname' ,'$lastname' ,".
"'$gender' ,'$date','$nationality','$email')" ;
echo $statement;
Always try to keep the statement as readable as possible .. also whenever string needs to be inserted .. it should be propery quoted Also always use mysql_escape_string() to avoid sql injection.
Possible problem can be ..you are passing html element itself instead of its value

Your sql syntax is wrong you can use mysql_real_escape_string but you also need to care about how you are passing values to sql.
In above query you symply passed text without quotes.
$statement = "INSERT INTO $tbl_name VALUES('".$_GET['username']."', '".$_GET['password']."', '".$_GET['PasswordHintQuestion']."', '".$_GET['PasswordHintAnswer']."', '".$_GET['firstname']."', '".$_GET['lastname']."', '".$_GET['genderSelect']."', '".$_GET['date_in_format']."', '".$_GET['nationality']."', '".$_GET['refEmail']."')" ;

MySQL UTF-8 Character insert issue

I am fetching some string from facebook , but i dont know whitch encoding in string . I need to convert this string into utf8 before inserting into database table . Getting this error message.
Here is my php code.
$email = (isset($this->_userinfo['email']) ? $this->_userinfo['email'] : '');
$fname = $this->_userinfo['first_name'];
$lname = $this->_userinfo['last_name'];
$name = $this->_userinfo['name'];
$sql = 'INSERT INTO users '
. '(fbid, fbuid, fullname, userlevel, email, name, sirname) '
. 'VALUES("'
. $this->_fbid . '","'
. $fbuid . '","'
. $name . '","'
. $userlevel . '","'
. $email . '","'
. $fname . '","'
. $lname . '")';

did you try this code ?
mysql_query('set names utf8');

You might want to take a look at this question:
Detect encoding and make everything UTF-8
especially the second answer by Sebastian Grinoli
He wrote a class (and offers the link to it) which would correctly encode Windows Extended ASCII to UTF8 and also correct UTF8 if necessary.
A really handy tool to have when you are in the UTF8 land :)

Take a look at utf8_encode to do this for you. Keep in mind this will only work if your data is actually UTF-8 encoded. Unfortunately there is no way to just look at the string and see what encoding it's using.

enter link description here
For me works following code:
$mysqli = mysqli_connect( ... );
mysqli_query( $mysqli, 'SET NAMES "utf8" COLLATE "utf8_general_ci"' );
or just:
mysqli_set_charset( $mysqli, 'utf8' );
Regards, good luck!

Categories