This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 6 years ago.
$type_of_poker = "hold'em no limit";
$sql = "INSERT INTO hands (type_of_poker) VALUES ('$type_of_poker')";
Im trying to put hold'em no limit into a SQL database but it won't let me
use ' i cant upload holdem no limit for a long list resones that have to do
with the rest of my code.
Instead of trying to escape the apostrophe, it is much better practice to use prepared statements and binded parameters which will also solve your problem. It solves your problem because you then don't need to escape the apostrophe ('):
$type_of_poker = "hold'em no limit";
//binding the parameters to your sql statement
$sql = "INSERT INTO hands (type_of_poker) VALUES (:type_of_poker)";
$stmt = $conn->prepare($sql);
$stmt->bindParam(':type_of_poker',$type_of_poker);
$stmt->execute();
Let me know if that worked for you! :)
This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
Closed 7 years ago.
I have this mysql query:
$sql = "INSERT INTO lijsten(naam, niveau, nederlands, duits, frans, grieks,
engels, latijn, spaans, wiskunde, natuurkunde, scheikunde, geschiedenis,
economie, aardrijkskunde, ANW, godsdienst)
VALUES(\$_POST["naam"]\,\$_POST["niveau"]\,\$_POST["nederlands"]\,\$_POST["duits"]\,\$_POST["frans"]\,\$_POST["grieks"],\$_POST["engels"]\,\$_POST["latijn"]\,\$_POST["spaans"]\,\$_POST["wiskunde"]\,\$_POST["natuurkunde"]\,\$_POST["scheikunde"]\,\$_POST["geschiedenis"]\,\$_POST["economie"]\,\$_POST["aardrijkskunde"]\,\$_POST["ANW"]\,\$_POST["godsdienst"]\)";
It is sent to the database with this function:
function connectDB($sql) {
$DBcon = mysql_connect(host, user, pass) or die(mysql_error());
mysql_select_db(database);
$result = mysql_query($query) or die(mysql_error());
mysql_close($DBcon);
return $result;
But when i try to run it, it gives me a php parse error:
PHP Parse error: syntax error, unexpected 'naam' (T_STRING) in /media/usbdisk/website/www/boeken/naardb.php on line 11
Could somebody tell me what mistake i am making? I already have tried many ways of putting the query, but none of them worked.
You should never build queries like this.
This is not how you escape values
mysql_ is deprecated and you should be using prepared statements
Example in PDO:
$sql = "INSERT INTO lijsten(naam, niveau, nederlands, duits, frans, grieks,
engels, latijn, spaans, wiskunde, natuurkunde, scheikunde, geschiedenis,
economie, aardrijkskunde, ANW, godsdienst)
VALUES(:naam,:niveau .......)";
if($stmt = $pdo->prepare($sql)){
$stmt->bindValue(:naam, $_POST["naam"]);
.....
$stmt->execute();
}
There are several mistakes, but I'll start with the issue.
unexpected 'naam' (T_STRING)...
Is caused because PHP was not expecting a string there. You're escaping parts of the query, but you really just need to concatenate the $_POST variables.
I would advise setting the posts variables to their own variables to simplify your query and format the query like this answer outlines: Using php variables inside MySQL insert statement
IE: $naam = $_POST["naam"]; etc...
The biggest issue is that you're using a deprecated method, you should use PDO (Prepared) queries
PHP deprecated methods.
You should definitely look into using PDO and preparing your statement.
A couple quick reference for PDO:
http://code.tutsplus.com/tutorials/why-you-should-be-using-phps-pdo-for-database-access--net-12059
http://php.net/manual/en/book.pdo.php
Good luck!
Try to concat the variables in your query like this:
"INSERT INTO lijsten(naam, niveau, nederlands, duits, frans, grieks,
engels, latijn, spaans, wiskunde, natuurkunde, scheikunde, geschiedenis,
economie, aardrijkskunde, ANW, godsdienst)
VALUES("
.mysql_escape_string($_POST['naam']).
")";
and to read about sql injections too.
The #meda answer is the correct example of how to create SQL calls, using PDO.
This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
Closed 7 years ago.
i am writing this command
$result = mysql_query("SELECT * FROM register where name= ‘lakhan’ ") or die(mysql_error());
and when running the php file it shows:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '‘lakhan’'
I am using MySql Server 5.5 AND INSTEAD OF = sign i have used LIKE also in query then too error is coming.Please help me to resolve it
Use single quotes arround the value:
$result = mysql_query("SELECT * FROM register where name= 'lakhan' ") or die(mysql_error());
Do not longer use the deprecated mysql_* API. Use mysqli_* or PDOwith prepared statements.
This question already has answers here:
Can PHP PDO Statements accept the table or column name as parameter?
(8 answers)
Closed 9 years ago.
I need to know can I use question marks (?) in PDO prepared statements as table name or not.
$table = $_POST['table'];
$id = $_POST['id'];
$sql = "UPDATE ? SET priority = priority + 1 WHERE id = ?";
$q = $db->prepare($sql);
$q->execute(array($table,$id));
I'm getting this error:
Warning: PDO::prepare() [pdo.prepare]: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '? SET priority = priority + 1 WHERE id = ?'
Aside from that simple problem, there is another one - your code smells of bad database design. In a properly planned database you would never need to receive a table name via POST request.
Most likely you are using multiple tables where you have to use only one.
You need to bind the parameters like this:
$q->bindParam(1, $table);
$q->bindParam(2, $id);
Source (see Example #2)
This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
Whats wrong with this query mysql?
I am using mysql and php to update a record. Here is my code:
$n=mysql_query("UPDATE chondas SET model='$model1', yearstart=$yearstart1,
yearstop=$yearstop1, desc='$desc1', hp='$hp1',
engine='$engine1',trim='$trim1', weight='$weight1' WHERE id=$id1");
In the following code if I take out desc='$desc1' everything works perfectly. What would cause this error?
When i tested the following code in phpmyadmin I got this error:
#1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'desc='text of the textarea' at line 1.
DESC is a reserved word in mysql so you need to use backticks:
UPDATE chondas SET model='$model1', yearstart=$yearstart1, yearstop=$yearstop1, `desc`='$desc1', hp='$hp1', engine='$engine1',trim='$trim1', weight='$weight1' WHERE id=$id1
You should also switch to PDO (or mysqli) and prepared statements with bound variables to avoid potential sql injection.
DESC is a reserved word in MySQL.
Escape it with backticks
`desc` = '$desc1'
Your query won't run if you include the variable names in phpMyAdmin, such as:
UPDATE chondas SET model='$model1', yearstart=$yearstart1,
yearstop=$yearstop1, **desc='$desc1'**, hp='$hp1',
engine='$engine1',trim='$trim1', weight='$weight1' WHERE id=$id1
Also, the PHP won't run if you mix your "" and '' e.g: "UPDATE chondas SET model='$model1'...