I am facing problem which is mentioned as follows.
ERROR: Could not able to execute
INSERT INTO user_db (Name,UserId,Ip_addr) VALUES ('jayesh vyas', 'jay', ::1).
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version
for the right syntax to use near '::1)' at line 1.
My code is mentioned as below.
<?php
$link = mysqli_connect("localhost", "root", "", "apptitude");
$ip_user = $_SERVER['REMOTE_ADDR'];
// Check connection
if($link == false){
die("ERROR: Could not connect. " . mysqli_connect_error());
}
// Escape user inputs for security
$uname = mysqli_real_escape_string($link, $_REQUEST['uname']);
$username = mysqli_real_escape_string($link, $_REQUEST['username']);
// attempt insert query execution
$sql = "INSERT INTO user_db (Name,UserId,Ip_addr) VALUES ('$uname', '$username', " . $ip_user . ")";
if(mysqli_query($link, $sql)){
echo "Records added successfully.";
} else{
echo "ERROR: Could not able to execute $sql. " . mysqli_error($link);
}
// close connection
mysqli_close($link);
?>
can anyone please help me to understand that why it is happened???
Thanks in advance.
Your SQL statement is missing single quotes around the IP address.
So as you did it for $user and $username, just use it again on $_SERVER['REMOTE_ADDR'] (after connecting to the MySQL server): $ip_user = mysqli_real_escape_string($link, $_SERVER['REMOTE_ADDR']);.
And as tadman said, please use prepared statements.
Btw. $_SERVER['REMOTE_ADDR'] must not the clients IP address. Take a look at this Post.
Related
This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
Closed 4 years ago.
I have a problem, I can't upload anything to database. In my database in the jelenlet table there is a jelen which is integer and a gyerekneve which is text.
Here is my php code:
<?php
$servername = "...";
$username = "...";
$password = "...";
$dbname = "...";
// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
$sql = "INSERT INTO 'jelenlet' ('gyerekneve', 'jelen') VALUES ('barmi', 0)";
if ($conn->query($sql) === TRUE) {
echo "Hozzaadtad ezt a nevet: ";
} else {
echo "Error: " . $sql . "<br>" . $conn->error;
}
$conn->close();
?>
And don't know what is the problem with the code. The page says:
Error: INSERT INTO 'jelenlet' ('gyerekneve', 'jelen') VALUES ('barmi',
0) You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use
near ''jelenlet' ('gyerekneve', 'jelen') VALUES ('barmi', 0)' at line
1
$sql = "INSERT INTO jelenlet (gyerekneve, jelen) VALUES ('barmi', 0)";
This will work. BUT make sure to use prepared statements when you will try to pass variables to this one and not static values. The problem was that you were using single-quotes when you didn't have to. If you want to escape fields in a query you can use this : `
This query would also work :
$sql = "INSERT INTO `jelenlet` (`gyerekneve`, `jelen`) VALUES ('barmi', 0)";
This question already has answers here:
Apache shows PHP code instead of executing it
(28 answers)
Closed 4 years ago.
Only recently started using mysql so I'm slowly getting to grips with it, but trying to use PHP prepared statements for a webform, and upon submitting the webform, it's just displaying the php code. Any suggestions?
Thanks
<?php
$link = mysqli_connect("localhost", "root", "", "contactform");
if($link === false){
die("ERROR: Could not connect. " . mysqli_connect_error());
}
$sql = "INSERT INTO contactform (firstname, surname, address1, address2,
towncity, county, postcode) VALUES (?,?,?,?,?,?,?)";
if($stmt = mysqli_prepare($link, $sql)){
mysqli_stmt_bind_param($stmt, "sssssss", $firstname, $surname, $address1,
$address2, $towncity, $county, $postcode);
$firstname = $_REQUEST['firstname'];
$surname = $_REQUEST['surname'];
$address1 = $_REQUEST['address1'];
$address2 = $_REQUEST['address2'];
$towncity = $_REQUEST['towncity'];
$county = $_REQUEST['county'];
$postcode = $_REQUEST['postcode'];
if(mysqli_stmt_execute($stmt)){
echo "Records inserted successfully.";
} else{
echo "ERROR: Could not execute query: $sql. " . mysqli_error($link);
}
} else{
echo "ERROR: Could not prepare query: $sql. " . mysqli_error($link);
}
mysqli_stmt_close($stmt);
mysqli_close($link);
?>
using eval( $text ); will execute your string as PHP code.
is that what you are looking for ?
PHP eval() function
Caution The eval() language construct is very dangerous because it allows execution of arbitrary PHP code. Its use thus is discouraged. If you have carefully verified that there is no other option than to use this construct, pay special attention not to pass any user provided data
I successfully configured ACRA to send my caught exceptions to my server, the problem is I can't insert the report into the database:
#AcraCore(buildConfigClass = BuildConfig.class)
#AcraHttpSender(uri = "http://www.myserver.com/crashreports/addreport.php",
httpMethod = HttpSender.Method.POST)
public class MyApplication extends Application {
#Override
protected void attachBaseContext(Context base) {
super.attachBaseContext(base);
ACRA.init(this);
}
}
I know it sends somethings because I see an empty entry in my phpMyAdmin, but I can't get the report inside the database:
<?php
$link = mysqli_connect("localhost", "root", "pass", "db");
// Check connection
if($link === false){
die("ERROR: Could not connect. " . mysqli_connect_error());
}
// Escape user inputs for security
$report = mysqli_real_escape_string($link, $_REQUEST['']);
// attempt insert query execution
$sql = "INSERT INTO VoiceRemoteCrash (report) VALUES ('$report')";
if(mysqli_query($link, $sql)){
echo "Records added successfully.";
} else{
echo "ERROR: Could not able to execute $sql. " . mysqli_error($link);
}
// close connection
mysqli_close($link);
?>
I've searched docs, but didn't find much info, and my PHP knowledge is somewhat basic.
$_REQUEST[''] will returns NULL and will throw an "undefined index" notice.
You could get your report from POST raw data using file_get_contents('php://input').
I suggest you to have a look to : How can I prevent SQL injection in PHP? and use parameterized queries.
This line references a nonsense variable:
$report = mysqli_real_escape_string($link, $_REQUEST['']);
You want something like:
$report = mysqli_real_escape_string($link, $_REQUEST['form_variable_name']);
But you shouldn't even do that, because the real_escape_string() functions can not be relied on to prevent SQL injection. Instead, you should use prepared statements with bound parameters, via either the mysqli or PDO driver. This post has some good examples.
I'm facing a weird problem, I'm trying to implement a simple Usercheck with PHP 7.1.
$con = getConnection();
//check connection
if(!$con){
die("Connection to database failed". mysql_connect_error() );
} else echo ("connection to database successfull");
//checking if nickname already exists
$checkUserExistanceSql = "SELECT nickname FROM user WHERE nickname='" + $nickname+ "'";
//sending query to sql database
$doesExist = mysqli_query($con, $checkUserExistanceSql)
or die ("Fehler in der Datenbankabfrage");
if(mysqli_num_rows($doesExist)>=1){
echo "Nickname not available, use another name";
}
But I'm getting this warning
Warning: A non-numeric value encountered in E:\XAMPP\htdocs... Line 29
Line 29 is the $checkUserExistanceSql. Any ideas where the problem is?
String concatenation on PHP uses . (dot) as operator, not + (plus).
You actual code uses +:
$checkUserExistanceSql = "SELECT nickname FROM user WHERE nickname='" + $nickname+ "'";
This is why PHP is telling that $nickname isn't a numeric variable. It cannot sum strings, only concatenate.
Change your operator to . and it will work:
$checkUserExistanceSql = "SELECT nickname FROM user WHERE nickname='" . $nickname . "'";
You can also use this syntax, with the same result but cleaner code:
$checkUserExistanceSql = "SELECT nickname FROM user WHERE nickname='{$nickname}'";
Security Alert
You code is sucessive to SQL injection. You should use prepared statements instead of concatenating your variables into the Query.
Thanks to the help of Yolo and Elias Soares.
The script runs flawless now, I also used prepared statement to counter the risk of sql injection as mentiones by elias.
$con = getConnection();
//check connection
if(!$con){
die("Connection to database failed". mysql_connect_error() );
} else echo ("connection to database successfull");
//prepared statement for sql query
$stmt = $con -> prepare("SELECT nickname FROM user WHERE (nickname=?)");
$stmt -> bind_param("s", $nickname);
$stmt->execute();
//checkking result, if nickname is already used
if($stmt->get_result()){
echo "0";
} else {
//insert user
}
I am using the following code to insert Event Logs and User Info from my Mobile App to a mysql database.
I am finding the " Character gives me issues later on when in use with JSON arrays that I pull from the db. What I would like to do is remove the " character in the php code completely before posting to the db.
Removing the " character by Javascript from the Mobile App is not really an option.
<?php
$servername = "localhost";
$username = "Fred";
$password = "Barney";
$dbname = "BamBam";
// Create connection
$conn = new mysqli ($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
// escape variables for security
$event_log = mysqli_real_escape_string($conn, $_POST['event_log']);
$logged_by = mysqli_real_escape_string($conn, $_POST['logged_by']);
$sql = "INSERT INTO time_event (event_log, logged_by)
VALUES ('$event_log', '$logged_by')";
if ($conn->query($sql) === TRUE) {
echo "Data entered successfully";
} else {
echo "Error: " . $sql . "<br>" . $conn->error;
}
$conn->close();
?>
Use mysqli_prepare and mysqli_stmt_bind_param to execute a parameterised query. I strongly advise this approach.
If you really want to just escape special characters for manual interpolation
into a query string, use mysqli_real_escape_string.
Hand-rolling a solution presents a real risk that you will
miss something important, leaving your program vulnerable
to SQL injection attacks.
I did not try, but this should do
$sql = sprintf("INSERT INTO time_event (event_log, logged_by)
VALUES ('%s' ,'%s'",$event_log,$logged_by);