We Keep Coding

Insert Into returning a syntax error in SQL [duplicate]

This question already has answers here:
How to include a PHP variable inside a MySQL statement
(5 answers)
Closed 1 year ago.
PHP
<?php
$server_name= "localhost";
$db_user="root";
$db_password="";
$db_name="digitalmarketing";
$connection=mysqli_connect($server_name,$db_user,$db_password,$db_name);
$dbconfig=mysqli_select_db($connection,$db_name);
session_start();
$_SESSION['message']='';
if($_SERVER['REQUEST_METHOD']=='POST')
{
$title= mysqli_real_escape_string($connection,$_POST['title']);
$Des= mysqli_real_escape_string($connection,$_POST['des']);
$imagepath= mysqli_real_escape_string($connection,'Projects/'.$_FILES['filename']['name']);
$link= mysqli_real_escape_string($connection,$_POST['link']);
echo $title," ";
echo $Des," ";
echo $imagepath," ";
echo $link," \n ";
if(preg_match("!image!",$_FILES['filename']['type'])){
if(copy($_FILES['filename']['tmp_name'],$imagepath)){
$query="INSERT INTO `project` (`id`, `Title`, `Description`, `Image`, `Site`) VALUES (NULL, $title, $Des, $imagepath, $link)";
if(mysqli_query($connection, $query))
{
echo "success";
}
else {
echo "Error: " . $query . "<br>" . mysqli_error($connection);
}
}
}
}
Error
Error: INSERT INTO project (id, Title, Description, Image, Site) VALUES (NULL, TitleHere, DescripHere, Projects/Screenshot 2021-03-18 222903.png, https://www.w3schools.com/tags/att_input_type.asp)
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '2021-03-18 222903.png, https://www.w3schools.com/tags/att_input_type.asp)' at line 1
Why am I getting this error?

Change
$query="INSERT INTO `project` (`id`, `Title`, `Description`, `Image`, `Site`) VALUES (NULL, $title, $Des, $imagepath, $link)";
to
$query="INSERT INTO `project` (`id`, `Title`, `Description`, `Image`, `Site`) VALUES (NULL, '$title', '$Des', '$imagepath', '$link')";
Extra: Read about using prepared statements and use it.
https://www.tutorialrepublic.com/php-tutorial/php-mysql-prepared-statements.php

SQL multi queries specific [duplicate]

This question already has answers here:
Why can't I run two mysqli queries? The second one fails [duplicate]
(2 answers)
Closed 5 years ago.
I have a very specific problem and nothing I could find online was able to tell me where my error was.
I want to pass two mysql queries at once. Separately, they work perfectly but together they fail. I've tries JOIN, adding ; and the multi_queries method. Everything fails.
Now I am stuck with this code:
// data insertion
$sql = "INSERT INTO comments (id, name, email, comment, article_id, date) VALUES ('$id', '$name', '$email', '$comment', '$article_id', '$date')";
$sql.= "DELETE FROM comments_validation WHERE id = $id";
if ($conn->multi_query($sql) === TRUE) {
header('Location: http://url.com/index.php?success');
} else {
echo "Error: " . $sql . "<br>" . $conn->error;
}
And the error:
Error: INSERT INTO comments (id, name, email, comment, article_id, date) VALUES ('some values')DELETE FROM comments_validation WHERE id = 'some other value'
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'DELETE FROM comments_validation WHERE id = 'some other value' at line 1
Thanks in advance!

You have to add a ; at the end of this sql statement
$sql = "INSERT INTO comments (id, name, email, comment, article_id, date) VALUES ('$id', '$name', '$email', '$comment', '$article_id', '$date');";
^here

Please add semi-colon as string at the end of every query in multi query.
// data insertion
$sql = "INSERT INTO comments (id, name, email, comment, article_id, date) VALUES ('$id', '$name', '$email', '$comment', '$article_id', '$date');";
$sql.= "DELETE FROM comments_validation WHERE id = $id";
if ($conn->multi_query($sql) === TRUE) {
header('Location: http://url.com/index.php?success');
} else {
echo "Error: " . $sql . "<br>" . $conn->error;
}

mysqli PHP not inserting into DB, no errors on Log [duplicate]

This question already has an answer here:
What to do with mysqli problems? Errors like mysqli_fetch_array(): Argument #1 must be of type mysqli_result and such
(1 answer)
Closed 6 years ago.
My PHP Code:
<?php
//Connecting to sql db.
$mysqli = new mysqli("127.0.0.1", "admin", "pass", "enedpt_faculties");
if ($mysqli->connect_errno) {
echo "Failed to connect to MySQL: (" . $mysqli->connect_errno . ") " . $mysqli->connect_error;
}
mysqli_set_charset($mysqli,"utf8");
$user = $_POST['user'];
$pass = $_POST['pass'];
$nome = $_POST['nome'];
$apelido = $_POST['apelido'];
$fac = $_POST['fac'];
$data = $_POST['data'];
$email = $_POST['email'];
mysqli_query($mysqli,"`enedpt_faculties`.`users` (`user`, `pass`, `name`, `sname`, `facid`, `nasc`, `mail`)
VALUES ('$user', '$pass', '$nome', '$apelido, '$fac', '$data', '$email')");
?>
For some reason the query is not inserting, and there are no errors on the error Log. Please Help.

You have to uae correct SQL.
An insert statement looks like this:
'INSERT INTO "table" (columnnames) VALUES (values)';
In your specific case you also have to concatenate the variables to the SQL-string:
'INSERT INTO `users` (`user`, `pass`, `name`, `sname`, `facid`, `nasc`, `mail`) VALUES ('.$user.', '.$pass.', '.$nome.', '.$apelido.', '.$fac.', '.$data.', '.$email.')'
You also can use back tics on the variables. Also you had some mistakes like missing quotes.

INSERT INTO doesn't work in php codes [duplicate]

This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
Closed 6 years ago.
I know this question is sort of dumb but I can't find out where the problem is I checked it with the codes in documentation and similar codes in stackoverflow but I can't figure out the problem.
this is my code:
if (isset($_POST['buy'])) {
$id = (int) $_POST['id'];
$name = $_POST['name'];
$price = (int) $_POST['price'];
date_default_timezone_set("Europe/London");
$date = date("Y-m-d h:i:sa");
$insquery = "INSERT INTO `purchases` (file_id, file_name, price, date) VALUES ({$id}, '{$name}', {$price}, {$date})";
$insResult = mysqli_query($con, $insquery);
if ($insResult) {
//do sth
} else {
//do sth else
}
I have tested these:
1- the post array is not empty and returns exactly those that I assigned to variables.
2- I have a table called purchases and it configured properly because I insert data in SQL and get it back successfully.
3- I have tried on SQL statement without {} around SQL variables but no luck.
and another question is after the SQL statement done how can I use the OUTPUT Inserted.ID as a variable in PHP?
thanks in advance.

date is a keyword in MySql. So use backtick (`).
INSERT INTO purchases (`file_id`, `file_name`, `price`,
`date`) ...
Instead of using direct substitution values, you could use below methods to avoid sql injection.
Using MySQLi (for MySQL):
$stmt = $conn->prepare("INSERT INTO MyGuests (firstname, lastname, email) VALUES (?, ?, ?)");
$stmt->bind_param("sss", $firstname, $lastname, $email);
// set parameters and execute
$firstname = "John";
$lastname = "Doe";
$email = "john#example.com";
$stmt->execute();
Please refer How can I prevent SQL-injection in PHP?
Use mysqli::$insert_id for last inserted ID (Docs here)

MySql Query Error [syntax error, unexpected '' (T_ENCAPSED_AND_...] [duplicate]

This question already has answers here:
Reference - What does this error mean in PHP?
(38 answers)
Closed 9 years ago.
I've some problems with my query can some one help me fix it?
This is my code:
mysql_query ("INSERT INTO categories_to_sales (sales_id, categories_id, value) VALUES ('$sale_id','$catid', '$_POST['txtCategorie_' . '$catid']') ");
When I use this code I get the following error:
Parse error: syntax error, unexpected '' (T_ENCAPSED_AND_WHITESPACE), expecting identifier (T_STRING) or variable (T_VARIABLE) or number (T_NUM_STRING) in addsales.php on line 91
I think it might have something to do with the $_POST[].

I fixed the query by changing it into:
mysql_query("INSERT INTO categories_to_sales (sales_id, categories_id, value) VALUES ('$sale_id','$catid', '" . $_POST['txtCategorie_' . "$catid"] . "' )");

It is a quoting issue where you are handling the $_POST (as you suspected). Try this:
mysql_query ("INSERT INTO categories_to_sales (sales_id, categories_id, value) VALUES ('$sale_id','$catid', '".$_POST['txtCategorie_' . $catid]."') ");
Notice the added quotes around the $_POST portion.
As mentioned in the other comments, you really should be escaping the $_POST value, as well as using mysqli instead of mysql.
Even better would be something like this:
$sql = "INSERT INTO categories_to_sales
(sales_id, categories_id, value)
VALUES
('".mysqli_real_escape_string($db, $sale_id)."',
'".mysqli_real_escape_string($db, $catid)."',
'".mysqli_real_escape_string($db, $_POST['txtCategorie_' . $catid])."');";
mysqli_query($db, $sql);

This should work (and is a little bit more breakdown):
Version 1, if the "_" is part of the name of your post param:
$value = $_POST['txtCategorie_'];
$value .= $_POST['$catid'];
$query = "INSERT INTO categories_to_sales (sales_id, categories_id, value) VALUES
('$sale_id','$catid', '$value');
$result = mysql_query ($query);
Version 2, if the "_" is not part of the name of your post param and should just append to your value
$value = $_POST['txtCategorie'];
$value .= "_";
$value .= $_POST['$catid'];
$query = "INSERT INTO categories_to_sales (sales_id, categories_id, value) VALUES
('$sale_id','$catid', '$value');
$result = mysql_query ($query);
But as mentioned in the comments of course you should read some lecture about SQL-Injection and security.