Inserting special characters into SQL database from form - php

I am submitting form values into a database using PHP but I am running into an issue when user's enter special characters such as an apostrophe. For example if someone enters Bill's Pet Supply into organization, there will be an SQL error.
Here is my code:
$conn = new mysqli($servername, $username, $password, $dbname);
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
if(isset($_POST['submit'])) {
$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$email = $_POST['email'];
$organization = $_POST['organization'];
$sql = $conn->prepare("INSERT INTO submissions VALUES (:firstname, :lastname, :email, :organization)");
$sql->bindValue(':firstname', $firstname);
$sql->bindValue(':lastname', $lastname);
$sql->bindValue(':email', $email);
$sql->bindValue(':organization', $organization);
$sql->execute();
}
$conn->close();
How can I change this code so that apostrophes and other special characters will be supported?


Use prepared statements with bind placeholders. Both PDO and mysqli provide support for those.
Your SQL text would look like this:
$sql = "INSERT INTO submissions (firstname, lastname, email, organization)
VALUES (?, ?, ?, ?)";
If you are using mysqli
mysqli_prepare
myslqi_bind_param
myslqi_execute
$sth = $mysqli->prepare($sql);
if(!$sth) {
// handle error
}
$sth->bind_param("ssss", $firstname, $lastname, $email, $organization);
if( $res = $sth->execute() ) {
// process resultset
}
Similar functions available in PDO, but you can use "bind value" instead of "bind param".
If there's some reason you can't use prepared statements with bind placeholders, then at a minimum, you will need to properly escape any potentially unsafe values included in the SQL text.
If you are using mysqli, then generating the SQL text would look something like this:
$sql = "INSERT INTO submissions (firstname, lastname, email, organization)
VALUES ('" . $mysqli->real_escape_string( $firstname )
. "', '" . $mysqli->real_escape_string( $lastname )
. "', '" . $mysqli->real_escape_string( $email )
. "', '" . $mysqli->real_escape_string( $organization )
. "')";
But don't do that. Use a prepared statement with bind placeholders.

Related

Unable to locate sql error in php

Error message i've been recieving
Parse error: syntax error, unexpected 'INTO' (T_STRING) in D:\ServerFolders\Web\tokens\insert.php on line 17
Line 17
$sql= INSERT INTO users(Forename, Surname, Email, Username, Password, DOB)
Full code
<?php
//Connect to DB
$con=mysql_connect(localhost,root, "",APROJECT) or die (mysql_error());
// Check connection
if (mysql_connect_errno()) {
echo "Failed to connect to MySQL: " . mysql_connect_error();
}
// escape variables for security
$Forename = mysql_real_escape_string($con, $_POST['Forename']);
$Surname = mysql_real_escape_string($con, $_POST['Surname']);
$Email = mysql_real_escape_string($con, $_POST['Email']);
$Username = mysql_real_escape_string($con, $_POST['Username']);
$Password = mysql_real_escape_string($con, $_POST['Password']);
$DOB = mysql_real_escape_string($con, $_POST['DOB']);
//SQL query to add data to DB
$sql= INSERT INTO users(Forename, Surname, Email, Username, Password, DOB)
VALUES ($Forename, $Surname, $Email, $Username, $Password, $DOB);
if (!mysql_query($con,$sql)) {
die('Error: ' . mysql_error($con));
}
echo "1 record added";
mysql_close($con);
?>

First of all, mysql_* is not supported anymore and advised to use PDO or mysqli_* instead.
You should put query into quotes;
$sql= "INSERT INTO users(Forename, Surname, Email, Username, Password, DOB)
VALUES ($Forename, $Surname, $Email, $Username, $Password, $DOB)";
It may not work! Because you have to put values into single quotes. So better approach is using parameterized query.
For this time only I suggest using sprintf() function.
$sql= sprintf("INSERT INTO users(Forename, Surname, Email, Username, Password, DOB)
VALUES ('%s', '%s', '%s', '%s', '%s', '%s', '%s')", $Forename, $Surname, $Email, $Username, $Password, $DOB);

Try adding quotes
$sql= "INSERT INTO users(Forename, Surname, Email, Username, Password, DOB)
VALUES ($Forename, $Surname, $Email, $Username, $Password, $DOB)";

$sql= INSERT INTO users(Forename, Surname, Email, Username, Password, DOB)
VALUES ($Forename, $Surname, $Email, $Username, $Password, $DOB);
The above line needs to be a string and in one line (variables in strings which start and end in " can be directly written into it):
$sql = "INSERT INTO users(Forename, Surname, Email, Username, Password, DOB) VALUES ($Forename, $Surname, $Email, $Username, $Password, $DOB)";
If you want it to be in multiple lines for better readability, you can use the nowdoc syntax with variables embeded in {}:
$sql <<<'EOD'
INSERT INTO users(Forename, Surname, Email, Username, Password, DOB)
VALUES ({$Forename}, {$Surname}, {$Email}, {$Username}, {$Password}, {$DOB})
EOD;
Last approach would be to concat the string with .:
$sql = "INSERT INTO users(Forename, Surname, Email, Username, Password, DOB) " .
"VALUES (" . $Forename . ", " . $Surname . ", " . $Email . ", " . $Username . ", " . $Password . ", " . $DOB . ")";
See this reference: http://php.net/manual/de/language.types.string.php
On a side note, don't forget to escape your variables in your mysql query with mysql_real_escape_string to prevent SQL Injection!
$sql = "INSERT INTO users(Forename, Surname, Email, Username, Password, DOB) " .
"VALUES (" . mysql_real_escape_string($Forename) . ", " . mysql_real_escape_string($Surname) . ", " . mysql_real_escape_string($Email) . ", " . mysql_real_escape_string($Username) . ", " . mysql_real_escape_string($Password) . ", " . mysql_real_escape_string($DOB) . ")";

It looks like you're just missing some quote around your sql query.
Something like
$sql= "INSERT INTO `users`(`Forename`, `Surname`, `Email`, `Username`, `Password`, `DOB`)
VALUES (".$Forename.", ".$Surname.", ".$Email.", ".$Username.", ".$Password.", ".$DOB.")";
Should fix your error.
It's also worth nothing that mysql_query is depreciated and can be pretty unsecure. It might be worth looking at PDO preapred statements if this is something that's going to be used in production. Check out http://php.net/manual/en/ref.pdo-mysql.php and Dream in Code PDO

how to insert in to database using prepared statments in php

hello i am a java developer but new to php here i am trying to insert data in to the database using prepared statements as mentioned in here http://www.php.net/manual/en/pdo.prepared-statements.php but i am getting an error may i know what sort of error is this and any help to resolve this.
Error: Fatal error: Call to undefined method mysqli_stmt::bindParam() in G:****\xampp\htdocs****\registrationControl.php on line 17
<?php
$con = new mysqli("127.0.0.1", "root", "", "ksbka");
// Check connection
if (mysqli_connect_errno()) {
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
// escape variables for security
$firstname = mysqli_real_escape_string($con, $_POST['username_first']);
$username_email = mysqli_real_escape_string($con, $_POST['username_email']);
$username_tele = mysqli_real_escape_string($con, $_POST['username_tele']);
echo $firstname."#####".$username_email;
$query="INSERT INTO instructorregistration (Id, Name, email, telephone) VALUES (?, ?, ?, ?)";
$pst = $con->prepare($query);
$pst->bindParam(1, "");
$pst->bindParam(2, $firstname);
$pst->bindParam(3, $username_email);
$pst->bindParam(4, $username_tele);
$pst->execute();
if (!mysqli_query($con,$pst)) {
die('Error: ' . mysqli_error($con));
}
echo "1 record added";
mysqli_close($con);
?>

I think if you want to use bindParam() method, the value should be an instance of PDOStatement .
The doc you see as bellow:
$stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (:name, :value)");
$stmt->bindParam(':name', $name);
$dbh is a PDO instance, I think, NOT mysqli instance. Because there is no mysqli::bindParam().
To solve this problem, you can:
use PDO class instead of Mysqli
create the query as the simplest way:
$query="INSERT INTO instructorregistration (Id, Name, email, telephone) VALUES (NULL, $firstname, $username_email, $username_tele)";

you have to use the mysqli methods, when you use mysqli
$stmt = $con->prepare($query);
$stmt->bind_param(1, "");
...
if (!$stmt->execute()) {
echo "Execute failed: (" . $stmt->errno . ") " . $stmt->error;
}
/* explicit close recommended */
$stmt->close();
/* Non-prepared statement */
$res = $mysqli->query("SELECT id FROM test");
var_dump($res->fetch_all());
edit: added some code from the official documentation

PHP Mysql Insert Into not working, no error given no data posted to DB

trying to setup a warranty registration page for a friends company and I'm not great at Mysql or PHP (Read: Noob). I've scoured the web for answers and have tried several variations to the code below with no success.
I have the table setup with the matching column names. The form submission is also setup correctly I believe.
Just not certain as to what is stopping it from actually posting the data to the database. Any help would be greatly appreciated.
Here's my post code.
<?php
error_reporting(-1);
$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$address = $_POST['address'];
$city = $_POST['city'];
$state = $_POST['state'];
$zipcode = $_POST['zipcode'];
$country = $_POST['country'];
$phone = $_POST['phone'];
$email = $_POST['email'];
$ordernumber = $_POST['ordernumber'];
$receivedate = $_POST['receivedate'];
$placeofpurchase = $_POST['placeofpurchase'];
$newsletter = $_POST['newsletter'];
?>
<?php
$con = mysqli_connect("localhost","DB_Username","PASSWORD","DB_NAME");
if (mysqli_connect_errno())
{
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
$sql = ("INSERT INTO warrantyregistration (firstname, lastname, address, city, state, zipcode, country, phone, email, ordernumber, receivedate, placeofpurchase, newsletter)
VALUES
($firstname, $lastname, $address, $city, $state, $zipcode, $country, $phone, $email, $ordernumber, $receivedate, $placeofpurchase, $newsletter)");
if (mysqli_query($con,$sql))
{
die('Error: ' . mysqli_error($con));
}
echo "Success!";
mysqli_close($con)
?>

Change this line:
if (mysqli_query($con,$sql))
to:
if (!mysqli_query($con,$sql))
and you should see an error message.

You got the wrong syntax for the SQL statement. You have to set your Php variables into ´$variable´
See my working code here:
insert into user
(
userid,
signedin_at,
)
values
(
'$vp_userid',
now()
);

You should be paramaterizing your queries and using prepared statements. This would protect you from the SQL injection and fix your issues. An abridged version of what you need to do is:
$stmt = mysqli_prepare($con, "INSERT INTO warrantyregistration
(firstname, lastname, address) VALUES (?, ?, ?)");
mysqli_stmt_bind_param($stmt, "sss", $firstname, $lastname, $address);
mysqli_stmt_execute($stmt);

I got the same error. Without the paramaterizing you can fix that error in your sql statement:
...
$sql = "INSERT INTO warrantyregistration VALUES ($firstname, $lastname, $address, $city, $state, $zipcode, $country, $phone, $email, $ordernumber, $receivedate, $placeofpurchase, $newsletter)";
...

MySQL error, new to SQL

The following is my code:
Note: CONNECTDATA is valid data, substituted for security reasons.
$con = mysqli_connect(CONNECTDATA);
// Check connection
if (mysqli_connect_errno($con))
{
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
$username = mysql_real_escape_string($_POST["username"]);
$email = mysql_real_escape_string($_POST["email"]);
$igname = mysql_real_escape_string($_POST["gamename"]);
$pass = crypt($_POST["password"]);
if(!mysqli_query($con, "INSERT INTO users (username, email, igname, password) VALUES ($username, $email, $igname, $pass)")){
die('Error' . mysqli_error($con));
}
I am new to SQL and this is a learning experiment project, i am getting this error: ErrorYou have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '#mail.com, alphabravo, $1$dg1.iu3.$oZIgB6gFwjAcywv/zadG3/)' at line 1
I dont understand whats wrong with my syntax, help is much appreciated.

The reason this is happening is because you have to quote your string values e.g.
INSERT INTO users (username, email, igname, password) VALUES ('$username', '$email', '$igname', '$pass')
Even better would be to use prepared statements to prevent SQL injection and negate the need for using mysqli_real_escape_string
$con = mysqli_connect(CONNECTDATA);
...
$stmt = mysqli_prepare($con, "INSERT INTO users (username, email, igname, password) VALUES (?, ?, ?, ?)");
mysqli_stmt_bind_param($stmt, 'ssss', $username, $email, $igname, $pass);
mysqli_stmt_execute($stmt);
mysqli_stmt_close($stmt);

As andrewsi says on comment you need to use quotation marks when sending strings to the database.
So your sqlquery should be:
if(!mysqli_query($con, "INSERT INTO users (username, email, igname, password) VALUES ('$username', '$email', '$igname', '$pass')")){
If you want to pass an INTEGER (or other numerical values) then you dont need to use quotation marks (as long as the database field is numerical aswell).

Your SQL syntax is wrong.
A string have to be always quoted and escaped.
Proper function for escaping have to be used.
$username = mysqli_real_escape_string($con, $_POST["username"]);
$email = mysqli_real_escape_string($con,$_POST["email"]);
$igname = mysqli_real_escape_string($con,$_POST["gamename"]);
$pass = mysqli_real_escape_string($con,crypt($_POST["password"]));
$sql = "INSERT INTO users (username, email, igname, password)
VALUES ('$username', '$email', '$igname', '$pass')"
mysqli_query($con, $sql) or trigger_error($con->error);

Don't mix mysqli with mysql, use this with mysqli
$username = mysqli_real_escape_string($_POST["username"]);
$email = mysqli_real_escape_string($_POST["email"]);
$igname = mysqli_real_escape_string($_POST["gamename"]);
Edit
Use prepared statement like this
if(($stmt = mysqli_prepare($con, "INSERT INTO users (username, email, igname, password)
VALUES (?,?,?,?)"))) {
/* bind parameters for markers */
mysqli_stmt_bind_param($stmt, "s", $username);
mysqli_stmt_bind_param($stmt, "s", $email);
mysqli_stmt_bind_param($stmt, "s", $igname);
mysqli_stmt_bind_param($stmt, "s", $pass);
/* execute query */
mysqli_stmt_execute($stmt);
}

MySQL syntax:You have an error in your SQL syntax…

I am receiving the following error from the code below.
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '#doe.com,username,5f4dcc3b5aa765d61d8327deb882cf99,09/05/2011 1:11:13 AM)' at line 1
$username = $_GET['username'];
$password = md5($_GET['password']);
$firstname = $_GET['firstname'];
$lastname = $_GET['lastname'];
$email = $_GET['email'];
$date = uk_date();
$conn = mysql_connect('localhost', 'myuser', 'mypass');
mysql_select_db('dbname');
$query = "INSERT INTO accounts (FirstName, LastName, Email, Username, Password, LastLoginDate) VALUES (". $firstname . ",". $lastname ."," . $email . "," . $username . "," . $password . "," . $date . ")";
$result = mysql_query($query) or die(mysql_error());
echo 'Success';
mysql_close($result);
Please could you let me know what my problem is? I am new to MySQL and PHP so please can you provide an explanation to what I have done wrong for later reference.

You haven't quoted any of the values in your INSERT, you should be saying something more like this:
$query = "INSERT INTO accounts (FirstName, LastName, Email, Username, Password, LastLoginDate) VALUES ('". $firstname . "','". $lastname ."','" . $email . "','" . $username . "','" . $password . "','" . $date . "')";
You should also be using mysql_real_escape_string on all those variables to make sure that any embedded quotes and such are properly encoded.
A better version would be something like this:
$query = sprintf("INSERT INTO accounts (FirstName, LastName, Email, Username, Password, LastLoginDate) VALUES ('%s', '%s', '%s', '%s', '%s', '%s')",
mysql_real_escape_string($firstname),
mysql_real_escape_string($lastname),
mysql_real_escape_string($email),
mysql_real_escape_string($username),
mysql_real_escape_string($password),
mysql_real_escape_string($date));
You should also listen to BoltClock and use PDO and placeholders so you don't have to worry about your quotes and escaping so much. PDO will also make it easier to switch databases.

Probably user input have a single quote character, so it will be safe to escape special character before send it as query to database, this will prevent your script from sql injection.
$query = "INSERT INTO accounts (FirstName, LastName, Email, Username, Password, LastLoginDate) VALUES ('$firstname', '$lastname', '$email','$username','$password', '$date')";

Once you have escaped your variables like suggested by other, you need to surround them with quotes if they are string varialbles :
mysql_select_db('dbname');
$query = "INSERT INTO accounts
(FirstName, LastName, Email, Username, Password, LastLoginDate)
VALUES ('". $firstname . "','". $lastname ."','" . $email . "','" .
$username . "','" . $password . "','" . $date . "')";
$result = mysql_query($query) or die(mysql_error());
echo 'Success'; mysql_close($result);
In this case i added single quotes. you shouldnt have any errors now

Categories