IP address not being saved to database using MySQLi [duplicate] - php

This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
Closed 6 years ago.
I tried to create a script which will save all the IP addresses that come to my website (for AdWords checking purposes). However, when I try, the code doesn't save to the database at all. Here is the code:
<?php
session_start();
// Create connection
$mysqli = new mysqli("localhost", "hashmicr_admineq", "monkeycool100", "hashmicr_sessionchecker");
date_default_timezone_set('Asia/Singapore');
$date = date("Y-m-d H:i:s");
$query = "INSERT INTO sessioncheck(ipaddress,date) VALUES (".$_SERVER['SERVER_ADDR'].", ".$date.")";
$mysqli->query($query);
/* close connection */
$mysqli->close();
?>
This is placed on the top of the PHP page.
Did I miss any steps?

You need to add single quotes, as both field values contain non-numeric characters (other than 0-9).
Only numeric values can be inserted without single quotes.
Corrected SQL:
$query = "INSERT INTO sessioncheck(ipaddress,date)
VALUES ('".$_SERVER['SERVER_ADDR']."', '".$date."')";
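
A parameterized version of the insert, as an added example that is not part of the original answer: it turns on mysqli exceptions so a failed query no longer passes silently, and binds both values so quoting stops mattering. DB_USER, DB_PASSWORD, DB_NAME and the logVisit helper are placeholders; REMOTE_ADDR (the connecting client) is used on the assumption that the visitor's address is wanted, since SERVER_ADDR is the server's own address.

```php
<?php
// Added example. Host, user, password and database name are placeholders.
// Make mysqli throw on any failure (before PHP 8.1 the default was to stay
// silent), so a rejected query cannot go unnoticed.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Hypothetical helper: stores one visit and returns the number of rows written.
function logVisit(mysqli $db, string $ip, string $when): int
{
    // Reject anything that is not a well-formed IPv4/IPv6 address.
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        throw new InvalidArgumentException('not an IP address');
    }
    // Backticks quote identifiers (column names) in MySQL; the values are
    // bound as parameters and take no quotes at all.
    $stmt = $db->prepare('INSERT INTO sessioncheck (ipaddress, `date`) VALUES (?, ?)');
    $stmt->bind_param('ss', $ip, $when);
    $stmt->execute();
    $rows = $stmt->affected_rows;
    $stmt->close();
    return $rows;
}

try {
    $db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
    $db->set_charset('utf8mb4');
    date_default_timezone_set('Asia/Singapore');
    logVisit($db, $_SERVER['REMOTE_ADDR'] ?? '', date('Y-m-d H:i:s'));
    $db->close();
} catch (Throwable $e) {
    // Record the reason server-side; do not echo database errors to visitors.
    error_log('visit logging failed: ' . $e->getMessage());
}
```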

Related

PHP MySQL Statement not working, no errors [duplicate]

This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
How can I prevent SQL injection in PHP?
(27 answers)
Closed 3 years ago.
I'm working on a website, and I have encountered a strange MySQL behaviour. I'm trying to use a MySQL UPDATE query with multiple WHERE clauses.
$name = $_POST['username'];
$updatequery1 = "UPDATE OTP SET 'Project' = 'ANETSignupUsed' WHERE Name = '$name' AND HashedOTP = '$hashedotp' ";
$sqlconnection->query($updatequery1);
die("DONE");
Note that I've already defined $hashedotp.
When I try doing the same thing in MySQL Console it works pretty well, and I've made sure that the user used to define $sqlconnection has Update rights.
I've tried the solutions described here and here.
I've spent hours searching about it, but to no avail.
Thanks a lot in advance!
Try this: remove the single quotes from your query.
$updatequery1 = "UPDATE OTP SET Project = 'ANETSignupUsed' WHERE Name = '$name' AND HashedOTP = '$hashedotp' ";

need to understand why quotes are needed for variables when passing its values through mysql query [duplicate]

This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
Closed 4 years ago.
So I'm a beginner with PHP, and currently, I'm studying MySQL right now, and I'm having trouble with this particular code.
$connection = mysqli_connect('localhost','root','','loginapp');
$username = $_POST['username'];
$password = $_POST['password'];
$query = "INSERT INTO users(username,password) VALUES ('$username','$password')";
$result = mysqli_query($connection,$query);
if ($result)
echo 1;
else if(!$result)
echo 0;
*Basically it echoes 1 if the username and password have been transferred to the database successfully, and 0 when it doesn't.
If I remember correctly, you only use quotes ' ' for strings and when passing variables, you don't need to encase them with ' or ". So, I tried removing the quotes from the variables in VALUES($username,$password) and it starts to echo 0 instead. Can anyone provide me an explanation as to why the variables have to be enclosed with ' or " inside the VALUES so I'd have a better understanding of how it works?
Your password and username fields must be strings in MySQL, so you'll need to put them between quotes in the query.
I suggest you take a look at prepared statements too; it will be a better way to do this query.

SQL add to already existing value [duplicate]

This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
Closed 4 years ago.
I have a value in my MySQL database. All I want to do is to increase the current value with a new one. This is what I have tried:
} elseif ($gametype == "veckanskluring"){
$sql = "UPDATE users SET veckanskluring='veckanskluring'+'$score' WHERE id='$id'";
$retval = mysql_query( $sql, $link );
echo "GAME == $gametype";
}
But for some odd reason, this won't work.
I have searched online and found examples, but they all look, almost exactly the same as my code.
// Sidenote this is not the whole code, obviously.
Everything except the part where I add the new value to the old value works, and if I remove 'veckanskluring'+ it updates without any problems.
I strongly believe something is wrong with this part - 'veckanskluring'+ as the other part works fine.
//NOTE2 score is always 999, just have it set to $score if I want to change it later.
UPDATE -
My fault, apparently I had put '' around veckanskluring.
$sql = "UPDATE users SET veckanskluring=veckanskluring +'$score' WHERE id='$id'"; <-- Working.
Assuming that $score and $id are numbers, you should not use single quotes around these vars,
and assuming that veckanskluring is a column name, you must not use single quotes around the column name:
"UPDATE users SET veckanskluring= veckanskluring +$score WHERE id=$id";
But the use of PHP vars in SQL is deprecated; you are at risk of SQL injection. Take a look at your MySQL driver for binding params.

Insert special characters into DB [duplicate]

This question already has answers here:
UTF-8 all the way through
(13 answers)
Closed 7 years ago.
I'm trying to insert the following string into my database: "è", but each time I try, nothing is added to the database. This is the code that I use to insert.
$string = mysql_real_escape_string($_REQUEST['string_passed']);
$query = "UPDATE my_table SET my_field = '$string' WHERE id = '$id'";
In my connection.inc.php file I have the following code.
mysql_connect("localhost", "root", "") or die("Problem: ".mysql_error());
mysql_select_db("my_db") or die("Poblem: ".mysql_error());
mysql_query('SET NAMES utf8');
I know I can insert $string using htmlentities, but is there any other solution?
mysql_real_escape_string: "Escapes special characters in a string for use in an SQL statement." That is what you will see in its manual page. (By the way, it is deprecated in PHP 5.5; use mysqli::real_escape_string.)

How to store the apostrophe into MySQL database from user input? [duplicate]

This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 9 years ago.
I have a simple comments page: a user enters text into a textarea and then hits the comment button to send the comment to a PHP page:
<?php
$reply = strip_tags($_POST['reply']);
$comment_id = strip_tags($_POST['id']);
$id = strip_tags($_POST['user_id']);
$date = strip_tags($_POST['date']);
$time = strip_tags($_POST['time']);
$server_root = "./";
if(file_exists("{$server_root}include-sql/mysql.class.php"))
{
include_once("{$server_root}include-sql/mysql.class.php");
}
include_once("{$server_root}config.php");
$db1;
$db1 = new db_mysql($conf['db_hostname'],
$conf['db_username'],
$conf['db_password'],
$conf['db_name']);
$db1->query("SET NAMES utf8");
$current_server_date = date('Y-m-d H:i:s');// Your local server time
date_default_timezone_set('Asia/Istanbul');
$current_pc_date = date('Y-m-d H:i:s');
$sql = $db1->query(
'INSERT INTO replies1 (reply, comment_id, date, time, timestamp, user_id)
VALUES ("$reply", $comment_id, "$date", "$time", "$current_pc_date", $id)');
?>
The problem is: when a user enters any comment with an apostrophe, it is not stored in the database. Why does that happen? Is something wrong with my code? I added everything, the double quotes and strip_tags. Did I miss something?
You should escape all input which is coming directly from the user with mysqli_real_escape_string()!
Otherwise it's not only not working properly, but it's also highly unsafe against hacker attacks (MySQL injection).
The strip_tags() seems unnecessary.
Instead, you should either escape the DB input appropriately or use prepared statements in the first place.
As you hide your MySQL implementation in a class of your own, I don't see how you implement these. How to escape or to prepare depends on the MySQL interface you use.
Keep in mind that mysql_*() is deprecated. You should either use mysqli or PDO.
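
The prepared-statement route suggested above, as an added example that is not from the original answers and does not use the asker's db_mysql class: PDO binds the comment text as data, so apostrophes and other SQL punctuation are stored unchanged. The storeReply helper, the reduced table layout and the in-memory SQLite DSN (chosen so the script runs without a server; a mysql: DSN takes the same calls) are assumptions.

```php
<?php
// Added example. SQLite in memory is used only so the script runs without a
// database server; for MySQL, swap the DSN for a "mysql:host=...;dbname=..." one.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed schema, reduced from the replies1 table in the question.
$pdo->exec('CREATE TABLE replies1 (id INTEGER PRIMARY KEY, reply TEXT,
            comment_id INTEGER, user_id INTEGER)');

// Hypothetical helper: inserts one reply and returns its new row id.
function storeReply(PDO $pdo, string $reply, $commentId, $userId): int
{
    // Numeric ids are validated as integers instead of being pasted into SQL.
    $commentId = filter_var($commentId, FILTER_VALIDATE_INT);
    $userId = filter_var($userId, FILTER_VALIDATE_INT);
    if ($commentId === false || $userId === false) {
        throw new InvalidArgumentException('comment_id and user_id must be integers');
    }
    $stmt = $pdo->prepare(
        'INSERT INTO replies1 (reply, comment_id, user_id)
         VALUES (:reply, :comment_id, :user_id)'
    );
    $stmt->bindValue(':reply', $reply, PDO::PARAM_STR);
    $stmt->bindValue(':comment_id', $commentId, PDO::PARAM_INT);
    $stmt->bindValue(':user_id', $userId, PDO::PARAM_INT);
    $stmt->execute();
    return (int) $pdo->lastInsertId();
}

// Constructed inputs: plain apostrophes, then mixed quotes and SQL punctuation.
$samples = ["It's a great post, isn't it?", "She said \"it's fine\"; -- really"];
foreach ($samples as $text) {
    $id = storeReply($pdo, $text, '7', '42');
    $read = $pdo->prepare('SELECT reply FROM replies1 WHERE id = ?');
    $read->execute([$id]);
    $stored = $read->fetchColumn();
    // The text comes back byte for byte because it was never parsed as SQL.
    echo ($stored === $text ? 'stored intact: ' : 'MISMATCH: ') . $stored . PHP_EOL;
}
```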
