This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
Closed 7 years ago.
I have this mysql query:
$sql = "INSERT INTO lijsten(naam, niveau, nederlands, duits, frans, grieks,
engels, latijn, spaans, wiskunde, natuurkunde, scheikunde, geschiedenis,
economie, aardrijkskunde, ANW, godsdienst)
VALUES(\$_POST["naam"]\,\$_POST["niveau"]\,\$_POST["nederlands"]\,\$_POST["duits"]\,\$_POST["frans"]\,\$_POST["grieks"],\$_POST["engels"]\,\$_POST["latijn"]\,\$_POST["spaans"]\,\$_POST["wiskunde"]\,\$_POST["natuurkunde"]\,\$_POST["scheikunde"]\,\$_POST["geschiedenis"]\,\$_POST["economie"]\,\$_POST["aardrijkskunde"]\,\$_POST["ANW"]\,\$_POST["godsdienst"]\)";
It is sent to the database with this function:
function connectDB($sql) {
$DBcon = mysql_connect(host, user, pass) or die(mysql_error());
mysql_select_db(database);
$result = mysql_query($query) or die(mysql_error());
mysql_close($DBcon);
return $result;
But when i try to run it, it gives me a php parse error:
PHP Parse error: syntax error, unexpected 'naam' (T_STRING) in /media/usbdisk/website/www/boeken/naardb.php on line 11
Could somebody tell me what mistake i am making? I already have tried many ways of putting the query, but none of them worked.
You should never build queries like this.
This is not how you escape values
mysql_ is deprecated and you should be using prepared statements
Example in PDO:
$sql = "INSERT INTO lijsten(naam, niveau, nederlands, duits, frans, grieks,
engels, latijn, spaans, wiskunde, natuurkunde, scheikunde, geschiedenis,
economie, aardrijkskunde, ANW, godsdienst)
VALUES(:naam,:niveau .......)";
if($stmt = $pdo->prepare($sql)){
$stmt->bindValue(:naam, $_POST["naam"]);
.....
$stmt->execute();
}
There are several mistakes, but I'll start with the issue.
unexpected 'naam' (T_STRING)...
Is caused because PHP was not expecting a string there. You're escaping parts of the query, but you really just need to concatenate the $_POST variables.
I would advise setting the posts variables to their own variables to simplify your query and format the query like this answer outlines: Using php variables inside MySQL insert statement
IE: $naam = $_POST["naam"]; etc...
The biggest issue is that you're using a deprecated method, you should use PDO (Prepared) queries
PHP deprecated methods.
You should definitely look into using PDO and preparing your statement.
A couple quick reference for PDO:
http://code.tutsplus.com/tutorials/why-you-should-be-using-phps-pdo-for-database-access--net-12059
http://php.net/manual/en/book.pdo.php
Good luck!
Try to concat the variables in your query like this:
"INSERT INTO lijsten(naam, niveau, nederlands, duits, frans, grieks,
engels, latijn, spaans, wiskunde, natuurkunde, scheikunde, geschiedenis,
economie, aardrijkskunde, ANW, godsdienst)
VALUES("
.mysql_escape_string($_POST['naam']).
")";
and to read about sql injections too.
The #meda answer is the correct example of how to create SQL calls, using PDO.
Related
This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
Closed 5 years ago.
I have problem. in my database, I have a column email. When I make SQL query I get following error:
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '#gmail.com)' at line 1
This is my code:
$sql = "SELECT ID_Dijak from dijak WHERE (Email=".$mejl.")";
If I try to do query in php my admin it works if I put ' ' between my email, but how to do it in php? Thank you.
I'm sorry I made a mistake earlier... I tested this way and it should now work
$sql='SELECT ID_Dijak from dijak WHERE (Email = "' . $mejl . '")';
take datatype varchar() for email
I would suggest using a prepared statement in PHP, also to prevent injection attacks.
$stmt = $dbc->prepare("SELECT ID_Dijak from dijak WHERE Email=?");
$stmt->bind_param("s", $mejl);
$stmt->execute();
This question already has answers here:
PHP parse/syntax errors; and how to solve them
(20 answers)
Closed 6 years ago.
How can I select the 'description' row from my 'users' table? I want to just grab the description row depending on what user is logged in.
So far I have this code
$sql = "SELECT description FROM users WHERE uid="$_SESSION['uid']";
but I get this error:
Parse error: syntax error, unexpected '$_SESSION' (T_VARIABLE) in /Applications/XAMPP/xamppfiles/htdocs/login_sys/includes/profile.inc.php on line 19`
That's because your code is syntaxically wrong.
The correct code would be this:
$uid = $_SESSION['uid'];
$sql = "SELECT description FROM users WHERE uid='$uid'";
(I put the $_SESSION['uid'] in a variable to avoid the problem with lots of quotes in the query).
However, this solution is also wrong, in that you should never use a variable directly in the database like this, even when it's a session. You should read up on prepared queries, and make sure you use either mysqli_ or PDO as a database-handler in PHP.
you are getting this error beacause you are missing one " at end of query
$sql = 'SELECT description FROM users WHERE uid="$_SESSION['uid']"';
but always use prepare queries or pdo's as you query this is vulnerable to sql
injection
this should work
$sql = "SELECT description FROM users WHERE uid='$_SESSION[uid]'";
I need some help here!
I have a form on a site admin page, the owner fills in his projects and the get added to a mysql db, but sometimes the data contains single or double quotes so it won't add to the db.
I tried using addslashes but it still wont work.
Heres my code which Ive tried
$atitle = addslashes($_REQUEST['atitle']);
$acontent = addslashes($_REQUEST['acontent']);
$query = "INSERT INTO projects VALUES (NULL, '$atitle', '$acontent', '$remote_file', '$remote_file1', '$remote_file2')";
$result = mysql_query($query);
if(!$result){
$error = 'An error occured: '. mysql_error().'<br />';
$error.= 'Query was: '.$query;
echo $error;
die($message);
}
Can anyone help me with this?
mysql_query is part of an outdated php library that isn't supported anymore. The more reliable method of interacting with a database is mysqli. Using mysqli, you'll be able to use Prepared Statements. Prepared Statements are a way to validate input and to mitigate problems like this (your input having quotation ticks/marks). Take a look at this example:
$db = new mysqli("host","user","pw","database");
$stmt = $db->prepare("INSERT INTO projects VALUES (NULL, '?', '?', '?', '?','?')");
$stmt->bind_param('s', $atitle); // s means string in the first param
$stmt->bind_param('s', $acontent); // s means string in the first param
... // same for all other parameters in your query
$stmt->execute();
More on this: http://php.net/manual/en/mysqli.quickstart.prepared-statements.php
I heavily recommend using mysqli. It is current and supported. Prepared Statements are the best way to defend against SQL injections and also catching trip-ups like this. It will sanitize the input for you and account for quotation symbols.
you can try stripslashes() to un-quotes a quoted string. More details are available on the PHP documentation website here.
This question already has answers here:
Why is PDO better for escaping MySQL queries/querystrings than mysql_real_escape_string?
(6 answers)
Closed 9 years ago.
$q = "INSERT INTO articles VALUES( mysql_real_escape_string($_GET["article"]) )
$req = $bdd->prepare($q);
$req ->execute();
I've been working on another server where mysql_real_escape_string() is still not obsolete, and now I'm moving the site to another mysql server which apparently doesn't accept this function anymore. And, it's pretty clear I need to use some PDOs
SO what's the PDO equivalent for mysql_real_escape_string()? I'm trying something like this
$idc = new PDO(...);
$q = "INSERT INTO articles VALUES( $idc->quote(($_GET["article"])));
$req = $bdd->prepare($q);
$req ->execute();
I do use prepared statements, but I suspect my PDO::quote is wrong somewhere.
But it doesn't render the same result...
Thank you.
PDO::quote is the equivalent of mysql_real_escape_string. If there's some reason you can't use a prepared statement, you can use it like this:
$q = "INSERT INTO articles VALUES (" . $idc->quote($_GET["article"]) . ")";
A significant difference is that it includes the surrounding quotes around the string, while mysql_real_escape_string doesn't (so you would have to put quotes in your INSERT string).
Use prepared statements(preferred) or PDO::quote()
This question already has answers here:
Real escape string and PDO [duplicate]
(3 answers)
Closed 10 years ago.
I would like to know how to escape strings in pdo .
I have been escaping the springs like in the code bellow but now with pdo I do not know how to do it
$username=(isset($_POST['username']))? trim($_POST['username']): '';
$previlage =(isset($_GET['previlage']));
$query ="SELECT * FROM site_user
WHERE username = '".mysql_real_escape_string($_SESSION['username'])."' AND previlage ='Admin'";
$security = mysql_query($query)or die (mysql_error($con));
$count = mysql_num_rows($security);
Well, you can use PDO::quote, but, as said in its own docpage...
If you are using this function to build SQL statements, you are
strongly recommended to use PDO::prepare() to prepare SQL statements
with bound parameters instead of using PDO::quote() to interpolate
user input into an SQL statement.
In your case it can look like this:
$query = "SELECT *
FROM site_user
WHERE username = :username AND previlage = 'Admin'";
$sth = $dbh->prepare($query);
$sth->execute(array(':username' => $_SESSION['username']) );
mysql_* function will not work in PDO. WHY? Because PDO doesnt use mysql to connect to a databases, as far as input sanitization, PDO uses prepared statements you can find a good tutorial for that here: pdo