How do I concatenate single quotes in php? - php

I'm trying to create a simple SQL statement in my PHP file to insert two values into the database. It's throwing the error I implemented for non-valid SQL statements, and I believe it's because the VALUES( ) part is wrong. How do I concatenate the single quotes for the SQL statement? The database values should be varchars.
$sql = "INSERT INTO visitor_log_marcusw1(email_user, email_provider) "
. "VALUES ('".$email_user."' , '".$email_provider."')";
mysqli_query($con, $sql);
if (mysqli_query($conn, $sql)) {
echo "New record created successfully";
} else {
echo "Error: " . $sql . "<br>" . mysqli_error($conn);
}

if (mysqli_query($conn, $sql)) {
Replace this with
if (mysqli_query($con, $sql)) {
$con not $conn

Try this:
$sql = "INSERT INTO visitor_log_marcusw1 (email_user, email_provider) VALUES ('{$email_user}' , '{$email_provider}')";
Also, there seems to be a typo in the connection name ($conn vs $con).

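Use the mysql function mysql_real_escape_string($php_variable):
// The function has to be called outside the string literal; inside double quotes it is not executed.
// (mysql_* functions exist only up to PHP 5; with the question's mysqli connection the counterpart is mysqli_real_escape_string($con, $value).)
$sql = "INSERT INTO visitor_log_marcusw1(email_user, email_provider) \n"
. "VALUES ('" . mysql_real_escape_string($email_user) . "', '" . mysql_real_escape_string($email_provider) . "')";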
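An added example, not part of the question or its answers: the concatenated statement next to a prepared statement, run against a value that contains an apostrophe. It assumes PDO with an in-memory SQLite database in place of the MySQL server so it runs offline; the function names are hypothetical and the sample address is constructed.

```php
<?php
// Added example. Assumption: an in-memory SQLite database stands in for MySQL;
// the table and column names are the ones from the question.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE visitor_log_marcusw1 (email_user TEXT, email_provider TEXT)');

// Constructed sample input: a valid address whose local part has an apostrophe.
[$email_user, $email_provider] = explode('@', "o'brien@example.com", 2);

// Concatenated form: the value becomes part of the SQL text.
function insertConcatenated(PDO $pdo, string $user, string $provider): bool
{
    $sql = "INSERT INTO visitor_log_marcusw1 (email_user, email_provider) "
         . "VALUES ('" . $user . "', '" . $provider . "')";
    try {
        $pdo->exec($sql);
        return true;
    } catch (PDOException $e) {
        return false; // the apostrophe closed the string literal early
    }
}

// Bound form: the SQL text is fixed and the values are sent separately.
function insertBound(PDO $pdo, string $user, string $provider): bool
{
    $stmt = $pdo->prepare(
        'INSERT INTO visitor_log_marcusw1 (email_user, email_provider) VALUES (?, ?)'
    );
    return $stmt->execute([$user, $provider]);
}

$broken = insertConcatenated($pdo, $email_user, $email_provider);
$stored = insertBound($pdo, $email_user, $email_provider);
$saved  = $pdo->query('SELECT email_user FROM visitor_log_marcusw1')->fetchColumn();

echo 'concatenated insert succeeded: ', var_export($broken, true), PHP_EOL;
echo 'bound insert succeeded: ', var_export($stored, true), PHP_EOL;
echo 'stored value unchanged: ', var_export($saved === $email_user, true), PHP_EOL;
```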

Related

How can I write information to two database tables from one "if" statement?

I wish to post the user's entered information into two different tables in the same database. However, my code does not seem to work; it only writes into the second table that I have asked it to write to. Why won't it write to the first table as well?
if ($_POST['entereddetail']) {
$sql = "INSERT INTO firsttable (thedetail, date)
VALUES ('". $_POST['entereddetail'] ."', NOW())";
$sql = "INSERT INTO secondtable (thedetail, code, branch, user, date)
VALUES ('". $_POST['entereddetail'] ."','". $_POST['codedetail'] ."', '', '', NOW())";
if(mysqli_query($conn, $sql)){
echo "Records inserted successfully.";
} else{
echo "ERROR: Could not execute $sql. " . mysqli_error($link);
}
}
I know my code could be subject to SQL injection. I am only learning the basics at the moment and will deal with security afterwards, as I am new to SQL and databases. My branch and users fields are also left blank as I will be dealing with them later.
That's because you're overwriting your $sql variable.
Adapt your code like this:
$sql = "INSERT INTO firsttable (thedetail, date)
VALUES ('". $_POST['entereddetail'] ."', NOW());";
$sql .= "INSERT INTO secondtable (thedetail, code, branch, user, date)
VALUES ('". $_POST['entereddetail'] ."','". $_POST['codedetail'] ."', '', '', NOW());";
Notice: If you look closely, you'll see a ; at the end of the SQL statements. The .= will combine the two $sql variables into one string of two MySQL statements.
You're only executing the second query...
if ($_POST['entereddetail']) {
    // Run the first insert before $sql is reused for the second one.
    $sql = "INSERT INTO firsttable (thedetail, date)
    VALUES ('". $_POST['entereddetail'] ."', NOW())";
    if ( mysqli_query($conn, $sql) ) {
        $sql = "INSERT INTO secondtable (thedetail, code, branch, user, date)
        VALUES ('". $_POST['entereddetail'] ."','". $_POST['codedetail'] ."', '', '', NOW())";
        if(mysqli_query($conn, $sql)){
            echo "Records inserted successfully.";
        } else{
            echo "ERROR: Could not execute $sql. " . mysqli_error($conn);
        }
    }
    else{
        echo "ERROR: Could not execute $sql. " . mysqli_error($conn);
    }
}
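An added example, not part of the answers above: one way to write both inserts with bound parameters inside a transaction, so that either both rows are stored or neither is. The helper name insertDetail is hypothetical, $conn is assumed to be an open mysqli connection, and the tables are assumed to use a transactional engine such as InnoDB.

```php
<?php
// Added example: table and column names come from the question; the helper
// name insertDetail() is hypothetical and $conn is assumed to be an open
// mysqli connection to a database whose tables use InnoDB.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // SQL errors throw

function insertDetail(mysqli $conn, string $detail, string $code): void
{
    $conn->begin_transaction();
    try {
        // Placeholders keep the submitted values out of the SQL text, so a
        // quote in the input cannot end the string literal.
        $first = $conn->prepare(
            'INSERT INTO firsttable (thedetail, `date`) VALUES (?, NOW())'
        );
        $first->bind_param('s', $detail);
        $first->execute();

        $second = $conn->prepare(
            "INSERT INTO secondtable (thedetail, code, branch, `user`, `date`)
             VALUES (?, ?, '', '', NOW())"
        );
        $second->bind_param('ss', $detail, $code);
        $second->execute();

        $conn->commit();
    } catch (mysqli_sql_exception $e) {
        $conn->rollback(); // the first row is undone if the second insert fails
        throw $e;          // log this server-side instead of echoing the SQL
    }
}

// Usage with the form fields from the question.
if (($_POST['entereddetail'] ?? '') !== '') {
    insertDetail($conn, $_POST['entereddetail'], $_POST['codedetail'] ?? '');
    echo 'Records inserted successfully.';
}
```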

PHP/mySQL: INSERT INTO is not posting the correct values

I try to insert some values from a form into my database with this code:
<?php
$link = mysqli_connect("myHost", "myUsername", "myPW", "myDB");
// Check connection
if($link === false){
die("ERROR: Could not connect. " . mysqli_connect_error());
}
// Escape user inputs for security
$name1 = mysqli_real_escape_string($link, $_REQUEST['plannercolumn1']);
$name2 = mysqli_real_escape_string($link, $_REQUEST['plannercolumn2']);
$name3 = mysqli_real_escape_string($link, $_REQUEST['plannercolumn3']);
$name4 = mysqli_real_escape_string($link, $_REQUEST['plannercolumn4']);
$name5 = mysqli_real_escape_string($link, $_REQUEST['plannercolumn5']);
$name6 = mysqli_real_escape_string($link, $_REQUEST['plannercolumn6']);
// attempt insert query execution
$sql = "INSERT INTO anmeldungen (FR_PM) VALUES ('$name1')";
$sql = "INSERT INTO anmeldungen (SA_AM) VALUES ('$name2')";
$sql = "INSERT INTO anmeldungen (SA_PM) VALUES ('$name3')";
$sql = "INSERT INTO anmeldungen (SO_AM) VALUES ('$name4')";
$sql = "INSERT INTO anmeldungen (SO_PM) VALUES ('$name5')";
$sql = "INSERT INTO anmeldungen (MO_AM) VALUES ('$name6')";
if(mysqli_query($link, $sql)){
echo "Name ", $name1, " erfolgreich eingetragen. Wir freuen uns auf dich!";
} else{
echo "ERROR: Could not able to execute $sql. " . mysqli_error($link);
}
// close connection
mysqli_close($link);
?>
When I submit the form, it's creating a new row, but it's not inserting any values in all of the columns, but the column MO_AM. Is there a fault in my PHP?
Your query should look like:
// One INSERT with six columns and six matching values, in the same order.
$sql = "INSERT INTO anmeldungen
(FR_PM,SA_AM,SA_PM,SO_AM,SO_PM,MO_AM)
VALUES ('$name1','$name2','$name3','$name4','$name5','$name6')";
Are you sure that the $name variables have values?
Your SQL Query should be:
$sql = "INSERT INTO `anmeldungen`(`FR_PM`,`SA_AM`,`SA_PM`,`SO_AM`,`SO_PM`,`MO_AM`)
VALUES ('$name1','$name2','$name3','$name4','$name5','$name6')";
Though you shouldn't be using $variable as the insert; you should look to binding these to prevent SQL injections.
What you did just overwrites the query. You can insert multiple values into the same table.
Change your query:-
EDIT:
If you use multiple lines for the query it should look like this.
Also when you append the variable.
$sql = 'INSERT INTO anmeldungen (FR_PM,SA_AM,SA_PM,...)'
.' VALUES ('.$name1.','.$name2.','. .... .)'
;

session error-value fail to insert into DB

I have PHP code that inserts a session value into the database, but I get this error when trying to insert: Error: INSERT INTO tbale name (amount,bankname) VALUES ( 20000.00,gtbank)
Unknown column 'gtbank' in 'field list'. The session has the value GTBANK.
Below is my code that inserts the session value into the database:
<?php
session_start(); {
//Include database connection details
include('../../dbconnect.php');
if($_SESSION["bn"]) {
}
$amount = strip_tags($_POST['cat']);
$field1amount = $_POST['cat'];
$field2amount = $field1amount + ($field1amount*0.5);
$sql = "INSERT INTO provide_help (amount,bankname) VALUES ( $field1amount,".$_SESSION['bn'].")";
if (mysqli_query($conn, $sql))
$sql = "INSERT INTO gh (ph_id, amount) VALUES (LAST_INSERT_ID(), $field2amount)";
if (mysqli_query($conn, $sql))
{
$_SESSION['ph'] ="<center><div class='alert alert-success' role='alert'>Request Accepted.</div></center>";
header("location: PH.php");
} else {
echo "Error: " . $sql . "<br>" . mysqli_error($conn);
}
mysqli_close($conn);
}
?>
Anyone who can help, please? Thanks.
The bankname field is of type varchar, I think, so you need to pass the string with quotes ''. See below; your code should be like this.
$sql = "INSERT INTO provide_help (amount,bankname)
VALUES ( $field1amount,'".$_SESSION['bn']."')";
When inserting a string (bankName) into the database, it should be wrapped in quotes.
Use this:
$sql = "INSERT INTO provide_help (amount,bankname) VALUES ( $field1amount,'".$_SESSION['bn']."')";
// ^ ^ --- Single quote added
I would suggest using bind_params like the following:
$stmt = $conn->prepare("INSERT INTO provide_help (amount,bankname) VALUES (?, ?)");
$stmt->bind_param("ds", $field1amount, $_SESSION['bn']);
if ($stmt->execute()){
// handle success
} else {
// handle error
}
The argument may be one of four types while binding:
i - integer
d - double
s - string
b - BLOB

SQL error inserting into table

I keep getting this error in my php. It worked fine when I hard set the values but doesn't seem to work with variables.
Error: INSERT INTO ContactUS (name, email, subscribed) VALUES (TEST, my#email.com, 1)
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Anis, my#email.com, 1)' at line 1
// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
$sql = "INSERT INTO ContactUS (name, email, subscribed) VALUES ($name, $email, $subscribed)";
if ($conn->query($sql) === TRUE) {
echo "New record created successfully";
} else {
echo "Error: " . $sql . "<br>" . $conn->error;
}
Values should be quoted:
$sql = "INSERT INTO ContactUS (name, email, subscribed) VALUES ('$name', '$email', '$subscribed')";
Perhaps it's better to use prepared statements as this is done automatically for you and you won't be vulnerable to SQL injections.
Use quotes around variables, as PHP will replace its value, leaving an invalid query:
$sql = "INSERT INTO ContactUS (name, email, subscribed) VALUES ('$name', '$email', '$subscribed')";
But please use prepared statements; otherwise you'll be a victim of SQL injection.

html insertion in sql table

I'm trying to insert a value into my SQL table that has HTML in it, as follows:
<?
$story ="<div class='post'><p class='date'>$mont<b>$day</b></p><h2 class='title'>lkjljt</h2><p class='meta'><small>Posted $name | $school, $date | Rating</small></p><div class='entry'>$message</div></div>";
$db = mysql_connect("host", "user", "password");
mysql_select_db("db", $db);
if (!$db)
{
die('Could not connect: ' . mysql_error());
}
$sql = "INSERT INTO Post VALUES ('', '$date', '$time', '$story', '$school','$location', '$sex', '$zipcode', '$name');";
$result = mysql_query($sql);
if($result)
{ $success = " Your hookup has been submitted ";}
else{
$error = "something went horribly wrong" . mysql_error();}
?>
I keep getting a syntax error when I submit this page, and if I comment $story out, the query runs fine. How can I fix this?
The most likely reason is that $story contains single quotes, which will break the query.
Protect it using mysql_real_escape_string
In general, this is a bad idea as it is open to SQL injection.
$sql = "INSERT INTO Post VALUES ('', '$date', '$time', '$story',
'$school','$location', '$sex', '$zipcode', '$name');";
At least, use mysql_real_escape_string which will protect the input for characters that have special meaning in a MySQL query. Use it on all textual columns.
$sql = "INSERT INTO Post VALUES ('', '$date', '$time', '" .
mysql_real_escape_string($story) . "','".
mysql_real_escape_string($school) . "','".
mysql_real_escape_string($location) . "', '$sex', '$zipcode', '" .
mysql_real_escape_string($name) ."');";
If you didn't care about SQL injection (though I don't know why you wouldn't), you could also use htmlspecialchars to fix your problem. mysql_real_escape_string is obviously the better choice though, like @cyberkiwi said.
