SQLSTATE[42000]: Syntax error while syntax is OK - php

I'm really puzzled by an error that comes from my simple insert. I've checked the syntax many times with different checkers and searched for similar troubles but haven't found a solution.
The Error looks like this:
'SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' , , , , , , , , , , , , , , )' at line 1' in
And my code is basically this:
$yhteys = new PDO('mysql:host=localhost;dbname=XXXX', 'YYYY', 'ZZZZ');
$kysely = $yhteys->prepare("INSERT INTO hakija (Kutsumanimi, Etunimet, Sukunimi, SyntymAika, Syntymapaikka, Sahkoposti, Puhelinnumero, Postiosoite, Postinumero, Postitoimipaikka, Maa, Suosittelija, IPos, Lahetysaika, Vapaa_sana, Sosme) VALUES ($nimi, $etunimet, $sukunimi, $saika, $spaikka, $email, $puhelin, $osoite, $postinro, $postitmp, $maa, $suosittelija, $IPos, $lahetysaika, $vapaasana, $sosme)");
$kysely->execute();
If I use this INSERT directly via phpMyAdmin, it works, but from php.. Can anyone help me out?
PHP: native (5.4)
MySQL 5.6

You should use prepared statements. It will prevent SQL injections and you won't have to deal with variable types.
$yhteys = $dbh->prepare("INSERT INTO hakija (Kutsumanimi, Etunimet,...) VALUES (:kutsumanimi, :ktunimet, ...)");
$yhteys ->bindParam(':kutsumanimi', $kutsumanimi);
$yhteys ->bindParam(':ktunimet', $ktunimet);
...
$yhteys ->execute();
Have a look here : http://php.net/manual/en/pdo.prepared-statements.php

If the values you are inserting are strings, you need to enclose them in quotes
$kysely = $yhteys->prepare("INSERT INTO hakija (Kutsumanimi, Etunimet, Sukunimi, SyntymAika, Syntymapaikka, Sahkoposti, Puhelinnumero, Postiosoite, Postinumero, Postitoimipaikka, Maa, Suosittelija, IPos, Lahetysaika, Vapaa_sana, Sosme) VALUES ('$nimi', '$etunimet', '$sukunimi', '$saika', '$spaikka', '$email', '$puhelin', '$osoite', '$postinro', '$postitmp', '$maa', '$suosittelija', '$IPos', '$lahetysaika', '$vapaasana', '$sosme')");
If the values are integers, you can skip the quotes.
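
The placeholder approach from the first answer, written out for the question's full column list as an added example (not code from either poster). It assumes an in-memory SQLite database in place of MySQL so that it runs without a server, and the form values are constructed.

```php
<?php
// Added example. SQLite in memory stands in for MySQL; only the DSN would change.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Column names are the ones from the question's INSERT.
$columns = ['Kutsumanimi', 'Etunimet', 'Sukunimi', 'SyntymAika', 'Syntymapaikka',
            'Sahkoposti', 'Puhelinnumero', 'Postiosoite', 'Postinumero',
            'Postitoimipaikka', 'Maa', 'Suosittelija', 'IPos', 'Lahetysaika',
            'Vapaa_sana', 'Sosme'];
$pdo->exec('CREATE TABLE hakija (' . implode(' TEXT, ', $columns) . ' TEXT)');

// Constructed form input: mostly empty fields plus one value with an apostrophe.
$form = array_fill_keys($columns, '');
$form['Kutsumanimi'] = 'Matti';
$form['Sukunimi'] = "O'Reilly";

// What the question's code sends: values pasted into the SQL text, unquoted.
function interpolatedSql(array $columns, array $form): string
{
    return 'INSERT INTO hakija (' . implode(', ', $columns) . ') VALUES ('
         . implode(', ', $form) . ')';
}

// Placeholder form: the SQL text is fixed and the values travel separately.
function insertHakija(PDO $pdo, array $columns, array $form): int
{
    $names = array_map(function ($c) { return ':' . $c; }, $columns);
    $stmt = $pdo->prepare('INSERT INTO hakija (' . implode(', ', $columns)
          . ') VALUES (' . implode(', ', $names) . ')');
    foreach ($columns as $c) {
        $stmt->bindValue(':' . $c, $form[$c], PDO::PARAM_STR);
    }
    $stmt->execute();
    return $stmt->rowCount();
}

// Print the statement text the server would have to parse in the interpolated case.
echo interpolatedSql($columns, $form), "\n";

// Insert the same data through placeholders and read one value back.
echo insertHakija($pdo, $columns, $form), " row(s) inserted\n";
echo $pdo->query('SELECT Sukunimi FROM hakija')->fetchColumn(), "\n";
```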

Related

Why does Explicitly putting Null on sql statement yields SQLSTATE[42000] error?

Because putting NULLs inside the variables gives a headache here in PHP, I resorted to explicitly putting NULL in the prepared statement.
The script is a CSV upload script that originally came from here: Import CSV into MySQL
$linemysql = implode("','",$linearray);
$linemysql = "'".$linemysql."'";
$sql="SELECT * FROM `".$tblmei."` WHERE `".$shuHint."` = ".$linearray[0];
$stmt = $setsu->query($sql);
$rwCnt=$stmt->rowCount();
if ($rwCnt==0){
    $fumeiKazu=substr_count($linemysql,"'Unknown'");
    echo "<br>fumeiKazu=".$fumeiKazu;
    if ($fumeiKazu==1)
    {
        $fumeiPos=mb_strpos($linemysql,"'Unknown'");
        $l1=mb_substr($linemysql,0, $fumeiPos);
        echo "<br>l1=".$l1;
        $sfumeiPos=$fumeiPos+9;
        echo "<br>sfumeiPos=".$sfumeiPos;
        $l2=mb_substr($linemysql,$sfumeiPos);
        echo "<br>l2=".$l2;
        echo "<br>".$l1.NULL.$l2;
        $tsuika = $setsu->prepare("INSERT INTO ".$tblmei." VALUES (".$l1.NULL.$l2.")");
        $tsuika->execute();
        $dataHaitaKazu++;
    }
}
The idea of this PHP script block is that when it finds Unknown, it posts it as NULL as the row's Risk during the query.
I made sure the Risk column in the table structure in phpMyAdmin accepts null and the default is null.
This is what I came up with:
$tsuika = $setsu->prepare("INSERT INTO ".$tblmei." VALUES (".$l1.NULL.$l2.")");
And it yields this error:
SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ',,'testArea','0')' at line 1' in
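
PHP's NULL concatenated into a string contributes nothing, which is why the statement above reaches MySQL with an empty ,, slot. The following added example (not the poster's script) binds a real null through placeholders instead; the table name hazards, its columns and the CSV line are hypothetical, and SQLite in memory stands in for MySQL.

```php
<?php
// Added example. SQLite in memory stands in for MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Hypothetical table: the question does not show its schema.
$pdo->exec('CREATE TABLE hazards (id INTEGER, risk TEXT NULL, area TEXT, level TEXT)');

// Table names cannot be bound as parameters, so they are checked against a list.
$allowedTables = ['hazards'];

function insertCsvRow(PDO $pdo, array $allowedTables, string $table, array $row): void
{
    if (!in_array($table, $allowedTables, true)) {
        throw new InvalidArgumentException("unexpected table: $table");
    }
    // 'Unknown' becomes a real PHP null; every other field stays a string.
    $values = array_map(function ($v) { return $v === 'Unknown' ? null : $v; }, $row);
    // One "?" per field, so the SQL text never contains the data itself.
    $marks = implode(', ', array_fill(0, count($values), '?'));
    $stmt = $pdo->prepare("INSERT INTO $table VALUES ($marks)");
    foreach (array_values($values) as $i => $v) {
        // Positional parameters are numbered from 1.
        $stmt->bindValue($i + 1, $v, $v === null ? PDO::PARAM_NULL : PDO::PARAM_STR);
    }
    $stmt->execute();
}

// Constructed CSV line, already split into fields.
$line = explode(',', '7,Unknown,testArea,0');
insertCsvRow($pdo, $allowedTables, 'hazards', $line);

// Read the row back: risk is a database NULL, not the string 'NULL' or ''.
$stored = $pdo->query('SELECT risk, area FROM hazards WHERE id = 7')->fetch(PDO::FETCH_ASSOC);
var_dump($stored['risk'] === null, $stored['area']);
```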

Mysql Query Displays an error in SQL syntax when it's right

I got sick of this error. I'm pretty sure it works with '$_POST[name]' but sql doesn't accept it.
It gives me the error saying: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ')' at line 2
$syn = mysql_real_escape_string($_POST['syn']);
$fore = mysql_real_escape_string($_POST['fore']);
$localfore = mysql_real_escape_string($_POST['localfore']);
$save = mysql_query("INSERT INTO tblforecast (Issued,Valid,Synopsis,Forecast,Local_Forecast,Station11,Station12,Station13,Station14,Station15,Station16,Station17,Station18,Station19,Forecaster)
VALUES (now(),'24','$syn','$fore','$localfore','sample','$sample','sample','sample','sample','sample','sample','sample','sample',$id)");
What's going on?
PS. Line 2 points at the start of VALUES
Try this
$sql = "INSERT INTO tblforecast (Issued,Valid,Synopsis,Forecast,Local_Forecast,Station11,Station12,Station13,Station14,Station15,Station16,Station17,Station18,Station19,Forecaster)
VALUES ('{$datetime}',24,'{$_POST['syn']}','{$_POST['fore']}','{$_POST['localfore']}','sample','sample','sample','sample','sample','sample','sample','sample','sample',$id)";
echo $sql;
$save = mysql_query($sql);
It is very bad practice to save POST data directly. Instead you can use $syn = mysql_real_escape_string($_POST['syn']); and put $syn into your SQL query.
If you write the query in a more readable way, you can spot some mistakes:
INSERT INTO
tblforecast
(
Issued
,Valid
,Synopsis
,Forecast
,Local_Forecast
,Station11
,Station12
,Station13
,Station14
,Station15
,Station16
,Station17
,Station18
,Station19
,Forecaster
) VALUES (
'$datetime'
,24
,'$_POST[syn]'
,'$_POST[fore]'
,'$_POST[localfore]'
,'sample'
,'$sample]' // <-- is that supposed to be there?
,'sample'
,'sample'
,'sample'
,'sample'
,'sample'
,'sample'
,'sample'
,$id // <-- where are the closing brackets?

PHP - MySQL Transaction execution error

$tran = "START TRANSACTION;";
$tran_res = mysql_query($tran);
$qry_1 = "INSERT INTO docList (doc_ip , doc_country , doc_ref) VALUES ('$ip' , '$country' , '$http_ref');";
$res_1 = mysql_query($qry_1);
if(!$res_1)
die ("qry1 fail " . mysql_error() );
$ins_id = mysql_insert_id();
if(!$ins_id)
die ("ins id fail " . mysql_error() );
echo "<b>$ins_id</b>";
$qry_2 = "INSERT INTO docContent (doc_id , cont_date , cont_title , cont_aim , cont_obj , cont_theory , cont_sw , cont_code) VALUES ('$ins_id' , '$dt' , '$title' , '$aim' , '$obj' , '$th' , '$sw' , '$code');";
$res_2 = mysql_query($qry_2);
if(!$res_2)
die("qry2 fail " . mysql_error() );
The execution of above is returning the following error:
2 qry fail You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'login'); if($query->num_rows()>0) return $query->result_array(); } ' at line 1
In effect the execution of $qry_2 is failing, but I am perplexed by the error it is showing (there is no such code on line 1 as mentioned in the error note). Moreover, the query ($qry_2) executes properly in the MySql console.
Output the contents of $qry_2 to see the actual SQL statement being executed. Most likely you've got SQL injection vulnerabilities, and one of the variables you're inserting contains at least ' somewhere, causing the syntax error.
e.g. if you have
$var = "O'Reilly";
$sql = "INSERT INTO names (name) VALUES ('$var')";
you'll end up with
INSERT INTO names (name) VALUES ('O'Reilly');
which will be interpreted as:
'O' - string containing the letter "O"
Reilly - a field named "Reilly", with no operator between this "field" and the "O" previous
'); - a weird unterminated string, also with no operator between this and the previous field.
To get around this, you MUST pass your variables through mysql_real_escape_string(), which will prevent such errors from occurring. It'll turn O'Reilly into O\'Reilly, which is "safe" to use in your query.
You haven't posted the real query as received by the MySQL server, but I'd dare say you haven't used mysql_real_escape_string() to inject your data into your SQL.
(Are you trying to insert PHP code in the database?)
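
The two dependent inserts from the question, as an added example using a PDO transaction with bound values (not the poster's code, and a different API from the mysql_* functions used above). Assumptions: SQLite in memory in place of MySQL, a reduced column set, and constructed input whose cont_code contains quotes.

```php
<?php
// Added example. SQLite in memory stands in for MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Reduced versions of the question's two tables (column subset).
$pdo->exec('CREATE TABLE docList (doc_id INTEGER PRIMARY KEY AUTOINCREMENT, doc_ip TEXT, doc_country TEXT, doc_ref TEXT)');
$pdo->exec('CREATE TABLE docContent (doc_id INTEGER NOT NULL, cont_title TEXT NOT NULL, cont_code TEXT NOT NULL)');

function saveDocument(PDO $pdo, array $doc): int
{
    $pdo->beginTransaction();
    try {
        $stmt = $pdo->prepare('INSERT INTO docList (doc_ip, doc_country, doc_ref) VALUES (?, ?, ?)');
        $stmt->execute([$doc['ip'], $doc['country'], $doc['ref']]);
        $id = (int) $pdo->lastInsertId();

        $stmt = $pdo->prepare('INSERT INTO docContent (doc_id, cont_title, cont_code) VALUES (?, ?, ?)');
        $stmt->execute([$id, $doc['title'], $doc['code']]);

        $pdo->commit();
        return $id;
    } catch (Throwable $e) {
        $pdo->rollBack();   // neither row is kept if either INSERT fails
        throw $e;
    }
}

// Constructed input: cont_code holds PHP source with quotes in it.
$id = saveDocument($pdo, [
    'ip' => '192.0.2.10', 'country' => 'FI', 'ref' => 'https://example.test/',
    'title' => 'Login check',
    'code' => "\$name = 'login'; if (\$query->num_rows() > 0) return \$query->result_array();",
]);
$check = $pdo->prepare('SELECT cont_code FROM docContent WHERE doc_id = ?');
$check->execute([$id]);
echo $check->fetchColumn(), "\n";

// A failing second INSERT (NULL title violates NOT NULL) rolls the first one back too.
try {
    saveDocument($pdo, ['ip' => '192.0.2.11', 'country' => 'FI', 'ref' => '', 'title' => null, 'code' => '']);
} catch (PDOException $e) {
    echo 'rolled back, docList rows: ', $pdo->query('SELECT COUNT(*) FROM docList')->fetchColumn(), "\n";
}
```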

Erreur : SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax;

When I try to execute an update statement I get the following error:
Erreur : SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Issy-les-Moulineaux ' where ssiphone_idstation=46' at line 1
My update statement is:
$bdd->exec("update ssiphone_stationdeservice set $cle='$element' where ssiphone_idstation=$id");
This is in PHP code, THX in advance for your help :)
$cle and $element are in an array, my code is:
foreach($table1 as $cle => $element)
{
$bdd->exec("update ssiphone_stationdeservice set $cle='$element' where ssiphone_idstation=$id");
}
Now table1 is an array which contains the column names of my table and their values:
$table1=array();
$table1['ssiphone_etatstation']=$etat;
$table1['ssiphone_commerce']=$commerce;
$table1['ssiphone_stationdelavage']=$lavage;
$table1['ssiphone_typescarburants']=$lescarburants;
$table1['ssiphone_joursdelasemaine']=$jourssemaines;
$table1['ssiphone_horaires ']=$this->horaires;
$table1['ssiphone_telephone ']=$telephone;
$table1['ssiphone_sensdecirculation ']=$this->sensDeCirculation;
$table1['ssiphone_adresse ']=$this->adresse;
$table1['ssiphone_ville']=$this->ville;
$table1['ssiphone_departement']=$this->departement;
$table1['ssiphone_nomstation ']=$this->nomStation;
Most likely your $cle variable isn't set, making the query look like:
... set ='Issy-les-moulineaux ' where ...
comment followup:
Change your code to look like this, then:
$query = "update ssiphone_stationdeservice set $cle='$element' where ssiphone_idstation=$id";
$result = $bdd->exec($query);
if ($result === FALSE) {
print_r($bdd->errorInfo());
die("Query: " . $query);
}
This way you have the complete query string in a variable you can inspect (e.g. by echoing out). Obviously there's something wrong with the query - but the mysql error string doesn't show the entire query, so you have to take measures to capture it.
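
An added example (not from the question or the answer) of the same update with column names checked against an allow-list and values bound as parameters, since a placeholder cannot stand in for a column name. The column subset, the UPDATABLE list and the sample values are assumptions; SQLite in memory stands in for MySQL.

```php
<?php
// Added example. SQLite in memory stands in for MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Column subset taken from the question's $table1 keys.
$pdo->exec('CREATE TABLE ssiphone_stationdeservice (ssiphone_idstation INTEGER PRIMARY KEY,
            ssiphone_ville TEXT, ssiphone_adresse TEXT, ssiphone_telephone TEXT)');
$pdo->exec('INSERT INTO ssiphone_stationdeservice (ssiphone_idstation) VALUES (46)');

// Hypothetical allow-list of columns this code path may change.
const UPDATABLE = ['ssiphone_ville', 'ssiphone_adresse', 'ssiphone_telephone'];

function updateStation(PDO $pdo, int $id, array $fields): int
{
    $sets = [];
    $params = [];
    foreach ($fields as $column => $value) {
        $column = trim($column);                     // keys such as 'ssiphone_adresse ' carry a stray space
        if (!in_array($column, UPDATABLE, true)) {   // identifiers cannot be bound, so allow-list them
            throw new InvalidArgumentException("unexpected column: '$column'");
        }
        $sets[] = "$column = ?";
        $params[] = $value;
    }
    if (!$sets) {
        return 0;                                    // nothing to update, avoid "SET  WHERE"
    }
    $params[] = $id;
    $stmt = $pdo->prepare('UPDATE ssiphone_stationdeservice SET ' . implode(', ', $sets)
          . ' WHERE ssiphone_idstation = ?');
    $stmt->execute($params);
    return $stmt->rowCount();
}

// Constructed values, including one with an apostrophe and one key with a trailing space.
$rows = updateStation($pdo, 46, [
    'ssiphone_ville'    => 'Issy-les-Moulineaux ',
    'ssiphone_adresse ' => "12 rue de l'Abreuvoir",
]);
echo "rows updated: $rows\n";

// An empty column name (the case the answer suspects) is rejected before any SQL is built.
try {
    updateStation($pdo, 46, ['' => 'Issy-les-Moulineaux ']);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```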

SQL Query Error Near ''

UPDATE ".$tablename." SET stock=%s WHERE itemname=".$itemname."
SQL Query throwing this error:
You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use
near '' at line 1
Can't find what it is talking about as it only gives me '' and not any text in the query. Thanks!
The string concatenation above looks really messy!
I would go for something simple:
$sql = "UPDATE $tablename SET stock='$stock' WHERE itemname='$itemname'";
If this doesn't work, you should debug the values of : $tablename, $stock and $itemname
ps. I've already given +1 to Nick :)
The example looks incomplete.
Is it possible for the variables $tablename or $itemname to be empty?
You are mixing sprintf and string concatenation. The best way is to use only one method, i.e.:
$sql = "UPDATE %s SET stock='%s' WHERE itemname='%s'";
sprintf($sql, $tablename, $stock, $itemname); //use this in mysql_query
But I agree with Parker that you don't quote your string.
Try this; it doesn't look like you're quoting your strings.
UPDATE ".$tablename." SET stock='%s' WHERE itemname='".$itemname."'
