I am using the following code to insert Event Logs and User Info from my Mobile App to a mysql database.
I am finding the " Character gives me issues later on when in use with JSON arrays that I pull from the db. What I would like to do is remove the " character in the php code completely before posting to the db.
Removing the " character by Javascript from the Mobile App is not really an option.
<?php
$servername = "localhost";
$username = "Fred";
$password = "Barney";
$dbname = "BamBam";
// Create connection
$conn = new mysqli ($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
// escape variables for security
$event_log = mysqli_real_escape_string($conn, $_POST['event_log']);
$logged_by = mysqli_real_escape_string($conn, $_POST['logged_by']);
$sql = "INSERT INTO time_event (event_log, logged_by)
VALUES ('$event_log', '$logged_by')";
if ($conn->query($sql) === TRUE) {
echo "Data entered successfully";
} else {
echo "Error: " . $sql . "<br>" . $conn->error;
}
$conn->close();
?>
Use mysqli_prepare and mysqli_stmt_bind_param to execute a parameterised query. I strongly advise this approach.
If you really want to just escape special characters for manual interpolation
into a query string, use mysqli_real_escape_string.
Hand-rolling a solution presents a real risk that you will
miss something important, leaving your program vulnerable
to SQL injection attacks.
I did not try, but this should do
$sql = sprintf("INSERT INTO time_event (event_log, logged_by)
VALUES ('%s' ,'%s'",$event_log,$logged_by);
Related
This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
Closed 4 years ago.
I have a problem, I can't upload anything to database. In my database in the jelenlet table there is a jelen which is integer and a gyerekneve which is text.
Here is my php code:
<?php
$servername = "...";
$username = "...";
$password = "...";
$dbname = "...";
// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
$sql = "INSERT INTO 'jelenlet' ('gyerekneve', 'jelen') VALUES ('barmi', 0)";
if ($conn->query($sql) === TRUE) {
echo "Hozzaadtad ezt a nevet: ";
} else {
echo "Error: " . $sql . "<br>" . $conn->error;
}
$conn->close();
?>
And don't know what is the problem with the code. The page says:
Error: INSERT INTO 'jelenlet' ('gyerekneve', 'jelen') VALUES ('barmi',
0) You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use
near ''jelenlet' ('gyerekneve', 'jelen') VALUES ('barmi', 0)' at line
1
$sql = "INSERT INTO jelenlet (gyerekneve, jelen) VALUES ('barmi', 0)";
This will work. BUT make sure to use prepared statements when you will try to pass variables to this one and not static values. The problem was that you were using single-quotes when you didn't have to. If you want to escape fields in a query you can use this : `
This query would also work :
$sql = "INSERT INTO `jelenlet` (`gyerekneve`, `jelen`) VALUES ('barmi', 0)";
I am facing problem which is mentioned as follows.
ERROR: Could not able to execute
INSERT INTO user_db (Name,UserId,Ip_addr) VALUES ('jayesh vyas', 'jay', ::1).
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version
for the right syntax to use near '::1)' at line 1.
My code is mentioned as below.
<?php
$link = mysqli_connect("localhost", "root", "", "apptitude");
$ip_user = $_SERVER['REMOTE_ADDR'];
// Check connection
if($link == false){
die("ERROR: Could not connect. " . mysqli_connect_error());
}
// Escape user inputs for security
$uname = mysqli_real_escape_string($link, $_REQUEST['uname']);
$username = mysqli_real_escape_string($link, $_REQUEST['username']);
// attempt insert query execution
$sql = "INSERT INTO user_db (Name,UserId,Ip_addr) VALUES ('$uname', '$username', " . $ip_user . ")";
if(mysqli_query($link, $sql)){
echo "Records added successfully.";
} else{
echo "ERROR: Could not able to execute $sql. " . mysqli_error($link);
}
// close connection
mysqli_close($link);
?>
can anyone please help me to understand that why it is happened???
Thanks in advance.
Your SQL statement is missing single quotes around the IP address.
So as you did it for $user and $username, just use it again on $_SERVER['REMOTE_ADDR'] (after connecting to the MySQL server): $ip_user = mysqli_real_escape_string($link, $_SERVER['REMOTE_ADDR']);.
And as tadman said, please use prepared statements.
Btw. $_SERVER['REMOTE_ADDR'] must not the clients IP address. Take a look at this Post.
Hello I'm new in Android and I wanna send a text from Android with space (" My Name is Oliver Queen ") to MySQL database.
I use this script in PHP:
<?php
$servername = " ";
$username = " ";
$password = " ";
$dbname = " ";
$id=$_GET['id'];
$project=$_GET["a"];
// Create connection..
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
//echo "$project";
$sql= $sql= "UPDATE user SET project = \"$project\" WHERE id= '$id'";
$result = $conn->query($sql);
$conn->close();
?>
In MySQL I found only ("My") The first word before space!
Plzz someone Help Mee !!!!!!
Check the value of $project variable;
My bet is that you send values over a GET request, and not properly encoding them.
If your $project value is indeed "My" like I guess, then look up on you Android part, and look up on how to do url encoding (should be very simple in Java) - look for the equivalent of http://php.net/manual/en/function.urlencode.php - this should resolve your problem.
Also after you get it working, modify the code to deal with SQL Injections, switch to using PDO for DB access, and prepared statements, this would increase the security of your code.
first of all, you should fix your query by using single quotes around the varchar attribute not the numeric, also pay attention to $sql = $sql = you declared it twice:
$sql= "UPDATE user SET project = '$project' WHERE id= $id";
then, you are trying to receive a string by GET method $project=$_GET["a"];, so your URL should be well encoded.
I am very new to php programming. I have tried googling and searching this website for a fix to this but I don't know what to even type into google to really find my answer.
I get the error:
unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING
I am unsure what I can do avoid this.I know it is caused by the ['userid'] but I need that as part of my coding.
Here is my code:
<?php
include ('auth/userInfo.php');
$servername = "example";
$username = "example_1";
$password = "example";
$dbname = "example_enter";
// Create connection
$conn = mysqli_connect($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
$userprofile['userid'] = mysqli_real_escape_string($userprofile['userid']);
$sql="INSERT INTO today (accessed)
VALUES ('$userprofile['userid']')";
if ($conn->query($sql) === TRUE) {
echo "Success";
} else {
echo "Error: " . $sql . "<br>" . $conn->error;
}
$conn->close();
?>
In case my coding is so bad that no one knows what it is attempting to do. I am attempting to write to a MySQL DB when a user has signed in.
The problem is caused by the fact that you are (a) using quotes to reference an array index inside a literal string (b) inserting a line break inside that same string:
$sql="INSERT INTO today (accessed)
VALUES ('$userprofile['userid']')";
What you probably meant to write is:
$sql="INSERT INTO today (accessed) VALUES ('" . $userprofile['userid'] . "')";
However even this is problematic due to SQL injection attacks - I recommend you read up on parameterized queries (mysqli_prepare).
In my app i am trying to post image from android to phpmyadmin i have also created php code which is here:
MyPhp.php:
<?php
$servername = "dontneedthis";
$username = "also";
$password = "dont care";
$dbname = "bla bla";
$conn =mysqli_connect('localhost', $username, $password);
$db_selected = mysqli_select_db($conn, $dbname);
if (!$db_selected) {
die ('Can\'t use db : ' . mysql_error());
}
$base=$_REQUEST['image'];
$filename = $_REQUEST['filename'];
$binary=base64_decode($base);
$sql = "INSERT INTO table (image) VALUES('{$binary}')";
if ($conn->query($sql) === TRUE) {
echo "New record created successfully";
} else {
echo "Error: " . $sql . "<br>" . $conn->error;
}
$conn->close();
?>
When i upload image from android i get an error where it is shown that he doent understand this :
INSERT INTO table (image) VALUES
And he shows a lot of symbols which i do not recognise. I have created table where is a row where you can add 100 000 symbols of TEXT I tried to add the value as blob and tried to change collation to binary nothing worked do you have any ideas?
Why doesn't anyone ever bother to properly quote their stuff?
table is a keyword in all SQL dialects I know, and hence causes a syntax error.
But for that reason, quotes and backticks have been invented.
Do this:
INSERT INTO `table` (`image`) VALUES ...
and you should have one problem less.
Also, you have to escape your $binary variable, otherwise it's gonna break your ' quotes:
$binary = mysqli_real_escape_string($conn, base64_decode($base));