This question already has answers here: When to use single quotes, double quotes, and backticks in MySQL (13 answers). Closed 7 years ago.
This is my PHP code:
$sql = "INSERT INTO `reviews`(`Departed`, `Returned`, `Name`, `Review`) VALUES ($departed,$returned,$name,$message)";
$sql_result = mysql_query($sql, $connection) or die('request "Could not execute SQL query" ' . $sql);
$review[] = mysql_fetch_assoc($sql_result);
The query fails to execute, but the string looks okay:
request "Could not execute SQL query" INSERT INTO `reviews`(`Departed`, `Returned`, `Name`, `Review`) VALUES (2015-08-01,2015-08-06,test,test)
You need to put quotes around the input strings
... VALUES ('2015-08-01', '2015-08-06', 'test', 'test')
or, far better, use prepared statements, which do that and more for you.
VARCHAR and DATE must be enclosed in quotes. Only numbers may be stripped of quotes.
$sql = "INSERT INTO `reviews`(`Departed`, `Returned`, `Name`, `Review`) VALUES ('$departed','$returned','$name','$message')";
This question already has answers here: When to use single quotes, double quotes, and backticks in MySQL (13 answers). Closed 5 years ago.
I am trying to insert data into a MySQL database using PHP. As far as I can see I am using the correct code, but it is not inserting; nothing changes in phpMyAdmin. Am I doing anything wrong? (I changed the database name and password here just for safety; it connects without any issues.)
<?php
$link = mysqli_connect("localhost", "dbname", "password", "dbname");
if (mysqli_connect_error()) {
    die("Error connecting to the database");
}
$query = "INSERT INTO 'users' ('email', 'password')
          VALUES ('example#example.com', '12345678')";
mysqli_query($link, $query);
?>
Use backticks (`) instead of single quotes (') around the table and column names:
$query = "INSERT INTO `users` (`email`, `password`)
          VALUES ('example#example.com', '12345678')";
This question already has answers here: When to use single quotes, double quotes, and backticks in MySQL (13 answers). Closed 7 years ago.
This is my code and I can't figure out how to update the product_info:
include_once "dbconnect.php";
session_start();
$p_id      = $_SESSION['rbtn'];
$p_name    = securethis($_POST['p_name']);
$p_unit    = securethis($_POST['p_unit']);
$p_price   = securethis($_POST['p_price']);
$p_details = securethis($_POST['p_details']);
$query = "UPDATE product_info SET p_name=$p_name,p_unit=$p_unit,p_price=$p_price,p_details=$p_details,p_directory=hi WHERE p_id=$p_id";
mysql_query($query) or die(mysql_error());
$_SESSION['rbtn'] = "";
header("Location: admin.php");
The query you use must be in a valid format for MySQL to execute it. There may be some columns in the product_info table that are of VARCHAR type, such as p_name, so use single quotes (') to build a valid query. You can also check it by echoing your query and executing it at the MySQL prompt; it will tell you the exact problem.
echo $query = "UPDATE product_info SET p_name=$p_name,p_unit=$p_unit,p_price=$p_price,p_details=$p_details,p_directory=hi WHERE p_id=$p_id";
and execute the printed query directly in the MySQL shell.
Write the query like this:
$query = "UPDATE product_info SET p_name='$p_name',p_unit='$p_unit',p_price='$p_price',p_details='$p_details',p_directory='hi' WHERE p_id='$p_id'";
This question already has answers here: When to use single quotes, double quotes, and backticks in MySQL (13 answers). Closed 7 years ago.
include("db_connector.php");
$soru   = "asdasds";
$tip    = 1;
$soruId = 0;
$sql = "insert into sor (anketId,soruMetni,tip) values (".$_SESSION['anket'].",".$soru.",".$tip.")";
$islem = mysql_query($sql) or die(mysql_error());
if (isset($islem)) {
    $soruId = mysql_insert_id();
} else {
    header("refresh:2;sorular.php");
}
This code gives an error like this: Unknown column 'asdasds' in 'field list'
You need to change the SQL statement in this:
$sql = "INSERT INTO `sor` (anketId,soruMetni,tip)
VALUES ('".$_SESSION['anket']."','".$soru."',".$tip.")";
Strings need to be enclosed in single quotes. :)
I just added ' before and after every variable in the query. You cannot pass a string to the query without adding single quotes (').
Change From:
$sql = "insert into sor (anketId,soruMetni,tip) values (".$_SESSION['anket'].",".$soru.",".$tip.")";
to:
$sql = "INSERT INTO `sor` (anketId,soruMetni,tip)
VALUES ('".$_SESSION['anket']."', '".$soru."', '".$tip."')";
This question already has answers here: When to use single quotes, double quotes, and backticks in MySQL (13 answers). Closed 8 years ago.
Ignoring the fact that concatenating user input into SQL strings is possibly the worst thing you can do in terms of avoiding SQL injection (this is not for a production site), what is wrong with the following SQL?
"SELECT '_id', 'email', 'password', 'salt', 'banned', 'ban_reason' FROM 'tbl_users' WHERE 'email'='" . $email . "' LIMIT 1";
I'm getting the error message:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'_id\', \'email\', \'password\', \'salt\', \'banned\', \'ban_reason\' FROM \'tb' at line 1
I'm using mysqli_real_escape_string() on it right before running the query, hence the backslashes.
I also tried enclosing everything in backticks, but the error changed then to unknown column.
Exactly where it says: "near '\'_id\'".
You use `backticks` to surround column and table names. Not 'single quotes'.
You should be escaping the variables you're inserting, not your query, and using backticks around field names:
// $link is the mysqli connection handle; the procedural mysqli_real_escape_string() needs it as its first argument
$sql = "SELECT `_id`, `email`, `password`, `salt`, `banned`, `ban_reason` FROM `tbl_users` WHERE `email`='" . mysqli_real_escape_string($link, $email) . "' LIMIT 1";
"SELECT `_id`, `email`, `password`, `salt`, `banned`, `ban_reason` FROM tbl_users WHERE `email`='" . $email . "' LIMIT 1"
You should use ` instead of ' when selecting fields.
This question already has answers here: How do I handle single quotes inside a SQL query in PHP? (possible duplicate). Closed 10 years ago.
Greetings,
I have a small script which is used for applications and saves question answers into the database. The script is given below:
while (list($QKey, $QVal) = each($AppQuestions)) {
    $result2 = mysql_query("
        INSERT INTO forum_app_answers (AID, AppID, Question, Answer)" .
        " VALUES (NULL, '$AppID', '$Questions[$QKey]', '$QVal')"
    ) or die(mysql_error());
}
Now the problem is that if someone writes the ' character in the answer, the data doesn't get saved. For simple writing it's okay. The problem is only if the answer contains ' in it. Any help will be highly appreciated, thx.
The following error occurs:
You Have An Error In Your SQL Syntax; Check The Manual That Corresponds To Your MySQL Server Version For The Right Syntax To Use Near 's GF. Channel Services')' At Line 1
Use prepared statements. Look up PDO and use prepared statements.
mysql_ is deprecated.
After connecting with $dbh = new PDO(),
$sql = 'sql';
$stmt = $dbh->prepare($sql);
$stmt->execute($params);
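The two INSERTs from this page rewritten with PDO prepared statements, as an added example (not code from any of the posts above): the `reviews` INSERT from the first question and the `forum_app_answers` loop from the last one. It assumes a reachable MySQL server behind the placeholder DSN and credentials, and the table and column names exactly as they appear in the questions.

```php
<?php
// Added example: parameters are sent separately from the SQL text, so the
// driver handles quoting of dates and strings, and an apostrophe inside an
// answer is plain data rather than the end of a string literal.

function connect(): PDO {
    // Placeholder DSN and credentials; replace with your own.
    $dsn = 'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4';
    return new PDO($dsn, 'DB_USER_PLACEHOLDER', 'DB_PASSWORD_PLACEHOLDER', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // throw instead of failing silently
        PDO::ATTR_EMULATE_PREPARES => false,                 // real server-side prepares
    ]);
}

// Equivalent of the first question's INSERT; no quotes appear around the
// values in the SQL text because there are no values in the SQL text.
function insertReview(PDO $dbh, string $departed, string $returned, string $name, string $message): int {
    $stmt = $dbh->prepare(
        'INSERT INTO `reviews` (`Departed`, `Returned`, `Name`, `Review`)
         VALUES (:departed, :returned, :name, :review)'
    );
    $stmt->execute([
        ':departed' => $departed,   // e.g. '2015-08-01', bound as a value
        ':returned' => $returned,
        ':name'     => $name,
        ':review'   => $message,
    ]);
    return (int) $dbh->lastInsertId();
}

// Equivalent of the last question's while/each loop: the statement is
// prepared once and executed per answer, with $questions keyed like $answers.
function insertAnswers(PDO $dbh, int $appId, array $questions, array $answers): int {
    $stmt = $dbh->prepare(
        'INSERT INTO forum_app_answers (AID, AppID, Question, Answer)
         VALUES (NULL, :app, :question, :answer)'
    );
    $rows = 0;
    foreach ($answers as $key => $answer) {
        $stmt->execute([':app' => $appId, ':question' => $questions[$key], ':answer' => $answer]);
        $rows += $stmt->rowCount();
    }
    return $rows;
}

$dbh = connect();
$id = insertReview($dbh, '2015-08-01', '2015-08-06', 'test', "It's fine"); // apostrophe is safe
$n  = insertAnswers($dbh, 42, ['q1' => 'Why apply?'], ['q1' => "Bob's GF. Channel Services"]);
printf("review id %d, %d answer rows inserted\n", $id, $n);
```

With ERRMODE_EXCEPTION a failed statement throws a PDOException, so a silently ignored error like the one in the second question (nothing in phpMyAdmin, no message) cannot happen.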
do the following:
$QVal = $mysqli->real_escape_string($QVal);
$query = "INSERT INTO forum_app_answers (AID, AppID, Question, Answer)
          VALUES (NULL, '$AppID', '$Questions[$QKey]', '$QVal')";
// $mysqli is previously defined
$mysqli->query($query);
if ($mysqli->errno != 0) {
    printf("you have an error in your query %s", $mysqli->error);
}
You may try:
while (list($QKey, $QVal) = each($AppQuestions)) {
    $result2 = mysql_query("
        INSERT INTO forum_app_answers
            (AID, AppID, Question, Answer)
        VALUES (
            NULL,
            '$AppID',
            '$Questions[$QKey]',
            '" . mysql_real_escape_string($QVal) . "')
    ") or die(mysql_error());
}
Without mysql_real_escape_string() your script also has huge security issues.