I'm new to PHP and PostgreSQL.
I have this issue : "pg_query(): Query failed: ERROR: missing FROM-clause entry for table "manteau ^
$adresse=pg_escape_string($_POST['mail_user']);
if(isset($_POST['mail_user']))
{
$query="INSERT INTO newusers2 (email) VALUES ($adresse)";
pg_query($con,$query);
}
with mail_user = my address email manteau.b...
My table (newusers2) is really simple with only one column (email).
Can someone help me with the query?
Thanks
Put the value $adresse inside quotes:
$query="INSERT INTO newusers2 (email) VALUES ('$adresse')";
In addition to being incorrect due to lack of quoting, your code is also terribly insecure.
$query="INSERT INTO newusers2 (email) VALUES ($adresse)";
pg_query($con,$query);
Imagine if someone submitted ');DELETE FROM newusers2;-- as their address? Whoops, there goes your user table.
See the PHP documentation on SQL injection and this site for details.
Use pg_query_params to solve this issue. It's very simple:
$query='INSERT INTO newusers2 (email) VALUES ($1)';
pg_query($con,$query,array($adresse));
(Note that new code in PHP really should use PDO, though).
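The parameterized insert recommended above, written with PDO as an added example (not code from the original answers). It assumes the pdo_sqlite extension so it runs against an in-memory database without a server; the function names and sample addresses are constructed for illustration.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread. Assumes the pdo_sqlite extension so it
// runs without a server; for PostgreSQL only the DSN ("pgsql:host=...") changes.

function addUser(PDO $db, string $email): void
{
    // The SQL text is a constant; the value is sent separately as a bound parameter.
    $stmt = $db->prepare('INSERT INTO newusers2 (email) VALUES (:email)');
    $stmt->execute([':email' => $email]);
}

function addValidatedUser(PDO $db, string $input): bool
{
    // Input validation is a separate layer: it keeps junk out of the table,
    // while binding is what keeps input out of the SQL grammar.
    $email = filter_var(trim($input), FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        return false;
    }
    addUser($db, $email);
    return true;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE newusers2 (email TEXT NOT NULL)');

// Constructed inputs: a normal address and the hostile string quoted in the answer above.
$hostile = "');DELETE FROM newusers2;--";
addUser($db, 'alice@example.com');
addUser($db, $hostile);

// List what the table holds: a bound value can only ever be stored as data.
foreach ($db->query('SELECT email FROM newusers2') as $row) {
    echo 'stored: ', $row['email'], PHP_EOL;
}

// The validating wrapper refuses input that is not an e-mail address at all.
var_dump(addValidatedUser($db, $hostile));
var_dump(addValidatedUser($db, 'bob@example.com'));
```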
I have an http-bridge to exchange information between a Second Life application and a database. It was working fine but stopped recently after my provider changed the SQL version of my database to 5.5.38. Here is an example of my old php script:
<?php
$con=mysqli_connect("DB_HOSTNAME","DB_USERNAME","DB_PASSWORD", "DB_DATABASE");
if (mysqli_connect_errno()) {
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
$PKey = mysqli_real_escape_string($con, $_GET['playerKey']);
$HKey = mysqli_real_escape_string($con, $_GET['hudKey']);
echo $HKey, " and " , $PKey;
$sql="INSERT INTO test (HKey, PKey)
VALUES ('$HKey', '$PKey')";
echo $sql . '<br/>';
if (!mysqli_query($con,$sql)) {
die('Error: ' . mysqli_error($con));
}
echo "1 record added";
mysqli_close($con);
?>
I get the following error message:
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-get (HKey, PKey) VALUES ('XXXXXXX-fe56-XXXX-4bea-XXXXXXXXX', 'XXXXXX' at line 1
I have tried to use this insert statement which I found in a post on Stack Overflow:
$stmt = $mysqli->prepare("INSERT INTO test (HKey, PKey) VALUES (?, ?)");
$stmt->bind_param("ss", $HKey, $PKey);
$stmt->execute();
But when I insert that line of code, it doesn't work either and I don't get any error message at all.
right syntax to use near '-get (HKey, PKey)
What you posted vvv will NOT throw that error.
INSERT INTO test (HKey, PKey)
"Hi Fred, you are really good at guessing. my table name does contain a hyphen."
Your table name contains a hyphen. (and I wasn't guessing, the error told me)
How was I able to tell?
It's clear. The column names that you have, HKey and PKey, and seeing the -get just before the column names in the error you posted.
Syntax: INSERT INTO table (column_1, column_2) VALUES ('value_1', 'value_2')
table = your table-get, column_1 = your HKey, and column_2 = your PKey
If your table is called "table-get" for example, then MySQL is interpreting that as "table minus get".
Either you use backticks around the table name, or rename it to "table_get" using an underscore.
I.e.:
INSERT INTO `table-get` (HKey, PKey)
or rename it without the use of ticks (if it doesn't contain a space or reserved word)
INSERT INTO table_get (HKey, PKey)
Read up on Identifier Qualifiers:
http://dev.mysql.com/doc/refman/5.0/en/identifier-qualifiers.html
Plus, as Halfer stated in a comment:
"I can't see the code you are using, as Fred says, and I can't see how it has ever worked. It should have blown up on the previous MySQL server version too."
Which I agree with also.
Tip on posting a question:
Whenever you post a question and do not want to post the actual code for some reason or another, at least post a good representation of it.
For example:
INSERT INTO test-get (HKey, PKey)
At least everyone will be able to tell by pseudo-code, where the error could be.
It makes things clearer.
(Posted answer on behalf of OP).
Ok, the error was not on the side of my service provider, but me working with a new table that contained a hyphen. This was my first post and I made the mistake to confuse everyone by not publishing 100% original code. I have learned my lesson and won't do that again. Sorry for everyone that feels that they wasted their time. It has helped me anyway sorting out the errors.
I'm slowly progressing through PHP and SQL and have stumbled upon a small error when trying to send a string into an SQL database. What I'm trying to do is insert a user's details into one table (which currently works) and send the user name along with 5 blank entries into another table. The table examscore fields are username, exam, exam1, exam2, exam3, exam4 (it is these exam fields that I require blank for now).
The problem is that I receive the following message:
Parse error: syntax error, unexpected T_CONSTANT_ENCAPSED_STRING in C:\xampp\htdocs\E-LearningWebsite\addcustomertodb.php on line 11 (which is the line that starts with $query1)
If possible, could anyone explain what this error means and what I have done wrong?
<?php
require "dbconn.php";
$username = $_GET['username'];
$email = $_GET['email'];
$pass = $_GET['password'];
$query = "INSERT INTO customer VALUES ('".$username."','".$email."','".$pass."')";
$query1 = "INSERT INTO examscores VALUES ('".$username."','""','""','""','""','""')";
$results = mysql_query($query) or die (mysql_error());
$results1 = mysql_query($query1) or die (mysql_error());
?>
Kind regards Andy
change
$query1 = "INSERT INTO examscores VALUES ('".$username."','""','""','""','""','""')";
to
$query1 = "INSERT INTO examscores VALUES ('".$username."','','','','','')";
ps. you are inviting SQL injections but that is a different story...
The goggles! They do nothing! The sql injection vulnerabilities! And it's only Monday!
Why not just
$query ="INSERT INTO customer VALUES ('$username', '$email', '$pass');";
$query1 = "INSERT INTO examscores VALUES ('$username', '', '', '', etc...);";
PHP will happily replace $vars inside "" quoted strings for you. There's absolutely no need for all the concatenation you're doing. Any decent code editor will still highlight the vars for you.
You are missing dots to concatenate your strings
$query1 = "INSERT INTO examscores VALUES ('".$username."','"."','"."','"."','"."','"."')";
Furthermore, you don't need to have different strings
and still further more, you don't need to include every column if you are not inserting them
Your immediate problem causing the errors is the missing .s from query1 from between the double-doublequotes (or you should just delete the double-doublequotes altogether. Or even the unneeded columns...).
But there are way bigger issues in your code:
SQL injection: your code is vulnerable. You should at least escape the variables coming from the user...
mysql_* deprecation: as of PHP 5.5, these functions will be deprecated. Use either Mysqli or even better PDO.
Hopefully a simple fix but has been stumping me all weekend.
I have a simple script to connect to my MySQL database, then using fields from an HTML form enter a new record into the database.
The script is working just fine, but I have not defined the database columns in the script, simply used insert into and then referenced the VALUES as the HTML form fields.
WORKING
mysql_select_db("golfingdb", $con);
mysql_query("INSERT INTO Test1
VALUES
('$_POST[firstname]','$_POST[lastname]','$_POST[email]')");
mysql_close($con);
NOT WORKING
mysql_select_db("golfingdb", $con);
mysql_query("INSERT INTO 'Test1' (First Name, Surname, Email)
VALUES ('$_POST[firstname]','$_POST[lastname]','$_POST[email]')");
mysql_close($con);
However when I reference the database field names in the code then it fails to make a new record.
I have triple checked the spelling (including capitals) of the field names and it doesn't throw up any syntax errors.
Any help would be greatly appreciated.
Cheers
Paddy
You need to surround column names with backticks if the name contains a space.
(`First Name`,
Maybe it is the two word column name. You can use `First Name` or something like that when referencing the column.
Could you post the exact error MySQL gives you?
Try this
$firstname=$_POST["firstname"];
$lastname=$_POST["lastname"];
$email=$_POST["email"];
mysql_query("INSERT INTO Test1 (`First Name`, `Surname`, `Email`)
VALUES ('$firstname','$lastname','$email')");
Make sure you have created the table structure with the right data types and lengths.
Backtick characters `` should be used to escape table and column names. Single quote characters '' should be used to escape string values.
In your second example, the table name is escaped with single quotes instead of backticks. In addition, the field names are not escaped at all, which probably causes a problem with the first field name that contains a space.
The correct form would be:
mysql_query("INSERT INTO `Test1` (`First Name`, `Surname`, `Email`)
VALUES ('$_POST[firstname]','$_POST[lastname]','$_POST[email]')");
It's also important to note that PHP's mysql_ functions have been deprecated. It's highly recommended to use one of the alternatives as discussed in Why shouldn't I use mysql_* functions in PHP?
I have tried and it doesn't grow my database. Here's the code:
<?php
// Connecting to Ganoderma genome database
include('../utils/config.php');
// Inserting new data into the table
$sql = "INSERT INTO $var2 ('$column_id', '$column_name', '$column_seq') VALUES ('$_POST[id]', '$_POST[name]', '$_POST[seq]')";
// Qualifying successful entry
if ($conn->query($sql) === TRUE) {
echo "New record created successfully";
} else {
echo "Error: " . $sql . "<br>" . $conn->error;
}
$conn->close();
?>
Bioinformatician,
Aizek
I'm having problems with an INSERT statement, and the error only says:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
It's not helpful at all.
The version I have tried so far and failed is:
mysql_query("INSET INTO `cos` VALUES ('".$_GET['prod']."','".$_GET['page']."')");
[needless to say that the two variables when printed show the right values]
I've also tried versions with nothing around the table name, with ` or ', a million combinations really and nothing works. Not even with constants or into different tables. It just won't insert anything ever. I've checked the privileges (I'm logging into it with root), and it's all on.
I've tried similar stuff on two different machines with the same server (XAMPP 1.7.7) and it works. I'm completely baffled! What can it be?
Thank you for your time!
First and foremost, just type INSERT correctly.
Using _GET like that really opens you up to SQL INJECTIONS...
Do take a look into MySQL prepared statements.
It is also considered good practice to name the columns that you're inserting data into. That allows you to, later on, insert extra-columns and keep application logic.
INSERT INTO cos(rowName1, rowName2) VALUES(?, ?)
Where ? would be prepared statements.
Correct:
mysql_query("INSERT INTO `cos` VALUES ('".$_GET['prod']."','".$_GET['page']."')");
Have you tried passing the $link to mysql_query ?
Like:
mysql_query("INSERT INTO `cos` VALUES ('".$_GET['prod']."','".$_GET['page']."')", $link);
EDIT:
And of course you must take some security measures before inserting anything into the database, maybe mysql_real_escape_string() or even prepared statements.
You are doing it wrong. Why aren't you escaping the values?
Php.net documentation is providing some good and safe working examples:
$query = sprintf("SELECT firstname, lastname, address, age FROM friends
WHERE firstname='%s' AND lastname='%s'",
mysql_real_escape_string($firstname),
mysql_real_escape_string($lastname));
// Perform Query
$result = mysql_query($query);
So adapted to your code:
$query = sprintf("INSERT INTO `cos` VALUES ('%s', '%s');",
mysql_real_escape_string($_GET['prod']),
mysql_real_escape_string($_GET['page']));
$result = mysql_query($query);
Please, always escape your values. And use INSERT, not INSET :)
First thing: you are using INSET; correct it to INSERT, like
$pro = mysql_real_escape_string($_GET['prod']);
$page = mysql_real_escape_string($_GET['page']);
mysql_query("INSERT INTO `cos` (column1, column2)
VALUES ('$pro', '$page')" );
you forget to set the column names...
Try this:
$prod = $_GET['prod'];
$page = $_GET['page'];
mysql_query("INSERT INTO `cos` VALUES('$prod','$page')");
This should very well do it :)
I've been looking all over the internet for a solution to the following error;
"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'primary, username, password, password2) VALUES (null, 'hello', 'hello', 'hello')' at line 1"
I have no idea what is going on.. I know you will ask what my code is so here:
$con = mysql_connect("localhost","root","*****");
if (!$con)
{
die('Server overload, please try again' . mysql_error());
}
mysql_select_db("users", $con);
$sql = "INSERT INTO details (primary, username, password, password2) VALUES (null, '$_POST[username]', '$_POST[password]', '$_POST[password2]')";
if (!mysql_query($sql,$con))
{
die('Error: Server overload, try again' . mysql_error());
}
echo "You have signed up successfully!";
mysql_close($con);
I've been trying to figure it out for around 4/5 hours now and have had no success.
Thanks,
Lawrence
primary is a reserved keyword, in SQL, which means that you should either :
rename that column -- would be a good idea, to avoid that kind of situation
or use backticks around that name
Here is what the query would look like in the second case :
INSERT INTO details (`primary`, `username`, `password`, `password2`)
VALUES (null, 'hello', 'hello', 'hello')
Note : and you should escape your values, using mysql_real_escape_string, to avoid SQL Injections !
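The backtick-quoting advice from the hyphenated table name, the column name with a space, and the reserved word `primary` above, combined with bound values in one added example (not code from any of the answers). The schema map and the function names quoteIdent and buildInsert are hypothetical, and the sample rows are constructed.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread. Identifiers cannot be bound as parameters,
// so they are checked against an allow-list and backtick-quoted; values stay placeholders.

const SCHEMA = [                                   // hypothetical allow-list of tables/columns
    'table-get' => ['HKey', 'PKey'],                                 // hyphen in table name
    'Test1'     => ['First Name', 'Surname', 'Email'],               // space in column name
    'details'   => ['primary', 'username', 'password', 'password2'], // reserved word
];

function quoteIdent(string $name): string
{
    // MySQL rule: wrap in backticks and double any embedded backtick.
    return '`' . str_replace('`', '``', $name) . '`';
}

function buildInsert(string $table, array $row): array
{
    if (!isset(SCHEMA[$table]) || $row === []) {
        throw new InvalidArgumentException("unknown table or empty row: $table");
    }
    $unknown = array_diff(array_keys($row), SCHEMA[$table]);
    if ($unknown !== []) {
        throw new InvalidArgumentException('unknown column: ' . implode(', ', $unknown));
    }
    $cols  = implode(', ', array_map('quoteIdent', array_keys($row)));
    $marks = implode(', ', array_fill(0, count($row), '?'));
    $sql   = 'INSERT INTO ' . quoteIdent($table) . " ($cols) VALUES ($marks)";
    // Pass both to a prepared statement, e.g. $pdo->prepare($sql)->execute($params).
    return [$sql, array_values($row)];
}

// Constructed sample rows matching the three questions.
$rows = [
    ['table-get', ['HKey' => 'h-1', 'PKey' => 'p-1']],
    ['Test1',     ['First Name' => 'Ann', 'Surname' => 'Lee', 'Email' => 'ann@example.com']],
    ['details',   ['primary' => null, 'username' => 'hello']],
    ['details',   ['role' => 'admin']],            // column not in the allow-list
];
foreach ($rows as [$table, $row]) {
    try {
        [$sql, $params] = buildInsert($table, $row);
        echo $sql, '  [', count($params), ' bound values]', PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```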
Try not to name your tables or columns with relatively common names like primary and details.
While they may not be reserved words in the flavor of SQL you are currently using, you never know when you might be supporting other types (Postgres, Oracle, etc.).
You can also use this handy-dandy reserved word checker.
Followup Question:
I would like to know who wrote the error statement you are getting, which essentially says RTM? Hilarious. I'm going to use that in my next try catch. :)
Primary is a reserved word. What is the table definition?
http://dev.mysql.com/doc/refman/5.1/en/reserved-words.html
I'd rename that first column to something else: "primary" is a reserved word in MySQL:
http://dev.mysql.com/doc/refman/5.0/en/reserved-words.html