Getting Error with qoutes in MySQL query - php

Here is my code:
$result = mysql_query("INSERT INTO clients (client_id, name, surname, tel1,tel2,id_num,address)
VALUES ('" .$updating_id . "','" .$updatedName1 . "','" .$updatedName1 . "', '" .$updatedSurname1
. "', '" . $updatedTel1 . "', '" .$updatedTel2 . ", '" .$updatedId_num1. "', '" .$updatedAddress1.
") ON DUPLICATE KEY UPDATE name='" . $updatedName1 . "', surname='" . $updatedSurname1 . "',
tel1='" . $updatedTel1 . "', tel2='" . $updatedTel2 . "', id_num='" . $updatedId_num1 . "',
address='" .$updatedAddress1 . "'");
if(mysql_query($result))
{ echo $updatedName1," ", $updatedSurname1, " updated successfully ";
}
else {
echo mysql_error();}
}
I am noticing that the first quote on the mysql_query("INSERT INTO...
is closing with the first quote of the VALUES ('" .$updating_id . "'... statement and yet the way I quoted is the one in my examples, I have assessed.


Use if($result) instead of if(mysql_query($result)). thx #Vinie
And you miss two simple quotes in your VALUES statement:
$updatedTel2 . "'
$updatedAddress1."'
And you need to have a look at mysql_real_escape_string(); or at least use PDO :)

Related

PHP mysqli_multi_query transaction in while loop

PHP version 5.3.3, mysql 5.0.95
Need to migrate data from an existing table to two identical tables. Data from original needs parsing before insert into the two new tables. (That code not shown as I'm hoping to isolate this problem.)
Wanted to use transaction to insure new tables are identical.
task_id field is autoincrement in test_timecard and is unsigned mediumint in test_timecar_2.
Engine is InnoDB for both tables.
Separate queries works:
$timecard_data_results = array();
$fill_old_data_array_def = " SELECT task_id, company_id, employee_id, location, task_name, task_start_time, task_end_time, tccomment FROM timecard WHERE company_id = '" . $company_request . "' AND employee_id = '" . $employee_request . "' AND DATE(task_start_time) < '" . $new_text_format_date . "' AND (DATE(task_end_time) > '2014-12-31' OR DATE(task_end_time) = '2000-01-01') ORDER BY task_start_time";
$timecard_data_results = mysqli_query($conn, $fill_old_data_array_def);
while($timecard_record = mysqli_fetch_assoc($timecard_data_results)) {
$company_id = $timecard_record['company_id'];
$employee_id = $timecard_record['employee_id'];
$location = $timecard_record['location'];
$task_name = $timecard_record['task_name'];
$task_start_time = $timecard_record['task_start_time'];
$task_end_time = $timecard_record['task_end_time'];
$tccomment = $timecard_record['tccomment'];
$troubleshoot_def = "INSERT INTO test_timecard (company_id, employee_id, location, task_name, task_start_time, task_end_time, tccomment) VALUES ('" . $company_id . "', '" . $employee_id . "', '" . $location . "', '" . $task_name . "', '" . $task_start_time . "', '" . $task_end_time . "', '" . $tccomment . "')";
$troubleshoot_2_def = "INSERT INTO test_timecard_2 (task_id, company_id, employee_id, location, task_name, task_start_time, task_end_time, tccomment) VALUES (LAST_INSERT_ID(), '" . $company_id . "', '" . $employee_id . "', '" . $location . "', '" . $task_name . "', '" . $task_start_time . "', '" . $task_end_time . "', '" . $tccomment . "')";
$troubleshoot = mysqli_query ($conn, $troubleshoot_def);
$troubleshoot_2 = mysqli_query ($conn, $troubleshoot_2_def);
}
transaction with mysqli_multi_query inserts one row only to both tables. No errors reported.
$timecard_data_results = array();
$fill_old_data_array_def = " SELECT task_id, company_id, employee_id, location, task_name, task_start_time, task_end_time, tccomment FROM timecard WHERE company_id = '" . $company_request . "' AND employee_id = '" . $employee_request . "' AND DATE(task_start_time) < '" . $new_text_format_date . "' AND (DATE(task_end_time) > '2014-12-31' OR DATE(task_end_time) = '2000-01-01') ORDER BY task_start_time";
$timecard_data_results = mysqli_query($conn, $fill_old_data_array_def);
while($timecard_record = mysqli_fetch_assoc($timecard_data_results)) {
$company_id = $timecard_record['company_id'];
$employee_id = $timecard_record['employee_id'];
$location = $timecard_record['location'];
$task_name = $timecard_record['task_name'];
$task_start_time = $timecard_record['task_start_time'];
$task_end_time = $timecard_record['task_end_time'];
$tccomment = $timecard_record['tccomment'];
$troubleshoot_def = "START TRANSACTION; INSERT INTO test_timecard (company_id, employee_id, location, task_name, task_start_time, task_end_time, tccomment) VALUES ('" . $company_id . "', '" . $employee_id . "', '" . $location . "', '" . $task_name . "', '" . $task_start_time . "', '" . $task_end_time . "', '" . $tccomment . "'); INSERT INTO test_timecard_2 (task_id, company_id, employee_id, location, task_name, task_start_time, task_end_time, tccomment) VALUES (LAST_INSERT_ID(), '" . $company_id . "', '" . $employee_id . "', '" . $location . "', '" . $task_name . "', '" . $task_start_time . "', '" . $task_end_time . "', '" . $tccomment . "'); COMMIT;";
$troubleshoot = mysqli_multi_query ($conn, $troubleshoot_def);
}
Stumped.

$troubleshoot_def = "INSERT INTO test_timecard (company_id, employee_id, location, task_name, task_start_time, task_end_time, tccomment) VALUES ('" . $company_id . "', '" . $employee_id . "', '" . $location . "', '" . $task_name . "', '" . $task_start_time . "', '" . $task_end_time . "', '" . $tccomment . "')";
$troubleshoot_2_def = "INSERT INTO test_timecard_2 (task_id, company_id, employee_id, location, task_name, task_start_time, task_end_time, tccomment) VALUES (LAST_INSERT_ID(), '" . $company_id . "', '" . $employee_id . "', '" . $location . "', '" . $task_name . "', '" . $task_start_time . "', '" . $task_end_time . "', '" . $tccomment . "')";
There are lot's of problems here. First is that it does not make any sense at all to insert nearly identical data into two different tables. In fact when the operation completes you have three tables with nearly identical data namely test_timecard_2, test_timecard and timecard
Secondly you are inserting unescaped data. Since data comes from another of your tables there isn't much chance of an sql injection but there is still a likelyhood that the queries will fail. Specifically I am talking about code like this:
VALUES ('" . $company_id . "', '" . $employee_id . "', '" . $location . "', '" . $task_name . "', '" . $task_start_time . "', '" . $task_end_time . "', '" . $tccomment . "')";
Thirdly, you almost never need to do SELECT - LOOP - INSERT because mysql has a built in INSERT SELECT command.
INSERT INTO test_timecard (company_id, employee_id, location, task_name, task_start_time, task_end_time, tccomment)
SELECT * FROM time_card
take care to get the columns right (the above is just a copy paste from two sections of your code)

Duplicate data is getting updated ob table

I am looking to update one of the table. After I update, all the duplicate data is getting inserted again. Especially, the cloneSQL part of the code. I tried using DISTINCT, NOT EXISTS but no luck.
if(DB_num_rows($checkResult) > 0){
$cloneSQL = "UPDATE DISTINCT pricematrixdiscount SET
discount='" . $vals[3] . "'
WHERE debtorno='" . $_POST['cloneTo'] . "',
product_line='" . $vals[1] . "',
salestype='" . $vals[2] . "' ";
}
else {
$cloneSQL = "INSERT into pricematrixdiscount
(debtorno,
product_line,
salestype,
discount) VALUES
('" . $_POST['cloneTo'] . "',
'" . $vals[1] . "',
'" . $vals[2] . "',
'" . $vals[3] . "')";
How can I insert only distinct values on the pricematricdiscount table without the duplicates being inserted?

How to sql update two conditions

I have a problem with the condition 'where'.
I want one more condition in this code:
$sql="UPDATE
coursegrade
SET
FirstExam='" . mysql_real_escape_string($_POST['FirstExam']) . "',
SecondExam='" . mysql_real_escape_string($_POST['SecondExam']) . "',
ThirdExam='" . mysql_real_escape_string($_POST['ThirdExam']) . "',
Assignments='" . mysql_real_escape_string($_POST['Assignments']) . "',
FinalExam='" . mysql_real_escape_string($_POST['FinalExam']) . "'
WHERE
SID=" . mysql_real_escape_string($_POST['SID']) ;
Tell now I have no problem .. but the problem is that I don't know how to set the second condition.
CourseID=" . mysql_real_escape_string($_POST['CourseID'])
I want the condition to be something like...
WHERE
SID=" . mysql_real_escape_string($_POST['SID'])
AND CourseID=" . mysql_real_escape_string($_POST['CourseID'])
How could I do it?

Unless you use heredoc syntax php will parse strings on a single line.
ie the rendered clause is:
"WHERE SID=19AND CourseID=45"
Basically you missed a space before
"AND CourseID=" . mysql_real_escape_string($_POST['CourseID'])
or you could put quotes around the values
"SID='" . mysql_real_escape_string($_POST['SID']) . "'
AND CourseID='" . mysql_real_escape_string($_POST['CourseID'])."'"

This is may help
WHERE
SID=" . mysql_real_escape_string($_POST['SID'])
OR CourseID=" . mysql_real_escape_string($_POST['CourseID'])
or
WHERE
SID in (
mysql_real_escape_string($_POST['SID']),
mysql_real_escape_string($_POST['CourseID'])
)
its will work for INT value of SID and CourseID

You can try this, and let me know if there is error message
$sql="UPDATE coursegrade
SET
FirstExam = '" . mysql_real_escape_string($_POST[' FirstExam ']) . "',
SecondExam = '" . mysql_real_escape_string($_POST[' SecondExam ']) . "',
ThirdExam = '" . mysql_real_escape_string($_POST[' ThirdExam ']) . "',
Assignments = '" . mysql_real_escape_string($_POST[' Assignments ']) . "',
FinalExam = '" . mysql_real_escape_string($_POST[' FinalExam ']) . "'
WHERE
SID = ". mysql_real_escape_string($_POST['SID'])."
AND
CourseID = " . mysql_real_escape_string($_POST['CourseID']) .";

change the format of the date inserted by PHP into MySQL database

I am trying to insert the current date into MySQL database in this format: (12/31/2013 10:26:12 PM). I've tried to make a simple code to change the format, but all I get is a syntax error
$sql = "INSERT INTO Students
VALUES
('','" . $info[$i]['firstname'] . "', '" . $info[$i]['lastname'] . "',
'" . $info[$i]['sex'] . "', '" . $info[$i]['major'] . "',
'" . $info[$i]['favorite'] . "', '" . $info[$i]['GPA']
"TO_CHAR(SYSDATE(),'dd/mm/yyyy')";
Tell me please what shall I do with it.

Just try this
$sql = "INSERT INTO Students VALUES ('','" . $info[$i]['firstname'] . "', '" . $info[$i]['lastname'] . "', '" . $info[$i]['sex'] . "', '" . $info[$i]['major'] . "', '" . $info[$i]['favorite'] . "', '" . $info[$i]['GPA'] . gmdate('m/d/Y g:i:s A').")";
or try this one
$sql = "INSERT INTO Students VALUES ('','" . $info[$i]['firstname'] . "', '" . $info[$i]['lastname'] . "', '" . $info[$i]['sex'] . "', '" . $info[$i]['major'] . "', '" . $info[$i]['favorite'] . "', '" . $info[$i]['GPA'] ."', '" . gmdate('m/d/Y g:i:s A').")";
You can also change gmdate with date
Have A nice day

USE
DATE_FORMAT(NOW(),'%m/%d/%Y %h:%i:%s %p') ;
i think some error in query also check:
$sql = "INSERT INTO Students
VALUES
('','" . $info[$i]['firstname'] . "', '" . $info[$i]['lastname'] . "',
'" . $info[$i]['sex'] . "', '" . $info[$i]['major'] . "','" . $info[$i]['favorite'] . "', '" . $info[$i]['GPA'] ."',DATE_FORMAT(NOW(),'%m/%d/%Y %h:%i:%s %p') )";
it should work.
check link:
http://www.w3schools.com/sql/func_date_format.asp

MySQL Syntax Error - Array to Query

I have a pre-constructed array created from some test data as I have not yet set up a post form. The array looks like this:
$ud = array('name' => 'name', 'username' => 'username', 'password' => 'password', 'location' => 'london', 'platform' => 'mobile', 'developer_or_designer' => 'developer', 'tags' => 'hello', 'paypal_email' => 'email#email.com', 'developer_or_client' => 'developer', 'email' => 'email#email.com');
foreach ($ud as $key => $value) {
$value = mysql_real_escape_string($value);
}
From this array, I then try to insert the data via a MySQL query into my database:
$query = mysql_query("INSERT INTO `Developers` (`Name`,`Email`,`Username`,`Password`,`Location`,`Platform`,`Developer_or_Designer`,`Tags`, `Paypal_Email`) VALUES (" . $ud['name'] . ", " . $ud['email'] . ", " . $ud['username'] . ", " .$ud['password'] . ", " . $ud['location'] . ", " . $ud['platform'] . ", " . $ud['developer_or_designer'] . ", " . $ud['tags'] . ", " . $ud['paypal_email'] . ")") or die(mysql_error());
However, it dies with the following error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '#email.com, username, password, london, mobile, developer, hello, email#email.com)' at line 1
Please can you tell me where I am going wrong?

You need quotes around each value in parenthases

Two things:
As Jeff notes, you need to put quotes around the strings.
Before putting quotes around them, you need to pass each string through mysql_real_escape_sring().

$query = mysql_query("INSERT INTO `Developers` (`Name`,`Email`,`Username`,`Password`,`Location`,`Platform`,`Developer_or_Designer`,`Tags`, `Paypal_Email`) VALUES ('" . $ud['name'] . "', '" . $ud['email'] . "', '" . $ud['username'] . "', '" .$ud['password'] . "', '" . $ud['location'] . "', '" . $ud['platform'] . "', '" . $ud['developer_or_designer'] . "', '" . $ud['tags'] . "', '" . $ud['paypal_email'] . "')") or die(mysql_error());
try it:)

From the sounds of the column names those are varchar column types so you need to wrap your values with quotes:
$query = mysql_query("INSERT INTO `Developers` (`Name`,`Email`,`Username`,`Password`,`Location`,`Platform`,`Developer_or_Designer`,`Tags`, `Paypal_Email`) VALUES ('" . $ud['name'] . "', '" . $ud['email'] . "', '" . $ud['username'] . "', '" .$ud['password'] . "', '" . $ud['location'] . "', '" . $ud['platform'] . "', '" . $ud['developer_or_designer'] . "', '" . $ud['tags'] . "', '" . $ud['paypal_email'] . "')") or die(mysql_error());
Also if the values are coming from user input you should run each value through mysql_real_escape_string to help prevent against SQL injection attacks

See this:
VALUES (" . $ud['name'] . ",
Nedd that:
VALUES ('" . $ud['name'] . "',
And for other columns too (if is not numberic)

Categories