pdo prepare escaping single quotes - php

I use PDO in a web application I am building. I always thought (I am wrong actually) that using prepare should help with single quotes in the inserted variables but it seems that I miss something. I get an error inserting values like L'Aquila where there is a single quote in the input data.
My actual code is:
$sql = "INSERT INTO anagrafiche SET
id_ndg = '$protocol',
nick = '$nick',
nome = '$nome',
cognome = '$cognome',
ragsoc = '$ragsoc',
leg_rappr = '$leg_rappr',
cod_fisc = '$cod_fisc',
p_iva = '$p_iva',
cf_estero = '$cf_estero',
SAE = '$sae',
RAE = '$rae',
ATECO = '$ateco',
CRCODE = '$crcode',
indirizzo = '$indirizzo',
civico = '$civico',
cap = '$cap',
citta = '$citta',
prov = '$prov',
tel = '$tel',
cell = '$cellulare',
mail = '$mail',
note = '$note',
file_ci = '$file_ci',
file_cf = '$file_cf',
file_visura = '$file_visura',
cittadinanza = '$cittadinanza',
res_fiscale = '$res_fiscale',
is_curatore = '$is_curatore',
is_legale = '$is_legale',
is_tribunale = '$is_tribunale',
is_fornitore = '$is_fornitore' ";
try{
$s = $pdo->prepare($sql);
$s->execute();
}
catch (PDOException $e){
$error = 'Errori nel caricamento: '.$e->getMessage();
}
and when I try to load a string containing the single quote I get an error like this while trying to load the string Piazza d'Armi
:
Errori nel caricamento: SQLSTATE[42000]: Syntax error or access
violation: 1064 You have an error in your SQL syntax; check the manual
that corresponds to your MySQL server version for the right syntax to
use near 'Armi', civico = '0', cap = '83100', citta = 'Avellino',
prov' at line 15
What am I missing? I don't think that PDO quote can do the job for me but maybe it's me that I don't get the point

It helps with single quotes only if you do parametrized prepared statements, otherwise all you are doing is string concatenation and have to be subject to properly forming your SQL.
Try something like:
$sql = "INSERT INTO anagrafiche SET
id_ndg = :protocol,
nick = :nick,
nome = :nome,
...
";
$params = array(
':protocol' => $protocol,
':nick' => $nick,
':nome' => $nome,
...
);
try{
$s = $pdo->prepare($sql);
$s->execute($params);
} catch (PDOException $e) {
...
}
This also gives you the added advantage of mitigating SQL injection attacks.
If you want to go a step further and enforce data types, you could use bindValue() or bindParam()
like:
$sql = "INSERT INTO anagrafiche SET
id_ndg = :protocol,
nick = :nick,
nome = :nome,
...
";
try{
$s = $pdo->prepare($sql);
$s->bindParam(':protocol', $protocol, PDO::PARAM_ST);
$s->bindParam(':nick', $nick, PDO::PARAM_ST);
$s->bindParam(':nome', $nome, PDO::PARAM_ST);
...
$s->bindParam(':some_integer', $some_integer, PDO::PARAM_INT);
...
$s->execute();
} catch (PDOException $e) {
...
}
bindValue() has similar syntax to bindParam() but only binds the value of the variable at the time of binding to the parameter rather than the value of the variable at the time of statement execution.

Related

Insert Multiple sql statements in php from an array from for loop or foreach

This is my code I have to insert an array each value in the insert statement
if(isset($_POST['add'])){
$batch = $_POST['batch'];
$course = explode(':', $_POST['course']);
$cid = $course[0];
$rowCount = count($_POST['branch']);
$branch = implode(',', $_POST['branch']);
$semester = $_POST['sem'];
$day = $_POST['day'];
$hour = $_POST['hour'];
for($i=0;$i<$rowCount;$i++){
$description = $_POST['branch'][$i];
$sql. = "INSERT INTO batch (batch,bdescription,branch,course,semester,day,hour,user) VALUES ('$batch','$description',$i,'$cid','$semester','$day','$hour','$usnid');";
}
if($conn->query($sql)){
$_SESSION['success'] = 'batch added successfully';
}
else{
$_SESSION['error'] = $conn->error;
}
}
Please help thanks
You can't execute multiple queries with a single call to $conn->query().
Change your query so it's just a single INSERT statement with multiple lists of values after VALUES.
$sql = "INSERT INTO batch (batch,bdescription,branch,course,semester,day,hour,user) VALUES "
for($i=0;$i<$rowCount;$i++){
$description = $_POST['branch'][$i];
$sql. = "('$batch','$description',$i,'$cid','$semester','$day','$hour','$usnid'),";
}
$sql = substr($sql, 0, -1); // remove last comma
You should also use $conn->real_escape_string() to escape all the inputs, to protect against SQL injection (it would be even better to do that with a prepared statement, but it's difficult to make a prepared statement in mysqli with dynamic parameters).
Barmar is correct, you can't execute multiple SQL statements with query(). There's mysqli_multi_query(), but there's hardly ever a justification for using that. The former Engineering Director for MySQL once told me unequivocally, "there's no reason for multi-query to exist."
You should use parameters instead of copying $_POST variables directly into your SQL strings. It's not hard, in fact it makes code easier than fiddling with confusing quotes-within-quotes and mysqli_real_escape_string() and so on.
I wouldn't bother with trying to insert multiple tuples in a single INSERT statement. How many branches can possibly be in a single POST? A few dozen at most? Not enough to make it necessary to make the INSERT into a single statement. So just call execute() for a prepared INSERT, once for each row.
$sql = "INSERT INTO batch
SET batch=?, bdescription=?, branch=?, course=?, semester=?,
day=?, hour=?, user=?";
$stmt = $conn->prepare($sql) or die($conn->error);
$description = '';
$stmt->bind_param('ssssssss', $batch, $description, $i, $cid, $semester, $day, $hour, $usnid);
for($i=0;$i<$rowCount;$i++){
$description = $_POST['branch'][$i];
$stmt->execute() or die($stmt->error);
}
Read the manual for https://www.php.net/manual/en/mysqli-stmt.bind-param.php for more code examples.
This is how I Fixed My Code. I Used for loop
if(isset($_POST['addstd'])){
$rowCount = count($_POST['student']);
for($i=0;$i<$rowCount;$i++){
$stdid = $_POST['student'][$i];
$course = $_POST['course'][$i];
$batch = $_POST['batch'][$i];
$branch = $_POST['branch'][$i];
//insert students into attendance table
$sqlsel = "SELECT year,student_id, student_rollno,firstname,lastname, branch,active, nr FROM student WHERE student.student_id = '$stdid' AND student.branch = '$branch'";
$querysel = $conn->query($sqlsel) or die($conn->error);
$rowsel = $querysel->fetch_assoc();
if($rowsel !== null){
$year = $rowsel['year'];
$rollno = $rowsel['student_rollno'];
$active = $rowsel['active'];
$branch = $rowsel['branch'];
$name = $rowsel['firstname'].$rowsel['lastname'];
$sql = "INSERT IGNORE INTO class (year,regno, rollno,name, programme,coursecode,batch,user,active,count) VALUES ('$year','$stdid','$rollno','$name','$branch','$course','$batch','$usnid','$active','$i');";
if($conn->query($sql)){
$_SESSION['success'] = 'Students Added To Batch Successfully';
}
else{
$_SESSION['error'] = $conn->error;
}
}
else{
continue;
}
}
}
else{
$_SESSION['error'] = 'Fill up add form first';
}

PHP MySQL UPDATE statement not working

I have a MySQL database with a table (opendpu) that has multiple columns including columns titled "ECRNUM" and "PE_REQUIRED".
I'm simply trying to test this update statement by specifying some values. I get this error:
Array ( [0] => 42000 [1] => 1064 [2] => You have an error in your
SQL syntax; check the manual that corresponds to your MySQL server
version for the right syntax to use near 'DOE WHERE ECRNUM = 81308' at
line 1 )
I cannot, for the life of me, figure out what is wrong here. Can anyone help?
<?php
require ('config.php');
$ecrno = '81308';
$pe_required = 'JOHN DOE';
while (true) {
try {
$db = new PDO($dsn, $uname, $pword);
$db->exec( "SET CHARACTER SET utf8" );
$db->setAttribute( PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC );
$db->setAttribute( PDO::ATTR_PERSISTENT, true );
break;
}
catch (Exception $e) {
$db = null;
$counter++;
if ($counter == $limit)
throw $e;
}
}
$stmt = $db->prepare("UPDATE opendpu SET PE_REQUIRED = $pe_required WHERE ECRNUM = $ecrno");
$stmt->execute() or die(print_r($stmt->errorInfo(), true));
?>
.
+1 for using prepared statements... but (and its a big BUT):
You should never use prepared statements without bind_param as this leaves you wide open to SQL injection and negates the benefits of prepared statements.
$stmt = $db->prepare("UPDATE opendpu SET PE_REQUIRED=? WHERE ECRNUM=?");
$stmt->bind_param('si', $pe_required, $ecrno);
$stmt->execute() or die(print_r($stmt->errorInfo(), true));
Change your syntax like this [Enclosed quotes around the variable]
$stmt = $db->prepare("UPDATE `opendpu` SET PE_REQUIRED = '$pe_required' WHERE ECRNUM = '$ecrno'");
Please check with below query
$stmt = $db->prepare("UPDATE opendpu SET PE_REQUIRED = '.$pe_required.' WHERE ECRNUM = '.$ecrno.'");

Updating multiple MySQL table columns using arrays with PDO

I'm trying to switch all my MySQL connections from the old mysql_query to PDOs. I'm trying to update multiple rows and columns of a MySQL table using different arrays and I'm receiving the following error:
[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '(accnt, car, radio, misc) values ('admin', '300.00', '400.00', '10.00') WHERE ID' at line 1
From the following code:
$account = $_POST['account'];
$car_lease = $_POST['car_lease'];
$radio_lease = $_POST['radio_lease'];
$misc_lease = $_POST['misc_lease'];
$lease_ID = $_POST['lease_ID'];
//$data = array_map(null,$account,$car_lease,$radio_lease,$misc_lease);
$A = count($lease_ID);
try {
$DBH = new PDO("mysql:host=$host;dbname=$dbname", $user, $pass);
$DBH->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );
$STH = $DBH->prepare('UPDATE lease (accnt, car, radio, misc) values (:account, :car_lease, :radio_lease, :misc_lease) WHERE ID = :lease_ID');
$i = 0;
while($i < $A) {
$STH->bindParam(':account', $account[$i]);
$STH->bindParam(':car_lease', $car_lease[$i]);
$STH->bindParam(':radio_lease', $radio_lease[$i]);
$STH->bindParam(':misc_lease', $misc_lease[$i]);
$STH->bindParam(':lease_ID', $lease_ID[$i]);
$STH->execute();
$i++;
}
}
catch(PDOException $e) {
echo "I'm sorry, but there was an error updating the database.";
file_put_contents('PDOErrors.txt', $e->getMessage(), FILE_APPEND);
}
I believe this problem is arising from the way I'm calling the statement handle, but I'm not sure what part of my syntax is incorrect. Also, is this the best way of handling such situations? Or is there a better method to update multiple rows in a table?
You have confused the syntax between INSERT and UPDATE statements. Instead of a VALUES() list, you need a SET clause:
$STH = $DBH->prepare('
UPDATE lease
SET
accnt = :account,
car = :car_lease,
radio = :radio_lease,
misc = :misc_lease
WHERE ID = :lease_ID
');
Review the MySQL UPDATE syntax reference for the full specification to use with UPDATE statements.
I think this would be the simplest and easiest solution, if you can trust your keys and values:
$update = 'SET ';
$fields = array_keys($_POST);
$values = array_values($_POST);
foreach ($fields as $field) {
$update .= $field . '=?,';
}
$update = substr($update, 0, -1);
$db->query("update sub_projects ${update} where id=${_GET['id']}");
$db->execute($values);
Simple way to update multiple fields .but very important that inputs on your editing page must be in same order with your data base table.
hope its help
if (isset($_POST['pageSubmit'])) {
echo '<pre>';
print_r($_POST['page']);
echo '</pre>';
$fields = array('id','name','title','content','metaKey','metaDescr','metaTitle');//fields array
$fields = array_map(function($field){
return "`$field`";
},$fields);
$queryArray = array_combine($fields,$_POST['page']);//createng array for query
$countFields = count($queryArray);//getting count fields
$id = array_splice($queryArray , 0,-($countFields-1));//getting id of page
$insertArray = $queryArray;//getting new fields array without first key and value
function updatePage($db, array $fields, array $id){
$where = array_shift($id);
$sql = array();
foreach ($fields as $key => $value) {
$sql[] = "\n".$key."" ." = "."'".$value."'";
}
$sql = implode(",",$sql);
try {
$query = $db->prepare("UPDATE `pages` SET $sql WHERE `id` = $where ");
$query->execute();
} catch (Exception $e) {
echo $e->getMessage();
}
}
updatePage($db, $insertArray, $id);
}
better way is CASE, it is 3-4 time faster than preapared stmt

Syntax error at update query where clause mysql

if(isset($_POST['Update'])) {
$placename = $_POST['placename'];
$description = trim(addslashes($_POST['description']));
$hotel = $_POST['hotel'];
$transport = $_POST['transport'];
$map = $_POST['map'];
$sqlp = "UPDATE places SET placename = $placename, description = $description, hotel = $hotel, transport = $transport, map = $map WHERE place_id = ". $sPlace['place_id'];
connection();
if(mysql_query($sqlp)) {
echo "Successfully Updated";
} else {
echo mysql_error();
}
}
Error Message is following-
You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use
near '
map = map WHERE place_id = 54' at line 1
You error in that code is that you don't add quotes around variables, it should be like this:
$query = "UPDATE `table` SET `name`='".mysqli_real_escape_string($_POST['name'])."' WHERE `id`=1";
But please try to use PDO with transaction as you will be able to debug any errors and you don't have to worry about SQL Injection.
Try this: (you will see errors, and if it's not ok, it will rollback)
$db = new PDO('mysql:host=localhost;dbname=databaseName', 'username', 'password', array(PDO::ATTR_EMULATE_PREPARES => false));
$placename = $_POST['placename'];
$description = trim(addslashes($_POST['description']));
$hotel = $_POST['hotel'];
$transport = $_POST['transport'];
$map = $_POST['map'];
try {
$db->beginTransaction();
$stmt = $db->prepare("UPDATE `places` SET `placename`=:placename, `description`=:description, `hotel`=:hotel, `transport`=:transport, `map`=:map WHERE `place_id`=:place_id");
$stmt->execute(array(':placename' => $placename, ':description' => $description, ':hotel' => $hotel, ':transport' => $transport, ':map' => $map, ':place_id' => $sPlace['place_id']));
$db->commit();
} catch(PDOException $ex) {
$db->rollBack();
echo $ex->getMessage();
}
You have an error in your SQL syntax ... 'map = map WHERE place_id = 54' at line 1
map = map <-- is invalid. the right-side should be an sql value (quoted string, number, etc). Perhaps map = 'map' (quote the value) is the intended result?
The problem you are seeing has come about because none of your string literals have been quoted, so the comma in the value of $transport is being evaluated as a separator between SQL SET clauses and so gives rise to the syntax error that you witness.
You should quote your string literals—or better yet, use parameterised statements so that your variables do not get evaluated for SQL at all (which avoids all forms of SQL injection attack).

pdo select statement returning no rows

I am making a simple select from mySQL using PHP. I am doing something wrong that I can't seem to track down.
Here's my statement:
$storyTitle = $_GET['title'];
$storyDate = urldecode($_GET['date']);
$SQL = "SELECT
*
FROM
tblContent
WHERE
REPLACE(contentTitle,' ' , '-') = :storyTitle
AND
date(publishDate) = date(:storyDate)";
$conn = new PDO("mysql:host=$dbhost;dbname=$dbname",$dbuser,$dbpass);
$q = $conn->prepare($SQL);
$q->execute(array(':storyTitle' => $storyTitle, ':storyDate' => $storyDate));
while($r = $q->fetch()){
echo $SQL;
};
This throws no errors and gives no rows.
If I replace the identifiers :storyTitle and :storyDate with a hard coded SQL statement, I get the correct results. I've stepped through and looked at the variables, and they seem right... I've already wasted so much time hunting, but I lack the expertise to pick out what I'm doing wrong.
Dump the contents of your variables. I'm suspicious of:
$storyDate = urldecode($_GET['date']);
$_GET parameters automatically are url-decoded.
you have to ask PDO to throw an error explicitly
try {
$conn = new PDO("mysql:host=$dbhost;dbname=$dbname",$dbuser,$dbpass);
$conn->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );
$q = $conn->prepare($SQL);
$q->execute(array(':storyTitle' => $storyTitle, ':storyDate' => $storyDate));
} catch (PDOException $e) {
echo $e->getMessage();
}

Categories