Sql into php syntax error - php

So, I have this code that results in a syntax error. Can you please help me figure out what the problem is?
$query = mysql_query("INSERT INTO tablename (column)
VALUES('".$php_var."') WHERE cat = $php_var2") or die(mysql_error());

You can't use a WHERE clause with INSERT. If you want to insert, then the query will be -
"INSERT INTO tablename (column) VALUES('".$php_var."')"
Or if it is update then -
"UPDATE tablename SET column = '".$php_var."' WHERE cat = '" . $php_var2 . "'"
Try to avoid mysql. Use mysqli or PDO

You can't do INSERT with WHERE clause unless it's WHERE NOT EXISTS, so just do:
$query = mysql_query("INSERT INTO tablename (column) VALUES('$php_var')");
Maybe you needed to do UPDATE
$query = mysql_query("UPDATE tablename SET column='$php_var' WHERE cat = '$php_var2' ");

INSERT INTO syntax can't accept a WHERE.
The good syntax is:
INSERT INTO table_name
VALUES(...);
Or, if you prefer not to insert in all the table columns:
INSERT INTO table_name(column_name1, column_name2, ...)
VALUES(column1_value, column2_value, ...);
As a side note, in your request you don't insert your PHP variable, but some text.

Related

PDO query insert special symbol

$queryInsertUrl= "INSERT INTO oc_url_alias SET query = :pid, keyword = :keyw";
$pid = 'product_id=100002';
$stmtInsertUrl->bindParam(':pid',$pid);
$stmtInsertUrl->bindParam(':keyw',$producturl['keyword']);
$stmtInsertUrl = $connin->prepare($queryInsertUrl);
$stmtInsertUrl->execute();
echo $queryInsertUrl;
Result:
INSERT INTO oc_url_alias SET query = 'product_id=100002', keyword = 'yesssss'
I tried to run the above insert query using PDO, but when I run the code it returns an error because of 'product_id=100002'. Does anyone know how to fix that? If I delete the = in product_id=100002, it succeeds.
Use backticks around names, so you don't end up using keywords and reserved words.
Your query should then look like this:
INSERT INTO `oc_url_alias` SET `query` = 'product_id=100002', `keyword` = 'yesssss'
In your changed question you should use this:
$queryInsertUrl= "INSERT INTO `oc_url_alias` SET `query` = :pid, `keyword` = :keyw";

PHP large number into SQL

I'm trying to use this query:
$cert= 125125161241261241261;
$cert= $cert + 1;
INSERT into table (column) values ($cert);
however, when the insertion is done.
I get something like 12512516124126124+E17 or something like that.
I already have put the datatype into varchar(max) and var_dump'ed my variable
SQL Server 200x.
Insert quotes '
$cert= 125125161241261241261;
$query = mysql_query("INSERT INTO table (column) VALUES('".$cert."')");
^^^ ^^^
INSERT QUOTES.
BEWARE OF SQL INJECTION
USE this way
$cert= 125125161241261241261;
$sql = "INSERT INTO table (column) VALUES(?)";
$stmt = $dbConnection->prepare($sql);
$stmt->bind_param('s', $cert); // 's' indicates a string parameter
$stmt->execute();
I used a SQL procedure that does the insert and used it in my PHP insertion, Thanks for whoever tried to help.
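The symptom in this thread, reproduced as an added example (not code from the original posts): the unquoted literal exceeds PHP_INT_MAX and becomes a float before any SQL is built, so the value has to stay a string from start to finish and be bound as text. `incrementDecimal()` and the `certs` table are hypothetical, and pdo_sqlite stands in for the asker's SQL Server.

```php
<?php
// Added example: incrementDecimal() is a hypothetical helper; the table is
// constructed and uses pdo_sqlite as a stand-in for the asker's SQL Server.
function incrementDecimal(string $n): string
{
    if (!preg_match('/\A[0-9]+\z/', $n)) {
        throw new InvalidArgumentException('expected an unsigned decimal string');
    }
    $digits = str_split($n);
    for ($i = count($digits) - 1; $i >= 0; $i--) {
        if ($digits[$i] !== '9') {
            $digits[$i] = (string) ((int) $digits[$i] + 1);
            return implode('', $digits);
        }
        $digits[$i] = '0'; // carry into the next digit to the left
    }
    return '1' . implode('', $digits); // all nines: prepend a new leading digit
}

// The unquoted literal is larger than PHP_INT_MAX, so PHP parses it as a float
// and the low digits are gone before the query is ever built.
$asNumber = 125125161241261241261 + 1;
$asString = incrementDecimal('125125161241261241261');

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE certs (cert TEXT)');
$stmt = $pdo->prepare('INSERT INTO certs (cert) VALUES (:cert)');
$stmt->bindValue(':cert', $asString, PDO::PARAM_STR); // bound as text
$stmt->execute();

var_dump(is_float($asNumber));
echo $pdo->query('SELECT cert FROM certs')->fetchColumn(), "\n";
```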

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near at line 1

This is my updating script:
$cno = $data[6];
$result = mysql_query("select *
from courier_details
where consignment_no = '".$cno."'");
if($result >0)
{
$update = "UPDATE `courier_details`
SET(`shipper_name`, `shipper_phone`, `shipper_address`, `receiver_name`,
`receiver_phone`, `receiver_address`, `consignment_no`,
`type_of_shippment`, `weight`, `volumetric_weight`, `packages`,
`product`, `qnty`, `booking_mode`, `total_freight`, `mode`,
`dept_time`, `origin`, `destination`, `pickup_date`, `pickup_time`,
`status`, `excepted_dly_date`, `comments`, `delivered_date`,
`delivered_time`, `deboy`, `career`,`originbr`, `destinationbr`,
`email`)
VALUES('$data[0]','$data[1]','$data[2]','$data[3]','$data[4]','$data[5]',
'$data[6]','$data[7]','$data[8]','$data[9]','$data[10]','$data[11]',
'$data[12]','$data[13]','$data[14]','$data[15]','$data[16]',
'$data[17]','$data[18]','$data[19]','$data[20]','$data[21]',
'$data[22]','$data[23]','$data[24]','$data[25]','$data[26]',
'$data[27]','$data[28]','$data[29]','$data[30]')
WHERE `consignment_no` = '".$cno."'";
mysql_query($update) or die(mysql_error());
}
It shows an error when the code executes:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use
near '(shipper_name, shipper_phone, shipper_address, receiver_name, `receiver_' at line 1
Your update query seems wrong.
You cannot use UPDATE query like INSERT query. Syntax should be:
Update TableName
Set col1=val1,
col2=val2,
col3=val3,
.......
On the other hand, INSERT can be used like:
INSERT INTO TableName
(col1,col2,col3) VALUES (val1,val2,val3)
You were mixing update and insert queries; you need to learn about the differences between them.
UPDATE
UPDATE table_name SET field1=new-value1, field2=new-value2
[WHERE Clause]
INSERT
INSERT INTO TABLE_NAME (column1, column2, column3,...columnN)
VALUES (value1, value2, value3,...valueN);
So your query will be like
"UPDATE `courier_details` SET `shipper_name` = '$data[0]',
`shipper_phone` = '$data[1]'.....
WHERE `consignment_no` = '$cno'"
Use mysql_num_rows() to count the number of rows.
This is wrong:
if($result >0)
And don't use an update query as an insert query; both are different.
It would be:-
$result = mysql_query("select * from courier_details where consignment_no = '" . $cno . "'");
if (mysql_num_rows($result) > 0) {
$update="UPDATE table_name SET field1=value1, field2=value2";
mysql_query($update) or die(mysql_error());
}
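The UPDATE from this thread rebuilt with PDO prepared statements, as an added example that is not part of the original posts: the SET clause is assembled from a fixed column allow-list and every value is bound, so quotes in the data cannot change the statement. The schema is a constructed subset of the asker's columns, `updateCourier()` and `UPDATABLE` are hypothetical names, and pdo_sqlite is assumed so the script runs without a MySQL server.

```php
<?php
// Added example: constructed schema and rows, not the asker's real table.
// Assumes pdo_sqlite so it runs without a MySQL server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE courier_details (consignment_no TEXT PRIMARY KEY,
    shipper_name TEXT, shipper_phone TEXT, status TEXT, comments TEXT)');
$pdo->exec("INSERT INTO courier_details (consignment_no, shipper_name, status)
    VALUES ('CN1001', 'old name', 'booked')");

// Column names are fixed in code and never taken from input.
const UPDATABLE = ['shipper_name', 'shipper_phone', 'status', 'comments'];

// Updates one consignment; $fields maps column name => new value.
// Returns the number of rows changed (0: no such consignment).
function updateCourier(PDO $pdo, string $cno, array $fields): int
{
    $set = [];
    $params = [':cno' => $cno];
    foreach ($fields as $column => $value) {
        if (!in_array($column, UPDATABLE, true)) {
            throw new InvalidArgumentException("Column not updatable: $column");
        }
        // UPDATE takes col = value pairs, not an INSERT-style column list.
        $set[] = "`$column` = :$column";
        $params[":$column"] = $value;
    }
    if ($set === []) {
        return 0;
    }
    $sql = 'UPDATE `courier_details` SET ' . implode(', ', $set)
         . ' WHERE `consignment_no` = :cno';
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt->rowCount();
}

// Constructed values: the apostrophes would end the string literal in the
// interpolated query from the question; as bound values they are just data.
$changed = updateCourier($pdo, 'CN1001', [
    'shipper_name' => "Sean O'Brien",
    'status'       => 'in transit',
    'comments'     => "left at 'back door'",
]);
$missing = updateCourier($pdo, 'CN9999', ['status' => 'lost']);
echo "rows changed: $changed, unknown consignment: $missing\n";
echo $pdo->query('SELECT shipper_name FROM courier_details')->fetchColumn(), "\n";
```

On MySQL, `rowCount()` reports 0 when the row exists but the new values equal the old ones, unless the connection is opened with `PDO::MYSQL_ATTR_FOUND_ROWS`.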

getting error check ur mysql syntax near 'order(`pcode`)

I used `` for the column name, though I'm getting an error...
my code is
$sql = "INSERT INTO order(`pcode`) VALUES ('$pcode')";
if(!mysql_query($sql,$con))
die('cant connect ' .mysql_error());
Order is a reserved word for the "ORDER BY" clause
try
"INSERT INTO `order`(pcode) VALUES ('$pcode')";
Note: Please ensure $pcode is being run through mysql_real_escape_string, or better yet look into the PDO extension and their prepared queries
if order is your table name and pcode is your column name then you can use this:
$sql = sprintf("INSERT INTO `order` (pcode) VALUES('%s')", $pcode);

not updating the sql database

I wrote the following code, but it's not updating the database. It's part of a script and it ceases to work. I can't find a way around it and need suggestions.
<?php
$link = mysql_connect('xxxxxxxx');
if (!$link) {
die('Could not connect: ' . mysql_error());
}
mysql_select_db("xxx", $link);
$usernames='aneeshxx';
echo $usernames;
$update = "INSERT sanjana SET $name ='$usernames'";
mysql_query($update, $link);
$update1 = "INSERT INTO sanjana (name)VALUES ($usernames)";
mysql_query($update1, $link);
?>
$update = "INSERT sanjana SET $name ='$usernames'";
this probably is meant as an UPDATE statement, so for an update it should be
$update = "UPDATE sanjana set name = '$usernames'";
I put name and not $name due to your second query and not seeing $name being defined anywhere. Be aware that this will change the value in the column name of every row in the sanjana table to the value of $usernames, normally a statement such as this gets limited by conditions, e.g. WHERE userid = 33
$update1 = "INSERT INTO sanjana (name) VALUES ($usernames)";
for an INSERT statement it needs to have the values quoted so
$update1 = "INSERT INTO sanjana (name) VALUES ('$usernames')";
Be wary that this way of putting variables directly into your query string makes you vulnerable to SQL injection. To combat this, please use the PDO or mysqli extensions; they both protect you from injection by providing you with prepared statements. Plain old mysql_* is not recommended for use anymore.
using pdo you'd use prepared statements like this
<?php
// we got $usernames from wherever you define it
$pdo = new PDO('mysql:dbname=mydb;host=localhost','username','password');
// to insert
$statement = $pdo->prepare('INSERT INTO `sanjana` (name) VALUES (:name)');
// the following replaces :name with $usernames in a safe manner, defeating sql injection
$statement->bindParam(':name',$usernames);
$statement->execute(); // it is done
// to update
$statement = $pdo->prepare('UPDATE `sanjana` SET `name` = :name');
$statement->bindParam(':name',$usernames);
$statement->execute(); // it is done
so as you can see protecting your code from malicious input is not hard and it even makes your SQL statements a lot easier to read. Did you notice that you didn't even need to quote your values in the SQL statement anymore? Prepared statements take care of that for you! One less way to have an error in your code.
Please do read up on it, it will save you headaches. PDO even has the advantage that it's database independent, making it easier to use another database with existing code.
The right update sql clause is like so:
UPDATE table
SET column = expression;
OR
UPDATE table
SET column = expression
WHERE predicates;
SQL: UPDATE Statement
Your query should be like this:
$update = "UPDATE sanjana SET $name ='$usernames'";
mysql_query($update, $link);
Of course you need to specify a row to update (id); otherwise, the whole table will set column $name to $usernames.
UPDATE:
Because you are inserting data into an empty table, you should first execute the $update1 query and then execute the $update query. The UPDATE clause will make no change/insert on an empty table.
Problem 1: use the correct "insert into" (create new record) vs. "update" (modify existing record)
Problem 2: It's good practice to create your SQL string before you call mysql_query(), so you can print it out for debugging
Problem 3: It's also good practice to detect errors
EXAMPLE:
<?php
$link = mysql_connect('xxxxxxxx')
or die('Could not connect: ' . mysql_error());
mysql_select_db("xxx", $link);
$usernames='aneeshxx';
$sql = "INSERT INTO sanjana (name) VALUES ('" . $usernames . "')";
echo "sql: " . $sql . "...<br/>\n";
mysql_query($sql, $link)
or die(mysql_error());
You have INSERT keyword for your update SQL, this should be changed to UPDATE:
$update = "UPDATE sanjana SET $name ='$usernames'";
