PHP - PDO error [duplicate] - php

This question already has an answer here:
Syntax error due to using a reserved word as a table or column name in MySQL
(1 answer)
Closed 7 years ago.
I'm getting an error with PDO:
PDOStatement::execute() [pdostatement.execute]: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'key, pseudo, ip, date) VALUES ('mykeyperso', 'mrthebigbosseur', '86.208.78.145',' at line 1 in /home/a1394006/public_html/api/skype.php on line 51
And I don't know why
My source code:
$req = $bdd->prepare('INSERT INTO logs (key, pseudo, ip, date) VALUES (:key, :pseudo, :ip, :date)');
$req->bindParam(":key", $key1, PDO::PARAM_STR);
$req->bindParam(":pseudo", $pseudo1, PDO::PARAM_STR);
$req->bindParam(":ip", $ip1, PDO::PARAM_STR);
$req->bindParam(":date", $date, PDO::PARAM_STR);
$req->execute();
My variable:
$key1 = $_GET['key'];
$pseudo1 = $_GET['pseudo'];
$ip1 = $_SERVER['REMOTE_ADDR'];
$date = $_SERVER['REQUEST_TIME'];
My database: http://prntscr.com/6zjsmd
So if someone can help me plz

Key is a reserved word in MySQL. To use it as a column name, wrap it in backticks (`key`). Double quotes would apparently also work in ANSI SQL mode.

Related

Cannot determine INSERT PDO error. SQLSTATE[42000]: Syntax error or access violation [duplicate]

This question already has answers here:
Syntax error due to using a reserved word as a table or column name in MySQL
(1 answer)
MySQL: "error in your SQL syntax ... near key ..."? [closed]
(6 answers)
Reference - What does this error mean in PHP?
(38 answers)
Closed 4 years ago.
I'm trying to execute an SQL INSERT but I am getting the error:
SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'key) VALUES (example#example.com, hello)' at line 1
The values in the table are: id(auto increment), email and key which are both varchar(255) with the id being (int).
function validate($data)
{
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    return $data;
}
$key = 'hello';
$email = validate($_POST['email']);
$insert = $user->recordPasswordReset($email, $key);
public function recordPasswordReset($email, $key)
{
    try
    {
        $db = DB();
        $sql = "INSERT INTO password_reset(email, key) VALUES (:email, :key)";
        $stmt = $db->prepare($sql);
        $stmt->bindParam(':email', $email, PDO::PARAM_STR);
        $stmt->bindParam(':key', $key, PDO::PARAM_STR);
        $stmt->execute();
    }
    catch (PDOException $e)
    {
        echo ($e->getMessage());
    }
}
Can anybody see any errors in my code?
Firstly, as per the documentation, your field name key is a reserved keyword. You need to use back ticks around it.
Change,
INSERT INTO password_reset(email, key) VALUES (:email, :key)
To,
INSERT INTO password_reset(email, `key`) VALUES (:email, :key)
Secondly, please don't use an all-in-one sanitize function as they generally have some form of flaw in them.
Thirdly, you are using visibility keywords outside of a class.
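The answer's second point, shown as an added example that is not part of the original posts: the question's validate() rewrites the value before it is stored, while per-context handling validates on input, binds for SQL, and encodes only on output. The sample address, the token strings and the in-memory SQLite table are constructed, and the pdo_sqlite extension is assumed so the block runs without a MySQL server.

```php
<?php
// Added example; the sample address and the in-memory SQLite table are constructed.

// The all-in-one function from the question, behaviour unchanged.
function validate($data)
{
    return htmlspecialchars(stripslashes(trim($data)));
}

// Input context: accept or reject the address, never rewrite it.
function parseEmail(string $raw): string
{
    $email = filter_var(trim($raw), FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        throw new InvalidArgumentException('not a valid e-mail address');
    }
    return $email;
}

// SQL context: bound parameters carry the values; `key` is quoted as an identifier.
function recordPasswordReset(PDO $db, string $email, string $key): void
{
    $stmt = $db->prepare('INSERT INTO password_reset (email, `key`) VALUES (:email, :key)');
    $stmt->execute([':email' => $email, ':key' => $key]);
}

// Count stored rows whose e-mail equals the address the user actually typed.
function countFor(PDO $db, string $email): int
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM password_reset WHERE email = :email');
    $stmt->execute([':email' => $email]);
    return (int) $stmt->fetchColumn();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE password_reset (id INTEGER PRIMARY KEY, email TEXT, `key` TEXT)');

$typed = 'r&d@example.com';                                // constructed input
recordPasswordReset($db, validate($typed), 'token-1');     // "&" is rewritten to "&amp;" before storage
echo countFor($db, $typed), "\n";                          // lookup by the typed address misses that row
recordPasswordReset($db, parseEmail($typed), 'token-2');   // address stored exactly as typed
echo countFor($db, $typed), "\n";

// HTML context: encode at output time only.
echo htmlspecialchars($typed, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), "\n";
```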

PHP PDO MYSQL on duplicate update [duplicate]

This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
Closed 5 years ago.
I'm trying to do a MySQL query with update on duplicate key but I can't see what's wrong with the syntax because I'm getting a "syntax error or access violation" error.
code:
$sql = "INSERT INTO site_configuration
(configuration_key, configuration_value, additional_data)
VALUES
(:config_key, :site_new_background, :site_background_meta)
ON DUPLICATE KEY UPDATE
'configuration_value' = VALUES(:site_new_background), 'additional_data' = VALUES(:site_background_meta)";
$smth = $database->prepare($sql);
$smth->bindParam(':config_key', $config_key, PDO::PARAM_STR);
$smth->bindParam(':site_new_background', $site_new_background, PDO::PARAM_STR);
$smth->bindParam(':site_background_meta', $site_background_meta, PDO::PARAM_STR);
Error message:
'PDOException' with message 'SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''configuration_value' = VALUES(?), 'additional_data' = VALUES(?)'
Remove the single quotes from the statement:
// VALUES() in ON DUPLICATE KEY UPDATE takes a column name, not a placeholder.
$sql = "INSERT INTO site_configuration
(configuration_key, configuration_value, additional_data)
VALUES
(:config_key, :site_new_background, :site_background_meta)
ON DUPLICATE KEY UPDATE
configuration_value = VALUES(configuration_value), additional_data = VALUES(additional_data)";

PHP PDO doesn't bind correctly [duplicate]

This question already has answers here:
How to apply bindValue method in LIMIT clause?
(11 answers)
Closed 7 years ago.
$conn = getConn();
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$sql = "select * from posts where fk_user_id in (select id_user_1 from contacts where id_user_2=:_id) or (select id_user_2 from contacts where id_user_1=:_id) or :_id order by date desc limit 15 offset :_offset";
$stmt = $conn->prepare($sql);
$stmt->bindParam('_id', $id);
$o = "0";
$stmt->bindParam('_offset', $o);
Connection failed: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''0'' at line 1
For some reason it doesn't bind the param correctly; if I manually put a 0 in the SQL everything works.
Fix: I fixed it by adding PDO::PARAM_INT. $stmt->bindParam(':_offset', $offset, PDO::PARAM_INT);
You're binding parameters incorrectly. It should be:
$stmt->bindParam(':_id', $id);
$offset = 0;
$stmt->bindParam(':_offset', $offset, PDO::PARAM_INT);

PDO insert not inserting

I am trying to insert using a prepared PDO statement but it doesn't seem to be working how I would like it to be. Here's my code:
$conn = new PDO('mysql:host=localhost;dbname=myDB', $username, $password);
$sql = "INSERT INTO posts (`text`,`name`) VALUES (:text,:username)";
$q = $conn->prepare($sql);
$q->bindParam(':text', $_GET['textField'], PDO::PARAM_STR);
$q->bindParam(':username', $_SESSION['myusername'], PDO::PARAM_STR);
$q->execute();
print_r($q->errorInfo());
The issue is that this doesn't do anything and I am not sure why. I am following the guidelines here to help me do it.
Edit: When I use print_r I get the following MySQL error:
Array ( [0] => 42000 [1] => 1064 [2] => You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''text','name') VALUES ('a','user')' at line 1 )
Because text is a type in MySQL (look here), the query fails, because the syntax is wrong.
Add ticks around your text name and try again.
$sql = "INSERT INTO posts (text,name) VALUES (:text,:username)";
----
This is the error.

PHP, MYSQL error?

I recently started working with PHP and MySQL, everything was going fine till I started to get this error. The code works when I insert it into the query window at phpMyAdmin, but it doesn't work inside PHP code when I open it with a browser. I'm already connected to the database, so that's not the problem.
This is the error I get:
SQLSTATE[42000]: Syntax error or access violation: 1064 You have an
error in your SQL syntax; check the manual that corresponds to your
MySQL server version for the right syntax to use near ''fatmam' (user,
messageid) VALUES ('ayihan', '5')' at line 1
try
{
    $alicengiz = $_POST['actor'].'m';
    $sql = 'INSERT INTO :tablename (user, messageid) VALUES
    (:user, :messageid)';
    $s = $pdo->prepare($sql);
    $s->bindValue(':user', $_SESSION['username']);
    $s->bindValue(':messageid', $_POST['action1']);
    $s->bindValue(':tablename', $alicengiz);
    $s->execute();
}
catch (PDOException $e)
{
    $error = 'Error 1qqq. '. $e->getMessage();
    include 'error.php';
    exit();
}
No. You cannot prepare table names, field names and sql keywords.
Problem is, that prepare() will add single quotes around the input, but table names and field names require backticks around them when you want to escape them.
This time you need to escape manually (*real_escape_string doesn't help here):
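// Inside a backtick-quoted identifier the character to escape is the backtick itself, by doubling it.
$sql = 'INSERT INTO `'.str_replace('`', '``', $alicengiz).'` (user, messageid) VALUES
(:user, :messageid)';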
$s = $pdo->prepare($sql);
$s->bindValue(':user', $_SESSION['username']);
$s->bindValue(':messageid', $_POST['action1']);
P.s.: but really, this is a bad idea. I'd use a whitelist instead of escaping, because when $_POST["actor"]."m" isn't a table name, a PDOException will be thrown.
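The whitelist approach recommended in the P.s. above, together with the backtick quoting for reserved words such as key from the earlier threads, as an added example that is not part of the original posts. The MESSAGE_TABLES list and the helper names quoteIdentifier, resolveMessageTable and buildInsert are hypothetical; the column lists are assumed to come from application code, never from the request.

```php
<?php
// Added example: table names and inputs below are constructed for illustration.

// Hypothetical allowlist: the only tables this endpoint may write to.
const MESSAGE_TABLES = ['fatmam', 'ayihanm'];

// Quote a MySQL identifier: wrap it in backticks and double any embedded backtick.
function quoteIdentifier(string $name): string
{
    if ($name === '' || strpos($name, "\0") !== false) {
        throw new InvalidArgumentException('invalid identifier');
    }
    return '`' . str_replace('`', '``', $name) . '`';
}

// Map request input to a table name; anything not on the allowlist is rejected
// before any SQL text is built.
function resolveMessageTable(string $actor): string
{
    $table = $actor . 'm';
    if (!in_array($table, MESSAGE_TABLES, true)) {
        throw new InvalidArgumentException('unknown table');
    }
    return $table;
}

// Build the statement text: identifiers are quoted, values stay as placeholders.
// Column names double as placeholder names, so they must match [A-Za-z0-9_]+.
function buildInsert(string $table, array $columns): string
{
    $cols   = implode(', ', array_map('quoteIdentifier', $columns));
    $params = implode(', ', array_map(fn ($c) => ':' . $c, $columns));
    return 'INSERT INTO ' . quoteIdentifier($table) . " ($cols) VALUES ($params)";
}

// A reserved word used as a column name is accepted once it is quoted.
echo buildInsert('logs', ['key', 'pseudo', 'ip', 'date']), "\n";

// A table name derived from request input passes through the allowlist first.
echo buildInsert(resolveMessageTable('fatma'), ['user', 'messageid']), "\n";

try {
    resolveMessageTable('nosuchactor');   // constructed input that is not on the list
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The returned string is passed to $pdo->prepare() and the values are bound as in the answers above.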
How about this?
$alicengiz = $_POST['actor'].'m';
$sql = 'INSERT INTO messages (user, messageid) VALUES
(:user, :messageid)';
$s = $pdo->prepare($sql);
$s->bindValue(':user', $_SESSION['username']);
$s->bindValue(':messageid', $_POST['action1']);
$s->execute();
