SQL optional values breaking statement - php

I am trying to do simple insert in php and MySQL.
The HTML form has 3 fields with 1st one being mandatory and other 2 optional.
their names being :
name, address and phoneno
table name is users : id(int)|name(varchar)|address(varchar)|phoneno(int) , id is primary-key and auto-increment
and all except name and id are allow-nulls
assuming i have connection created and held in $con ,providing a value just for name and submitting the form
$name = $_POST['name']?$_POST['name']:NULL;
$address= $_POST['address']?$_POST['address']:NULL;
$phoneno= $_POST['phoneno']?$_POST['phoneno']:NULL;
$q="INSERT INTO users (name,address,phoneno)
VALUES('{$name}','{$address}',{$phoneno})";
if(mysql_query($q,$con)){
echo "data inserted successfully";
}
else{
echo "ERROR: ".mysql_error();
}
Is giving me
ERROR: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ')' at line 1


Never do this in production environments! But for learning, try this:
$name = $_POST['name']?$_POST['name']:'NULL';
$address= $_POST['address']?$_POST['address']:'NULL';
$phoneno= $_POST['phoneno']?$_POST['phoneno']:'NULL';
$q="INSERT INTO users (name,address,phoneno) VALUES('$name','$address',$phoneno)";
if(mysql_query($q,$con)){
echo "data inserted successfully";
}
else{
echo "ERROR: ".mysql_error();
}
You have to use 'NULL' as string
Do not wrap variables with {}. this is only needed when you use object properties like {$obj->foo}
There are some other serious security issues in this code like sql injection. So never do this in production environments!

Related

insert into error sql syntax

My test code is:
<?php
$connessione = mysql_connect("***", "***", "***");
mysql_select_db("***", $connessione);
$risultato = mysql_query("SELECT * FROM servem_vote", $connessione);
if(mysql_query("INSERT INTO servem_vote (uid,lastvote) VALUES ($uid,now()) ON DUPLICATE KEY UPDATE lastvote=now();
")) {
header('location:/home.php'); }
else {
echo "Error: " . mysql_error(); }
mysql_close($con);
?>
Error: You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use
near 'now()) ON DUPLICATE KEY UPDATE lastvote=now()' at line 1
DB:
http://prntscr.com/ef7544
Where am I doing wrong?

You are missing $uid in the code you shared. You don't set that value anywhere but you attempt to use it as part of your INSERT query.
If it's coming from form data, grab it from $_REQUEST superglobal variable before attempting to use it:
$uid = $_REQUEST['uid']
If it's NOT an integer in the MySQL table, you need to wrap it in single quotes as part of your statement.
INSERT INTO servem_vote (uid,lastvote) VALUES ('$uid',now())
ON DUPLICATE KEY UPDATE lastvote=now();
I don't know what purpose this line serves:
$risultato = mysql_query("SELECT * FROM servem_vote", $connessione);
You don't seem to do anything with the result set from this query.
MOST IMPORTANTLY: As many others have commented you need to be sanitizing your data and you should be relying on PDO or mysqli* functions to safely interact with your database. See answers here

1064: SQL syntax (MySQL INSERT)

To Start.. I am using mysqli_real_escape_string() on every text field, and leaving INT as they are:
The following query successfully inserts the record into the table without fail, every field is correctly stored... There has to be something I'm being glib about, I have blurry coding eyes at this point... But after the INSERT statement is run, mysqli_error($con) tosses the following error:
1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1' at line 1
(I'm nearly 100% certain I do not even use the number 1 at all, whether it be in the php code or a value)
$query = mysqli_query($con,"INSERT INTO hj_media
(mediaID,MedDropID,MediaName,GLCode,Store,MediaType,MiscDetail,ArtDueDate,RunDate,EndDate,AdvMonth,Size,Dimensions,TotalCost,HJShare,CoOpShare,Vendor,HamiltonFiscal,VendorFiscal,AdDescription,Category,AddedtoVCM,ArtworkRequested,InvoiceProcessed,BilledVendor,NetCost,ProductionCost,CostPiece,QuantityOrdered,HJCostPrinting,Postage,DDFee,EventDescription,EventDate,DateToPrint,DateInMail,DateInHome,TotalPrintQuantity,TotalMailFile,TotalActualMail,ReturnedPieces,SalesResultsUnits,SaleResultsDollars,SpendNonPrint,SpendPrint,SpendAdvertising,SpendPR,MediaNameOther,ClientPersona,Campaign)
VALUES(NULL,$add_medid,'$add_vehicle',$add_glcode,'$add_loclist','$add_type','$add_miscdetails','$add_artdate','$add_rundate','$add_enddate','$add_month','$add_size','$add_dimensions','$add_totalcost','$add_hjshare','$add_coopshare','$add_vendor',$add_hamiltonfiscal,$add_vendorfiscal,'$add_addescription','$add_category','$add_addedtovcm','$add_artworkrequested','$add_invoiceprocessed','$add_billedvendor','$add_netcost','$add_productioncost','$add_costperpiece',$add_quantityordered,'$add_hjprintcost','$add_postage','$add_ddfee','$add_eventdescription','$add_eventdate','$add_datetoprint','$add_dateinmail','$add_dateinhome',$add_printquantity,$add_totalmailfile,$add_totalactualmail,$add_returnedpieces,$add_salesunits,'$add_salesdollars','$add_spendnonprint','$add_spendprint','$add_spendadvertising','$add_spendpr','$add_medianameother','$add_persona','$add_campaign')");
if (mysqli_query($con, $query)) {
echo "New record created successfully";
}
else {
echo mysqli_errno($con) . ": " . mysqli_error($con) . "\n";
}

UPDATED QUERY, TRY THIS
$query="INSERT INTO hj_media
(mediaID,MedDropID,MediaName,GLCode,Store,MediaType,MiscDetail,ArtDueDate,RunDate,EndDate,AdvMonth,Size,Dimensions,TotalCost,HJShare,CoOpShare,Vendor,HamiltonFiscal,VendorFiscal,AdDescription,Category,AddedtoVCM,ArtworkRequested,InvoiceProcessed,BilledVendor,NetCost,ProductionCost,CostPiece,QuantityOrdered,HJCostPrinting,Postage,DDFee,EventDescription,EventDate,DateToPrint,DateInMail,DateInHome,TotalPrintQuantity,TotalMailFile,TotalActualMail,ReturnedPieces,SalesResultsUnits,SaleResultsDollars,SpendNonPrint,SpendPrint,SpendAdvertising,SpendPR,MediaNameOther,ClientPersona,Campaign) ";
$query.=" VALUES(NULL,$add_medid,'$add_vehicle',$add_glcode,'$add_loclist','$add_type','$add_miscdetails','$add_artdate','$add_rundate','$add_enddate','$add_month','$add_size','$add_dimensions','$add_totalcost','$add_hjshare','$add_coopshare','$add_vendor',$add_hamiltonfiscal,$add_vendorfiscal,'$add_addescription','$add_category','$add_addedtovcm','$add_artworkrequested','$add_invoiceprocessed','$add_billedvendor','$add_netcost','$add_productioncost','$add_costperpiece',$add_quantityordered,'$add_hjprintcost','$add_postage','$add_ddfee','$add_eventdescription','$add_eventdate','$add_datetoprint','$add_dateinmail','$add_dateinhome',$add_printquantity,$add_totalmailfile,$add_totalactualmail,$add_returnedpieces,$add_salesunits,'$add_salesdollars','$add_spendnonprint','$add_spendprint','$add_spendadvertising','$add_spendpr','$add_medianameother','$add_persona','$add_campaign');";
$result =mysqli_query($con,$query);
If($result){
echo "Success"';
}
else{
echo " query failed ". mysqli_errno();
}

The problem is yoir sending a boolean gotten from the first query test into another mysqli query function. It's a good thing to have set a variable that refernces your query string, so that you use but this value in the mysqli query function . Try this
$query="put your myqli query here;";
$result =mysqli_query($con,$query);
If($result){
echo "Success"';
}
else{
echo " query failed ". mysqli_errno();
}
can you knidly thick the question answered if this solves your problem ?

PHP file showing syntatical error

I'm trying to send title and content to my table named write . But i'm having error while running this php file .
Below is the error shown
not sucessfullyYou have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'write values('','','')' at line 1
<?php
require "connection.php";
$id = $_POST["id"];
$title =$_POST["title"];
$content =$_POST["content"];
$sql_query ="insert into write values('$id','$title','$content');";
if(mysqli_query($con,$sql_query))
{
echo"data insertion sucess";
}
else
{
echo "not sucessfully".mysqli_error($con);
}
?>

WRITE is a reserved keyword in MySQL so you should escape it using backticks:
insert into `write` ...
But I would recommend you rename the table into something more sensible.

MYSQL error while inserting data using php

I am practicing php and sql. at a stage when I'm trying to enter a record into a table with 2 exiting records. but it doesn't add and show an error
"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '=('Aqeela','Nasreen','Hakeem Chattah')' at line 1"
Why is it not entering a record in data base. Is there any syntax error?
$username="root";
$pass="";
$database="addressbook";
$server="127.0.0.1";
$con=mysql_connect($server,$username,$pass);
$db_found=mysql_select_db($database,$con);
if($db_found)
{
$sql_insert="INSERT INTO table_address_book(f_name,l_name,address) VALUES=('Aqeela','Nasreen','Hakeem Chattah')";
$result=mysql_query($sql_insert);
if(!$result){
print "sorry cannot proceed your request<br>".mysql_error();
}
else
{
// print "recorded entered successfuly<br>";
// print "now dATABASES AFTER EDITING ARE<BR><br>";
$new_sql="SELECT*FROM table_address_book";
$result_after_editing=mysql_query($new_sql);
while($db_field_edited=mysql_fetch_assoc($result_after_editing))
{
print $db_field_edited['ID']."<br>";
print $db_field_edited['f_name']."<br>";
print $db_field_edited['l_name']."<br>";
print $db_field_edited['address']."<br>";
print "<BR><BR><BR>";
}
mysql_close($con);
}
}
else
{
die("unable to connect database ".mysql_error());
}

The error clearly shows place where error in syntax occur.
Remove that =
INSERT INTO table_address_book(f_name,l_name,address) VALUES('Aqeela','Nasreen','Hakeem Chattah')"

I think there is an error in your INSERT INTO statment, you have written wrong VALUES part.
$sql_insert="INSERT INTO table_address_book(f_name,l_name,address) VALUES=('Aqeela','Nasreen','Hakeem Chattah')";
you need to remove "=" from your VALUES= part like this.
$sql_insert="INSERT INTO table_address_book(f_name,l_name,address) VALUES('Aqeela','Nasreen','Hakeem Chattah')";
please correct this line of code in your code and check it again.

Remove the = sign from VALUES=(...)

There's no '=' after VALUES, just:
VALUES (val1, val2, .., valN)

SQL syntax error

Im fairly new to both PHP and SQL but what i want is for the details entered into my form to be inserted into a database.
The code i have written works and the data is submitted into the database but there are a couple things not right.
Firstly here is the code;
<?php
include "credentials.php";
function insert_post($cnhost,$cnusername,$cnpassword,$cndatabase,$titlein,$contentin,$comment_optionin) {
$connect = mysqli_connect($cnhost,$cnusername,$cnpassword,$cndatabase);
if (mysqli_connect_errno($connect))
{
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}else{
echo "Connection Success! <br>";
$submitpost_query = mysqli_query($connect,"INSERT INTO blog_posts (title,content,comment_option) VALUES ('".$titlein."','".$contentin."','".$comment_optionin."')");
if (!mysqli_query($connect,$submitpost_query))
{
die('Error: ' . mysqli_error($connect));
}else{
echo "Post submitted.";
}
mysqli_close($connect);
}
}
$title = $_POST["title"];
$content = $_POST["content"];
$comment_option = $_POST["comment_option"];
insert_post($host,$username,$password,$database,$title,$content,$comment_option);
?>
Although the data is submitted into the database as i want i get the following error;
"Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1' at line 1"
The $comment_option variable contains the value 1 or 0, depending on which radio button is selected so this error might be referring to this variable but this SQL error is the same whether the value of $comment_option is 1 or 0.
I do see "Connection success!" before this error but do not see "Post submitted" even though the post is actually submitted. Any ideas why?
As well as helping me with this problem i would be very grateful if somebody could give me some general tips to improve what iv wrote. I am a noob so im sure there's a few things that could be improved here!
Thanks very much!

The problem is here:
if (!mysqli_query($connect,$submitpost_query))
You're passing a mysqli_query result which is $submitpost_query to another mysqli_query which is in the if statement.

The problem is with following chunk of code
if (!mysqli_query($connect,$submitpost_query))
it should be instead following
if (!$submitpost_query)
Reason : You are executing return object again through mysql_queri function that is causing warning, invalid resource, as this function only excepts valid sql query or connection object

I know your question is answered but I seriously recommend you to sanitize the POST data before concatenating it in a query.

Categories