I have a PHP registration script with MySQLi and OOP.
But I get a MySQL syntax error when executing a query.
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-mail, ip_register, ip_lastlogin, lastlogin) VALUES ('', Aarivex, ******, ****' at line 1
PHP Code:
$register_sql = "INSERT INTO users (id, username, password, pin, e-mail, ip_register, ip_lastlogin, lastlogin) VALUES ('', $username, $password, $pin, $email, $ip, $ip, $lastlogin)";
Where's the problem?
...for the right syntax to use near '-mail
SQL's telling you where error starts ^ the offending character
You need to wrap/encapsulate the e-mail column in backticks since it contains a hyphen.
SQL figures you want to do math which translates to: e minus mail
Plus, missing quotes in your values
$register_sql = "INSERT INTO users (id, username, password, pin, `e-mail`, ip_register, ip_lastlogin, lastlogin) VALUES ('', '$username', '$password', '$pin', '$email', '$ip', '$ip', '$lastlogin')";
Those are strings and must be inside quotes.
Another option would be to rename your column to e_mail using an underscore as you did for some of the other columns. That way, you would not need to use backticks.
Look into using one of the following also:
Prepared statements
PDO with prepared statements.
Having used or die(mysqli_error($con)) to mysqli_query() would have signaled the error(s).
$con being your DB connection, this could/stand to be different than yours.
Adjust accordingly.
Identifiers (table/columns)
More on this topic: http://dev.mysql.com/doc/refman/5.0/en/identifier-qualifiers.html
Tip:
Try and avoid using hyphens, or spaces or any other character that SQL may complain about, this includes using a space in between words.
I.e.:
INSERT INTO your_table (column 1, column-2) <= will cause/throw an error
you would need to use backticks:
INSERT INTO your_table (`column 1`, `column-2`) <= correct / valid
Although spaces are allowed (yet discouraged), they too need to be encapsulated in backticks.
If you're going to have a dash in a column identifier (which is a bad idea) you must wrap it in ticks. Otherwise you are subtracting the value of the mail column from the e column, which is not valid in an INSERT statement.
You're also missing quotes around your string values.
$register_sql = "INSERT INTO users (id, username, password, pin, `e-mail`, ip_register, ip_lastlogin, lastlogin) VALUES ('', '$username', '$password', '$pin', '$email', '$ip', '$ip', '$lastlogin')";
Try changing the e-mail field name to email, OR you need to enclose that field name in back quotes like this:
`e-mail`
I suppose your id is set to Auto Increment.
If it is just remove the first column from the insert statement and it should work fine.
$register_sql = "INSERT INTO users (username, password, pin, e-mail, ip_register, ip_lastlogin, lastlogin) VALUES ($username, $password, $pin, $email, $ip, $ip, $lastlogin)";
And yes, change the e-mail field to `e-mail`.
Related
Can't believe there are no questions like this... Must be something really simple, but I spend 2 days trying to figure this one out.
I have a table and one of the columns has values in a JSON format. In PHP my syntax is like this (it's in a class function):
$sql = "INSERT INTO users.users (username, class, settings, email, password) VALUES ($this->username, $this->class, ".json_encode($this->settings).", $this->email, $this->hashpwd);";
$STH = $DBH->prepare($sql);
$STH->execute();
However this one of course breaks because JSON format contains commas and these commas are also separating the Insert values, so it breaks the query. And escape functions (like PDO->quote or mysqli_real_escape_string) don't escape commas either.
Error I am getting is of course:
...You have an error in your SQL syntax;
check the manual that corresponds to
your MySQL server version for the right
syntax to use near
'"usersetting1":"value","usersetting2":"value"}, email#interwebz.net, 712985cc'...
So is there any way to do this or do I have to use some kind of alt syntax for the query?
Try this:
$sql = "INSERT INTO users.users (username, class, settings, email, password) VALUES (:username, :class, :json, :email, :password);";
$STH = $DBH->prepare($sql);
$STH->bindParam(':username', $this->username);
$STH->bindParam(':class', $this->class);
// bindParam() needs a variable (it binds by reference); a computed value goes through bindValue()
$STH->bindValue(':json', json_encode($this->settings));
$STH->bindParam(':email', $this->email);
$STH->bindParam(':password', $this->hashpwd);
$STH->execute();
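The difference between binding a computed JSON value and binding a variable, as an added example that is not part of the original answer. It assumes an in-memory SQLite database in place of the MySQL server so it runs without one; the table layout and sample values are constructed.

```php
<?php
// Added example: SQLite in memory stands in for MySQL (assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT, class TEXT, settings TEXT, email TEXT, password TEXT)');

// Constructed settings: commas, quotes and braces that broke the interpolated query.
$settings = ['usersetting1' => 'value', 'usersetting2' => "it's, quoted"];

$stmt = $db->prepare(
    'INSERT INTO users (username, class, settings, email, password)
     VALUES (:username, :class, :json, :email, :password)'
);

// bindValue() copies the value immediately, so an expression result is fine.
$stmt->bindValue(':json', json_encode($settings));
$stmt->bindValue(':class', 'member');
$stmt->bindValue(':email', 'user@example.test');
$stmt->bindValue(':password', 'constructed-hash-value');

// bindParam() binds the variable itself; PDO reads it when execute() runs.
$username = '';
$stmt->bindParam(':username', $username);

foreach (['alice', 'bob'] as $name) {
    $username = $name;   // change the bound variable, then re-run the same statement
    $stmt->execute();
}

$rows = $db->query('SELECT username, settings FROM users ORDER BY username')
           ->fetchAll(PDO::FETCH_ASSOC);

foreach ($rows as $row) {
    // The JSON text arrived as data: decoding it gives back the original array.
    $intact = json_decode($row['settings'], true) === $settings;
    printf("%s => %s (round trip: %s)\n",
        $row['username'], $row['settings'], $intact ? 'ok' : 'changed');
}
```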
I'm pretty new to PHP and SQL and I have been following some tutorials. I am trying to insert some simple items into an existing table (and yes the names are exact on the table, login info etc...)
Here is the error I am getting:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''user' ('username', 'email') VALUES ('Testname', '123')' at line 1
Here is my string:
mysql_query("INSERT INTO 'user' ('username', 'email') VALUES ('Testname', '123')") or die(mysql_error());
any ideas?
there is a difference between ' and ` sign, when you need to call columns you need to cover them with
` sign not with single quote sign '
mysql_query("INSERT INTO `user` (`username`, `email`) VALUES ('Testname', '123')") or die(mysql_error());
Replace your code:
mysql_query("INSERT INTO `user` (username, email) VALUES ('Testname', '123')") or die(mysql_error());
Replace your code to
mysql_query("INSERT INTO user VALUES ('Testname', '123')") or die(mysql_error());
Try this..
Use table name correctly (user).
mysql_query("INSERT INTO user('username', 'email') VALUES('Testname', '123')") or die(mysql_error());
There is a difference in mysql queries between the quote (') and the back-quote (`). The back quote is used to quote names of tables, databases and columns. The normal quote is used to indicate that the given value is a string and not a reference.
so your query should look like
mysql_query("INSERT INTO `user` (`username`, `email`) VALUES ('Testname', '123')")
because "user" is a preserved word as "username" so I put those around back-quotes so mysql knows it's a reference and not a function or property.
In PHP MySQL, single quotes are not used for field names and table names, unlike Oracle.
You can use
INSERT INTO user (username, email) VALUES ('Testname', '123')
OR
INSERT INTO `user` (`username`, `email`) VALUES ('Testname', '123')
Instead of the ' single quote, tilde can be used.
If you don't want to use it then it's okay, just use tilde for reserved words in the query like status or order etc.
And as @Andy said, use the mysqli driver for the connection because mysql_query will be deprecated in the next version.
I am trying to store some form data to a SQL database using the following query:
$sql = "INSERT INTO attendees (first_name, surname, partner, phone) VALUES ($first_name, $surname, $partner, $phone)";
It works perfectly if I hard code the values to test it, but when using these variables, it breaks and gives me Error 1054
$first_name = $_POST['first_name'];
$surname = $_POST['surname'];
$partner = $_POST['partner'];
$phone = $_POST['phone'];
Could anyone help?
$sql = "INSERT INTO attendees (first_name, surname, partner, phone) VALUES ($first_name, $surname, $partner, $phone)";
should be
$sql = "INSERT INTO attendees (first_name, surname, partner, phone) VALUES ('$first_name', '$surname', '$partner', '$phone')";
you are missing quotes around field content.
Warning: your code is vulnerable to SQL injection attacks
Try to use PHP prepared statements; see the wiki page http://en.wikipedia.org/wiki/Prepared_statement . Or at least use mysqli_real_escape_string
Err 1054 means that you are using a column name that doesn't exist.
In this case, as there doesn't seem to be anything wrong with your insert statement (assuming that all the variables have data in them) it means you have likely typo'ed a column name.
On second thoughts, you probably need single quotes around the strings, but the first part of my answer still stands.
First of all, stop using mysql_ functions and look for PDO and prepared statements: if you'll do as suggested, this problem will sort by itself.
Anyway, the problem is that the query will replace the values with the strings contained in your $_POST array... but without string delimiters.
This means that mysql will look at them as column names, and spaces will break them!
solution:
$sql = "INSERT INTO attendees (first_name, surname, partner, phone) VALUES ('$first_name', '$surname', '$partner', '$phone')";
NOTICE that this will leave you wide open to SQL injection attacks!
with PDO it'll look something similar to this:
$stmt = $db->prepare("INSERT INTO attendees (first_name, surname, partner, phone) VALUES (:fname, :sname, :partn, :phone)");
$stmt->execute(array(':fname' => $first_name, ':sname' => $surname, ':partn' => $partner, ':phone' => $phone));
which is much more secure and plainly better all around.
Please escape and verify your inputs, otherwise you'll be vulnerable to SQL injections.
Here's a list of good solutions on how to do that: http://bobby-tables.com/php.html
Basically try to use prepared statements if possible, otherwise use mysql_real_escape_string()
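The quoted-interpolation fix next to the prepared statement, run on a surname containing an apostrophe, as an added example that is not part of the original answers. It assumes an in-memory SQLite database in place of MySQL so it runs offline; the `$form` array is constructed input standing in for `$_POST`, and both function names are hypothetical.

```php
<?php
// Added example: SQLite in memory stands in for MySQL (assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE attendees (first_name TEXT, surname TEXT, partner TEXT, phone TEXT)');

// Constructed form input; stands in for $_POST.
$form = ['first_name' => 'Mary Ann', 'surname' => "O'Brien",
         'partner' => '', 'phone' => '+61 400 000 000'];

// Quoted interpolation: the input text becomes part of the SQL statement.
function insert_interpolated(PDO $db, array $f): string
{
    $sql = "INSERT INTO attendees (first_name, surname, partner, phone)
            VALUES ('{$f['first_name']}', '{$f['surname']}', '{$f['partner']}', '{$f['phone']}')";
    try {
        $db->exec($sql);
        return 'inserted';
    } catch (PDOException $e) {
        // The apostrophe closed the string literal early, so the parser rejects the rest.
        return 'rejected: ' . $e->getMessage();
    }
}

// Placeholders: the statement text is fixed and the values travel separately.
function insert_prepared(PDO $db, array $f): string
{
    $stmt = $db->prepare(
        'INSERT INTO attendees (first_name, surname, partner, phone)
         VALUES (:fname, :sname, :partn, :phone)'
    );
    $stmt->execute([
        ':fname' => $f['first_name'],
        ':sname' => $f['surname'],
        ':partn' => $f['partner'] === '' ? null : $f['partner'], // empty field stored as NULL
        ':phone' => $f['phone'],
    ]);
    return 'inserted';
}

echo 'interpolated: ', insert_interpolated($db, $form), "\n";
echo 'prepared:     ', insert_prepared($db, $form), "\n";

$row = $db->query('SELECT surname, partner FROM attendees')->fetch(PDO::FETCH_ASSOC);
var_dump($row['surname'] === $form['surname'], $row['partner']);
```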
I am using following insert command to insert value in my db table called demo_organization
$sql = "INSERT INTO demo_organization (org_name, abn_acn_no, org_url,city,
state, country, pin, street, primary_mobile,
secondary_mobile, primary_landline,
secondary_landline, primary_email, secondary_email)
VALUES ($org_name, $abn_acn_no, $org_url, $city, $state, $country,
$pin, $street, $primary_mobile, $secondary_mobile,
$primary_landline, $secondary_landline, $primary_email,
$secondary_email)";
$result = mysql_query($sql) or die (mysql_error());
in php
but I am getting an error like
You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use
near '://loc.com,Melburn,Melburn,Australia,56007,123 park
avenue,+6190567890,+89685552' at line 2
I am completely new to PHP and MySQL, please tell me what I am doing wrong
You are missing single quotes around the text values:
insert into demo (org_name, abn_acn_no) values ('$org_name', $abn_acn_no);
// assumes that abn_acn_no is numeric.
You also cannot pass an empty variable into the query. If you don't have it, you will need to insert it as , null, rather than as a variable with no value - which would result in , , which SQL won't accept - even if the column accepts null values.
If you will be using MYSQL, you need to escape the values mysql_escape_string($string)
There is a problem with the url provided in the query, try escaping it and running it again.
Otherwise, MYSQL is becoming deprecated, use MYSQLi or PDO
http://php.net/manual/en/book.mysqli.php
http://php.net/manual/en/book.pdo.php
Your code is vulnerable to SQL injection. I'll recommend MYSQLi or PDO. But anyway, your values that are in string format should be wrapped with single quotes.
$sql = "INSERT INTO demo_organization (org_name, abn_acn_no, org_url,city,
state, country, pin, street, primary_mobile,
secondary_mobile, primary_landline,
secondary_landline, primary_email, secondary_email)
VALUES ('$org_name', '$abn_acn_no', '$org_url', '$city', ...,
'$secondary_email')";
I can't get this to work, keep getting an error message.
Error
You have an error in your SQL syntax; check the manual that corresponds to your
MySQL server version for the right syntax to use near '-mail, password,
birth_date, age, sex, profile_text, zip_code, zip_code_state, c' at line 1
Code
mysql_query("INSERT INTO users (username, e-mail, password, birth_date, age, sex,
profile_text, zip_code, zip_code_state, coins, rank, profile_visits,
profile_likes, profile_image, profile_points, activated, deleted, reg_time,
last_active_time, reg_ip)
VALUES ('$randomName', 'awduhawd#hotmail.com', 'awd', '21/05/1990','0','2',
'0','4306','Sandnes','0','user','0','0','$image','0','0','0','$time',
'$time','0')")
or die(mysql_error());
Surround e-mail with backticks...
`e-mail`,
You can't drop a - there otherwise.
The - sign is a reserved symbol in SQL, you need to wrap e-mail in backticks, i.e. `e-mail`
Rule of thumb: column names in backticks and concatenate the string variables for readability, the MySQL date format is Y-m-d (1990-05-21)
mysql_query("INSERT INTO users (`username`, `e-mail`, `password`, `birth_date`, `age`,`sex`,
`profile_text`, `zip_code`, `zip_code_state`, `coins`, `rank`, `profile_visits`,
`profile_likes`, `profile_image`, `profile_points`, `activated`, `deleted`, `reg_time`,
`last_active_time`, `reg_ip`)
VALUES ('".$randomName."', 'awduhawd#hotmail.com', 'awd', '1990-05-21','0','2',
'0','4306','Sandnes','0','user','0','0','".$image."','0','0','0','".$time."',
'".$time."','0')")
or die(mysql_error());
If you are using PHP for this, don't use single quotes around variables, they won't be parsed.
'$randomName' = wrong
either use "$randomName"
or use "'.$randomName.'"