I have a problem with PDO prepare query. When I try to insert a simple string with double quotes like this 'example string " to be inserted in mysql', the query result is truncated when the double quotes start and the result in MySQL is 'example string'.
Does anyone had this problem with pdo?
This is my query:
$sql = "UPDATE sales
SET note = :note
WHERE id_sale= :id";
$stmt = $db->prepare($sql);
$stmt->bindParam(':note', $this->note, PDO::PARAM_STR, 80);
$stmt->bindParam(':id', $this->id, PDO::PARAM_INT);
$stmt->execute();
Thanks in advance!
You have to escape the quotes properly depending on the underlying database.
PDO can do this for you, check out PDO::quote.
$string = 'Example string';
print "Quoted string: " . $conn->quote($string);
Output will be
Quoted string: 'Example string'
Related
Which one is correct?
Having trouble with single quotes vs double quotes in PHP and using Oracle 11g db...
<?php
$query1 = oci_parse($conn, 'SELECT * FROM SCHEMA.TABLE_A WHERE B_ID=' . $id);
$query1 = oci_parse($conn, "SELECT * FROM SCHEMA.TABLE_A WHERE B_ID='" . $id . "'");
?>
If id is numeric, you should not quote the value. If it's a character string, you should.
Regardless, using string manipulation to create an SQL statement is usually a bad practice that leaves your application vulnerable to SQL injection attacks.
Instead, you should use a prepared statement:
$query1 = oci_parse($conn, 'SELECT * FROM SCHEMA.TABLE_A WHERE B_ID=:id');
oci_bind_by_name($query1, ":id", $id);
oci_execute($query1);
I'm using SQL2000.
How can i escape single quote&double quote into query without get SQLi?
PHP:
$Username = "s'ql'fp".'"ffo"t';
SQL:
$Query = "INSERT INTO Users (Username, Password) VALUES (".$Username.", '432432')";
mssql_query($Query);
Sorry for my bad english :S
You must enclose string constants in single quotes and double all single quotes within them in SQL:
PHP:
$Username = "s'ql'fp".'"ffo"t'";
SQL:
$Query = "INSERT INTO Users (Username, Password) VALUES ('"
. str_replace("'", "''", $Username),
. "', '432432')";
mssql_query($Query);
str_replace("'", "''", $Username) will be "s''ql''fp".''"ffo"t''", i. e. all single quotes doubled. This does not change your $Username variable, but just the string used as SQL statement.
Probably, you would do that for the password as well (if it is not a string you know does not contain quotes, as is the case for the literal password you use here).
mysqli_real_escape_string() on the inserted data should do the trick.
You should also put your varchar()s in brackets, escaping won't help if you insert VALUES (SOME STRING) this works mainly with integers.
i'am beginner in php and i have problem in insertion query
if(isset($id)){
$qry = "insert into user_to_birds(user_id,tax_id)values( 1 ,'.$id .') ";
$result = mysql_query($qry);
}
I'am connected to the database but the query didn't work.
Why it is not working? how can i correct it?
Don't create queries this way. It is very vulnerable to SQL injection.
Use a prepared statement instead. A prepared statement is precompiled, hence will not be subject to SQL injection.
$id = 99;
$tax = 8;
$stmt = $mysqli->prepare("insert into user_to_birds(user_id,tax_id)values(?,?)"));
$stmt->bind_param("ii", $user, $tax);
$stmt->execute();
.. work on it ..
$stmt->close();
ii stands for two integers. After that first part of the binding, telling which type of variables you use in which order, can you add the values of those variables to the statement. The values will be escaped automatically using this method.
if(isset($id)){
$qry = "insert into user_to_birds(user_id, tax_id)values('1','$id') ";
$result = mysql_query($qry);
}
Work like a charm.
I think your single quotes should be double quotes:
$qry = "insert into user_to_birds(user_id,tax_id )values( 1 ,".$id .") ";
You are confusing strings in PHP with strings in SQL (which is, admittedly, easy to do).
For how to insert into there's a nice article here
http://www.w3schools.com/php/php_mysql_insert.asp
INSERT INTO table_name (column1, column2, column3,...)
VALUES (value1, value2, value3,...)
//not sure if this will make a difference buy i would try a space between tax_id) and values(
also, im not sure if the way youve done it is wrong but i would have written like this
if(isset($id))
{
$qry = "insert into user_to_birds (user_id, tax_id)
values( '1' ,'".$id ."') ";
$result = mysql_query($qry);
}
look at string concatination aswell either have
" ' ' ".$variable." ' ' ";
in that fashion
As others have said, it looks like you're not using string concatenation correctly in your query. Try changing your query to something like:
$qry = "INSERT INTO user_to_birds (user_id,tax_id) VALUES ( 1 ,'$id') ";
Another possibility is that your $id variable isn't set. Try printing out the variale before doing the isset() check and that will tell you if you need to look at an earlier point in your code.
Finally, I'd recommend you look at mysqli functions rather than mysql.
http://php.net/manual/en/book.mysqli.php
You have some confusion in quotes: your string in " ", your sql value in ' ', but when you concatenate you need to close your string and write dot and variable, after this you need write dot, open string quotes again and write text if it needed. Your mistake - you didn't close string (") before concatenation and this leads to misinterpretation of the code. In this case your code will look like:
$qry = "insert into user_to_birds(user_id,tax_id)values( 1 ,'" .$id ."') ";
But you can not use concatenation,you can do it simply: PHP allows write your variable $id in string, without use concatenation:
$qry = "insert into user_to_birds(user_id,tax_id)values( 1 ,'$id') ";
I am trying to use a variable to insert into multiple tables. When I hard code the specific table name it runs properly, when I use a variable I get a QUERY FAILEDSQLSTATE[42000]: Syntax error or access violation: 1064 error. dbname is the variable. I am using a for loop to change the name of the table. For example table 1 is budget1000, then budget 2000 etc. Here is my code
$sql='INSERT INTO ".$dbName." VALUES(:id,:category,:subCategory,
:amount, :today,:description, :year)';
try{
$st= $conn->prepare($sql);
$st->bindValue(":id", $id, PDO::PARAM_INT);
$st->bindValue(":category", $category, PDO::PARAM_INT);
$st->bindValue(":subCategory", $subCategory, PDO::PARAM_INT);
$st->bindValue(":amount", $amount, PDO::PARAM_INT);
$st->bindValue(":today", $today, PDO::PARAM_STR);
$st->bindValue(":description", $description, PDO::PARAM_STR);
$st->bindValue(":year", $year, PDO::PARAM_INT);
$st->execute();
}catch(PDOException $e ){
echo "QUERY FAILED" . $e->getMessage();
}
It looks like there's a quote mismatch, you start off with single quotes but then switch to double quotes when you concatenate the DB name into your string. Try replacing the single quotes at the beginning and end of your $sql string with double quotes and remove the periods around $dbname, or use single quotes all the way through.
Try this instead:
$sql='INSERT INTO '.$dbName.' VALUES(:id,:category,:subCategory,:amount, :today,:description, :year)';
I'm trying to allow a user to comment on a profile on my website. I have the following php -- updated:
<?php
// Insert Comments into Database that user provides
$comm = mysql_real_escape_string($_POST['addComment']);
$pID4 = filter_input(INPUT_GET, 'pID', FILTER_SANITIZE_NUMBER_INT);
$cID = mysql_real_escape_string($_POST['courseInfoDD']);
$username = "###";
$password = "####";
$pdo4 = new PDO('mysql:host=localhost;dbname=###', $username, $password);
$pdo4->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );
$sth3 = $pdo3->prepare('
INSERT INTO Comment (info, pID, cID)
VALUES(:info, :pID, :cID)
');
$sth3->execute(array(
':info' => $comm, ':pID' => $pID3, ':cID' => $cID
));
?>
DB Table "Comment"
http://postimage.org/image/16sbr0jd0/ (Moderator please convert this to show image, please)
HTML:
<input type='text' id='addComment' name='addComment' tabindex='3' value='Enter comment' />
Error Given:
No pID specified . When I try to insert a comment.
You are using single-quotes in your insert statement :
$sth3 = $pdo3->prepare('
INSERT INTO Comment (info, pID, cID)
VALUES($comm, $pID3, $cID)
');
With those simple quotes, $comm will not be evaluated -- and the literal $comm string will be sent to the database -- resulting in something you probably don't quite expect.
If you want variables to be interpolated, you should use double-quotes around your string.
But, as you are trying to use prepared statements, that's not what you should do, actually.
Instead, you should use placeholders in the statement -- and, then, bind those to your data, when executing the statement.
Your prepare would look a bit like this, I suppose :
$sth3 = $pdo3->prepare('
INSERT INTO Comment (info, pID, cID)
VALUES(:comm, :pID3, :cID)
');
Note the :comm, :pID3, and :cID placeholders.
And, then, when executing the statement, you'll actually pass some real data, to correspond to the placeholders :
$sth3->execute(array(
':comm' => $comm,
':pID3' => $pID3,
':cID' => $cID,
));
Additional note : as you are using prepared statements, you don't have to use mysql_real_escape_string() (which is not a PDO-related function, BTW, and should only be used when working with mysql_* functions) : the escaping is dealt by the prepared statement mecanism itself.
The parameters to the PDO prepared statement should be used like this:
$sth3 = $pdo3->prepare('
INSERT INTO Comment (info, pID, cID)
VALUES(:info, :pID, :cID)
');
$sth3->execute(array(
':info' => $comm, ':pID' => $pID3, ':cID' => $cID
));
First set up the "slots" for the values, then supply them when you run the query.
$variables in single quote strings are not being processed. Use double quotes instead and add quotes for the SQL statement itself:
$sth3 = $pdo3->prepare("
INSERT INTO Comment (info, pID, cID)
VALUES('$comm', '$pID3', '$cID')
");
our problem has nothing to do not with mysql not with comments.
It's basic PHP strings syntax.
Use double quotes if you want variables to be interpreted in a string.
However, you shouldn't add variables into query directly, but rather bins them