Closed. This question is not reproducible or was caused by typos. It is not currently accepting answers.
This question was caused by a typo or a problem that can no longer be reproduced. While similar questions may be on-topic here, this one was resolved in a way less likely to help future readers.
Closed 8 years ago.
include 'connect.php';
if ($stmt = $mysqli->prepare("INSERT users (user_name, user_pass) VALUES (mysql_real_escape_string ($_POST['user_name'], sha1($_POST['user_pass']"))
{
$stmt->bind_param("ss", $user_name, $user_pass);
$stmt->execute();
$stmt->close();
}
I get this error on the line of code above. I've been staring at it for ages but can't figure out what's wrong. I'm new to PHP, MySQL and HTML. Please help me.
Parse error: syntax error, unexpected '' (T_ENCAPSED_AND_WHITESPACE), expecting identifier (T_STRING) or variable (T_VARIABLE) or number (T_NUM_STRING) in C:\xampp\htdocs\signup.php on line 77
The good thing is you are trying to prepare; the bad news is you are doing it wrong:
$username = $_POST['user_name'];
$password = $_POST['user_pass'];
$query = "INSERT users (user_name, user_pass) VALUES (?, sha1(?)) ";
/* create a prepared statement */
if ($stmt = $mysqli->prepare($query)) {
/* bind parameters for markers */
$stmt->bind_param("ss", $username, $password);
/* execute query */
$stmt->execute();
/* close statement */
$stmt->close();
}
/* close connection */
$mysqli->close();
issues:
mysql_real_escape_string is deprecated
mysqli_real_escape_string would be useless
Your string concatenation is wrong
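To make the three points above concrete, here is an added example (not code from the question or the answer). It sends the same attacker-controlled input through string concatenation and through a bound parameter, and then escapes a value before binding it to show why an escaping call is useless once you bind. PDO with an in-memory SQLite database stands in for the mysqli connection so it runs without a MySQL server; the users table, the account and the attacker input are constructed for the demo, and addslashes() stands in for the escaping function.

```php
<?php
// Added example, not code from the question or the answer above. PDO + in-memory
// SQLite replaces the mysqli connection; table, rows and input are constructed.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (user_name TEXT, user_pass TEXT)');
$pdo->exec("INSERT INTO users VALUES ('alice', '" . sha1('secret') . "')");

// Constructed attacker input: closes the quoted literal and comments out the
// rest of the WHERE clause. The password itself is wrong.
$userName = "alice' -- ";
$userPass = 'not-the-password';

// 1. Concatenation: the quote and the comment marker are parsed as SQL, so the
//    WHERE clause collapses to user_name = 'alice' and the password is never checked.
$raw = "SELECT user_name FROM users WHERE user_name = '$userName' AND user_pass = '" . sha1($userPass) . "'";
$viaConcat = $pdo->query($raw)->fetchAll(PDO::FETCH_COLUMN);

// 2. Bound parameter: the whole string is compared as a value, quote and all,
//    so it matches no row.
$stmt = $pdo->prepare('SELECT user_name FROM users WHERE user_name = ? AND user_pass = ?');
$stmt->execute([$userName, sha1($userPass)]);
$viaBind = $stmt->fetchAll(PDO::FETCH_COLUMN);

echo 'concatenated query matched: ', json_encode($viaConcat), PHP_EOL;
echo 'bound query matched:        ', json_encode($viaBind), PHP_EOL;

// 3. Escape *and* bind (the "mysqli_real_escape_string would be useless" point):
//    the escaped string is stored verbatim, backslash included, so that row no
//    longer matches the name the user actually typed.
$typed = "O'Brien";
$ins = $pdo->prepare('INSERT INTO users (user_name, user_pass) VALUES (?, ?)');
$ins->execute([addslashes($typed), sha1('pw')]);   // escapes, then binds: stores O\'Brien
$ins->execute([$typed, sha1('pw')]);               // binds the raw value: stores O'Brien
$find = $pdo->prepare('SELECT user_name FROM users WHERE user_name = ?');
$find->execute([$typed]);
echo 'rows matching the typed name: ', count($find->fetchAll(PDO::FETCH_COLUMN)), ' of the 2 inserted', PHP_EOL;
```

The `--` comment trick works in SQLite as well as MySQL; in MySQL the space after `--` is required, which is why the constructed input ends with one.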
Closed 5 years ago.
I want to ask about inserting data into the database.
<?php
include "koneksi.php";
if(isset($_POST['daftar'])){
$daftar = mysqli_query($conn, "INSERT INTO tb_daftar VALUES
('".$_POST['id']."',
'".$_POST['nama']."',
'".$_POST['asal_sekolah']."',
'".$_POST['jenis_kelamin']."',
'".$_POST['nama_ayah']."',
'".$_POST['nama_ibu']."',
'".$_POST['alamat']."',
'".$_POST['no_hp']."',
'')");
if($daftar){
$pesan1 = "Berhasil daftar"; // "Registration successful"
echo "<script type='text/javascript'>alert('$pesan1');</script>";
}else{
$pesan2 = "Gagal daftar"; // "Registration failed"
echo "<script type='text/javascript'>alert('$pesan2');</script>";
}
}
?>
The result always shows "Gagal daftar" ("Registration failed").
How do I fix it? Thanks!
You have an extra comma after the last value. You should also use a prepared statement to prevent SQL injection.
if ($daftar = mysqli_prepare($conn, "INSERT INTO tb_daftar VALUES (?, ?, ?, ?, ?, ?, ?, ?)")) {
    mysqli_stmt_bind_param($daftar, "ssssssss", $_POST['id'], $_POST['nama'], $_POST['asal_sekolah'], $_POST['jenis_kelamin'], $_POST['nama_ayah'], $_POST['nama_ibu'], $_POST['alamat'], $_POST['no_hp']);
    if (mysqli_stmt_execute($daftar)) {
        $pesan1 = "Berhasil daftar"; // "Registration successful"
        echo "<script type='text/javascript'>alert('$pesan1');</script>";
    } else {
        // execute can fail even though prepare succeeded (e.g. a constraint violation)
        $pesan2 = htmlentities(mysqli_stmt_error($daftar));
        echo "<script type='text/javascript'>alert('$pesan2');</script>";
    }
} else {
    $pesan2 = htmlentities(mysqli_error($conn));
    echo "<script type='text/javascript'>alert('$pesan2');</script>";
}
Your code is not in good condition. You need to think about many aspects, like:
An integer value like id should not be in quotes.
Sequence matters if you do not provide the column names with the table name; it is highly risky without column names.
Your query is easy to inject (SQL injection).
You have not checked the $_POST variable values with isset. Check my other answer about this.
To cover your risk, use mysqli or PDO.
I suggest using mysqli or PDO for the insert. Here are some links to learn about mysqli:
mysqli_prepare
mysqli_stmt_bind_param
Prepared Statements in MySQLi
View errors from mysql query using mysqli_error
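The points in this answer, applied together, as an added example (not the code of the question or of any answer here): an explicit column list, an isset check on every required field, the integer id validated and bound as an integer, and database errors raised as exceptions and logged rather than echoed to the user. PDO with an in-memory SQLite database stands in for the connection from koneksi.php so the script runs on its own; the table and column names come from the question, the sample submissions are constructed.

```php
<?php
// Added example, not code from the question or the answers. PDO + in-memory
// SQLite stands in for koneksi.php; the sample submissions are constructed.
declare(strict_types=1);

const REQUIRED = ['id', 'nama', 'asal_sekolah', 'jenis_kelamin',
                  'nama_ayah', 'nama_ibu', 'alamat', 'no_hp'];

function registerStudent(PDO $conn, array $post): string
{
    // Reject the request before touching the database if a field is missing.
    foreach (REQUIRED as $field) {
        if (!isset($post[$field]) || $post[$field] === '') {
            return "Missing field: $field";
        }
    }
    if (filter_var($post['id'], FILTER_VALIDATE_INT) === false) {
        return 'id must be an integer';
    }

    // Name every column: the insert no longer depends on the table's column order,
    // and the number of placeholders is visibly the number of columns.
    $sql = 'INSERT INTO tb_daftar (id, nama, asal_sekolah, jenis_kelamin,
                                   nama_ayah, nama_ibu, alamat, no_hp)
            VALUES (:id, :nama, :asal_sekolah, :jenis_kelamin,
                    :nama_ayah, :nama_ibu, :alamat, :no_hp)';
    $stmt = $conn->prepare($sql);
    $stmt->bindValue(':id', (int) $post['id'], PDO::PARAM_INT);   // integer, not a quoted string
    foreach (array_slice(REQUIRED, 1) as $field) {
        $stmt->bindValue(":$field", $post[$field], PDO::PARAM_STR);
    }
    try {
        $stmt->execute();
    } catch (PDOException $e) {
        // Log the real error for the operator; show the user only a generic message.
        error_log('registration failed: ' . $e->getMessage());
        return 'Registration failed';            // "Gagal daftar"
    }
    return 'Registration successful';            // "Berhasil daftar"
}

// Constructed stand-in for koneksi.php and for the table.
$conn = new PDO('sqlite::memory:');
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$conn->exec('CREATE TABLE tb_daftar (id INTEGER PRIMARY KEY, nama TEXT, asal_sekolah TEXT,
             jenis_kelamin TEXT, nama_ayah TEXT, nama_ibu TEXT, alamat TEXT, no_hp TEXT)');

// Constructed submissions: a valid one (with a quote in the name), the same id
// again (primary key violation, caught and logged), and a non-numeric id.
$good = ['id' => '7', 'nama' => "Siti O'Neil", 'asal_sekolah' => 'SMA 1', 'jenis_kelamin' => 'P',
         'nama_ayah' => 'Ahmad', 'nama_ibu' => 'Rina', 'alamat' => 'Jl. Merdeka 1', 'no_hp' => '0812'];
echo registerStudent($conn, $good), PHP_EOL;
echo registerStudent($conn, $good), PHP_EOL;
echo registerStudent($conn, ['id' => 'abc'] + $good), PHP_EOL;
```

With ERRMODE_EXCEPTION set on the connection there is no need to inspect the return value of prepare() or execute(); any failure, including the column-count mismatch from the question, surfaces as a PDOException with the driver's message.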
else{
    // alert() needs a JavaScript string literal; json_encode() produces one and escapes any quotes in the message
    $pesan2 = json_encode('Error: ' . mysqli_error($conn));
    echo "<script type='text/javascript'>alert($pesan2);</script>";
}
$daftar = mysqli_query($conn, "INSERT INTO tb_daftar((database columns))
VALUES
('".$_POST['id']."',
'".$_POST['nama']."',
'".$_POST['asal_sekolah']."',
'".$_POST['jenis_kelamin']."',
'".$_POST['nama_ayah']."',
'".$_POST['nama_ibu']."',
'".$_POST['alamat']."',
'".$_POST['no_hp']."',
'')");
Closed 6 years ago.
I'm a beginner in web design and I have this problem. I'm trying to create a login page, but when I try to log in it throws an error as follows:
SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ':username and passwordhash=:passwordhashed)' at line 1
With php code of
Try {
// $SQL = 'INSERT INTO Passwords (username, password, passwordhashed) VALUES (:username,:password,:passwordhashed);';
$username = $_REQUEST['username'];
$password = $_REQUEST['password'];
$PasswordHashed = sha1($password);
echo "Username: ". $username ."<br> Password: ". $password . "<br> PasswordHashed: " . $PasswordHashed;
$SQL = null;
$SQL = "SELECT * FROM BlaBla WHERE (username=:username and passwordhash=:passwordhashed);";
$Statement = $MySQL->prepare($SQL);
$Statement->bindValue(':username', $username);
$Statement->bindValue(':passwordhashed', $PasswordHashed);
$Statement->execute();
$Statement = $MySQL->query($SQL);
if ($Statement->rowCount() < 1 ) {
echo 'NOPE';
} else {
echo 'welcome back '. $username;
}
} catch(PDOException $e) {
$ErrorTitle = 'Error';
$Error = "error writing to database";
$ErrorInfo = '<p>Please contact administrator at stephan.littel#stecasso.nl</p> <br> <p>'. $e->getMessage() . '</p>';
include './HTML/Error.php';
exit();
}
I don't know what the error is. Could anyone help me?
Here:
$Statement = $MySQL->prepare($SQL);
^---your prepared statement
$Statement->bindValue(':username', $username);
$Statement->bindValue(':passwordhashed', $PasswordHashed);
$Statement->execute();
$Statement = $MySQL->query($SQL);
^----raw queries have no placeholders
You prepare a statement, and execute it. But then you do a RAW query with the same SQL, replacing the result of the prepared version. You cannot use placeholders in a raw query like that. Hence your error.
That final ->query() call is useless and redundant.
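The login lookup done the way this answer describes, as an added example (not the asker's or the answerer's code): one prepare(), the two bindValue() calls, execute(), and the result read from that same statement, with no second query() call. PDO with an in-memory SQLite database stands in for the $MySQL connection so the script runs on its own; the table and column names (BlaBla, username, passwordhash) follow the question, and the account and the attempted logins are constructed.

```php
<?php
// Added example, not the asker's or the answerer's code. PDO + in-memory SQLite
// replaces $MySQL; the account and the login attempts are constructed.
declare(strict_types=1);

function login(PDO $db, string $username, string $password): bool
{
    // Placeholders only mean something to prepare(). Handing the same SQL to
    // query() sends ':username' to the server as literal SQL text, which is the
    // syntax error 1064 in the question.
    $stmt = $db->prepare(
        'SELECT username FROM BlaBla WHERE username = :username AND passwordhash = :passwordhashed'
    );
    $stmt->bindValue(':username', $username);
    $stmt->bindValue(':passwordhashed', sha1($password));
    $stmt->execute();

    // Read from the executed statement. fetch() is used instead of rowCount()
    // because PDO does not guarantee rowCount() for SELECT on every driver.
    return $stmt->fetch(PDO::FETCH_ASSOC) !== false;
}

// Constructed stand-in for the database and for one account.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE BlaBla (username TEXT, passwordhash TEXT)');
$ins = $db->prepare('INSERT INTO BlaBla (username, passwordhash) VALUES (?, ?)');
$ins->execute(['stephan', sha1('correct horse')]);

// Never echo the submitted password the way the debug line in the question does;
// print only the outcome of each attempt.
foreach ([
    ['stephan', 'correct horse'],   // right credentials
    ['stephan', 'wrong'],           // wrong password
    ["stephan' -- ", 'wrong'],      // injection attempt, bound as a plain string
] as [$u, $p]) {
    printf("%-16s %s\n", $u, login($db, $u, $p) ? 'welcome back' : 'NOPE');
}
```

Unsalted sha1 is what the question stores, so it is what this example compares against; for a new system the stored value should come from password_hash() and be checked with password_verify() in PHP rather than compared inside the query.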
Found the problem. The problem was that I used query and execute. My fault for sloppy bug tracking.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 7 years ago.
I am trying to make an update statement with PDO and I found out it doesn't work.
I have tested the SQL statement in phpMyAdmin and it works if I put '' around the passkey, but why won't it work with this?
INFO:
The passkey is an md5 string.
<?php
include('../mysql/pdoconn.php');
$passkey = $_GET['passkey'];
$stmt = $conn->prepare("UPDATE user SET com_code='' WHERE com_code = :passkey");
$stmt->bindParam(':passkey', $passkey , PDO::PARAM_STR);
$stmt->execute;
$error = "Jon Snow";
$stmt1 = $conn->prepare("SELECT com_code from user where com_code =''");
$stmt1->execute;
$result = $stmt1->fetchColumn();
if($result === "")
{
$error = 'Your account is now active. You may now Log in';
$conn = null;
} else
{
$error = $passkey;
$conn = null;
}
?>
I have tested that it gets the passkey, and it does, but it doesn't update the table...
I have tried everything, but I can't get it to work.
$stmt = $conn->prepare("UPDATE user SET com_code='' WHERE com_code = :passkey");
$stmt->bindParam(':passkey', $passkey , PDO::PARAM_STR);
$stmt->execute();
execute() is a function
You don't need to quote bound parameters
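The activation update as an added example (not the asker's or the answerer's code): execute() is called as a method, and whether a row actually changed is read from rowCount() on that statement, which PDO does guarantee for UPDATE, instead of the follow-up SELECT in the question. PDO with an in-memory SQLite database stands in for pdoconn.php; the user table and com_code column follow the question, the passkeys are constructed, and the 32-hex-digit format check is this example's own assumption based on the note that the passkey is an md5 string.

```php
<?php
// Added example, not the asker's or the answerer's code. PDO + in-memory SQLite
// stands in for pdoconn.php; the passkeys are constructed.
declare(strict_types=1);

function activate(PDO $conn, string $passkey): bool
{
    // Assumption of this example: an md5 passkey is exactly 32 hex digits. Anything
    // else, including the empty string (which would otherwise match every
    // already-activated row), is rejected before the query runs.
    if (!preg_match('/\A[0-9a-f]{32}\z/i', $passkey)) {
        return false;
    }
    // The placeholder is bare. Quoting it as ':passkey' would make it a string
    // literal that never equals a stored code.
    $stmt = $conn->prepare("UPDATE user SET com_code = '' WHERE com_code = :passkey");
    $stmt->bindValue(':passkey', $passkey, PDO::PARAM_STR);
    $stmt->execute();                 // with parentheses; $stmt->execute is an undefined property and runs nothing
    return $stmt->rowCount() === 1;   // exactly one account matched the code and was activated
}

$conn = new PDO('sqlite::memory:');
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$conn->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, com_code TEXT NOT NULL)');
$pending = md5('constructed-activation-token');
$ins = $conn->prepare('INSERT INTO user (com_code) VALUES (?)');
$ins->execute([$pending]);   // one account waiting for activation
$ins->execute(['']);         // one account already active

// Same code twice (only the first can activate anything), then two inputs that
// fail the format check and never reach the database.
foreach ([$pending, $pending, 'Jon Snow', ''] as $key) {
    echo var_export(activate($conn, $key), true), '  <- ', json_encode($key), PHP_EOL;
}
```

Treating "already used" the same as "unknown" matters here: an activation link is a bearer token, and a second request with a consumed code should not be reported as a success.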
Closed 8 years ago.
<?php
require('database.php');
$user = $_POST["username"];
$password = $_POST["password"];
$location = $_POST["location"];
$stmt = $mysqli->prepare("insert into Userinfo (username, password, location) values (?, ?, ?)");
if(!$stmt) {
//printf("Query prep failed: %s\n", mysqli->error);
echo "query prep failed".$mysqli->error;
exit;
}
$stmt->bind_param('sss', $username, $password, $location);
$stmt->execute();
$stmt->close();
error_log("username ".$user, 3, "/tmp/php_error.log");
}
?>
Database.php
<?php
$mysqli = new mysqli('localhost', 'php', 'passtheword', 'Android');
if($mysqli->connect_errno) {
printf("Connection Failed: %s\n", $mysqli->connect_error);
exit;
}
?>
This query is not modifying my database for some reason. I know 'database.php' is valid, and I don't get an error from the if(!$stmt) section. Nothing breaks, it just doesn't modify the table, Userinfo. Can anyone tell me why?
Change $user to $username. You are binding and inserting $username, but you only assign $_POST to, and define, $user.
Closed 8 years ago.
I'm doing registration in PHP and I am stuck on an unexpected catch, can you help me please?
if (isset($_POST['nick']) && isset($_POST['heslo']) &&
isset($_POST['email']) && isset($_POST['datnar']))
{
try
{
$email = ($_POST['email']);
$datnar = ($_POST['datnar']);
$nick = ($_POST['nick']);
$heslo = md5($_POST['heslo']);
$db->query("INSERT INTO tblosoba(`nick`, `heslo`, `email`, `datnar`) VALUES ($nick, '$heslo', $email, $datnar)");
echo "Registrace dokončena."; // "Registration complete."
catch( PDOException $Exception ) {
echo "Uživatel existuje"; // "User exists"
}
}
You need to close the try block.
{
try
{
$email = ($_POST['email']);
$datnar = ($_POST['datnar']);
$nick = ($_POST['nick']);
$heslo = md5($_POST['heslo']);
$db->query("INSERT INTO tblosoba(`nick`, `heslo`, `email`, `datnar`) VALUES ($nick, '$heslo', $email, $datnar)");
echo "Registrace dokončena."; // "Registration complete."
} //<-------------------------------------------- Here
catch(PDOException $Exception ) {
echo "Uživatel existuje"; // "User exists"
}
}
Warning: Your code is vulnerable to SQL injection. You need to filter the $_POST values before passing them to your query.
Use prepared statements (parametrized queries) to ward off SQL injection attacks, as you are already using PDO.
Add a closing curly bracket (}) before the catch
Here is how to fix your code
if (isset($_POST['nick']) && isset($_POST['heslo']) &&
isset($_POST['email']) && isset($_POST['datnar']))
{
$sql = "INSERT INTO tblosoba(`nick`, `heslo`, `email`, `datnar`) VALUES (?,?,?,?)";
$data = [$_POST['nick'],$_POST['heslo'],$_POST['email'],$_POST['datnar']];
$db->prepare($sql)->execute($data);
echo "Registrace dokončena."; // "Registration complete."
}
Note that you should not use try-catch here; use a prepared statement instead.
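An added example that combines the two answers above (it is not the code of the question or of either answer): the prepared INSERT from the second answer inside the try/catch from the first, with the catch used for the one thing it can actually tell you. A UNIQUE constraint on nick makes the database reject a second registration, and that PDOException carries SQLSTATE 23000 (integrity constraint violation), which is the "user exists" case; any other exception is rethrown instead of being reported as a duplicate. Two things are this example's own assumptions rather than the page's: the UNIQUE index on nick, and password_hash() in place of md5(). PDO with an in-memory SQLite database stands in for $db so the script runs on its own; the table and column names follow the question and the submissions are constructed.

```php
<?php
// Added example, not code from the question or the answers. PDO + in-memory SQLite
// stands in for $db; the UNIQUE index and password_hash() are this example's choices.
declare(strict_types=1);

function register(PDO $db, array $post): string
{
    foreach (['nick', 'heslo', 'email', 'datnar'] as $f) {
        if (!isset($post[$f]) || $post[$f] === '') {
            return "Missing field: $f";
        }
    }
    // Placeholders: the nick is data even if it contains quotes or SQL.
    $sql = 'INSERT INTO tblosoba (nick, heslo, email, datnar) VALUES (?, ?, ?, ?)';
    $data = [$post['nick'], password_hash($post['heslo'], PASSWORD_DEFAULT),
             $post['email'], $post['datnar']];
    try {
        $db->prepare($sql)->execute($data);
    } catch (PDOException $e) {
        if ((string) $e->getCode() === '23000') {   // integrity constraint: duplicate nick
            return 'User exists';                    // "Uživatel existuje"
        }
        throw $e;                                    // anything else is a real failure, not a duplicate
    }
    return 'Registration complete';                  // "Registrace dokončena."
}

// Constructed stand-in for $db; UNIQUE on nick is what makes duplicates detectable.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tblosoba (nick TEXT NOT NULL UNIQUE, heslo TEXT NOT NULL,
           email TEXT NOT NULL, datnar TEXT NOT NULL)');

// Constructed submissions: a new user, the same nick again, a nick that is an
// injection attempt (stored as a plain string), and a missing field.
$base = ['heslo' => 'tajne-heslo', 'email' => 'jan@example.test', 'datnar' => '1990-01-01'];
foreach ([
    ['nick' => 'jan'] + $base,
    ['nick' => 'jan'] + $base,
    ['nick' => "x'); DROP TABLE tblosoba; --"] + $base,
    ['nick' => 'petr', 'heslo' => ''] + $base,
] as $post) {
    echo register($db, $post), PHP_EOL;
}
// The table survives the injection attempt and holds the rows that were accepted.
echo 'rows: ', $db->query('SELECT COUNT(*) FROM tblosoba')->fetchColumn(), PHP_EOL;
```

Checking for an existing nick with a SELECT before the INSERT is not a substitute for the constraint: two requests can pass the SELECT at the same time, and only the database's own uniqueness check closes that window.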