MySQLi query error while running - php

When I proceed to run the following query:
$sql3 = mysqli_query($con, 'INSERT INTO berichten (from, naar, file) VALUES ('.$id.', '.$to.', "'.$url.'")') or die(mysqli_error($con));
I receive this error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'from, naar, file) VALUES (2, 2, "b9173a1b9ade8767280009f9638bd987.caf")' at line 1
id = an id number,
to = an id number and
url = the filename (e.g. sound.caf)
Why do I get this error and what to do to fix it?
Thanks!

from is a special SQL keyword. You have to escape it by putting it into backticks:
$sql3 = mysqli_query($con, 'INSERT INTO berichten (`from`, naar, file) VALUES ('.$id.', '.$to.', "'.$url.'")') or die(mysqli_error($con));
Besides that you might need to quote ID and file as you did for $url.
Btw, you should really consider using prepared statements in order to prevent SQL injections.

Related

MySQL Error - "You have an error in your SQL syntax" on insert

The error message I'm getting:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'INSERT INTO accounts(balance, interest)
VALUES(0, 1.5)' at line 4 in INSERT INTO accounts(id_user, interest)
VALUES(73, 'Savings');
INSERT INTO balance(balance, interest)
VALUES(0, 1.5)
My PHP code is:
$query = "INSERT INTO accounts(`id_user`, `type`)
VALUES($userid, '$type');
INSERT INTO balance(`balance`, `interest`)
VALUES(0, $interest)";
My first guess that something was wrong with my query, so I tried to run the exact same query in phpMyAdmin and it worked perfectly.
Any suggestions on what might be wrong ?
Gordon Linoff is correct.
From the great manual in the sky.
"mysql_query() sends a unique query (multiple queries are not supported) to the currently active database on the server that's associated with the specified link_identifier. "
http://php.net/manual/en/function.mysql-query.php
change
$query = "INSERT INTO accounts(`id_user`, `type`)
VALUES($userid, '$type');
INSERT INTO balance(`balance`, `interest`)
VALUES(0, $interest)";
to
$query = "INSERT INTO accounts(`id_user`, `type`)
VALUES($userid, '$type');";
$result = mysql_query($query);
$query="INSERT INTO balance(`balance`, `interest`)
VALUES(0, $interest)";
$result = mysql_query($query);
Are you using mysqli to run this ? I suspect you are running two queries in a single statement, you need to use mysqli_multi_query function to execute multiple queries at the same time.
Mysqli Manual page on multi_query
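The advice in this thread to send the statements separately and the prepared-statement advice in the first answer on this page combine into one pattern, shown here as an added example that is not code from any of the posters: each INSERT is its own prepared statement and both run in one transaction, so no multi-statement string is ever sent. The `open_account` function name and the connection parameters are assumptions, and the transaction needs a transactional engine such as InnoDB.

```php
<?php
// Added example, not code from the thread. Assumes an open mysqli
// connection and the accounts/balance tables named in the question.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on errors

/**
 * Run the two INSERTs as separate prepared statements in one transaction.
 * Throws mysqli_sql_exception if either statement fails.
 */
function open_account(mysqli $con, int $userId, string $type, float $interest): void
{
    $con->begin_transaction();
    try {
        // Values travel as bound parameters, never as SQL text.
        $stmt = $con->prepare('INSERT INTO accounts (`id_user`, `type`) VALUES (?, ?)');
        $stmt->bind_param('is', $userId, $type);
        $stmt->execute();
        $stmt->close();

        $zero = 0.0; // bind_param needs a variable, not a literal
        $stmt = $con->prepare('INSERT INTO balance (`balance`, `interest`) VALUES (?, ?)');
        $stmt->bind_param('dd', $zero, $interest);
        $stmt->execute();
        $stmt->close();

        $con->commit();
    } catch (mysqli_sql_exception $e) {
        $con->rollback(); // neither row is kept if either INSERT fails
        throw $e;
    }
}

// Usage (connection parameters are placeholders):
// $con = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
// open_account($con, 73, 'Savings', 1.5);
```

Reserved-word columns such as `from`, `option` or `key` stay backtick-quoted in the fixed SQL text exactly as in the answers on this page; only the values become `?` placeholders.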

Mysql Insert Query, unknown error

I am trying to insert information into a table, using the following query;
$sql2 = "INSERT into `djs` (`name`,`pic`,`about`) VALUES (".$row['dj_name'].",".$row['dj_picture'].",".$row['dj_intro'].")";
Whenever I have tried doing this, the following error has occurred, "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use"
What is causing this error and how may it be resolved?
Use mysql_real_escape_string(); to escape your values and put them into single quotes:
$sql2 = "INSERT into `djs` (`name`,`pic`,`about`) VALUES ('".mysql_real_escape_string($row['dj_name'])."', '".mysql_real_escape_string($row['dj_picture'])."', '".mysql_real_escape_string($row['dj_intro'])."')";
You are not putting quotes around the strings you are inserting:
$sql2 = "INSERT into `djs` (`name`,`pic`,`about`) VALUES
('".$row['dj_name']."','".$row['dj_picture']."','".$row['dj_intro']."')";
The values all need quoting (assuming they are all strings):
$sql2 = "INSERT into `djs` (`name`,`pic`,`about`) VALUES ('".$row['dj_name']."','".$row['dj_picture']."','".$row['dj_intro']."')";
Also even if your data is coming from existing data in the database, you should still consider the possibility of Second Order SQL Injection. The most appropriate safeguard is to use a Prepared Statement instead of concatenating values into the query.
You need quotes around the values you are inserting. But you should also consider a better method of inserting records.
$sql2 = "INSERT into `djs` (`name`,`pic`,`about`) VALUES ('".$row['dj_name']."','".$row['dj_picture']."','".$row['dj_intro']."')";
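The second-order case raised above, as an added example that is not part of the original answers: a value that was stored safely still breaks a concatenated query when it is read back and reused, while a bound parameter carries it through unchanged. An in-memory SQLite database stands in for MySQL so the script runs without a server, and the `shows` source table and the sample row are constructed for illustration.

```php
<?php
// Added example, not code from the thread. SQLite in memory stands in for
// MySQL; the `shows` table and its row are constructed sample data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE shows (dj_name TEXT, dj_picture TEXT, dj_intro TEXT)');
$pdo->exec('CREATE TABLE djs (`name` TEXT, `pic` TEXT, `about` TEXT)');

// The row was stored safely once, but its text contains single quotes.
$pdo->prepare('INSERT INTO shows VALUES (?, ?, ?)')
    ->execute(["DJ O'Neil", 'oneil.png', "Plays drum'n'bass"]);

$row = $pdo->query('SELECT * FROM shows')->fetch(PDO::FETCH_ASSOC);

// Concatenation: data read back from the database becomes SQL text again.
function copy_concat(PDO $pdo, array $row): bool
{
    $sql = "INSERT INTO djs (`name`,`pic`,`about`) VALUES ('"
         . $row['dj_name'] . "','" . $row['dj_picture'] . "','" . $row['dj_intro'] . "')";
    try {
        $pdo->exec($sql);
        return true;
    } catch (PDOException $e) {
        return false; // the stored quote ended the string literal early
    }
}

// Prepared statement: the same row is bound as data, not parsed as SQL.
function copy_prepared(PDO $pdo, array $row): bool
{
    $stmt = $pdo->prepare('INSERT INTO djs (`name`,`pic`,`about`) VALUES (?, ?, ?)');
    return $stmt->execute([$row['dj_name'], $row['dj_picture'], $row['dj_intro']]);
}

var_dump(copy_concat($pdo, $row));   // concatenated copy of the stored row
var_dump(copy_prepared($pdo, $row)); // bound copy of the same row
var_dump($pdo->query('SELECT `name` FROM djs')->fetchColumn());
```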

The right syntax for insertion into Mysql using php

I'm trying to insert some values into the database using information posted on a form through PHP.
Following is the code that I'm using for insertion:
$query=mysql_query("select * from poll_question where question = '$question'") or die(mysql_error());
$numrows=mysql_num_rows($query);
if($numrows)
{
while($row=mysql_fetch_assoc($query))
{
$dbid=$row['id'];
}
}
$sql1 = "INSERT INTO poll_option(option , poll_id ,click)
VALUES('$_POST[optionone]',
'$dbid' , 0)";
$result1 = mysql_query($sql1);
echo "1 record added";
echo mysql_error();
$sql2 = "INSERT INTO poll_option(option , poll_id , click)
VALUES('$_POST[optiontwo])',
'$dbid', 0)";
$result2 = mysql_query($sql2);
echo mysql_error();
$sql3 = "INSERT INTO poll_option(option , poll_id, click)
VALUES('$_POST[optionthree])',
'$dbid ', 0)";
$result3 = mysql_query($sql3);
echo mysql_error();
Now I'm getting the following output:
You have an error in your SQL syntax;
check the manual that corresponds to your MySQL server version for the right syntax to use near 'option , poll_id ,click) VALUES('sj', '24' , 0)' at line 1
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'option , poll_id , click) VALUES('dsdg', '24', 0)' at line 1
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'option , poll_id, click) VALUES('xzf', '24 ', 0)' at line 1
The part under the "values" syntax is the one that I'm trying to insert. That information is correct. That is, VALUES('xzf', '24 ', 0) is correct and I want to insert this only, but there is some problem with the syntax. Any suggestions?
What echo_me said.
Additionally, in $sql2 and $sql3 you are closing the VALUES (...) parenthesis too soon:
VALUES('$_POST[optiontwo])',
                         ^ remove this
Your $sql1 is correct.
OPTION is a reserved keyword in MySQL.
Try using backticks around it in all your queries,
like this:
`option`
Look up the reserved keywords here
In addition to what echo_me stated in removing the parentheses incorrectly added to $sql2 and $sql3, you really should migrate over to mysqli (since mysql is deprecated) and at least use the real escape string option on your post variable before automatically inserting whatever is posted to the script into your database. A good example for your code is:
$post_option1 = mysql_real_escape_string($_POST['optionone']);
$post_option2 = mysql_real_escape_string($_POST['optiontwo']);
$sql1 = "INSERT INTO poll_option (`option`, `poll_id`, `click`) VALUES('$post_option1', '$dbid', 0)";
$sql2 = "INSERT INTO poll_option (`option`, `poll_id`, `click`) VALUES('$post_option2', '$dbid', 0)";
My opinion is it would make things simpler for you as well. The info on the real escape string can be found here:
http://php.net/manual/en/function.mysql-real-escape-string.php
It's against best practice to insert a POST or GET directly into your database without any form of mitigation against SQL injection.
Try to avoid using mysql functions, but rather learn to use PDO functions. They have a number of advantages over mysql functions, although I'm really sorry, I don't remember them right now, and I don't want to say anything that's not true.
Also, I don't think that the mysql functions can prevent SQL injection, which can let any user alter your database however they want.
Most importantly though, is that they're deprecated in PHP 5.5
Sorry if I didn't solve your question, just thought to let you know. Good luck, maybe you can get it to work with the new functions.
Update: Sorry, didn't see the comments and posts about switching to mysqli and such.

ERROR When trying to insert into MySQL table with PHP

I don't know what's wrong with my syntax, but I'm missing something:
$createrequest = mysql_query("INSERT INTO products_updates_queue (id, kid,
product_version_id, key, ip) VALUES ('$request_id', '$uid', '$version_id',
'$request_key', '$request_ip')");
I receive this error:
"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'key, ip) VALUES ('j4ctveyd0x62', '1', 'z451ah3', 'hqbyu7bhg8za', '64.134.163.2' at line 2"
Can anyone see what I am missing?
I think key is a reserved word, and you should avoid using it as a column name. Try using backticks around it:
$createrequest = mysql_query("INSERT INTO products_updates_queue (id, uid, product_version_id, `key`, ip) VALUES ('$request_id', '$uid', '$version_id', '$request_key', '$request_ip')");
key is a reserved word in MySQL. Avoid it, or wrap it in backticks.
Edit: And I hope you escaped the variables you're putting into that query.

Strange MySQL Error. (PHP)

I have the following code:
<?php
include("config.php");
$key = 'blahblah';
$sql = "INSERT INTO softversions SET key='$key'";
$result = mysql_query($sql) or die (mysql_error());
echo "dude";
?>
This gives me an error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'key='svksskjfvns'' at line 1
The thing is that I've used this script about a hundred times on other pages and it worked.
Table and field names are 100% correct.
I don't understand what is going on.
Do you see the syntax error there?
KEY is a reserved word in MySQL and you need to escape it using backticks to use it as a column name and also you should not use SET when inserting.
$sql = "INSERT INTO softversions (`key`) VALUES ('$key')";
key is a reserved word in MySQL. To use it as a column, you need to escape it every time you call it.
$sql = "INSERT INTO softversions SET `key`='$key'";
$sql = "INSERT INTO softversions(keyName) values('{$key}')";
