Stuck with unknown column in field MySQL - php

I keep getting this error
Unknown column 'Hello' in 'field list'
when I execute this code
$sql = "INSERT INTO installs (date,addedBy,customer,reg,vehMake,vehModel,colour,mileage,location,tracker,serial,sim,extr as,satnav,input1,input2,output,comments) VALUES (" . $date . ", " . $addedBy . ", " . $customer . ", " . $reg . ", " . $vehMake . ", " . $vehModel . ", " . $colour . ", " . $mileage . ", " . $location . ", " . $tracker . ", " . $serial . ", " . $sim . ", " . $extras . ", " . $satnav . ", " . $input1 . ", " . $input2 . ", " . $output . ", " . $comments . ")";
$result = $connect->query($sql) or die($connect->error);


replace this
(' . "Hello" . ', ' . 2 . ', ' . 3 . ', ' . 4 . ', ' . 4 . ', ' . 5 . ', ' . 6 . ', ' . 7 . ', ' . 8 . ', ' . 9 . ', ' . 10 . ', ' . 11 . ', ' . 12 . ', ' . 13 . ', ' . 14 . ', ' . 15 . ', ' . 16 . ', ' . 17 . ')';
by
("Hello", 2 ,3, 4,4,5,6,7,8,9,10,11,12, 13,14,15,16,17)';
EDIT:
replace this
(" . $date . ", " . $addedBy . ",..........
by
('$date', '$addedBy',...........
or this
('" . $date . "', '" . $addedBy . "',..........


Hello needs to be enclosed in single quotes. Escape the quotes like this:
$sql = 'INSERT INTO installs
(date,addedBy,customer,reg,vehMake,vehModel,colour,
mileage,location,tracker,serial,sim,extras,satnav,
input1,input2,output,comments)
VALUES
(\'' . "Hello" . '\', ' . 2 . ', ' . 3 . ', ' . 4 . ', ' . 4 . ',
' . 5 . ', ' . 6 . ', ' . 7 . ', ' . 8 . ', ' . 9 . ',
' . 10 . ', ' . 11 . ', ' . 12 . ', ' . 13 . ', ' . 14 . ', ' . 15 . ',
' . 16 . ', ' . 17 . ')';


One likely explanation for this behavior is that sql_mode inclues (or enables) ANSI_QUOTES.
SELECT ##SESSION.sql_mode
If ANSI_QUOTES is enabled, then double quotes can't be used around string literals; whatever is between the double quotes will be interpreted as an identifier (e.g. column name). If ANSI_QUOTES is enabled, then string literals should be enclosed in single quotes.
For the love of all that is good and beautiful in this world, just use prepared statements with placeholders, to avoid issues with quotes and to thwart SQL injection vulnerabilities.
e.g.
$sql = "INSERT INTO installs (date,addedBy,customer, ...)
VALUES ( :date, :addedBy, :customer, ...)";
$sth = $connect->prepare($sql);
$sth->execute(array(':date' => $date, ':addedBy' => $addedBy, ':customer' => $customer, ... ));

Related

Database error: Invalid SQL: WHERE id IN (91220,91222,91232,91233,91244,91263,

The SQL below when echoed in the PHP script displays only WHERE id IN (91220,91222,91232,91233,91244,91263,91264,91277)
Please help me find what is wrong with the SQL.
$sql = "UPDATE customers SET customers.name=AES_ENCRYPT('" . self::PII_OBFUSCATE_NAME . "','" . AES_CRYPT_KEY . "')"
. ", address1=AES_ENCRYPT('" . self::PII_OBFUSCATE_ADDRESS1 . "','" . AES_CRYPT_KEY . "')"
. ", day_phone=AES_ENCRYPT('" . self::PII_OBFUSCATE_PHONE . "','" . AES_CRYPT_KEY . "')"
. ", nite_phone=AES_ENCRYPT('" . self::PII_OBFUSCATE_PHONE . "','" . AES_CRYPT_KEY . "')"
. (is_array($customers_to_obfuscate))
? " WHERE id IN (" . implode(",", $customers_to_obfuscate) . ")"
: " WHERE id = '$customers_to_obfuscate'";

You need to check your braces in the ternary operator. It must look like follows:
((is_array($orders_to_obfuscate)) ? " WHERE id IN (" . implode(",", $orders_to_obfuscate) . ")" : " WHERE id = '$orders_to_obfuscate'");

Mysql and Php (Could not enter data)

I need assistance to what might be causing this error, I get this error everytime I have single inverted commas in the data I am trying to post to the database. (field name: abtext)
Error message:
Could not enter data: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'dsf'ds'f'ds'fds'f'ds'f'dsfds','fdsfdd'fd''fds'f'dsf'ds fd 'fds'f'df'ds ds''fd'sf' at line 3
Data entered to the db:
field name: (abtext) of type text
data entered on the field=
fdsfdd'fd''fds'f'dsf'ds fd 'fds'f'df'ds ds''fd'sf'ds'f'dsfds'sdf
My insert code:
$sql = "INSERT INTO poster
(titlepaper,abtext,authorTitle1,authorName1,authorIntials1,authorSurname1,authorJt1,authorcompany1,authoremail1,authornumber1,presenting1,additional,authorTitle2,authorName2,authorIntials2,authorSurname2,authorJt2,authorcompany2,authoremail2,authornumber2,presenting2,correspondence,authorTitle3,authorName3,authorIntials3,authorSurname3,authorJt3,authorcompany3,authoremail3,authornumber3,presenting3)
VALUES ('$titlepaper','$abtext','$authorTitle1','$authorName1','$authorIntials1','$authorSurname1','$authorJt1','$authorcompany1','$authoremail1','$authornumber1','$presenting1','$additional','$authorTitle2','$authorName2','$authorIntials2','$authorSurname2','$authorJt2','$authorcompany2','$authoremail2','$authornumber2','$presenting2','$correspondence','$authorTitle3','$authorName3','$authorIntials3','$authorSurname3','$authorJt3','$authorcompany3','$authoremail3','$authornumber3','$presenting3')";
mysql_select_db('database');
$retval = mysql_query( $sql, $conn );
if(! $retval ) {
die('Could not enter data: ' . mysql_error());
}
Your help will be much appreciated.

Try this,
$sql = " INSERT INTO poster(titlepaper,abtext,authorTitle1,authorName1,authorIntials1,authorSurname1,authorJt1,authorcompany1,authoremail1,authornumber1,presenting1,additional,authorTitle2,authorName2,authorIntials2,authorSurname2,authorJt2,authorcompany2,authoremail2,authornumber2,presenting2,correspondence,authorTitle3,authorName3,authorIntials3,authorSurname3,authorJt3,authorcompany3,authoremail3,authornumber3,presenting3)
VALUES (" . mysql_escape_string($titlepaper) . "," . mysql_escape_string($abtext) . "," . mysql_escape_string($authorTitle1) . "," . mysql_escape_string($authorName1) . "," . mysql_escape_string($authorIntials1) . "," . mysql_escape_string($authorSurname1) . "," . mysql_escape_string($authorJt1) . "," . mysql_escape_string($authorcompany1) . "," . mysql_escape_string($authoremail1) . "," . mysql_escape_string($authornumber1) . "," . mysql_escape_string($presenting1) . "," . mysql_escape_string($additional) . "," . mysql_escape_string($authorTitle2) . "," . mysql_escape_string($authorName2) . "," . mysql_escape_string($authorIntials2) . "," . mysql_escape_string($authorSurname2) . "," . mysql_escape_string($authorJt2) . "," . mysql_escape_string($authorcompany2) . "," . mysql_escape_string($authoremail2) . "," . mysql_escape_string($authornumber2) . "," . mysql_escape_string($presenting2) . "," . mysql_escape_string($correspondence) . "," . mysql_escape_string($authorTitle3) . "," . mysql_escape_string($authorName3) . "," . mysql_escape_string($authorIntials3) . "," . mysql_escape_string($authorSurname3) . "," . mysql_escape_string($authorJt3) . "," . mysql_escape_string($authorcompany3) . "," . mysql_escape_string($authoremail3) . "," . mysql_escape_string($authornumber3) . "," . mysql_escape_string($presenting3) . ")";
mysql_select_db('database');
$retval = mysql_query($sql, $conn);
if (!$retval) {
die('Could not enter data: ' . mysql_error());
}
i have changed insert area of insert command. Used mysql_escape_string for escaping unwanted char in insertion variables.

$sql = "INSERT INTO individual
(titlepaper,abtext,authorTitle1,authorName1,authorIntials1,authorSurname1,authorJt1,authorcompany1,authoremail1,authornumber1,presenting1,additional)
VALUES ('". mysql_escape_string($titlepaper) . "','" . mysql_escape_string($abtext) . "','" . mysql_escape_string($authorTitle1) . "','" . mysql_escape_string($authorName1) . "','" . mysql_escape_string($authorIntials1) . "','" . mysql_escape_string($authorSurname1) . "','" . mysql_escape_string($authorJt1) . "','" . mysql_escape_string($authorcompany1) ."','" . mysql_escape_string($authoremail1) . "','" . mysql_escape_string($authornumber1) . "','" . mysql_escape_string($presenting1) . "','" . mysql_escape_string($additional) . "')";
This worked! THANKS ALOT GUYS MUCH APPRECIATED!

Please try by using : htmlspecialchars($abtext)
so your sql query would be like,
$sql = "INSERT INTO poster
(titlepaper,abtext,authorTitle1,authorName1,authorIntials1,authorSurname1,
authorJt1,authorcompany1,authoremail1,authornumber1,presenting1,additional,
authorTitle2,authorName2,authorIntials2,authorSurname2,authorJt2,authorcompany2,
authoremail2,authornumber2,presenting2,correspondence,authorTitle3,authorName3,
authorIntials3,authorSurname3,authorJt3,authorcompany3,authoremail3,
authornumber3,presenting3)
VALUES
('$titlepaper','htmlspecialchars($abtext)','$authorTitle1','$authorName1',
'$authorIntials1','$authorSurname1','$authorJt1','$authorcompany1',
'$authoremail1','$authornumber1','$presenting1','$additional',
'$authorTitle2','$authorName2','$authorIntials2','$authorSurname2',
'$authorJt2','$authorcompany2','$authoremail2','$authornumber2',
'$presenting2','$correspondence','$authorTitle3','$authorName3',
'$authorIntials3','$authorSurname3','$authorJt3','$authorcompany3',
'$authoremail3','$authornumber3','$presenting3')";

PHP trim not working

I m trying to get rid of the trailing comma my sql statemen using trim but it doesnt seem to work
if(isset($_POST['report'])){
//====
$sql = 'INSERT INTO weekly_repo ( hospnme, disease, week, under5, above5, dat) VALUES ';
$week = intval($_POST['current_week']);
$diseases = $_POST['diseases'];
foreach($diseases as $disease){
$sql .= ' ( "' . filterString($_POST['hospital']). '", "' . filterString($disease['disease']) . '", ' . $week . ', ' . intval($disease['under_5']) . ', ' . intval($disease['over_5']) . ', NOW()), ';
}
$sql = trim($sql, '\,');
// ended up doing this
//$sql = substr($sql, 0, strrpos($sql, ',')) . ';';
$stmt = $conn->query($sql);
}

You don't need to escape \ the comma. A better approach might be to construct an array and then implode():
foreach($diseases as $disease){
$sql[] = ' ( "' . filterString($_POST['hospital']). '", "' . filterString($disease['disease']) . '", ' . $week . ', ' . intval($disease['under_5']) . ', ' . intval($disease['over_5']) . ', NOW()), ';
}
$sql = implode(',', $sql);

My own SQL syntax error [closed]

This question is unlikely to help any future visitors; it is only relevant to a small geographic area, a specific moment in time, or an extraordinarily narrow situation that is not generally applicable to the worldwide audience of the internet. For help making this question more broadly applicable, visit the help center.
Closed 9 years ago.
My code is.
$newModel = "INSERT INTO models (id," .
" firstname," .
" lastname," .
" email," .
" password," .
" group," .
" phone," .
" timeofday," .
" dayofweek," .
" address," .
" city," .
" state," .
" zip," .
" gender," .
" hair," .
" eye," .
" birthday," .
" birthmonth," .
" birthyear," .
" bustshirt," .
" cup," .
" waist," .
" hips," .
" waist," .
" hips," .
" weight," .
" inches," .
" dressjacket," .
" workxp," .
" twitter," .
" facebook," .
" joindate," .
" instagram," .
" imdb," .
" parentid," .
" error) VALUES (".
PrepSQL($modelid) . ", " .
PrepSQL($firstname) . ", " .
PrepSQL($lastname) . ", " .
PrepSQL($email) . ", " .
PrepSQL($password) . ", " .
PrepSQL($group) . ", " .
PrepSQL($phone) . ", " .
PrepSQL($timeofday) . ", " .
PrepSQL($dayofweek) . ", " .
PrepSQL($address) . ", " .
PrepSQL($city) . ", " .
PrepSQL($state) . ", " .
PrepSQL($zip) . ", " .
PrepSQL($gender) . ", " .
PrepSQL($hair) . ", " .
PrepSQL($eyes) . ", " .
PrepSQL($bday) . ", " .
PrepSQL($bmonth) . ", " .
PrepSQL($byear) . ", " .
PrepSQL($bust) . ", " .
PrepSQL($cup) . ", " .
PrepSQL($waist) . ", " .
PrepSQL($hips) . ", " .
PrepSQL($weight) . ", " .
PrepSQL($height) . ", " .
PrepSQL($dressjacket) . ", " .
PrepSQL($workxp) . ", " .
PrepSQL($twitter) . ", " .
PrepSQL($facebook) . ", " .
PrepSQL($joindate) . ", " .
PrepSQL($instagram) . ", " .
PrepSQL($imdb) . ", " .
PrepSQL($parentid) . ", " .
PrepSQL($error) . ")";
mysql_query($newModel) or die(mysql_error());
Its Shooting out an error:
You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use
near 'group, phone, timeofday, dayofweek, address, city, state, zip,
gender, hair, eye' at line 1

group is a reserved word in MySQL. You must wrap it in backticks:
`group`,
phone
etc.

GROUP is a reserved keyword and happens to be the name of your column. To avoid syntax error, you need to escape it using backtick. eg,
`group`
MySQL Reserved Keywords List
If you have the privilege to alter the table, change the column name to which is not a reserved keyword to avoid problem from occurring again.
As a sidenote, the query is vulnerable with SQL Injection if the value(s) of the variables came from the outside. Please take a look at the article below to learn how to prevent from it. By using PreparedStatements you can get rid of using single quotes around values.
How to prevent SQL injection in PHP?

How do I insert data into a field of bit data type?

I have a problem when trying to insert a new record into a database. The problem I think is with the bit field. When I assign the value True i get this error:
Failed: Array ( [0] => Array ( [0] => 22018 [SQLSTATE] => 22018 [1]
=> 245 [code] => 245 [2] => [Microsoft][SQL Server Native Client 10.0]
[SQL Server]Conversion failed when converting the varchar value ' 1 '
to data type bit. [message] => [Microsoft][SQL Server Native Client 10.0]
[SQL Server]Conversion failed when converting the varchar value ' 1 ' to
data type bit. ) )
but if i change it to false it works. I will show some of my code. I have cut out most of it as i have narrowed it down to this variable:
$active = True;
here is my insert query.
$sqlInsert = "INSERT INTO customers(
customerID,
registeredDate,
givenName,
familyName,
email,
password,
phone,
mobile,
property,
street,
locality,
town,
area,
postalCode,
active
)
VALUES(" .
$newUser . "," .
$date . ", ' " .
$given . " ', ' " .
$family . " ', ' " .
$email . " ', ' " .
$pwd . " ', ' " .
$phone . " ', ' " .
$mob . " ', ' " .
$property . " ', ' " .
$street . " ', ' " .
$locality . " ' , ' " .
$town . " ', ' " .
$area . " ', ' " .
$postalcode . " ', ' " .
$active . " ')";
$stmtInsert = sqlsrv_query($conn, $sqlInsert);

I assume that the active field is of bit data type.
You don't use any quotation marks around the value being passed for the active field like what you do for customerid field.
Also, I think you have to convert the value true / false to 1 / 0.
Modified code: Noticed that the single quotes surrounding " . $active . " have been removed.
$sqlInsert = "INSERT INTO customers(customerID, registeredDate, givenName,
familyName, email, password,
phone, mobile, property,
street, locality, town,
area, postalCode, active)
VALUES(" . $newUser . "," . $date . ", ' " . $given . " ',
' " . $family . " ', ' " . $email . " ', ' " . $pwd . " ',
' " . $phone . " ', ' " . $mob . " ', ' " . $property . " ',
' " . $street . " ', ' " . $locality . " ' , ' " . $town . " ',
' " . $area . " ', ' " . $postalcode . " ', " . $active . ")";
$stmtInsert = sqlsrv_query($conn, $sqlInsert);
I am not sure why it worked with False value. I would suggest you to find out how the INSERT statement evaluates to after setting all the values. Instead of executing the statement, print the INSERT statement to screen/page and run it manually in the SQL Server Management Studio against the database.

Categories