Query breaks when data contains single quote [closed] - php

Closed. This question is not reproducible or was caused by typos. It is not currently accepting answers.
This question was caused by a typo or a problem that can no longer be reproduced. While similar questions may be on-topic here, this one was resolved in a way less likely to help future readers.
Closed 8 years ago.
Improve this question
Hello guys i need your help with this php code,
and trying to create survey name using text box..but what happens is that $survey_name = $_POST['txtSurveyName']; does not save any input with e.g. Department's but it saves Departments.
I noticed that the problem is with the single quotes, how can write this code to accept the single quotes?
here is the full code:
**$survey_name = $_POST['txtSurveyName'];**
$survey_status = $_POST['status'];
// Save question
$sql = "INSERT INTO survey(survey_name, status) VALUES('{$survey_name}','{$survey_status}')";
$result = mysql_query($sql);
// Redirect to landing page


As much as I hate this answer I will still tell you that you need to escape your strings:
$survey_name = mysql_real_escape_string($_POST['txtSurveyName']);
But I would suggest using PDO or MySQLi prepared statements. Better for your security.
So easy with PDO:
//prepare query
$stmt = $pdoInstance->prepare('INSERT INTO survey(survey_name, status) VALUES(:name, :status)');
//bind params
$stmt->bindParam(':name', $name, PDO::PARAM_STR);
$stmt->bindParam(':status', $status, PDO::PARAM_STR);
if ($stmt->execute()) {
//success
}
This way your code is more secure and I feel better that I did not suggest something horrible.


From: http://us2.php.net/mysql_real_escape_string
$survey_name = $_POST['txtSurveyName'];
$survey_status = $_POST['status'];
$sql = sprintf("INSERT INTO survey(survey_name, status) VALUES('%s','%s')'",
mysql_real_escape_string($survey_name),
mysql_real_escape_string($survey_status));
$result = mysql_query($sql);


Change your query to escape specials chars :
$sql = "INSERT INTO survey(survey_name, status) VALUES(\"{$survey_name}\",\"{$survey_status}\")";
or
$sql = "INSERT INTO survey(survey_name, status) VALUES('".addslashes($survey_name)."','".addslashes($survey_status)."')";

Related

I can't insert data from php to mysql [closed]

Closed. This question is not reproducible or was caused by typos. It is not currently accepting answers.
This question was caused by a typo or a problem that can no longer be reproduced. While similar questions may be on-topic here, this one was resolved in a way less likely to help future readers.
Closed 2 years ago.
Improve this question
In my Mysql I have this table. And I want to send data
Id is autoincrement
Id
insertId
invoceTaxApplayId
sumOfDist
if (isset($_POST['basic'])) {
$user_string = $_POST['basic'];
$basic = json_decode($user_string);
foreach ($basic as $key => $value){
$sql2 = "INSERT INTO `insert_tax_applay_map`( `insertId`, `invoceTaxApplayId`, `sumOfDist`) VALUES ('$value','', 5)";
echo $sql2; //printed
echo $key;
}
exit();
}
I can see echos, but data isn't sent to mysql.

You can fix the issue of not executing and your serious SQL injection bug with one simple trick: Prepared statements with placeholder values!
if (isset($_POST['basic'])) {
$user_string = $_POST['basic'];
$basic = json_decode($user_string);
// Prepare your database query with placeholder values
$stmt = $db->prepare("INSERT INTO insert_tax_applay_map (insertId, invoceTaxApplayId, sumOfDist) VALUES (:insertId, :invoiceTaxApplayId, :sumOfDist)");
// For each entry...
foreach ($basic as $key => $value) {
// ...execute the statement with that particular set of values.
$stmt-execute([
'insertId' => $value,
'invoiceTaxApplayId' => '',
'sumOfDist' => 5
]);
}
exit();
}
This example uses PDO but can easily be adapted to mysqli or whatever you're using.
Tip: For general guidance on PHP, see PHP the Right Way for more resources.

Converting query to parametrised query [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 6 years ago.
Improve this question
I have a query on my site and have recently been hacked because of it.
I have spent a good 2 hours looking how to convert this query so it is secure and have not got anywhere.
If anyone don't mind, could you please convert this one for me just so I can see what to do on the rest?
$camera_id = $_GET['camera_id'];
$cameras = mysqli_query($conn, "SELECT * FROM cameras WHERE id = $camera_id");
$camera = mysqli_fetch_array($cameras);

Try something like this.
$camera_id = $_GET['camera_id'];
$cameras = mysqli_prepare($conn, "SELECT * FROM cameras WHERE id = ?");
mysqli_stmt_bind_param($cameras, $camera_id);
$cameras->execute();
While you are making the switch, switch straight away to PDO. It's far better than mysqli
$db = new PDO('mysql:host=localhost;dbname=mydb', 'username', 'password');
$stmt = $db->prepare("SELECT * FROM cameras WHERE id = :camera_id");
$stmt->execute(array(":camera_id"=>$camera_id));
$result = $stmt->fetchAll();
or instead of fetchAll()
while($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
echo $row['field1'].' '.$row['field2']; //etc...
}
As you can see this is more readable. And if you later decide eto switch to postgresql the change is real easy.

This is using PDO and assumes that the camera id is a number (if it can contain non-numerical values swap the PARAM_INT for a PARAM_STR. The basic premise is that you separate the query from the variables and you bind the value of the desired item to a variable. Also note that you would need to alter the variables in the new PDO declaration to suit your own database. Note also that fetchAll() provides an associative array of the returned results - there are a number of other fetch() methods possible to give different outcomes - look for the official documentation.
$camera_id = $_GET['camera_id'];
$conn = new PDO('mysql:host=localhost;dbname=db', 'username', 'password');
$sql = "SELECT * from cameras where id = :cameraId";
$q = $conn->prepare($sql);
$q -> bindValue(":cameraId" , $camera_id, PDO::PARAM_INT);
$q->execute();
$cameraRows = $q->fetchAll();
foreach($cameraRows as $cameraRow){
$CID= $cameraRow["camera_id"];
//.... rest of the code
}

I get a mysql error when using mysql_query() [closed]

Closed. This question is not reproducible or was caused by typos. It is not currently accepting answers.
This question was caused by a typo or a problem that can no longer be reproduced. While similar questions may be on-topic here, this one was resolved in a way less likely to help future readers.
Closed 6 years ago.
Improve this question
I am having the following error:
"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Not, Fotograf, Tarih) values ('','','','','','','','TC','','','','Ev' at line 1"
(I am using wamp6.4 that keeps asking "mysqli")
What can be wrong?
My PHP code:
$ekle = mysql_query("INSERT INTO kayitliste (AdayNo, KimlikNo, Ad, Soyad, MezunLise, DiplomaDerece, TelefonNo, Uyruk, VeliAdSoyad, VeliTelefon, Adres, Ulasim, Bolge, Yurt, Bolum, TercihSirasi, Burs, Dekont, Kimlik, Diploma, Odenen, Sinif, Not, Fotograf, Tarih)
VALUES ('$AdayNo','$KimlikNo','$Ad','$Soyad','$MezunLise','$DiplomaDerece','$TelefonNo','$Uyruk','$VeliAdSoyad','$VeliTelefon','$Adres','$Ulasim','$Bolge','$Yurt','$Bolum','$TercihSirasi','$Burs','$Dekont','$Kimlik','$Diploma','$Odenen','$Sinif','$Not','$Fotograf','$Tarih') ");

mysql is deprecated. You should be using either mysqli or PDO with a parameterized query as shown below:
Mysqli:
$link = mysqli_connect("localhost", "root", "");
mysqli_select_db("Your database");
if ($stmt = mysqli_prepare($link, "INSERT INTO `kayitliste` VALUES (?, ?, ?, ?, ?)")) {
/* bind parameters for markers */
mysqli_stmt_bind_param($stmt, $type, $AdayNo, $KimlikNo, $Ad, $Soyad, $MezunLise);
/* Execute query */
mysqli_stmt_execute($stmt);
/* Bind result variables */
mysqli_stmt_bind_result($stmt, $AdayNo, $KimlikNo, $Ad, $Soyad, $MezunLise);
/* Close statement */
mysqli_stmt_close($stmt);
}
$type can be "s" for string, "i" for integer, "d" for double and "b" for blob.
The question marks ? have to be as many as the values you want to insert to your database.
In your case of many values, you should know what type each value is and write $type = "iisss", with as many letters as your values. Since your variables are in a language I do not know I assummed that these ending in No are integers and the other three strings.
PDO:
$sql = 'INSERT INTO `kayitliste` (`AdayNo`, `KimlikNo`, `Ad`, `Soyad`, `MezunListe`)
VALUES (:AdayNo, :KimlikNo, :Ad, :Soyad, :MezunListe)';
$sth = $dbh->prepare($sql);
$sth->bindParam(':AdayNo', $AdayNo, PDO::PARAM_INT);
/* Do that for every parameter */
/* PDO::PARAM_INT is the equivalent of "i" of mysqli in PDO. */
$sth->execute()

In cases such as this, it's helpful to see the generated query for yourself. Do this:
echo "insert into kayitliste (AdayNo, KimlikNo, Ad, Soyad, MezunLise, DiplomaDerece, TelefonNo, Uyruk, VeliAdSoyad, VeliTelefon, Adres, Ulasim, Bolge, Yurt, Bolum, TercihSirasi, Burs, Dekont, Kimlik, Diploma, Odenen, Sinif, Not, Fotograf, Tarih)
values
('$AdayNo','$KimlikNo','$Ad','$Soyad','$MezunLise','$DiplomaDerece','$TelefonNo','$Uyruk','$VeliAdSoyad','$VeliTelefon','$Adres','$Ulasim','$Bolge','$Yurt','$Bolum','$TercihSirasi','$Burs','$Dekont','$Kimlik','$Diploma','$Odenen','$Sinif','$Not','$Fotograf','$Tarih') ";
And then check the query that is generated. I bet you'll find your error if you look carefully.

Why can't i insert this statement in to SQL [closed]

Closed. This question is not reproducible or was caused by typos. It is not currently accepting answers.
This question was caused by a typo or a problem that can no longer be reproduced. While similar questions may be on-topic here, this one was resolved in a way less likely to help future readers.
Closed 7 years ago.
Improve this question
I have this PHP code:
$uniqueSessionID = 'd41740fd9dc75cb8a3eeee27165d2323';
$returnUrl = 'http://qapache.us.oracle.com:15671/OA_HTML/OA.jsp?OAFunc=ICX_\nCAT_PUNCHOUT_CALLBACK&OAHP=ICX_POR_HOMEPAGE_MENU&OASF=ICX_CAT_PUNCHOUT_\nCALLBACK&transactionid=1577779317'
$timestamp = $conn->real_escape_string('2016-02-10 07:57:21');
$cxmlVersion = $conn->real_escape_string('1.1.007');
$payloadID = $conn->real_escape_string('20040316032452.913060910.144270#ap6172rt.us.oracle.com');
$sql2 = "INSERT INTO return_cart_url (`sessionid`, `timestamp`, `version`, `return_url`, `payloadID`)
VALUES ('{$uniqueSessionID}','{$timestamp}', '{$cxmlVersion}' '$returnUrl', '{$payloadID}')";
if ($conn->query($sql2) === TRUE) {
echo "New record created successfully";
} else {
echo "Error: " . $sql2 . "<br>" . $conn->error;
}
And i get this error:
Column count doesn't match value count at row 1
All my columns are varchar. In the beginning i only had the columns uniqueSessionID and returnURL, and with these 2 it worked. It happened when I added the timestamp, cxmlVersion and payloadID.
Anyone who can explain me why this happens?

You forgot 1 comma :
'{$cxmlVersion}','$returnUrl'

you forget one , after cxmlVersion
$sql2 = "INSERT INTO return_cart_url (`sessionid`, `timestamp`, `version`, `return_url`, `payloadID`)
VALUES ('{$uniqueSessionID}','{$timestamp}', '{$cxmlVersion}', '$returnUrl', '{$payloadID}')";

I am guessing it is because you are missing the brackets in the values definition of the return Url, and there is a missing colon after cxmlVersion.
VALUES ('{$uniqueSessionID}','{$timestamp}', '{$cxmlVersion}' '$returnUrl', '{$payloadID}')";
Becomes:
VALUES ('{$uniqueSessionID}','{$timestamp}', '{$cxmlVersion}', '{$returnUrl}', '{$payloadID}')";

how to use php variables make query for sqlite3 [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Questions asking for code must demonstrate a minimal understanding of the problem being solved. Include attempted solutions, why they didn't work, and the expected results. See also: Stack Overflow question checklist
Closed 9 years ago.
Improve this question
<?php
/**
* Simple example of extending the SQLite3 class and changing the __construct
* parameters, then using the open method to initialize the DB.
*/
class MyDB extends SQLite3
{
function __construct()
{
$this->open('wifin.db');
}
}
$db = new MyDB();
$mac = 'test';
$ssid = $_POST['ssid'];
$lat = $_POST['lat'];
$lon = $_POST['lon'];
$db->exec("INSERT INTO wifinTb (mac,ssid,lat,lon) VALUES ($mac,$ssid,$lat,$lon)");
$result = $db->query('SELECT * FROM wifinTb WHERE mac=$mac');
var_dump($result->fetchArray());
?>
i'm not sure how to use variables in php5, $mac should be a string, when i directly use mac=$mac, it return me bool(false), which means can't find, but when i use mac='test', it gives me result.

Never ever use string concatenation or replacement to put values into SQL statements; this will give you formatting problems (as you've seen) and allow SQL injection attacks.
Instead, use parameters:
$stmt = $db->prepare('INSERT INTO wifinTb(mac,ssid,lat,lon) VALUES (?,?,?,?)');
$stmt->bindValue(1, 'test');
$stmt->bindValue(2, $_POST['ssid']);
$stmt->bindValue(3, $_POST['lat']);
$stmt->bindValue(4, $_POST['lon']);
$stmt->execute();
$stmt = $db->prepare('SELECT * FROM wifinTb WHERE mac = :mac');
$stmt->bindValue(':mac', $mac);
$result = $stmt->execute();

What you initialize $mac with 'test', is what you are doing is assigning a string (PHP recognizes anything inside '' or "" as a string) to $mac. The value of this string is test. So you still need to surround the value in the query with '':
$db->exec("INSERT INTO wifinTb (mac,ssid,lat,lon) VALUES ('$mac','$ssid','$lat','$lon')");

$result = $db->query('SELECT * FROM wifinTb WHERE mac=$mac');
Is currently being seen as one long string. You could get around this quickly by changing it to:
$result = $db->query("SELECT * FROM wifinTb WHERE mac='" . $mac . "'");
However, you'd be better reading up on PDO or mysqli bind functions rather than injecting like that.
Hope that helps?

Categories