Date field outputs during update 0000-00-00 [closed]

Date field outputs during update 0000-00-00 [closed] - php

Closed. This question is not reproducible or was caused by typos. It is not currently accepting answers.
This question was caused by a typo or a problem that can no longer be reproduced. While similar questions may be on-topic here, this one was resolved in a way less likely to help future readers.
Closed 8 years ago.
Improve this question
I have problem with update data to database - I'm getting 0000-00-00. To the input field I'm writing data as "2010-08-10". For insert it works correctly, only for update not.
In inserting it works properly also for dates like that, for update this dates also don't work.
Above codes the both queries:
$rec_query = mysql_query ("INSERT INTO `" . $tb_best_ps . "` (id, name, date, author, www, image) VALUES ('','" . mysql_escape_string ($_POST ["name"]) . "','" . $_POST ["date"] . "','" . mysql_escape_string ($_POST ["author"]) . "','" . mysql_escape_string ($_POST ["www"]) . "','" . mysql_escape_string ($_POST ["image"]) . "')");
$query1 = mysql_query ("UPDATE `" . $tb_best_ps . "`
SET `name` = '" . mysql_escape_string ($_POST ["name"]) . "',
`date` = " . $_POST ["date"] . ",
`author` = '" . mysql_escape_string ($_POST ["author"]) . "',
`www` = '" . mysql_escape_string ($_POST ["www"]) . "',
`image` = '" . mysql_escape_string ($_POST ["image"]) . "'
WHERE `id` = '" . $_POST ["edit"] . "'");
Output when I'm using echo on update query:
UPDATE `swt_best_ps` SET `name` = 'Best Paper Award at ADAPTIVE 2014 for Paper XYZ', `date` = 2010-08-10, `author` = 'David Bowie', `www` = 'http://thinkmind.org/', `image` = 'http://randomweb.com/iaria2014.png' WHERE `id` = '1'

You didn't quote your dates, so if you're getting something like 2014-04-08 in your $_POST value, you're actually doing
... date = 2014-04-08 ...
which will be seen as a math operation: two subtractions, and you end up doing
... date = 2002 ...
Since you haven't quoted your dates, nor escaped them, you're both inserting bad data, and vulnerable to SQL injection attacks. ANY external data going into a query string MUST be properly escaped and quoted.
The query building line should be
"`date` = '" . mysql_real_escape_string($_POST['date']) . "'"
^---note the added quote ^---note the added quote

Related

Trouble specifying my tablename inside query because of dot notation

I'm having trouble specifying my tablename inside the following query.
$sql = "INSERT INTO db269193_crud.posts (post_title,description)
VALUES ('" . $title . "','" . $description . "')";
The tablename is: db269193_crud.posts. I can't specify the table name as 'posts' because of my hostingprovider. They only allow me to specify it in conjunction with my databasename (which is db269193).
So the table name becomes: db269193(dot)posts. This dot however keeps lighting up in my editor as an incorrect syntax.
I need someone's help to tell me if I specified the table name correctly or if I have to use a variable to hide the dot notation like:
$tablename = 'db269193.crud';
$sql = "INSERT INTO $tablename (post_title,description)
VALUES ('" . $title . "','" . $description . "')";

You can put the entire name in backticks to escape it:
INSERT INTO `db269193_crud.posts` (post_title, description)
VALUES ('" . $title . "', '" . $description . "')
As for the rest of your statement, I would encourage you to use parameters instead of munging the query string. By putting random strings in the query, you are just inviting syntax errors and SQL injection attacks.

I can't specify the table name as 'posts' because of my hostingprovider. They only allow me to specify it in conjunction with my databasename (which is db269193).
I pretty much doubt that as it would require DB changes which simply make no sense. I assume that it's your fault as you did not select DB to use in the first place. Check how you connect and ensure you provide DB name as well or at least you mysqli_select_db() or equivalent.
$tablename = 'db269193.crud';
You can use backticks when name of table or column conflicts or is reserved word:
$tablename = '`db269193.crud`';
or
$tablename = '`db269193`.`crud`';
$sql = "INSERT INTO $tablename (post_title,description)
VALUES ('" . $title . "','" . $description . "')";
You are complicating simple strings with unnecessary concatentation. This will work and is less error prone:
$sql = "INSERT INTO $tablename (post_title,description)
VALUES ('{$title}','{$description}')";
however you are still seem to be vulnerable to sql injection here. I'd recommend switching to PDO.

Having issue with htmlspecialchars mysql query

What is wrong with this code...?? If i retrived data from mysql with the following code,it gives error.
$sql="select id,
'" . htmlspecialchars(question, ENT_QUOTES) . "',
'" . htmlspecialchars(option1, ENT_QUOTES) . "',
'" . htmlspecialchars(option2, ENT_QUOTES) . "',
'" . htmlspecialchars(option3, ENT_QUOTES) . "',
'" . htmlspecialchars(option4, ENT_QUOTES) . "',
'" . htmlspecialchars(correctAnswer, ENT_QUOTES) . "',
'" . htmlspecialchars(category, ENT_QUOTES) . "',
'" . htmlspecialchars(section, ENT_QUOTES) . "',
'" . htmlspecialchars(chapter, ENT_QUOTES) . "'
from $user order by id";

There are some issues here...
My Wallet Problem: Some $$$ missing (sorry, bad pun, I know):
$sql="select id,
'" . htmlspecialchars($question, ENT_QUOTES) . "',
'" . htmlspecialchars($option1, ENT_QUOTES) . "',
'" . htmlspecialchars($option2, ENT_QUOTES) . "',
'" . htmlspecialchars($option3, ENT_QUOTES) . "',
'" . htmlspecialchars($option4, ENT_QUOTES) . "',
'" . htmlspecialchars($correctAnswer, ENT_QUOTES) . "',
'" . htmlspecialchars($category, ENT_QUOTES) . "',
'" . htmlspecialchars($section, ENT_QUOTES) . "',
'" . htmlspecialchars($chapter, ENT_QUOTES) . "'
from $user order by id";
Quoting issue
Look at the answer of #bhawin, and give a +1 for spotting that!
Single quote ' is for enclosing strings, while the backtick `` ` is for enclosing names of SQL objects: columns, tables, etc...
Using PHP basic mysql functions
Newer PHP deprecated it. Don't do it... Use PDO for fun and profit!
Using string concatenation to assemble query
SQL Injection... Not funny to get attacked that way. Even if using PDO, you have to know how to use prepared statements properly...
htmlspecialchars in query -- why?
This escapes the string to be safely displayed in HTML pages. Not for building queries... That is what mysql_real_escape_string is for - but again, use PDO instead of the whole ordeal.
Relying on default encoding
Use UTF-8 (or the encoding you chose for the task) explicitly and consistently wherever deailng with strings. Like:
htmlspecialchars($correctAnswer, ENT_QUOTES, 'UTF-8')
And finally
Why on Earth are you specifying the column names this way? It doesn't make sense.
If your intent was to sanitize the results from the query, you should do that after retrieving the results... And suddenly, htmlspecialchars starts to make sense!

You are trying to escape the column name ? you escape values inserted to database , not column names or values already in database.
htmlspecialchars to select from table in mysql? htmlspecialchars is fot html not sql. you escape value when you insert them to database not when you selecting them . they already in database so why escape them ?
try this
$sql="select id,
question,
option1,
option2,
option3,
option4,
correctAnswer,
category,
section,
chapter
from $user order by id";

$sql="select `id`,
`" . htmlspecialchars(question, ENT_QUOTES) . "`,
`" . htmlspecialchars(option1, ENT_QUOTES) . "`,
`" . htmlspecialchars(option2, ENT_QUOTES) . "`,
`" . htmlspecialchars(option3, ENT_QUOTES) . "`,
`" . htmlspecialchars(option4, ENT_QUOTES) . "`,
`" . htmlspecialchars(correctAnswer, ENT_QUOTES) . "`,
`" . htmlspecialchars(category, ENT_QUOTES) . "`,
`" . htmlspecialchars(section, ENT_QUOTES) . "`,
`" . htmlspecialchars(chapter, ENT_QUOTES) . "`
from $user order by id";
i just changed ' to ` in query

I think I understand what you're trying to do, but you're going about it completely the wrong way. When you build an SQL query to send to the database, that SQL query is just a string, and contains no functionality. You can build it however you like, but the database will only see the resulting string.
In your code, you have a whole set of lines like this: htmlspecialchars(question, ENT_QUOTES) which are being interpretted by PHP to build up the query. PHP has a somewhat dubious feature that an unquoted name like question could be a constant, but if it's not will be assumed to be the string 'question'; the string 'question' has no instances of <, >, &, ", or ' in it, so htmlspecialchars will leave it untouched regardless of the options you pass in. In short, writing htmlspecialchars(question, ENT_QUOTES) is the same as writing 'question'.
You're then concatenating (.) that fixed string with another fixed string containing some single-quotes: ".... '" . htmlspecialchars(question, ENT_QUOTES) . "' ...."
So your query actually ends up like this:
$sql="select id,
'question',
'option1',
'option2',
'option3',
'option4',
'correctAnswer',
'category',
'section',
'chapter'
from $user order by id";
The next odd thing you have is that the table you are selecting from is designated with a variable. Table names don't generally change, so there isn't generally a need for a variable, although it can be useful occasionally to configure them. If that's what you're doing, I would advise a more explicit variable name, like $db_table_name_user.
Looking at the column names, though, they don't look like columns of a user, so I wonder if what your actually trying to do is retrieve from a table of questions based on some particular user. For that, you will need a WHERE clause, or possibly to JOIN onto another table. Read up on SQL if you don't know how those work.
Assuming that $user contains the name of the database table, though, the above will actually run as a successful SQL query - just not a particularly useful one, since it will select out the id of each user, along with the literal strings 'question', 'option1', etc. You need to either remove those, or replace them with back-ticks, which are what MySQL uses to quote column and table names to avoid them being interpreted as something else.
This will retrieve the details of everything in the user table, assuming that's what it is:
$db_table_name_user = 'user';
$sql="select id,
question,
option1,
option2,
option3,
option4,
correctAnswer,
category,
section,
chapter
from $user order by id";
Now we come to what you were actually trying to achieve with htmlspecialchars: handling escaping in the content you get back from the database. This has nothing to do with how you write the query, only to do with what you do afterwards. Your database table should store the exact text entered: when you insert it to the DB, you will use mysqli_real_escape_string (or a parameterised prepared query) to make sure the database doesn't interpret it as part of the query, but that is just about how you send it, not how it is stored.
Then, when you are actually displaying the text on an HTML page, after you've retrieved it from the database, you will escape it so that the browser doesn't interpret it as part of the markup. Escaping should generally happen as late as possible, so that you don't have to make assumptions about whether some string has already been escaped or not.
For instance, for a numbered list of questions, the code would be something like this:
$all_questions = get_all_questions_from_db();
echo '<ol>';
foreach ( $all_questions as $question )
{
echo '<li>' . htmlspecialchars($question['question']) . '</li>';
}
echo '</ol>';

SQL Syntax Error Integers [closed]

This question is unlikely to help any future visitors; it is only relevant to a small geographic area, a specific moment in time, or an extraordinarily narrow situation that is not generally applicable to the worldwide audience of the internet. For help making this question more broadly applicable, visit the help center.
Closed 9 years ago.
I`m trying to have a form that writes to a mysql database using php and html. After submitting the form I get the error
MySQL error: You have an error in your SQL syntax; check the manual
that corresponds to your MySQL server version for the right syntax to
use near '', '1', '1362154007', '127.0.0.1'' at line 2
The code to the submission php file is
<?php
require 'connection.php';
$ip = $_SERVER['REMOTE_ADDR'];
$sql="INSERT INTO entries (summoner, role, level, time, ip)
VALUES ('" . mysql_real_escape_string($_POST['summoner']) . "', " . mysql_real_escape_string($_POST['role']) . "', '" . intval($_POST['level']) . "', '" . time() . "', '" . $ip . "'";
if (!mysql_query($sql)) die("MySQL error: " . mysql_error());
echo "1 record added";
?>
and the code to line two is
<?php
$con = mysql_connect("localhost", "ratchet132", "password", "lookingforq") or die(mysql_error());
mysql_select_db("lookingforq", $con) or die(mysql_error());
header("Content-Type: text/html; charset=utf-8");
mysql_set_charset("utf8");
mb_internal_encoding("UTF-8");
?>
The error only occurs with integers that are not submitted by the html form (although the level is submitted by it, but it seems to due to the same reason as the others, not the forms). I'm thinking this is probably an error with how I have my MYSQL table set up but I can't figure out what I've done wrong. Any help would be awesome.

there is an extra single quote in your integer value,
VALUES ('" . mysql_real_escape_string($_POST['summoner']) . "', " . mysql_real_escape_string($_POST['role']) . "', '" . intval($_POST['level']) . "', '" . time() . "', '" . $ip . "'";
^ HERE
My suggestion is to store the values in variable first so it is easy to debug the code, eg
$summoner = mysql_real_escape_string($_POST['summoner']);
$role = mysql_real_escape_string($_POST['role']);
$intV = intval($_POST['level']);
$sTime = time();
$ip = $_SERVER['REMOTE_ADDR'];
$sql="INSERT INTO entries (summoner, role, level, time, ip)
VALUES ('$summoner', $role, $intV, $sTime,'$ip' )')";
Use PDO or MySQLi extension so you can paramaterized the query. The link below talks about SQL Injection but it also shows there the usage of PDO and MySQLi Extension.
How to prevent SQL injection in PHP?

Why you wrap int value in quotes?
'" . intval($_POST['level']) . "'

You're missing a '. Try:
$sql="INSERT INTO entries (summoner, role, level, time, ip)
VALUES ('" . mysql_real_escape_string($_POST['summoner']) . "', '" . mysql_real_escape_string($_POST['role']) . "', '" . intval($_POST['level']) . "', " . time() . ", '" . $ip . "'";

Error while inserting into db in php

I am trying to inserts some values to the database in my php program but I am getting the error
Parse error: parse error, expecting `T_STRING' or `T_VARIABLE' or `T_NUM_STRING' in C:\wamp\www\php\books.php on line 9
mysql_query..
mysql_query("insert into books values('$_GET["title"]','$_GET["author"]','$_GET["edition"]','$_GET["publish"]','$_GET["isbn"]',)") or die(mysql_error());

get your values in variables like
$title = $_GET["title"];
$author = $_GET["author"];
then use query like this
mysql_query("insert into books values('$title','$author','$edition','$publish','$isbn',)") or die(mysql_error());

you are using nested double quotes
mysql_query("insert into books values('{$_GET["title"]}','{$_GET["author"]}','{$_GET["edition"]}','{$_GET["publish"]}','{$_GET["isbn"]}',)") or die(mysql_error());
or
mysql_query("insert into books values('$_GET[title]','$_GET[author]','$_GET[edition]','$_GET[publish]','$_GET[isbn]',)") or die(mysql_error());

The good query is :
mysql_query("insert into books values('" . $_GET["title"] . "','" . $_GET["author"] . "','" . $_GET["edition"] . "','" . $_GET["publish"] . "','" . $_GET["isbn"] . "')") or die(mysql_error());
There are non escaped quotes but also a comma which has nothing to do here, at the end of the query.
Maybe you should learn PHP and its syntax first.

Escaping a string being inserted into Mysql

I have tried all combinations of single quotes, double quotes etc but the following code keeps erroring with sql syntax error. The en and cy are paragraphs of text. I think I must be missing something obvious but I cant see it. Any suggestions?
$insert_dana = mysql_query("UPDATE Contributor (Summary_en,Summary_cy) VALUES ('" . mysql_real_escape_string($insert[en][0]) . "','" . mysql_real_escape_string($insert[cy][0]) . "') WHERE id='$insert[id]'");

You mixed insert and update statement syntax. Use this one
$insert_dana = mysql_query("UPDATE Contributor set Summary_en = '" . mysql_real_escape_string($insert[en][0]) . "', Summary_cy = '" . mysql_real_escape_string($insert[cy][0]) . "' WHERE id='$insert[id]'");

you're confusing the UPDATE- and the INSERT-syntax. for UPDATE, it's like:
UPDATE
table
SET
field = 'value'
WHERE
...
while an INSERT looks like:
INSERT INTO
table
(field)
VALUES
('value')
you can't write an UPDATE with (field) VALUES ('value')-syntax.

We Keep Coding

PHP, A popular general-purpose scripting language that is especially suited to web development.