The SQL statement is as follows:
$sql = "
INSERT INTO usertable
(
userid,,
name,
username,
password,
typeofuser,
dateofaddition,
createdby,
status
)
VALUES (
$userid,
'$empname',
'$username',
'$password',
'$usertype',
'$doa',
'$createdby',
'$radiobt'
)
";
Remove the comma from after userid and correctly include your variables
$sql = "INSERT INTO usertable
(
userid,
name,
username,
password,
typeofuser,
dateofaddition,
createdby,
status
)
VALUES
(
".$userid.",
".$empname.",
".$username.",
".$password.",
".$usertype.",
".$doa.",
".$createdby.",
".$radiobt."
)";
Make sure you prepare this statement before getting it into the DB! (more info: Prepared statement (Wikipedia))
There is a double ,, after userid.
$sql = "INSERT INTO usertable(userid,name,username,password,typeofuser,dateofaddition,createdby,status) VALUES ($userid,'$empname','$username','$password','$usertype','$doa','$createdby','$radiobt')"
Let us take things step by step:
Field names in the query match the field name in the table (they should exactly be the same even the case should match).
What and from where are the values for the varaibles getting generated?
Do the values correspond to the datatype of the fields in the table?
For eg. If there is a variable which expects to receive integer as values and it is made to store strings or characters, mysql is bound to give an error message.
Check for these and let me know.
Related
hey guys i have this problem..
basicly the first query is jsut for inserting and the 2nd query is for copying data from another table via foreign key. have any idea? im newbie.. :D
else if($payment_description == 'Monthly Subscription'){
$payment_amount = '750';
$sql = "INSERT INTO `paymentlog` ( payment_amount,payment_description,date_payment)
VALUES ( '$payment_amount', '$payment_description','$date_payment')";
$query_run = mysqli_query($conn, $sql);
$sql1 = "INSERT INTO paymentlog (member_id, first_name, last_name)
SELECT member_id, first_name, last_name
FROM member
WHERE member_id = $id";
$query_run1 = mysqli_query($conn, $sql1);
echo ("<script LANGUAGE='JavaScript'>
window.alert('Monthly Payment is been added.');
window.location.href='/PROJECT/MEMBERS/members.php';
</script>");}
I don't think your current code does what you want. You are (attempting to) insert two rows, while, as I understand your question, you want to create a single row in payment_log, with the amount, description and date given as input, and member information that needs to be retrieved from another table using another input paramter.
You can use the insert ... select syntax:
INSERT INTO `paymentlog` (
member_id,
first_name,
last_name,
payment_amount,
payment_description,
date_payment
)
SELECT
member_id,
first_name,
last_name,
:payment_amount,
:payment_description,
:date_payment
FROM member
WHERE member_id = :id
Important notes:
Use prepared statements! Do not concatenate variables in the query string, this is both inefficient and unsafe. Recommended reading: How can I prevent SQL injection in PHP
From a database design standpoint, you should not be duplicating information from table members in table payment_log; storing a reference to the primary key of member is sufficient
I am trying to pass variable values to a MySQL database table. I am using a PDO to get access to the database, and am able to echo the variable values that I want to insert to my browser. The only thing I can think of is that my syntax is wrong. I am clearly a novice at using PHP/MySQL.
I am not getting any errors. The info isn't going into my table. What am I doing wrong?
$sql = "INSERT INTO testquiz (version, points, passing_percent, gained_score, username, email, quiz_title, date)
VALUES ('$version', $points, $passing_percent, $gained_score, '$username', '$email', '$quiz_title', CURDATE() )";
Query to create table:
MySQL CREATE TABLE Query:
CREATE TABLE testquiz (
id INT NOT NULL AUTO_INCREMENT PRIMARY KEY,
version TEXT,
points INT,
passing_percent DOUBLE,
gained_score DOUBLE,
username TEXT,
email TEXT,
quiz_title TEXT,
date DATE NOT NULL
) DEFAULTCHARACTER SET utf8 ENGINE=InnoDB
When using PDO, the generally accepted practice is to use prepared statements for SQL, which essentially are a method used to sanitize your string input.
If your database connection object is $dbo then it would usually go like this.
Create a prepared statement by calling the prepare method on your database connection object:
$sql = $dbo->prepare("INSERT INTO testquiz (version, points, passing_percent, gained_score, username, email, quiz_title, date)
VALUES (:version, :points, :passing_percent, :gained_score, :username, :email, :quiz_title, CURDATE())");
As you can see, instead of passing in the variables I want for the values directly, I've created placeholders. Then, call the execute method on the $sql obect and pass the values in for the placeholders as key-value pairs in an array.
$sql->execute(array(":version" => $version, ":points" => $points, ":passing_percent" => $passing_percent, ":gained_score" => $gained_score, ":username" => $username, ":email" => $email, ":quiz_title" => $quiz_title));
This code passes in the values you define instead of the placeholders, and it properly escapes and sanitizes the variables you pass in for security, while executing your INSERT statement.
http://us1.php.net/pdo.prepared-statements
Change the insert statement to the below format and try.
$sql = "INSERT INTO testquiz (version, points, passing_percent, gained_score, username, email, quiz_title, date)
VALUES ('".$version."', '".$points."', '".$passing_percent."', '".$gained_score."', '".$username."', '".$email."', '".$quiz_title."', CURDATE())";
Isn't this query correct?
$insert = INSERT INTO geninfo (S.N, Name, Address, DOB) VALUES ('Suresh','Ratnanagar','1989/04/10');
I got following error, please help I am a beginner.
Parse error: syntax error, unexpected 'INTO' (T_STRING) in
C:\xampp\htdocs\google.php on line 9
$insert = "INSERT INTO `geninfo` (`S.N`, `Name`, `Address`, `DOB`) VALUES ('Suresh','Ratnanagar','Missing address here','1989/04/10');";
Note that I have also corrected your MySQL query. S.N refers to the column named N on the table named S, which I'm pretty certain is not what you wanted.
Also I just realised you have four columns, but only three values. Fixed that too.
You have no quotes, it should be like this:
$insert = "INSERT INTO geninfo (S.N, Name, Address, DOB) VALUES ('Suresh','Ratnanagar','1989/04/10')";
upd
It seems you are storing date of birth as a string, not as a timestamp (or similar) which is not a good idea
You need to give a (NULL or '') for the S.N field and quotes should be given before and after each and every value.
$insert = "INSERT INTO geninfo (S.N, Name, Address, DOB) VALUES
('', 'Suresh','Ratnanagar','1989/04/10')";
Moreover the field name S.N could create problems. Let me know if this works.
$insert = "INSERT INTO geninfo (S.N, Name, Address, DOB) VALUES ('Suresh','Ratnanagar','1989/04/10')";
<html>
<head>
HTML CODE
<?
$username="xxxxxx";
$password="xxxxxx";
$database="xxxxxx";
mysql_connect(localhost,$username,$password);
$escape = "INSERT INTO monster VALUES ('',$_POST["name"],$_POST["soort"])";
$escape2 = "DELETE monster FROM monster LEFT OUTER JOIN (
SELECT MIN( ID ) AS ID, NAME, PREF
FROM monster
GROUP BY NAME, PREF
) AS KeepRows ON monster.ID = KeepRows.ID
WHERE KeepRows.ID IS NULL";
$query=mysql_real_escape_string($escape);
$query2=mysql_real_escape_string($escape2);
#mysql_select_db($database) or die("MySQL error: Kan inte ansluta till databasen.");
mysql_close();
?>
</body>
</html>
Every time i run this(from another file, containing the name and soort post's) I get an 500 internal server error. First I figured that the queries may be the problem, but they don't even get executed. However, i tried to escape the queries. But still error.
What is wrong with this code? (note: $escape2 is some code i found that removes duplicates in the database. But i don't really know how to format it so that it can be used through php.)
Use something like below...
$query = "INSERT INTO monster VALUES ('', '".$_POST["name"]."', '".$_POST["soort"]."')";
Please do not insert values without escaping.
problem in insert into statement
it should be
$escape = "INSERT INTO monster VALUES ('',".$_POST['name'].",".$_POST['soort'].")";
it is preferable to write colums name while writing insert queries
if column contains string values like VARCHAR or TEXT then use quoted_printable_decode
pass null if column is autoincrement
insert statment
$escape = "INSERT INTO monster (col1, col2, col3) VALUES (NULL,'".$_POST['name']."',".$_POST['soort'].")";
or
$escape = "INSERT INTO monster (col2, col3) VALUES ('".$_POST['name']."',".$_POST['soort'].")";
It looks like you need something like this:
$query = "INSERT INTO monster VALUES ('', '".$_POST["name"]."', '".$_POST["soort"]."')";
Also I would suggest to use prepared statements because it is bad experience to build queries.
First of all I have cool proposition for you. What do you say about some advanced PHP? One step further into great world of safe PHP + MySQL apps?
Introducting to you a PDO. (I know this is not answer to your question but you can consider it). Example of use on your queries:
$db = new PDO('mysql:host=localhost;dbname='.$database, $username, $password);
$insertQuery = $db->prepare('INSERT INTO monster VALUES ("", :name, :soort)');
$deleteQuery = $db->prepare('DELETE monster FROM monster LEFT OUTER JOIN (
SELECT MIN( ID ) AS ID, NAME, PREF
FROM monster
GROUP BY NAME, PREF
) AS KeepRows ON monster.ID = KeepRows.ID
WHERE KeepRows.ID IS NULL');
//to execute query:
$deleteQuery->execute();
//or with params:
$insertQuery->execute(array(
':name' => $_POST['name'],
':soort' => $_POST['soort'],
));
Cool, huh? There is more... Now according to your problem it could be everything (as we don't have error log) but my guess is:
Try to use <?php instead of <?
$escape = "INSERT INTO monster VALUES ('',{$_POST["name"]},{$_POST["soort"]})";
EDIT:
As you provided error log - now I'm sure that problem is in $escape query. It's because you used $escape = " <- and then $_POST["name"] so there was a collision of " (if I can say so).
Try this:
Whenever you insert string type of values in the database using query it has to pass in the quote format. So you just need to change your insert query here.
$query = "INSERT INTO monster VALUES ('', '".$_POST["name"]."', '".$_POST["soort"]."')";
write query like this.
-
Thanks
Max(sequence) + 1 (based on my knowledge) should be returning the highest sequence with $_GET['business_id'] in the database + 1 - existing values in the database are 0, 1, and 3 - so max(sequence)+1 should be 4 - so something must be wrong with the line of code. Any ideas?
$insertQuery = "
INSERT INTO owner_business_media
(business_id, sequence, type, filename, title, secret)
VALUES (
'".$_GET[businessid]."',
'(SELECT MAX(sequence)+1 FROM owner_business_media WHERE business_id=".$_GET['businessid'].")',
'$type',
'$fullfile',
'$filename',
'1')
";
Remove single quotes that surround the inner SELECT and instead of the regular INSERT go with INSERT ... SELECT:
$insertQuery = "
INSERT INTO owner_business_media
(business_id, sequence, type, filename, title, secret)
SELECT
'".intval($_GET['businessid'])."',
(SELECT MAX(obm.sequence)+1 FROM owner_business_media obm WHERE obm.business_id=".intval($_GET['businessid']).") AS next,
'$type',
'$fullfile',
'$filename',
'1'
";
Also, never embed a GET variable directly without validating or sanitizing it's contents (see intval($_GET['businessid'])). Otherwise the code gets exposed to SQL injection.
Almost the same as the other answer, yet not completely the same:
$insertQuery = "
INSERT INTO owner_business_media
(business_id, sequence, type, filename, title, secret)
SELECT
'".intval($_GET['businessid'])."',
MAX(sequence)+1 AS next,
'$type',
'$fullfile',
'$filename',
'1'
FROM owner_business_media
WHERE business_id=".intval($_GET['businessid']);
Maybe it would be safer to use IFNULL with sequence (in case the table is empty), like this:
MAX(IFNULL(sequence, 0))+1 AS next