I have a PHP file that recieves an associative array of name, email and password.
When I try to insert the data using PHP MySQL query in this PHP file, it flashes following error
"You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use
near '#gmail.com, qweqwe)' at line 1"
My PHP code is as follows:
$data = array
(
'name' => $name,
'email' => $email,
'password' => $password,
);
mysql_query("INSERT INTO `other_doktrs` (`dnme` ,`emyl` ,`paswrd`) VALUES ($name, $email, $password)");
I tried to change the order of column names but it was of no help.
thanks in advance
You still need to put quotes around strings if you want to use the old direct (and SQL Injection prone) methods:
mysql_query("INSERT INTO `other_doktrs` (`dnme` ,`emyl` ,`paswrd`) VALUES ('$name', '$email', '$password')");
You really should look at PDO though and prepared statements. Much much safer - and as a bonus when you pass params, you don't need the quotes. Irony huh? :)
Try this :
mysql_query("INSERT INTO `other_doktrs` (`dnme` ,`emyl` ,`paswrd`) VALUES ('$name', '$email', '$password')");
Try this,
mysql_query("INSERT INTO `other_doktrs` (`dnme` ,`emyl` ,`paswrd`) VALUES ("'.$name.'"," '.$email.'", "'.$password.'")");
passing query with quotes.
Hope this helps you.
Related
I have an error with my insert into line, it's about this bad boy
mysql_query("INSERT INTO accounts('username', 'password', 'firstname', 'lastname', 'email')
VALUES($username, $password, $firstname, $lastname, $email)")
or die("Could not create account! <br/>" . mysql_error());
the error I am supplied with is the following:
Could not create account!
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''username', 'password', 'firstname', 'lastname', 'email') VALUES(test, test,' at line 1
I suspect it has something to do with the variables not being called correctly?
There are a variety of problems, so I'll summarize them:
INSERT INTO t1 ('col' -- note that 'col' is wrapped in quotes. This means that it attempts to insert into the string literal "col1" rather than the column name. Remove the quotes and replace them with backticks (or nothing)
The values themselves are not wrapped in quotes. You have VALUES(test -- this semantically means insert the value of column "test," which makes no sense. You actually need to wrap this one in quotes.
I'd venture to guess that none of the input parameters are properly escaped. You should use properly parameterized queries with PDO or mysqli.
My friend the fields in the querys shouldn't be quoted. Try this:
mysql_query("INSERT INTO accounts (username, password, firstname, lastname, email) VALUES($username, $password, $firstname, $lastname, $email)") or die("Could not create account!" . mysql_error());
Good luck
you don't have to use quotes ' in the query but backtick `
mysql_query("INSERT INTO `accounts` (`username`, `password`, `firstname`, `lastname`, `email`) VALUES('".$username."', '".$password."','". $firstname."', '".$lastname."', '".$email."')") or die("Could not create account! " . mysql_error())
insert into documentation
I would like to also to remember you that mysql_ functions are deprecated so i would advise you to switch to mysqli or PDO for new projects.
mysql_query is not recommended, soon to be deprecated. Probably best to use PDO or mysqli instead.
http://php.net/manual/en/function.mysql-query.php
But to answer your question, I believe it's because your column names are in single quotes(rather than backticks).
It's your values that need to be within single-quotes. You'll probably want to run mysql_real_escape_string on those variables too, to prevent SQL injection. Or just use PDO prepared statements instead.
http://php.net/manual/en/pdo.prepared-statements.php
I am using following insert command to insert value in my db table called demo_organization
$sql = "INSERT INTO demo_organization (org_name, abn_acn_no, org_url,city,
state, country, pin, street, primary_mobile,
secondary_mobile, primary_landline,
secondary_landline, primary_email, secondary_email)
VALUES ($org_name, $abn_acn_no, $org_url, $city, $state, $country,
$pin, $street, $primary_mobile, $secondary_mobile,
$primary_landline, $secondary_landline, $primary_email,
$secondary_email)";
$result = mysql_query($sql) or die (mysql_error());
in php
but i am getting error like
You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use
near '://loc.com,Melburn,Melburn,Australia,56007,123 park
avenue,+6190567890,+89685552' at line 2
i am completely new in php mysql please tell me what i am doing wrong
You are missing single quotes around the text values:
insert into demo (org_name, abn_acn_no) values ('$org_name', abn_acn_no);
// assumes that abn_acn_no is numeric.
You also cannot pass an empty variable into the query. If you don't have it, you will need to insert it as , null, rather than as a variable with no value - which would result in , , which SQL won't accept - even if the column accepts null values.
If you will be using MYSQL, you need to escape the values mysql_escape_string($string)
There is a problem with the url provided in the query, try escaping it and running it again.
Otherwise, MYSQL is becoming depreciated, use MYSQLi or PDO
http://php.net/manual/en/book.mysqli.php
http://php.net/manual/en/book.pdo.php
your code is vulverable with your sql injection. I'll recomend MYSQLi or PDO. But anyway, your values that are string format should be wrap with single quotes.
$sql = "INSERT INTO demo_organization (org_name, abn_acn_no, org_url,city,
state, country, pin, street, primary_mobile,
secondary_mobile, primary_landline,
secondary_landline, primary_email, secondary_email)
VALUES ('$org_name', 'abn_acn_no, '$org_url', '$city', ...,
'$secondary_email')";
I don't know what's wrong with my syntax, but I'm missing something:
$createrequest = mysql_query("INSERT INTO products_updates_queue (id, kid,
product_version_id, key, ip) VALUES ('$request_id', '$uid', '$version_id',
'$request_key', '$request_ip')");
I receive this error:
"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'key, ip) VALUES ('j4ctveyd0x62', '1', 'z451ah3', 'hqbyu7bhg8za', '64.134.163.2' at line 2"
Can anyone see what I am missing?
I think key is a reserved word, and you should avoid using it as a column name. Try using backticks around it:
$createrequest = mysql_query("INSERT INTO products_updates_queue (id, uid, product_version_id, `key`, ip) VALUES ('$request_id', '$uid', '$version_id', '$request_key', '$request_ip')");
key is a reserved word in MySQL. Avoid it, or wrap it in backticks.
Edit: And I hope you escaped the variables you're putting into that query.
So this is probably a dumb beginner question, but I've been looking at it and can't figure it out. A bit of background: just practicing making a web app, a form on page 1 takes in some values from the user, posts them to the next page which contains the code to connect to the DB and populate the relevant tables.
I establish the DB connection successfully, here's the code that contains the query:
$conn->query("SET NAMES 'utf9'");
$query_str = "INSERT INTO 'qa'.'users' ('id', 'user_name','password' ,'email' ,'dob' ,'sx') VALUES (NULL, $username, $password, $email, $dob, $sx);";
$result = #$conn->query($query_str);
Here's the error that is returned:Insert query failed: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''qa'.'users' ('id', 'user_name' ,'password' ,'email' ,'dob' ,'s' at line 1
Thanks in advance!
Unless it's changed since I did MySQL in PHP, escape your db/column/table names with backticks (`), not apostrophes (').
A good general trouble-shooting technique is to make the query work via another interface to the database. For example, phpMyAdmin. If it works there, you have some confidence going forward. or you may find how to fix your SQL. (phpMyAdmin is handy because it will convert your SQL into a ready-made string for PHP.)
You need to escape your column names with a backtick (`) instead of (')
You also need to properly escape the actual values you are inserting as well (use a single quote)
OMG not a single right answer
$query_str = "
INSERT INTO `qa`.`users` (`id`, `user_name`,`password` ,`email` ,`dob` ,`sx`)
VALUES (NULL, '$username', '$password', '$email', '$dob', '$sx')";
identifiers being quoted with backticks, while strings being quoted with apostrophes!
and I hope you have passed all your variables through mysql_real_escape string BEFORE putting it into query, i.e.:
$username = mysql_real_escape string($username);
and so on
I'm by no means experienced in mysql and keep getting an error in this lines of code:
$sql= "INSERT INTO songs (unique_show_id, artist, date, year, city, state, venue, taper, transfered_by, source, mic_loc, lineage, uploaded_by, uploaded_on, show_notes, show_xml)
VALUES('$showId', '$artist', '$showDate', '$year, '$city', '$state', '$venue', '$taper', '$transferer', '$source', '$mic_loc', '$lineage', '$uploader', NOW(), '$show_notes', '$show_xml')";
//check to see if the query went through
if (!mysql_query($sql,$con)){
echo "query fail";
die('Error: ' . mysql_error());
}
I'm sure it's something simplistic, but I can't see where the error is. The error message I get is:
query failError: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'ipuhgbi', 'CA', '', '', '', '', '', '', 'danwoods', NOW(), '', '<show id=\'gm198' at line 2
Some of the values I'm inserting are NULL, but from what I've read I don't think that should be a problem. Any ideas?
Missing quote after $year.
When MySQL issues such an error (near bla di bla), the error is usually immediately before the string it mentions. In this case 'ipuhgbi' maps to $city, so you know it's right before '$city', and what do we see there? Voila, a missing quote.
You need to use mysql_real_escape_string() in each and every single one of your $variables.
Also, read this StackOverflow question carefully regarding SQL Injections.
It looks like the last single quote on the error line is not escaped.
you need to remember to sanitize all of the strings going into the query.
There are quite few things you need to be sure about:
You don't insert primary keys through queries (eg unique_show_id in your code)
For numbers you don't use single quotes.
It is better to use the set variant of inserting records which avoids count problems eg:
Use intval for numbers and mysql_real_escaps_string for strings to avoid injections issues as well as single quotes query erros.
insert into table set field='field_value', field2='field_value' // and so on