I've been using wampserver for a php project, but DML queries are not working for me. Here is some test code I've been using
$query='insert into register(first_name) values("swagmaster")';
echo($query);
$query = mysqli_real_escape_string($connection,$query);
echo"<br>$query";
if(mysqli_real_query($connection,"'".$query."'")===TRUE)
{
echo"woohoo!";
}
else
{
echo"query failed";
}
echo(mysqli_error($connection));
I get the following output when i run this:
insert into register(first_name) values("swagmaster")
insert into register(first_name) values(\"swagmaster\") query failed
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''insert into register(first_name) values(\"swagmaster\")'' at line 1
However, a select statement works fine. I suspect the issue is in mysql settings. Any suggestions?
UPDATE:
Using a combination of your tips, the query is now working. Thank you all!
Please try this query
$query = "INSERT INTO `register` SET `fieldname`='{$vaue}',`field2`='{$value2}'";
Change the query from
$query='insert into register(first_name) values("swagmaster")';
to
$query="insert into register(first_name) values('swagmaster')";
Also as Fred-ii said you dont need to add ' here
if(mysqli_real_query($connection,"'".$query."'")===TRUE)
change to
if(mysqli_real_query($connection,$query)===TRUE)
You used
$query = mysqli_real_escape_string($connection,$query);
But this escaped all quotes in query. This is incorrect. For protected fro SQL injection you should use escape function only to value instead query.
For your example you not need this string.
But if you use variables then you should use it
$value = "swagmaster";
$value = mysqli_real_escape_string($value);
$query='insert into register(first_name) values("' . $value . '")';
In $query is already correct query. And add quotes is incorrect. Just use
if(mysqli_real_query($connection, $query)===TRUE)
Related
I have moved to IIS 8 in PHP 5.4. I am trying to collect data from a table and insert them to a different one, i know my code is correct, but seems to be not working, probably because of the php version, can anyone help me?
here's my code
$query = odbc_exec($conn, "SELECT * FROM member");
while($rows = odbc_fetch_array($query)) {
$querystring = "INSERT INTO oldusers (username, password, regdate) VALUES ('$rows['userid']', '$rows['passwd']', '$rows['registdate']')";
$query2 = odbc_exec($conn, $querystring);
odbc_free_result($query2);
//echo $rows['userid']." ".$rows['passwd']." ".$rows['registdate']."<br>";
}
thanks in advance.
instead trying to insert one by one record, better to insert like below:
INSERT INTO oldusers (username, password, regdate) SELECT userid,passwd,registdate FROM member
for more information :http://dev.mysql.com/doc/refman/5.5/en/insert-select.html
You're placing $rows['passwd'] inside of a double-quoted string. Instead you should do:
$str = "some sql $rows[passwd] rest of sql"; // notice the absence of single quotes
or:
$str = "some sql {$rows['passwd']} rest of sql";
or (I think this way is most readable):
$str = 'some sql' . $rows[passwd] . ' rest of sql';
If your column contains text you'll need to add surrounding single quotes where necessary.
Having said all that, you should instead use parameterized queries (if your database supports it) as it's safer (from SQL injection). If that's unavailable you will at the very least need to escape the data before concatenating it to the string.
I want to insert a record with an apostrophe into a MySQL database using PHP. Following is my code:
$importer_name =mysql_escape_string ($objWorksheet->getCellByColumnAndRow(1,3)->getValue());
$exporter_name = $objWorksheet->getCellByColumnAndRow(1, 3)->getValue();
$prod_quantity_unit = $objWorksheet->getCellByColumnAndRow(1,6)->getValue();
$prod_fob_value = $objWorksheet->getCellByColumnAndRow(5,6)->getValue();
$prod_quantity = $objWorksheet->getCellByColumnAndRow(1,8)->getValue();
$prod_fob_unit= $objWorksheet->getCellByColumnAndRow(5,8)->getValue();
$prod_gross_waight= $objWorksheet->getCellByColumnAndRow(1,10)->getValue();
$prod_cif_value= $objWorksheet->getCellByColumnAndRow(5,10)->getValue();
$prod_net_weight= $objWorksheet->getCellByColumnAndRow(1,12)->getValue();
$prod_cif_unit_price= $objWorksheet->getCellByColumnAndRow(5,12)->getValue();
$prod_brand= $objWorksheet->getCellByColumnAndRow(5,14)->getValue();
$hs_code = $objWorksheet->getCellByColumnAndRow(1,17)->getValue();
$shipping_date = $objWorksheet->getCellByColumnAndRow(5,17)->getValue();
$customs = $objWorksheet->getCellByColumnAndRow(1,19)->getValue();
$transport_company = $objWorksheet->getCellByColumnAndRow(5,19)->getValue();
$country_of_origin = $objWorksheet->getCellByColumnAndRow(1,21)->getValue();
$transport_mode = $objWorksheet->getCellByColumnAndRow(5,21)->getValue();
$country_of_trade = $objWorksheet->getCellByColumnAndRow(1,23)->getValue();
$hs_code_description = $objWorksheet->getCellByColumnAndRow(1,26)->getValue();
$product_description = $objWorksheet->getCellByColumnAndRow(1,28)->getValue();
$insertquery="INSERT INTO tb_peru_data
(importer_name,exporter_name,product_quantity_unit,
product_fob_unit,product_quantity,product_fob_value,
product_gross_weight,product_cif_value,
product_net_weight,product_cif_unit_price,
product_brand,shipping_hs_code,shipping_date,
shipping_customs,shipping_transport_company,
shipping_country_of_origin,shipping_transport_mode,
shipping_country_of_trade,hs_code_description,
product_description)
VALUES
('$importer_name','$exporter_name','$prod_quantity_unit',
'$prod_fob_unit','$prod_quantity','$prod_fob_value',
'$prod_gross_waight','$prod_cif_value','$prod_net_weight',
'$prod_cif_unit_price','$prod_brand','$hs_code','$shipping_date',
'$customs','$transport_company','$country_of_origin',
'$transport_mode','$country_of_trade',
'$hs_code_description','$product_description')";
mysql_query($insertquery)or die('ErrorrPERU: '.mysql_error());
/*$del="DELETE * FROM tb_excel_file";
mysql_query($del);*/
?>
This does not work, and gives the following error:
you have an error in your SQL syntax; check the manual that corresponds
to your MySQL server version for the right syntax to use near
's','12U','6','9','54',
'34.83','55.5','31.83','6.17','','7323931000','2008/04/1' at line 3
Use mysqli_real_escape_string instead of deprecated mysql_real_escape_string
This function will force you to input mysql table / database.
This way your collation will be considered while escaping
You can use real_escape_string() in PHP. You need to escape the apostrophe (that is, tell SQL that the apostrophe is to be taken literally and not as the beginning or end of a string). To add more, I'd say that you can also use PDO, but consider using addslashes($string) and stripslashes($string).
I have this update statement:
mysql_query ("UPDATE loan SET loan_reff_id='$_POST[loan_reff_id]',
commit_date='$_POST[commit_date]',app_loan_type='Tertiary Loan',
app_ln_amnt='$_POST[app_ln_amnt]', institution_name='$_POST[institution_name]',
app_course='$_POST[app_course]',course_length='$_POST[course_length]',
course_cost='$_POST[course_cost]', app_trm_pymnt='$_POST[app_trm_pymnt]',
app_intrst_rate=3
WHERE app_file_id='$_POST[app_file_id]'");
However wen I run the query it says query empty, what do you think might be the problem
Im using mysql and php
This one is not empty.
You are getting such an error from some other query.
According this one, to make it sane at the very least,
foreach($_POST as $key => $value) {
$_POST[$key] = mysql_real_escape_string($value);
}
$sql = "UPDATE loan SET loan_reff_id='$_POST[loan_reff_id]',
commit_date='$_POST[commit_date]',app_loan_type='Tertiary Loan',
app_ln_amnt='$_POST[app_ln_amnt]', institution_name='$_POST[institution_name]',
app_course='$_POST[app_course]',course_length='$_POST[course_length]',
course_cost='$_POST[course_cost]', app_trm_pymnt='$_POST[app_trm_pymnt]',
app_intrst_rate=3
WHERE app_file_id='$_POST[app_file_id]'";
mysql_query($sql) or trigger_error(mysql_error()." in ".$sql);
You should not use directly $_POST values in your queries, you risk SQL injections, try using PDO.
Regarding the empty query, you must have a problem with simple/double quotes and concatenation.
Finally, are you sure you do not violate any constraint in your table ? NOT NULL, etc...
<?php
ob_start();
$id=$_REQUEST['req-id'];
// #header("location:feed.php?tumblr_id=$id");
echo "aaaa";
include_once('../config/config.php');
echo $name=$_REQUEST['req-name'];
echo $id=$_REQUEST['req-id'];
echo $mobile=$_REQUEST['req-mobile'];
echo $Email=$_REQUEST['req-email'];
echo $select=$_REQUEST['image'];
echo $img=$_REQUEST['img'];
echo $audio=$_REQUEST['audio'];
echo $ado=$_REQUEST['ado'];
echo $regular=$_REQUEST['regular'];
echo $reg=$_REQUEST['reg'];
echo $video=$_REQUEST['video'];
echo $vdo=$_REQUEST['vdo'];
echo $link=$_REQUEST['link'];
echo $lnk=$_REQUEST['lnk'];
echo $quote=$_REQUEST['quote'];
echo $qte=$_REQUEST['qte'];
echo $fbPid=$_REQUEST['fbPid'];
$sql="update tumblr set (tumblr_name,tumblr_id,mobile_no,Email,img_post,link_post,ado_post,vdo_post,reg_post,qte_post) values('$name','$id','$mobile','$Email','$img','$lnk','$ado','$vdo','$reg','$qte')";
$res=mysql_query($sql) or die(mysql_error());
?>
I am getting error: - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '(tumblr_name,tumblr_id,mobile_no,Email,img_post,link_post,ado_post,vdo_post,reg_' at line 1
UPDATE tumblr
SET tumblr_name = '$name',
tumblr_id = '$id',
mobile_no = '$mobile',
Email = '$Email',
img_post = '$img',
link_post = '$lnk',
ado_post = '$ado',
vdo_post = '$vdo',
reg_post = '$reg',
qte_post = '$qte'
You are trying to execute an update query based on an insert's format. Check the update query format.
In addition, your code is HIGHLY insecure. At least use mysql_real_escape_string(), e.g. $name=mysql_real_escape_string($_REQUEST['req-name']); to protect against SQL injection.
You are confusing the insert syntax with the update syntax. The update syntax is detailed here: http://dev.mysql.com/doc/refman/5.0/en/update.html
Example:
UPDATE table
SET
col1 = value1,
col2 = value2
WHERE
...
You are using INSERT syntax in an UPDATE statement.
Update looks like this:
UPDATE tableone SET fieldone='one' WHERE id=2;
For example.
UPDATE syntax is
UPDATE `tablename` SET `column`=value, `column`=value, ... WHERE conditions
u use INSERT syntax.
And what have you done to diagnose the problem?
Showing us all those echo statements doesn't really help - it might have done if you'd told us what the values were. You're not escaping any of the values you are putting in your SQL statement. You seem to be quoting values which may be numeric. You've included an ob_start() statement which is also entirely irrelevant but there's no mysql_connect here.
But the reason your code is failing is because there is no 'UPDATE....VALUES...' statement in SQL. Use 'INSERT INTO...VALUES....ON DUPLICATE KEY UPDATE'.
$db = mysql_connect("localhost","root","123");
mysql_select_db("website_categorization") or die("\n error selecting database" );
$keyword_array = preg_split('/[\s,]+/', $tag);
foreach($keyword_array as $tag1)
{
mysql_query("INSERT INTO category_keyword(ID_Category, Keyword) VALUES(2,$tag1)");
}
echo "\nAffected rows are ".mysql_affected_rows()."\n";
mysql_close($db);
Can u tell me what is the problem with this code??...I intend to insert rows into the category_keyword table from an array $keyword_array. I get errors "Affected rows are -1" and insertion does not work
You should quote and escape string values.
You should also handle errors, to be notified of them.
You should also write distinct statements, to be able to read your code later (as well as let others to read it).
$tag1 = mysql_real_escape_string($tag1);
$sql = "INSERT INTO category_keyword(ID_Category, Keyword) VALUES(2,'$tag1')";
mysql_query($sql) or trigger_error(mysql_error()." in ".$sql);
insert multiple rows via a php array into mysql
You need to encapsulte the string $tag in a query, otherwise mysql will think its a column name
mysql_query("INSERT INTO category_keyword(ID_Category, Keyword) VALUES(2,'".mysql_real_escape_string($tag1)."')");
You should quote and escape your string columns
$tag1 =
mysql_real_escape_string($tag1);
mysql_query("INSERT INTO
category_keyword(ID_Category, Keyword)
VALUES(2,'$tag1')");
You should also handle the mysql query errors to know why the query get failed. With the current code you never know why it is failing.It is better to handle mysql errors.
mysql_query('Your query') or trigger_error(mysql_error());
You can use this:
mysql_query("INSERT INTO category_keyword SET ID_Category=2, Keyword=".$tag1.");
Better syntax to understand :)