Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Questions asking for code must demonstrate a minimal understanding of the problem being solved. Include attempted solutions, why they didn't work, and the expected results. See also: Stack Overflow question checklist
Closed 9 years ago.
Improve this question
Been sitting here all morning trying to improve safety when users create a new user in my system. And finally when everything is fixed and everything works, and at the end of the code where i send informations to the database, im getting a SQL syntax error sigh!!
Here's the error i get:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'by) VALUES('tester', 'blabla', 'xx', 'bla#bla.dk', '1387708599', './gfx/profilbi' at line 1
And heres my code..
mysql_query("INSERT INTO brugere (brugernavn, kodeord, salt_encrypt, email, timestamp, img, ip, status, by) VALUES('$_POST[brugernavn]', '$_POST[kode]', 'vissevasse', '$_POST[email]', '$time', '$uploadfile', '$ip_adresse', '0', '$_POST[by]') ") or die(mysql_error());
hope you guys can spot this one, because i can't!
BY is a mysql reserved keyword you need to wrap it with back-ticks
INSERT INTO brugere (`brugernavn`, `kodeord`, `salt_encrypt`, `email`, `timestamp`, `img`, `ip`, `status`, `by`) ....
Reserved Words in MySQL
by
is a reserved mysql keyword
even when you code no longer will throw an error it is HIGHLY advisable that you do NOT use something like
'$_POST[brugernavn]'
directly in a query. Google for sql injection and maybe also consider what xkcd has to say about this
Your code is vulnerable to SQL Injection.
fetch post parameter using
$something = mysqli_real_eacape_string($_POST['<something>']);
and then use that variable in your insert query.
Also since mysql is deprecated use mysqli/PDO
For reserved mysql keyword try to use back tick character (`)
eg:
INSERT INTO users (by) VALUES ('Jibran')
Related
Closed. This question is not reproducible or was caused by typos. It is not currently accepting answers.
This question was caused by a typo or a problem that can no longer be reproduced. While similar questions may be on-topic here, this one was resolved in a way less likely to help future readers.
Closed 8 years ago.
Improve this question
I have been trying to insert data from form in two tables but I didn't get lucky, and the last I have tried got the first table inserted but the second table is empty and nothing inserted to it, below is my query code:
$query1=mysql_query("INSERT INTO $Tname (tnumber2, results, idate, iaddress, tstatus, saddress, scountry, ddate, daddress) VALUES('$tnumber2','$results','$idate','$iaddress','$tstatus','$saddress','$scountry','$ddate','$daddress')");
$id = mysql_insert_id();
$query2=mysql_query("INSERT INTO $UPname (tnumber2, pdate, act, paddress, up) VALUES('$tnumber2','$pdate','$act','$paddress','$up')");
I am getting this error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'update (tnumber2, pdate, act, paddress, up) VALUES('59644039299744','59644039299' at line 1
From the error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'update (...
it looks like your table is called update
That's a reserved word in SQL, so it's generating an error.
If possible, you should rename the table, as using reserved words as table or column names is confusing; but if that's not feasible, you can escape the name with backticks; try this as your second SQL call:
INSERT INTO `$UPname` (tnumber2, pdate, act, paddress, up) VALUES('$tnumber2','$pdate','$act','$paddress','$up')");
I'll also add the compulsory warning that mysql_ functions are deprecated, and you should switch to mysqli_ or PDO - they both help you write safer code. Also, if you're going to be using variables for table names, you need to be make sure that you're validating them very, very well.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Questions asking for code must demonstrate a minimal understanding of the problem being solved. Include attempted solutions, why they didn't work, and the expected results. See also: Stack Overflow question checklist
Closed 9 years ago.
Improve this question
I'm using the below query to insert data into a MySQL database. But this not working.
I'm also using this type query in my other page and that's working fine.
This is the SQL query:
$query="INSERT INTO `add7ras_work`.`movies` (`url`, `title`, 'description')
VALUES ('$url','$title', '$desc');";
$result=mysql_query($query);
You used single quotes around description instead of backticks:
$query="INSERT INTO `add7ras_work`.`movies` (`url`, `title`, `description`) VALUES ('$url','$title', '$desc');";
Standard disclaimer: Read up on PDO and MySQLi as mysql_x functions are deprecated.
Bad quoting:
$query="INSERT INTO `add7ras_work`.`movies` (`url`, `title`, 'description')
^-- ^---
' quotes in SQL turn the quoted data into a string. This means you're using a string in a fieldname context, which does not work.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Questions asking for code must demonstrate a minimal understanding of the problem being solved. Include attempted solutions, why they didn't work, and the expected results. See also: Stack Overflow question checklist
Closed 9 years ago.
Improve this question
I have problem with query, anybody see something bad?
INSERT INTO messages (subject, from, recipient, text, time)
VALUES
('Welcome in King of the States!','The Game','$username','Hello $username, THIS MESSAGE IS DISPLAYED IN ENGLISH AUTOMATICLY SORRY FOR THAT! this game is in baby stadium so if you will see any bugs, please report them to our help desc system','$time')
Error from sql:
#1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'from, recipient, text, time) VALUES ('Welcome in King of the States!','The Gam' at line 1
from is a mysql reserved word. try placing from in backtick
Like below:
`from`
try to do:
INSERT INTO messages (`subject`, `from`, `recipient`, `text`, `time`)
VALUES
('Welcome in King of the States!','The Game','$username','Hello $username, THIS MESSAGE IS DISPLAYED IN ENGLISH AUTOMATICLY SORRY FOR THAT! this game is in baby stadium so if you will see any bugs, please report them to our help desc system','$time')
From is the reserve keyword in the mysql so use the below query:
INSERT INTO `messages` (`subject`, `from`, `recipient`, `text`, `time`)
VALUES
('Welcome in King of the States!',
'The Game','$username',
'Hello $username,
THIS MESSAGE IS DISPLAYED IN ENGLISH AUTOMATICLY SORRY FOR THAT! this game is in baby stadium so if you will see any bugs, please report them to our help desc system','$time')
"INSERT INTO messages SET subject='Welcome in King of the States!',from='The Game',recipient='".$username."',text='Hello.$username', time=''";
Instruction:
from is a keyword in mysql. So you can not use directly in query like this.
You need to parse it every time and for that use backtick
use it like from
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 8 years ago.
This question appears to be off-topic because it lacks sufficient information to diagnose the problem. Describe your problem in more detail or include a minimal example in the question itself.
Questions concerning problems with code you've written must describe the specific problem — and include valid code to reproduce it — in the question itself. See SSCCE.org for guidance.
Improve this question
mysql_query("
INSERT INTO `LMS`.`Presentation`
('Pre_Name' ,'Path' ,'PLec_ID' ,'pdatein' ,'pdesc','PSems_ID')
values
('$fname','$newname','$com',NOW(),'$filedesc','$semes')"
) or die("failed");
Dear All,
I have a table named presentation and I am going to enter value to it, it is mentionable that $com and $sems are comboboxs value, but the query show failed, anyone could help please,
thanks in advance
You're using quotes when you should be using backticks:
mysql_query("INSERT INTO `LMS`.`Presentation` (`Pre_Name`, `Path`, ...
Or simply don't use any special character. The backtick is only necessary if you do something silly like use a reserved word as a column name and I would hope people would choose their column names to be more readable.
In other words, date and in and select are silly names for columns, you should be using expiry_date, isInLocation and selectionStatus.
change or die("failed") into or die(mysql_error()) and you'll know why.
btw, consider changing from mysql functions to mysqli functions. And use parameterized queries. Otherwise you will be open to SQL injection.
mysql_query("
INSERT INTO table
(column1, column2, column3, column4 .... columnX)
VALUES(column1Data,column2Data, column3Data, column4Data ... columnXdata)
") or die(mysql_error());
> rove on this example and if there isnt a alias for a table then could not use a alias.
everything hiddends on details..
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question appears to be off-topic because it lacks sufficient information to diagnose the problem. Describe your problem in more detail or include a minimal example in the question itself.
Closed 8 years ago.
Improve this question
With a the code,
mysql_query("INSERT INTO Messages (Message, toUser, From, Date) VALUES ('$mes','$to','$from','$date')")
I'm getting an SQL syntax error. What is the reason for this? I see nothing wrong with the syntax.
DATE is a reserved word in SQL, so I gather that it's triggering a syntax error when you use it as a column name because MySQL tries to parse it as something other than a column name.
Either escape your identifiers with backticks:
mysql_query("INSERT INTO `Messages` (`Message`, `toUser`, `From`, `Date`) VALUES ('$mes','$to','$from','$date')")
Or better, see if you can rename the column to something else that doesn't need escaping.
My guess is someone put a ' in one of the variables, thus making a query like
INSERT INTO Messages (Message, toUser, From, Date) VALUES ('Test','Joe O'Neil','Jack Smith','2011-12-20')
This is a syntax error because of the ' in "O'Neil". You need to escape your variables before using them in SQL.
$mes = mysql_real_escape_string($mes);
$to = mysql_real_escape_string($to);
$from = mysql_real_escape_string($from);
$date = mysql_real_escape_string($date);
mysql_query("INSERT INTO Messages (Message, toUser, From, Date) VALUES ('$mes','$to','$from','$date')");
Make your query, like:
//use mysql_real_escape_string for variables
mysql_query("INSERT INTO Messages (`Message`, `toUser`, `From`, `Date`) VALUES ('$mes','$to','$from','$date')")
There's probably a character in your variables that requires escaping. Use mysql_real_escape_string as described here: http://php.net/manual/en/function.mysql-real-escape-string.php