SQL syntax error: can't be found - php

I'm new to SQL so I'm probably missing something. Apparently I have a syntax error on this line:
$mysql = 'INSERT INTO Orders (Name, Recipient, Destination, Room, Message, Anonymous, OffCampus, OffCampusAddress) VALUES (?, ?, ?, ?, ?, ?, ?, ?)';
Could anyone help me identify what I am doing wrong? Thanks in advance.
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?, ?, ?, ?, ?, ?, ?, ?)' at line 1
Here is my parameter binding:
mysqli_stmt_bind_param($stmt, 'ssssssss', $name, $recipient, $destination, $room, $message, $anonymous, $offcampus, $offcampusaddress);

It should look like this:
$link = mysqli_connect('localhost', 'my_user', 'my_password', 'world');
// PHP joins strings with "." (a "+" here would attempt numeric addition)
$mysql = "INSERT INTO Orders\n" .
         "(Name, Recipient, Destination, Room, Message, Anonymous, OffCampus, OffCampusAddress)\n" .
         "VALUES\n" .
         "(?, ?, ?, ?, ?, ?, ?, ?)";
$stmt = mysqli_prepare($link, $mysql);   // prepare first, then bind, then execute
mysqli_stmt_bind_param($stmt, 'ssssssss', $name, $recipient, $destination, $room, $message, $anonymous, $offcampus, $offcampusaddress);
mysqli_stmt_execute($stmt);

Try adding ` around column names and ' around values. It may work.
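Added example, not code from the question or either answer: the complete prepare, bind_param, execute cycle for the Orders INSERT from the first answer, with mysqli configured to throw exceptions so that a syntax error surfaces at the prepare call instead of leaving $stmt as false. The connection details, the Orders table and its columns are taken from the question; the order array keys and the sample values are constructed.

```php
<?php
// Added example (not from the question or answers): prepare -> bind_param ->
// execute for the Orders INSERT, with mysqli raising exceptions on failure.
// Connection details and the Orders table/columns are assumed from the question.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/** Insert one order and return its auto-increment id. */
function insertOrder(mysqli $link, array $order): int
{
    // The SQL text never changes; every data value travels through a
    // placeholder, so a value such as "O'Brien" cannot alter the statement.
    $sql = 'INSERT INTO Orders '
         . '(Name, Recipient, Destination, Room, Message, Anonymous, OffCampus, OffCampusAddress) '
         . 'VALUES (?, ?, ?, ?, ?, ?, ?, ?)';

    // With MYSQLI_REPORT_STRICT this throws mysqli_sql_exception on a bad query
    // instead of returning false.
    $stmt = mysqli_prepare($link, $sql);

    // Eight placeholders, eight type characters, eight values, in column order.
    $values = [
        $order['name'],
        $order['recipient'],
        $order['destination'],
        $order['room'],
        $order['message'],
        $order['anonymous'],
        $order['offcampus'],
        $order['offcampusaddress'],
    ];
    mysqli_stmt_bind_param($stmt, 'ssssssss', ...$values);
    mysqli_stmt_execute($stmt);

    $id = (int) mysqli_insert_id($link);
    mysqli_stmt_close($stmt);
    return $id;
}

// Usage with constructed sample input; the credentials are placeholders.
try {
    $link = mysqli_connect('localhost', 'my_user', 'my_password', 'world');
    $id = insertOrder($link, [
        'name'             => 'Alice Example',
        'recipient'        => 'Bob Example',
        'destination'      => 'North Hall',
        'room'             => '101',
        'message'          => "Happy birthday! Here's a rose.",   // the quote is just data
        'anonymous'        => '0',
        'offcampus'        => '0',
        'offcampusaddress' => '',
    ]);
    echo "Inserted order $id\n";
} catch (mysqli_sql_exception $e) {
    // Log the detail server-side; show the user only a generic message.
    error_log('Order insert failed: ' . $e->getMessage());
    echo "Could not save the order.\n";
}
```

Because the query text is fixed and only the bound values change, the placeholder list must line up with the column list exactly; the type string has one character per placeholder, and the values are spread into bind_param in the same order.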


Getting multiple errors when trying to use Prepared statements in PHP/MySQL

I am trying to use prepared statements as a best practice but I keep getting these errors.
1) You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ') VALUES (?, ?, ?, ?, ?,?, ?, ?, ?, ?)'
2) Undefined index: finalExamGrade in C:\wamp64 (this goes for all the superglobal variables)
3) Fatal error: Call to a member function bind_param() on boolean in C:\wamp64\
Any fixes? Ideas?
PHP/MySQL
require_once("DBCONNECT.php");
$id = $_REQUEST['studentID'];
$last = $_REQUEST['lastName'];
$first = $_REQUEST['firstName'];
$grade1 = $_REQUEST['test1Grade'];
$grade2 = $_REQUEST['test2Grade'];
$grade3 = $_REQUEST['test3Grade'];
$grade4 = $_REQUEST['test4Grade'];
$final = $_REQUEST['finalExamGrade'];
$stmt = $connect->prepare("SELECT * FROM students) VALUES (?, ?, ?, ?, ?,?, ?)");
$stmt->bind_param("issiiiii", $id, $last, $first, $grade1, $grade2, $grade3, $grade4, $final);
$stmt->execute();
var_dump($id, $last, $first, $grade1, $grade2, $grade3, $grade4, $final);
$stmt->close();
$connect->close();
$stmt = $connect->prepare("SELECT * FROM students) VALUES (?, ?, ?, ?, ?,?, ?)");
The above code is the root of all of your problems.
You use SELECT to insert data. It should be INSERT.
There is an extra bracket after the students table.
The total number of parameters doesn't match the bind_param one. There are 7 ? in your code when you want to store 8 variables.
Change it into this code:
$stmt = $connect->prepare("INSERT INTO students(col1, col2, col3, col4, col5, col6, col7, col8) VALUES (?, ?, ?, ?, ?, ?, ?, ?)");
$stmt->bind_param("issiiiii", $id, $last, $first, $grade1, $grade2, $grade3, $grade4, $final);
I don't explain this code any further because it has been discussed on comments.

php mysql bind param parameters

I'm trying out using prepared statements for the first time and running into the following issue with the below code.
Error:
Warning: mysqli_stmt_bind_param() expects parameter 1 to be mysqli_stmt, boolean given
Code :
$stmt = mysqli_prepare($db, "INSERT INTO fragrances(name, description, essentialoils, topnotes, middlenotes, basenotes, reference, year, type, price, fragrancehouse, triangle, extractname, extractreference, extractprice, extractfragrancehouse, disccolour, collarcolour, actuatorcolour)
VALUES(?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)");
mysqli_stmt_bind_param($stmt, 'sssssssssssssssssss', $name, $description, $essentialoils, $topnotes, $middlenotes, $basenotes, $reference, $year, $type, $price, $fragrancehouse, $triangle, $extractname, $extractreference, $extractprice, $extractfragrancehouse, $disccolour, $collarcolour, $actuatorcolour);
mysqli_stmt_execute($stmt);
I've looked at many different questions on here and none of their solutions seem to apply to my problem. Does anyone know what the issue is?
$stmt becomes a boolean only when mysqli_prepare returns false.
When this happens it means it failed to prepare the query therefore you need to check for errors:
$stmt = mysqli_stmt_init($db);
if (mysqli_stmt_prepare($stmt, 'INSERT INTO fragrances VALUES...')) {
    // it's all good, bind and execute here
} else {
    // we have a problem
    printf("Errormessage: %s\n", mysqli_error($db));
}
The error message means your mysqli_prepare returned a boolean (and for your case, it returned false).
You need to replace all your field names with the character ? to make your prepared statement. This is how it works.
See example in the official documentation
EDIT: See also mysqli_error, which will detail your error. In fact, you should always check a variable before using it:
$stmt = mysqli_prepare($db, "....");
if (!$stmt)
    echo mysqli_error($db); // display error only for debug. Avoid this in production
It means your SQL was invalid because the prepare is returning false.
Your SQL should be:
$stmt = mysqli_prepare($db, "INSERT INTO fragrances VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ? )");
Each ? is to show where each parameter needs to be bound respectively.
Your INSERT statement is invalid: the VALUES clause must be with ? in parentheses (and after field names in parentheses). Also good practice is to check $stmt after assigning:
$stmt = mysqli_prepare($db,
    "INSERT INTO fragrances (name, description, essentialoils, topnotes, middlenotes, basenotes, reference, year, type, price, fragrancehouse, triangle, extractname, extractreference, extractprice, extractfragrancehouse, disccolour, collarcolour, actuatorcolour)
     VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)");
if ($stmt) {
    mysqli_stmt_bind_param($stmt, 'sssssssssssssssssss', $name, $description, $essentialoils, $topnotes, $middlenotes, $basenotes, $reference, $year, $type, $price, $fragrancehouse, $triangle, $extractname, $extractreference, $extractprice, $extractfragrancehouse, $disccolour, $collarcolour, $actuatorcolour);
    mysqli_stmt_execute($stmt);
    // ...
} else {
    printf("Error: %s\n", mysqli_error($db));
}

Why does this prepared statement throw an error?

Having learnt the basics of PHP and MySQL, I am now learning how to protect against SQL injection attacks by using prepared statements. I have the following code:
for ($i = 0; $i < $delegateno; $i++) {
    $q = "INSERT INTO delegates (delegate_id,booker_name, booker_email, booker_tel, booker_company, delegate_name, delegate_email, delegate_tel) VALUES (NULL, ?, ?, ?, ?, ?, ?, ? )"; // Insert delegate information into delegate tables
    $stmt = mysqli_query($dbc, $q);
    mysqli_stmt_bind_param($stmt, 'sssssss', $fullname, $email, $tel, $company, $delegatename[$i], $delegateemail[$i], $delegatetel[$i]);
    mysqli_stmt_execute($stmt);
}
However, this throws:
Notice: Query: INSERT INTO delegates (delegate_id,booker_name, booker_email, booker_tel, booker_company, delegate_name, delegate_email, delegate_tel) VALUES (NULL, ?, ?, ?, ?, ?, ?, ? )
MySQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?, ?, ?, ?, ?, ?, ? )'
What am I doing wrong?
Because you're executing the raw query containing the placeholders. You need to prepare() the query first.
This is how it goes (usually): prepare -> bind_param -> execute -> fetch.
Change:
$stmt = mysqli_query($dbc, $q);
to:
$stmt = mysqli_prepare($dbc, $q);
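Added example, not code from the question or the answer: the same delegates INSERT with the prepare step in place, the statement prepared once and executed once per delegate, and a SELECT afterwards so the whole prepare, bind_param, execute, fetch cycle the answer names is visible. The table and column names come from the question; the sample booker and delegate data are constructed, the connection values are placeholders, and delegate_id is assumed to be AUTO_INCREMENT (which is why the question passes NULL for it).

```php
<?php
// Added example (not from the question or answer): prepare once, execute per
// delegate, then fetch. Table/column names assumed from the question.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/** Insert every delegate for one booker; returns the new delegate ids. */
function insertDelegates(mysqli $dbc, array $booker, array $delegates): array
{
    $q = 'INSERT INTO delegates '
       . '(delegate_id, booker_name, booker_email, booker_tel, booker_company, delegate_name, delegate_email, delegate_tel) '
       . 'VALUES (NULL, ?, ?, ?, ?, ?, ?, ?)';

    // mysqli_query() would send this text as-is and MySQL would reject the
    // bare "?"; mysqli_prepare() is what turns "?" into a bound parameter.
    $stmt = mysqli_prepare($dbc, $q);

    // bind_param() binds by reference, so bind once and reassign the
    // per-delegate variables before each execute().
    $delegateName = $delegateEmail = $delegateTel = '';
    mysqli_stmt_bind_param(
        $stmt, 'sssssss',
        $booker['name'], $booker['email'], $booker['tel'], $booker['company'],
        $delegateName, $delegateEmail, $delegateTel
    );

    $ids = [];
    mysqli_begin_transaction($dbc);          // all delegates or none
    try {
        foreach ($delegates as $d) {
            $delegateName  = $d['name'];
            $delegateEmail = $d['email'];
            $delegateTel   = $d['tel'];
            mysqli_stmt_execute($stmt);
            $ids[] = (int) mysqli_insert_id($dbc);
        }
        mysqli_commit($dbc);
    } catch (mysqli_sql_exception $e) {
        mysqli_rollback($dbc);
        throw $e;
    } finally {
        mysqli_stmt_close($stmt);
    }
    return $ids;
}

/** The fetch step: read back the delegates booked under one e-mail address. */
function delegatesForBooker(mysqli $dbc, string $bookerEmail): array
{
    $stmt = mysqli_prepare(
        $dbc,
        'SELECT delegate_id, delegate_name, delegate_email FROM delegates WHERE booker_email = ?'
    );
    mysqli_stmt_bind_param($stmt, 's', $bookerEmail);
    mysqli_stmt_execute($stmt);
    // mysqli_stmt_get_result() needs the mysqlnd driver (the default since PHP 5.4).
    $rows = mysqli_stmt_get_result($stmt)->fetch_all(MYSQLI_ASSOC);
    mysqli_stmt_close($stmt);
    return $rows;
}

// Usage with constructed sample data; connection values are placeholders.
$dbc = mysqli_connect('localhost', 'my_user', 'my_password', 'my_database');
$ids = insertDelegates(
    $dbc,
    ['name' => 'Pat Booker', 'email' => 'pat@example.invalid', 'tel' => '0123', 'company' => 'Example Ltd'],
    [
        ['name' => 'Dee One',   'email' => 'dee@example.invalid', 'tel' => '0456'],
        ['name' => "Sam O'Two", 'email' => 'sam@example.invalid', 'tel' => '0789'],
    ]
);
echo 'Inserted delegate ids: ', implode(', ', $ids), "\n";
print_r(delegatesForBooker($dbc, 'pat@example.invalid'));
```

Preparing outside the loop is what the question's structure was reaching for: the server parses the statement once, and each execute sends only the bound values, so a name containing a quote (the second delegate above) is stored verbatim rather than being interpreted as SQL.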

Prepared statements in MySQLi

I'm doing SQL queries in prepared statements (MySQLi).
This is the query:
$register = $friend_zone->prepare("INSERT INTO users (name, username, password, email, security_answer, date, user_level, security_question) VALUES(?, ?, ?, ?, ?, ?, ?, ?)");
$register->bind_param($name, $username, $password, $email, $security_answer, $date, $user_level, $security_question);
$register->execute();
I'm getting a warning:
Warning: mysqli_stmt::bind_param(): Number of elements in type definition string doesn't match number of bind variables in /var/www/includes/functions.php on line 152 Notice: Undefined variable: result in /var/www/includes/functions.php on line 159
Can someone help?
You are using the bind_param() function wrong. The first parameter is a string containing the data types. For example:
$register->bind_param('ssssssis', $name, $username, $password, $email, $security_answer, $date, $user_level, $security_question);
Each letter corresponds to its respective variable. s is for strings and i is for integers. There are some other ones available too.
Try:
$register = $friend_zone->prepare("INSERT INTO users (name, username, password, email, security_answer, date, user_level, security_question) VALUES(?, ?, ?, ?, ?, ?, ?, ?)");
$register->execute( array($name, $username, $password, $email, $security_answer, $date, $user_level, $security_question) );
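Added example, not code from the question or the answers. The warning quoted in this question ("Number of elements in type definition string doesn't match number of bind variables") and the count mismatch called out in the students question earlier on this page both come from three numbers disagreeing: the ? placeholders in the SQL, the characters in the type string, and the variables passed to bind_param. The helper below checks all three before prepare() so the mismatch is reported as one clear exception, then runs the registration INSERT from this question. The users table and its columns come from the question; the function names, the sample values and the connection details are constructed placeholders.

```php
<?php
// Added example (not from the question or answers): validate placeholder,
// type-string and value counts before prepare/bind/execute.
// Table and column names assumed from the question.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/** Count '?' placeholders, ignoring any '?' inside simple quoted literals. */
function countPlaceholders(string $sql): int
{
    // Assumption: literals contain no escaped quotes (enough for the
    // INSERT/UPDATE statements on this page).
    $withoutLiterals = preg_replace('/\'[^\']*\'|"[^"]*"/', '', $sql);
    return substr_count($withoutLiterals, '?');
}

/** Throw before touching the database if the three counts disagree. */
function assertBindCounts(string $sql, string $types, int $valueCount): void
{
    if (!preg_match('/^[sidb]*$/', $types)) {
        throw new InvalidArgumentException("Type string may only contain s, i, d or b: '$types'");
    }
    $placeholders = countPlaceholders($sql);
    if ($placeholders !== strlen($types) || $placeholders !== $valueCount) {
        throw new InvalidArgumentException(sprintf(
            'Bind mismatch: %d placeholders, %d type characters, %d values',
            $placeholders, strlen($types), $valueCount
        ));
    }
}

/** prepare, bind and execute in one call, with the counts validated first. */
function executePrepared(mysqli $db, string $sql, string $types, array $values): mysqli_stmt
{
    assertBindCounts($sql, $types, count($values));
    $stmt = $db->prepare($sql);          // throws on a syntax error
    if ($values !== []) {
        $stmt->bind_param($types, ...$values);   // spread passes the elements by reference
    }
    $stmt->execute();
    return $stmt;
}

// The registration INSERT from the question, with constructed sample data.
$sql = 'INSERT INTO users (name, username, password, email, security_answer, date, user_level, security_question) '
     . 'VALUES (?, ?, ?, ?, ?, ?, ?, ?)';
$values = [
    'Alice Example',
    'alice',
    password_hash('correct horse battery staple', PASSWORD_DEFAULT),
    'alice@example.invalid',
    'Rex',
    '2024-01-31',
    1,
    'First pet?',   // a "?" inside a value is data, not a placeholder
];

// The mistake in the question: no type string at all. Caught before prepare().
try {
    assertBindCounts($sql, '', count($values));
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}

// The corrected call: 8 placeholders, 'ssssssis', 8 values.
$db = new mysqli('localhost', 'my_user', 'my_password', 'my_database');   // placeholders
$stmt = executePrepared($db, $sql, 'ssssssis', $values);
echo 'Inserted user id ', $stmt->insert_id, "\n";
$stmt->close();
```

The same helper reports the students INSERT from the earlier question (seven placeholders, an eight-character type string, eight variables) as a bind mismatch before the statement reaches the server, which is easier to act on than the "bind_param() on boolean" fatal error.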

Question regarding the syntax of a php client->call using a soap service

So I am working on a site for work that I "inherited" when I started here, and I am having to swim through a lot of code that I am unfamiliar with, namely soap services. The website has a feature that lets you write some things to the db using this createURL service:
$res = $db->Exec('INSERT INTO private_urls (UID, psswrd, profile_id, show_profile, show_portfolio, show_resume, show_message, show_email, show_phone, show_eportfolioaddress, show_major, show_minor, show_academic_interests, show_research_interests, show_career_interests, show_job_interests, created, modified, urlName) VALUES ( ? , ? , ? , ? , ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, NOW(), NOW(), ?)', 'sssssssssssssssss', $uid, $password, $profile_id, $profile, $portfolio, $resume, $messages, $email, $phone, $eportAddress, $major, $minor, $academicInterests, $careerInterests, $researchInterests, $jobInterests, $urlName);
Now, my job is to make it so that I can edit that db entry, and not have a duplicate entry (which is the problem I am experiencing). I made new forms, and associated php files that link to an editURL service I made similar to the create one.
MY QUESTION: Regards the syntax of editing this sql statement so that it updates the db with all of these values it is being passed WHERE private_urls.uid=?. I can't figure out how the syntax is supposed to go with the WHERE clause. This is what I have:
$res = $db->Exec('UPDATE private_urls (UID, psswrd, profile_id, show_profile, show_portfolio, show_resume, show_message, show_email, show_phone, show_eportfolioaddress, show_major, show_minor, show_academic_interests, show_research_interests, show_career_interests, show_job_interests, created, modified, urlName) WHERE private_urls.UID = ? VALUES ( ? , ? , ? , ? , ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, NOW(), NOW(), ?)', 'ssssssssssssssssss', $uid, $uid, $password, $profile_id, $profile, $portfolio, $resume, $messages, $email, $phone, $eportAddress, $major, $minor, $academicInterests, $careerInterests, $researchInterests, $jobInterests, $urlName);
It obviously isn't working correctly, and I am wondering if my ? following the WHERE clause isn't correctly being associated with the first of the duplicated $uid variables...
Any thoughts?
Your UPDATE syntax isn't right, you want something like this (simplified for brevity):
$res = $db->Exec('UPDATE private_urls '.
                 'SET psswrd=?, profile_id=?,modified=NOW() '.
                 'WHERE UID=?',
                 $password, $profile_id, $uid);
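Added example, not code from the question or the answer: it builds the UPDATE ... SET col = ?, ... WHERE UID = ? statement the answer sketches, for any subset of the private_urls columns. Column names are checked against a fixed allow-list in the code, never taken from the request, so the SQL text is assembled only from constants and every value, including the UID in the WHERE clause, is a bound parameter. It uses mysqli directly because the $db->Exec() wrapper in the question is not shown; the table and column names come from the question, and the sample values and connection details are constructed placeholders.

```php
<?php
// Added example (not from the question or answer): an allow-listed,
// parameterised UPDATE for private_urls using mysqli directly.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Columns a caller may change. UID, created and modified are deliberately absent.
const PRIVATE_URL_COLUMNS = [
    'psswrd', 'profile_id', 'show_profile', 'show_portfolio', 'show_resume',
    'show_message', 'show_email', 'show_phone', 'show_eportfolioaddress',
    'show_major', 'show_minor', 'show_academic_interests',
    'show_research_interests', 'show_career_interests', 'show_job_interests',
    'urlName',
];

/** Build "UPDATE ... SET a = ?, b = ?, modified = NOW() WHERE UID = ?" from the field keys. */
function buildUpdateSql(array $fields): string
{
    $set = [];
    foreach (array_keys($fields) as $col) {
        if (!in_array($col, PRIVATE_URL_COLUMNS, true)) {
            throw new InvalidArgumentException("Column not updatable: $col");
        }
        $set[] = "`$col` = ?";      // $col is a constant from the allow-list, not user input
    }
    if ($set === []) {
        throw new InvalidArgumentException('Nothing to update');
    }
    $set[] = '`modified` = NOW()';
    return 'UPDATE `private_urls` SET ' . implode(', ', $set) . ' WHERE `UID` = ?';
}

/** Apply the update; returns the number of affected rows. */
function updatePrivateUrl(mysqli $db, string $uid, array $fields): int
{
    $sql    = buildUpdateSql($fields);
    $values = array_values($fields);
    $values[] = $uid;                              // the WHERE placeholder is bound last
    $types  = str_repeat('s', count($values));     // one type character per placeholder

    $stmt = $db->prepare($sql);
    $stmt->bind_param($types, ...$values);
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

// Usage with constructed sample data; connection values are placeholders.
$db = new mysqli('localhost', 'my_user', 'my_password', 'my_database');
$n = updatePrivateUrl($db, 'u12345', [
    'psswrd'     => 'new-secret',
    'profile_id' => '42',
    'show_email' => '1',
]);
echo "Rows updated: $n\n";

// A column that is not on the allow-list is rejected before any SQL is built.
try {
    buildUpdateSql(['UID' => 'someone-else']);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

For the three fields above, buildUpdateSql produces `UPDATE private_urls SET psswrd = ?, profile_id = ?, modified = NOW() WHERE UID = ?` (with backticks), and the values are bound in that same order with the UID last; this is the shape the question was trying to reach by mixing an INSERT column list into an UPDATE.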
