Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 9 years ago.
Improve this question
$SQL="SELECT first_name FROM people WHERE fname = '$fname' INSERT INTO (first_name) VALUES (fname)";
Anything wrong with this? Trying to insert a value from a user defined variable into a mysql table
Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given in D:\wamp\www\Pxxxx\process.php on line 44
This is the error
$fname is a user defined variable
first_name is the column I'm trying to insert it into and it's in a table called people
You have the order inverted. It seems like you are looking for INSERT .. SELECT syntax (see MySQL documentation here: http://dev.mysql.com/doc/refman/5.6/en/insert-select.html)
INSERT INTO target_table (first_name)
SELECT fname
FROM people
WHERE fname = ?
It was unclear from your example what the name of the table you were trying to insert data into is, so I just listed it as target_table here.
Your SQL statement has to be reordered like this:
"INSERT INTO people (fname) SELECT '$fname' FROM dual;"
This will select the value of $fname from the pseudo table "dual" and insert the value into "people".
Maybe this is more suitable:
"INSERT INTO people (fname) VALUES ('$fname');"
This snippet show you a simple insert statement.
Note: Please have a look for SQL Injection at Wikipedia. The code you are writing is open for these kinds of attacks. If you are writing PHP code, have a look for Prepared Statements and mysqli to prevent these attacks.
Related
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 2 years ago.
Improve this question
I am able to navigation between a php page using ID but not using project name. Can you only use an number and not characters?
Works
$sql = "SELECT id, assigned, project, start, end, status
FROM projects
WHERE id=$id";
'.$row['project'].'
page url: https://example.com/project.php?id=1
Doesn't work
$sql = "SELECT id, assigned, project, start, end, status
FROM projects
WHERE project=$project";
'.$row['project'].'
page url: https://example.com/project.php?project=Test
Thanks for the help!
MySQL uses single or double quotes for strings. Your second query puts string to a query, resulting in invalid query.
This is not a valid SQL query:
SELECT `name` FROM `cats` WHERE `breed` = ordinary cat
But this is:
SELECT `name` FROM `cats` WHERE `breed` = 'ordinary cat'
Of note, be careful with using any input (including query string) in your query like you did. You should use prepared statement instead to safely escape that string for your query.
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 8 years ago.
Improve this question
http://www.pwntester.com/blog/2014/01/15/hackyou2014-web100-write-up/
At this link, They have injected by hex code like
0x39393939393939393939393920756e696f6e20616c6c202873656c656374202748656c6c6f21212729
meaning:
999999999999 union all (select 'Hello!!')
In mysql,we cannot type a query like
Mysql> 0x0abcd... (assume that 0x0abc.. mean select * from...).
So, Can you explain for me why can they inject as in my link?
p/s: Sorry about my poor English.
The SQL injection does not happen in the INSERT statement but in the second SELECT statement:
"SELECT title FROM picture WHERE id = ".$r['id']
Here $r['id'] is the recently inserted ID, i. e., the user supplied $_POST['id'] value.
Now the reason for why this SQL injection works is MySQL’s support for hexadecimal literals and the fact that the id column of the vote table is of a string type as in that case the following applies:
In string contexts, they act like binary strings, where each pair of hex digits is converted to a character:
mysql> SELECT X'4D7953514C';
-> 'MySQL'
mysql> SELECT 0x0a+0;
-> 10
mysql> SELECT 0x5061756c;
-> 'Paul'
For PHP 0x… is numeric (i. e., is_numeric) and for MySQL 0x… is interpreted and stored as string, which later gets inserted into the above mentioned SELECT statement.
This wouldn’t be possible if either
id would have been a numeric data type, or
the SELECT would have been a prepared statement.
This is already answered in the comments on that blog post. The hex string must be run through PHP, or some other system which incorrectly passes the value to MySQL as a string (instead of a number), in order for this "hack" to work.
Closed. This question is not reproducible or was caused by typos. It is not currently accepting answers.
This question was caused by a typo or a problem that can no longer be reproduced. While similar questions may be on-topic here, this one was resolved in a way less likely to help future readers.
Closed 8 years ago.
Improve this question
I've inserted into databases before but never used the 'where' feature. For some reason, it is not inserting, but dieing instead.
<?php
$member=$_SESSION['member'];
$SQL = "INSERT into members where name='$member'(money) VALUES ('100')";
mysql_query($SQL) or die("Could not insert money");
print "Money successfully inserted";
?>
This is not valid SQL:
INSERT into members where name='$member'(money) VALUES ('100')
I would assume something like this:
update `members` set `money`=100 where `name`='$member';
Rationale: (money) is a field and 100 is the value for money (since those 2 make the most sense from a INSERT INTO members (field) VALUES (value) syntax point of view).
Never die() with a fixed error message, especially when you can output the actual reason: ... or die(mysql_error()).
But yes, your problem is a syntax error. INSERT queries do NOT have a WHERE clause - where is used to filter records already in the database table. This makes no sense for a new record, because it's not IN the table to filtered in the first place.
You query should basically be just
INSERT into members (name, money) VALUES ('$member', '100')
And note that you are vulnerable to SQL injection attacks, and are using a deprecated/obsolete database interface.
If you want to change existing data, use the update command instead of insert.
You can't use WHERE clause with INSERT command
http://dev.mysql.com/doc/refman/5.0/en/insert.html
You have to do an update
<?php
$member=$_SESSION['member'];
$SQL = "UPDATE `members` SET `money`='100' WHERE `name`='$member'; ";
mysql_query($SQL) or die("Could not insert money");
print "Money successfully inserted";
?>
For inserting :
$SQL = "INSERT INTO members(money) VALUES ('100')";
MySQL INSERT Syntax does not support the WHERE clause. MySQL.com Insert Info
Are you actually trying to insert a new row, or update an existing 'member'? If update, then try:
UPDATE members SET money = 100, WHERE name='$member';
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 8 years ago.
This question appears to be off-topic because it lacks sufficient information to diagnose the problem. Describe your problem in more detail or include a minimal example in the question itself.
Questions concerning problems with code you've written must describe the specific problem — and include valid code to reproduce it — in the question itself. See SSCCE.org for guidance.
Improve this question
mysql_query("
INSERT INTO `LMS`.`Presentation`
('Pre_Name' ,'Path' ,'PLec_ID' ,'pdatein' ,'pdesc','PSems_ID')
values
('$fname','$newname','$com',NOW(),'$filedesc','$semes')"
) or die("failed");
Dear All,
I have a table named presentation and I am going to enter value to it, it is mentionable that $com and $sems are comboboxs value, but the query show failed, anyone could help please,
thanks in advance
You're using quotes when you should be using backticks:
mysql_query("INSERT INTO `LMS`.`Presentation` (`Pre_Name`, `Path`, ...
Or simply don't use any special character. The backtick is only necessary if you do something silly like use a reserved word as a column name and I would hope people would choose their column names to be more readable.
In other words, date and in and select are silly names for columns, you should be using expiry_date, isInLocation and selectionStatus.
change or die("failed") into or die(mysql_error()) and you'll know why.
btw, consider changing from mysql functions to mysqli functions. And use parameterized queries. Otherwise you will be open to SQL injection.
mysql_query("
INSERT INTO table
(column1, column2, column3, column4 .... columnX)
VALUES(column1Data,column2Data, column3Data, column4Data ... columnXdata)
") or die(mysql_error());
> rove on this example and if there isnt a alias for a table then could not use a alias.
everything hiddends on details..
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 8 years ago.
Improve this question
I am new to PHP and mysql and i am trying to make API's for my iphone app.
So far i have been able to connect and retrive data from my sql database now m trying to make entries to it using API's and parameters.
Can anyone help me out here please.
Thanks alot!!
If by to make entries you mean adding data to the database.
You do this in the same way that you select data.
Instead of issuing a select statement like:
SELECT x,y,z FROM table1
You do:
INSERT INTO table1 (x,y,z) VALUES ('a', 1, 'test')
Or:
UPDATE table1 SET x = 'b' WHERE x = 'a'
How you pass parameters depends on the API you use.
It is best (safest) to use PDO to pass parameters.
How to get parameters out of a url
In order to get the parameters out of the url (e.g.: example.com/test.php?username=xyz&password=!##$%) do:
$username = mysql_real_escape_string($_GET['username']);
$password = mysql_real_escape_string($_GET['password']);
$query = "SELECT * FROM users WHERE username = '$username'
AND passhash = sha2(CONCAT(salt,'$password'),512)";
Note that it's vital to put single quotes around the injected variable names when using mysql_real_escape_string() or the escaping will be useless. Used like this the code is 100% secure from SQL-injection.
If you're using PDO, you can drop the mysql_real_escape_string() if not you need it to prevent SQL-injection.
Links
http://dev.mysql.com/doc/refman/5.5/en/update.html
http://dev.mysql.com/doc/refman/5.5/en/insert.html
http://php.net/manual/en/ref.pdo-mysql.php
https://stackoverflow.com/search?q=%5Bphp%5D+%5Bmysql%5D+pdo
http://php.net/manual/en/reserved.variables.get.php
http://php.net/manual/en/function.mysql-real-escape-string.php