You have an error in your SQL syntax Mysql - php

My SQL query is:
"INSERT INTO
order customer_id = $customer_id
, firstname = '".$firstname."'
, lastname = '".$lastname."'
, email = '".$email."'
, telephone = '".$telephone."'
, fax = '".$fax."'
, ip = '".$ip."'
, date_added = NOW()
, date_modified = NOW()
";
I get the error
Notice: Error: You have an error in your SQL syntax; check the manual
that corresponds to your MySQL server version for the right syntax to
use near 'order customer_id =1,firstname ='kuldeep',lastname
='pathak',email ='kuldeep.pat' at line 1 Error No: 1064

You didn't understand how to write SQL, it seems.
$sql = "INSERT INTO `order` (customer_id, firstname, blablabla) VALUES ($customer_id, '$firstname', '$blablabla')";
Please look at some basic tutorials about SQL.

"INSERT INTO
`order` SET customer_id = " . $customer_id . "
, firstname = '".$firstname."'
, lastname = '".$lastname."'
, email = '".$email."'
, telephone = '".$telephone."'
, fax = '".$fax."'
, ip = '".$ip."'
, date_added = NOW()
, date_modified = NOW()
";
Should be alright. Don't forget to escape your data though.

Try
"INSERT INTO `Order` (customer_id, firstname, lastname, email, telephone, fax, ip, date_added, date_modified)
VALUES ($customer_id, '$firstname', '$lastname', '$email', '$telephone', '$fax', '$ip', NOW(), NOW())"
The right syntax is: INSERT INTO tablename (columns) VALUES (values);

If you're likely to have user-submitted fields in the dataset, or apostrophes or anything else that could cause problems for any reason, you'd want something more like
$query = sprintf("INSERT INTO `table` (`Name`, `Email`, `AnotherField`) VALUES ('%s', '%s', '%s')",
mysql_real_escape_string( $_POST['Name'] ),
mysql_real_escape_string( $_POST['Email'] ),
mysql_real_escape_string( $_POST['AnotherField'] )
);
This will sanitise your inputs as well.

Use prepared statements to avoid SQL injection.
$customer_id = "2000";
$firstname = "first name";
$etc = "some other values";
$mysqli = new mysqli('localhost', 'user', 'password', 'database');
// `order` is a reserved word, so the table name needs backticks
$stmt = $mysqli->prepare("INSERT INTO `order` (customer_id, firstname, etc) VALUES (?, ?, ?)");
$stmt->bind_param('iss', $customer_id, $firstname, $etc);
// the first argument gives the type of each bound value: i = integer, s = string
$stmt->execute();
$stmt->close();
http://php.net/manual/en/mysqli-stmt.bind-param.php
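The same insert done both ways, as an added example that is not code from the question or any of the answers: the string-built query the question uses next to a PDO prepared statement. The `naiveSql` and `insertOrder` names, the sample row and the connection placeholders are assumptions; it expects a MySQL `order` table with the question's columns.

```php
<?php
// Added example (not from the question or any answer): the string-built INSERT
// from the question beside a PDO prepared statement for the same row. Assumes a
// MySQL `order` table with these columns and the placeholder connection below.

// How the question builds the query: every value is pasted into the SQL text.
function naiveSql(array $o): string
{
    return "INSERT INTO `order` SET customer_id = {$o['customer_id']}"
         . ", firstname = '{$o['firstname']}', lastname = '{$o['lastname']}'"
         . ", email = '{$o['email']}', date_added = NOW(), date_modified = NOW()";
}

// Hardened form: `order` is a reserved word, so it stays backtick-quoted, and
// every value travels as a bound parameter rather than as part of the statement.
function insertOrder(PDO $db, array $o): int
{
    $stmt = $db->prepare(
        'INSERT INTO `order` (customer_id, firstname, lastname, email, telephone, fax, ip,
                              date_added, date_modified)
         VALUES (:customer_id, :firstname, :lastname, :email, :telephone, :fax, :ip,
                 NOW(), NOW())'
    );
    $stmt->bindValue(':customer_id', (int) $o['customer_id'], PDO::PARAM_INT);
    foreach (['firstname', 'lastname', 'email', 'telephone', 'fax', 'ip'] as $col) {
        $stmt->bindValue(":$col", (string) ($o[$col] ?? ''), PDO::PARAM_STR);
    }
    $stmt->execute();
    return (int) $db->lastInsertId();
}

// Constructed sample; the apostrophe in the surname is ordinary data that the
// string-built version turns into the "error in your SQL syntax" from the question.
$sample = ['customer_id' => 1, 'firstname' => 'Ann', 'lastname' => "O'Brien",
           'email' => 'ann@example.com', 'telephone' => '', 'fax' => '',
           'ip' => $_SERVER['REMOTE_ADDR'] ?? '127.0.0.1'];

echo naiveSql($sample), PHP_EOL;   // note the unbalanced quote after the O

// Placeholder connection details; replace with your own.
$db = new PDO('mysql:host=localhost;dbname=DB_PLACEHOLDER;charset=utf8mb4',
              'USER_PLACEHOLDER', 'PASSWORD_PLACEHOLDER',
              [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,   // SQL errors throw instead of returning false
               PDO::ATTR_EMULATE_PREPARES => false]);          // real server-side prepare
echo 'inserted order id ', insertOrder($db, $sample), PHP_EOL;
```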

Related

error in SQL syntax when parsing xml files

I have tried to parse data from a URL, and this is part of the XML data:
<players category="Attackers">
<player id="206651">
<name>Thapelo Tale</name>
<firstname>Thapelo</firstname>
<lastname>Tale</lastname>
<team></team>
<teamid></teamid>
<nationality>Lesotho</nationality>
<birthdate>22/04/1988</birthdate>
<age>25</age>
<birthcountry>Lesotho</birthcountry>
<birthplace>Maseru</birthplace>
<position>Attacker</position>
<height>169 cm</height>
<weight></weight>
<image>
and using this code
<?php
$xmlLinq_player=simplexml_load_file("note.xml");
foreach($xmlLinq_player->player as $player) {
$player_id = $player->attributes()->id;
if($player_id){
$team_name=mysql_real_escape_string($player->team);
$team_id=mysql_real_escape_string($player->teamid);
if($team_id =='' || !$team_id){
$team_id=0;
}
$nationality=mysql_real_escape_string($player->nationality);
$fullname=mysql_real_escape_string($player->name);
$firstname=mysql_real_escape_string($player->firstname);
$lastname=mysql_real_escape_string($player->lastname);
$birthdate=$player->birthdate;
$birthdate=date('Y-m-d', strtotime(str_replace('-', '/', $birthdate)));
$birthcountry=mysql_real_escape_string($player->birthcountry);
$birthplace=mysql_real_escape_string($player->birthplace);
$logo=$player->image;
$position=mysql_real_escape_string($player->position);
$height=$player->height;
$weight=$player->weight;
$query = sprintf("INSERT INTO players (PlayerId,TeamId, FullName, FirstName, LastName, Nationality, BirthDate, BirthCountry, BirthPlace, PositionFull, Height,Weight,Photo)
VALUES($player_id, $team_id, '$fullname', '$firstname', '$lastname', '$nationality', '$birthdate', '$birthcountry','$birthplace','$position','$height','$weight','$logo')
ON DUPLICATE KEY UPDATE FullName = VALUES(FullName),FirstName = VALUES(FirstName), LastName = VALUES(LastName), Nationality = VALUES(Nationality), BirthDate = VALUES(BirthDate), BirthCountry = VALUES(BirthCountry),
BirthPlace = VALUES(BirthPlace),PositionFull = VALUES(PositionFull),Height = VALUES(Height),Weight = VALUES(Weight),Photo = VALUES(Photo)");
$result = mysql_query($query);
if (!$result){
$message = mysql_error() ;
//$message = 'Whole Query: ' .$query;
die($message);
}
}
}
?>
then it gives this problem:
( You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '\n , 'Thapelo Tale', 'Thapelo', 'Tale', 'Lesotho', '1970-01-01', 'Lesotho','M' at line 2 ) Please help, how do I solve this problem? Thanks.
Check the ON DUPLICATE KEY UPDATE syntax:
INSERT INTO players (PlayerId, TeamId, FullName, FirstName, LastName, Nationality, BirthDate, BirthCountry, BirthPlace, PositionFull, Height, Weight, Photo)
VALUES($player_id, $team_id, '$fullname', '$firstname', '$lastname', '$nationality', '$birthdate', '$birthcountry', '$birthplace', '$position', '$height', '$weight', '$logo')
ON DUPLICATE KEY UPDATE FullName = '$fullname', FirstName = '$firstname', LastName = '$lastname',
Nationality = '$nationality', BirthDate = '$birthdate', BirthCountry = '$birthcountry', BirthPlace = '$birthplace', PositionFull = '$position',
Height = '$height', Weight = '$weight', Photo = '$logo'
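An added example, not the asker's or the answerer's code, that loads the same XML shape with SimpleXML and writes each player through a PDO prepared statement with every value bound and typed, so nothing from the feed lands in the SQL text. The `playerRow` helper, the constructed feed, the connection placeholders and the `players` table layout are assumptions.

```php
<?php
// Added example (not the asker's code): read the same XML shape, coerce each field to
// its column type, and upsert it through a prepared statement. Assumes a MySQL `players`
// table with the question's columns, PlayerId unique, BirthDate nullable.
// Constructed feed; the whitespace-only <teamid> is the kind of value the question's code pastes into the SQL unquoted.
$feed = <<<'XML'
<players category="Attackers"><player id="206651">
  <name>Thapelo Tale</name><firstname>Thapelo</firstname><lastname>Tale</lastname><team></team>
  <teamid>
  </teamid><nationality>Lesotho</nationality><birthdate>22/04/1988</birthdate><birthcountry>Lesotho</birthcountry>
  <birthplace>Maseru</birthplace><position>Attacker</position><height>169 cm</height><weight></weight><image></image>
</player></players>
XML;

function playerRow(SimpleXMLElement $p): array
{
    // Parse the date with its real day/month/year format: strtotime('22/04/1988') reads
    // 22 as a month, returns false, and date() then yields the 1970-01-01 seen in the error.
    $birth = DateTime::createFromFormat('!d/m/Y', trim((string) $p->birthdate));
    return [
        ':PlayerId'     => (int) $p['id'],
        ':TeamId'       => (int) $p->teamid,              // '' or whitespace becomes 0
        ':FullName'     => trim((string) $p->name),
        ':FirstName'    => trim((string) $p->firstname),
        ':LastName'     => trim((string) $p->lastname),
        ':Nationality'  => trim((string) $p->nationality),
        ':BirthDate'    => $birth ? $birth->format('Y-m-d') : null,
        ':BirthCountry' => trim((string) $p->birthcountry),
        ':BirthPlace'   => trim((string) $p->birthplace),
        ':PositionFull' => trim((string) $p->position),
        ':Height'       => trim((string) $p->height),
        ':Weight'       => trim((string) $p->weight),
        ':Photo'        => trim((string) $p->image),
    ];
}

$sql = 'INSERT INTO players (PlayerId, TeamId, FullName, FirstName, LastName, Nationality, BirthDate,
          BirthCountry, BirthPlace, PositionFull, Height, Weight, Photo)
        VALUES (:PlayerId, :TeamId, :FullName, :FirstName, :LastName, :Nationality, :BirthDate,
          :BirthCountry, :BirthPlace, :PositionFull, :Height, :Weight, :Photo)
        ON DUPLICATE KEY UPDATE FullName = VALUES(FullName), FirstName = VALUES(FirstName), LastName = VALUES(LastName),
          Nationality = VALUES(Nationality), BirthDate = VALUES(BirthDate), BirthCountry = VALUES(BirthCountry),
          BirthPlace = VALUES(BirthPlace), PositionFull = VALUES(PositionFull), Height = VALUES(Height), Weight = VALUES(Weight), Photo = VALUES(Photo)';
// Placeholder connection details; replace with your own.
$db = new PDO('mysql:host=localhost;dbname=DB_PLACEHOLDER;charset=utf8mb4', 'USER_PLACEHOLDER',
              'PASSWORD_PLACEHOLDER', [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$stmt = $db->prepare($sql);
foreach (simplexml_load_string($feed)->player as $player) {
    $stmt->execute(playerRow($player));   // all thirteen values bound, none interpolated
}
```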

Not inserting into database sql read error

<?php
include("../../panel/inc/config.php");
$ip = $_SERVER['REMOTE_ADDR'];
// Insert the log
$insert = "INSERT INTO logs (log, ip, date) VALUES ('{$log}', '{$ip}', '{$date}')";
mysql_query($insert) or die("MySQL Error - Could not insert reviews");
$date = date("d/m/y - h:ia");
$insertLog = "INSERT INTO `logs` ( `log` , `ip`, `date` ) VALUES ('viewed test page', '$date')";
mysql_query($insertLog) or die('MySQL Error - Could not insert a log.');
?>
Basically, when someone views this page I want it to insert into the database, but it's not inserting. I get the error for inserting the log.
Any ideas?
My database is
$insertLog = "INSERT INTO `logs` ( `log` , `ip`, `date` ) VALUES ('viewed test page', '$date')";
You are missing one column value here: you have three columns but only two values in the above query. It seems you left out the ip value.
You should try it like this:
$ip = $_SERVER['REMOTE_ADDR'];
if(isset($ip)){
// Insert the log
$insert = "INSERT INTO logs (log, ip, date) VALUES ('{$log}', '{$ip}', '{$date}')";
mysql_query($insert) or die('MySQL Error - ' . mysql_error() );
$date = date("d/m/y - h:ia");
$insertLog = "INSERT INTO `logs` ( `log` , `ip`, `date` ) VALUES ('viewed test page', '$ip', '$date')";
mysql_query($insertLog) or die('MySQL Error - ' . mysql_error() );
}
Notice: all mysql_* functions are deprecated. You should move to PDO or mysqli.

error in mySQL syntax

What's wrong in this SQL query ?!
if(isset($_POST['submit'])){
$name = $_POST['name'];
$author = $_POST['author'];
$pub = $_POST['pub'];
$sibn = $_POST['sibn'];
$year = $_POST['year'];
$version = $_POST['version'];
$desc = $_POST['desc'];
$selected_db = mysql_select_db("bookstore",$con);
$query = "INSERT INTO introducebook (name, author, pub, sibn, year, version, desc) VALUES ('{$name}', '{$author}', '{$pub}', '{$sibn}', {$year}, {$version}, '{$desc}');" ;
$result = mysql_query($query,$con);
if(!$result){die('could not perform query'.mysql_error());}
echo mysql_affected_rows();
}
?>
The error is (I passed 'test' as every input):
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'desc) VALUES ('test', 'test', 'test', 'test', test, test, 'test')' at line 1
You need to escape reserved words in MySQL like desc with backticks:
INSERT INTO introducebook (name, ..., `desc`) VALUES ...
To pass plain text you need brackets; this will be correct:
INSERT INTO introducebook (`name`, `author`, `pub`, `sibn`, `year`, `version`, `desc`) VALUES ('{$name}', '{$author}', '{$pub}', '{$sibn}', '{$year}', '{$version}', '{$desc}')
and yes, you also need backticks.

insert data from select query results with other external/posted variables

How can I insert data from query results and other variables in one insert query?
Sample:
$id = $_POST['id'];
$address = $_POST['address'];
$email = $_POST['email'];
$query = "INSERT INTO info_table(fname, lname, address, email) VALUES (SELECT fname, lname, FROM info WHERE id = '$id')";
$result = $db->prepare($query);
$result->execute();
How can I insert $address and $email together with the select results variables?
This should do the trick for the query:
INSERT INTO info_table (
fname,
lname,
address,
email
)
SELECT
fname,
lname,
:address,
:email
FROM
info
WHERE
id = :id
You aren't using prepare right here. You really should bind to the parameters :address, :email, and :id
$result = $db->prepare($query);
$result->bindParam(':id', $id, PDO::PARAM_STR);
$result->bindParam(':email', $email, PDO::PARAM_STR);
$result->bindParam(':address', $address, PDO::PARAM_STR);
$result->execute();
Answering your question precisely:
$query = "INSERT INTO MyInsecureTable (fname, lname, address, email) SELECT fname, lname, '$address', '$email' FROM info WHERE id = '$id'";
But it scares the . out of me.

MySQL Insert error

Ok, when trying to insert into the database I'm getting this error
"You have an error in your SQL syntax;
check the manual that corresponds to
your MySQL server version for the
right syntax to use near '#email.com,
UT, 84505, NOW(), 69.169.186.192)' at
line 1"
I can't figure out the problem. Here is the code for my insert statement.
$insert_query = sprintf("INSERT INTO contacts (first_name, last_name, email, state, zip, date, ip) VALUES (%s, %s, %s, %s, %s, NOW(), %s)",
$fname,
$lname,
$email,
$state,
$zip,
$ip);
$result = mysql_query($insert_query, $connection) or die(mysql_error());
My table has the following structure:
id int(11)
first_name varchar(100)
last_name varchar(100)
email varchar(100)
state varchar(3)
zip int(10)
date datetime
ip varchar(255)
You need to quote all the string-type columns in the insert statement. Replace %s with '%s' in the sprintf format.
Please read about SQL Injection if you haven't done so already.
This may help you:
$insert_query = "INSERT INTO contacts SET first_name = '$fname', last_name = '$lname', email = '$email', state = '$state', zip = '$zip', date = NOW(), ip = '$ip'";
$result = mysql_query($insert_query, $connection) or die(mysql_error());
If you want to check the query:
echo $insert_query;
It would help if you could echo out the $insert_query, but it looks like you're not putting quotes around the parameters that are varchars.
$insert_query = sprintf("INSERT INTO contacts (first_name, last_name, email, state, zip, date, ip) VALUES ('%s', '%s', '%s', '%s', '%s', NOW(), '%s')",
$fname,
$lname,
$email,
$state,
$zip,
$ip);
By the way, you have an extra column in your insert - NOW doesn't appear related to a column.
I'm assuming ZIP is a varchar column, not a number, by the way.
