MySQL error on form submission - php

I'm getting a mysql error saying "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near..."
Here's the basics of my code:
First I'm populating the select menu options with rows from the categories table. This is working fine:
<select id="dropdown-select" name="Name">
<option value="" id="dropdown-option">Please select a category.</option>
<?php
$query_categories = "SELECT * FROM categories";
$result_categories = mysql_query($query_categories) or die(mysql_error());
while($categories_row = mysql_fetch_array($result_categories)) {
echo '<option id="dropdown-option" value="' . $categories_row['cat_name'] . '">' . $categories_row['cat_name'] . '</option>';
}
?>
</select>
Later, when I go to submit the form to the transactions table (the above table I pulled data from was the categories table, could this be a problem?) is when I get the error. I think it's related to the above code because if I remove this element from my form submission, it writes the rest of the values to the database without any errors.
if(!isset($_POST['Name'])) {
die('You must select an income or expense from the drop down menu.');
} else {
$Name = $_POST['Name'];
}
//create query
$query = "INSERT INTO transaction (month, trans_name, budgeted, actual) VALUES ('$Month', '$Name', $Budgeted', '$Actual')";
$result = mysql_query($query) or die("Error in query: $query. " . mysql_error());
Thanks for any help you can provide.

You are missing a single quote in your insert statement before $Budgeted
INSERT INTO transaction (month, trans_name, budgeted, actual) VALUES ('$Month', '$Name', '$Budgeted', '$Actual')"

If you have some fields which are defined in Database as VARCHAR, CHAR.
Also, if you are inserting a string value in Database from a PHP script, you need to add an enclosing single quote (') around it.
In your case, you are inserting a string without semicolons, so it is showing an error in MySQL.
Your statement should be corrected by adding a single quote around $budget as:
$query = "INSERT INTO transaction (month, trans_name, budgeted, actual) VALUES ('$Month',
'$Name', '$Budgeted', '$Actual')";
------^

The error "You have an error in your SQL syntax" is exactly correct!
$query = "INSERT INTO transaction (month, trans_name, budgeted, actual)
VALUES ('$Month', '$Name', $Budgeted', '$Actual')";
Look here, you missed something ----^
There is a ' missing from your statement causing the syntax error. Put the single quote in and you should be good to go!

Related

insert an array into table using for loop

I am trying to insert rows of data in an array into a table in a MySQL database. I am a beginner in PHP and MySQL and have very little knowledge about them. I just want to learn more. If you can give this a try, it would be great.
The code which I want to insert is below:
for($x=0; $x<2; $x++)
{
$data[$x]['title'] = $titleQuery->item($x)->nodeValue;
$data[$x]['titleHrefQuery'] = $titleHrefQuery->item($x)->nodeValue;
$data[$x]['food'] = $foodQuery->item($x)->nodeValue;
$data[$x]['locality'] = $localityQuery->item($x)->nodeValue;
$data[$x]['rating'] = $ratingQuery->item($x)->nodeValue;
$data[$x]['cost'] = $costQuery->item($x)->nodeValue;
}
I am trying to insert using the code given below:
$query = "INSERT INTO table (`title`, `link`, `food`, `locality`, `rating`, `cost`) VALUES
('" . $titleQuery->item($x)->nodeValue . "',
'".$titleHrefQuery->item($x)->nodeValue."',
'".$foodQuery->item($x)->nodeValue."',
'".$localityQuery->item($x)->nodeValue."',
'".$ratingQuery->item($x)->nodeValue."',
'".$costQuery->item($x)->nodeValue."')";
$result = mysql_query($query);
if($result)
{
echo ("Success");
}
else
{
echo ("Not added");
}
But every time it shows "Not added". Please help!!
Change
INSERT INTO table
to
INSERT INTO `table`
Because table is a reserved keyword. If you are using reserved keywords as a table name or column name, then you must enclose them in back-ticks (`). It's better not to use any reserved keyword, so if you can change the name, that will be the best choice. You can check for more in these questions:
How do I escape reserved words used as column names? MySQL/Create Table
Can we have the table name as "option" in MySQL?
H2 database column name "GROUP" is a reserved word
"INSERT INTO table...." should be "INSERT INTO `table`..."
Try to avoid MySQL keywords as table names or field names; it will help you write better SQL queries.
Use the following lines to see the MySQL error, so you can easily track down the reason why you are getting an error:
if($result)
{
echo ("Success");
}
else
{
echo ("Not added");
echo mysql_errno($link) . ": " . mysql_error($link). "\n";
}

PHP post limit? Other mysql issue?

I've been searching around for a solution, but each one I've found seems not to be helpful. I'm not actually sure what's causing the issue.
If I run the below mysql, this inserts a record into the database.
INSERT INTO cust_v_lists (Customer_name, Customer_ref) VALUES ('wouldja', 133)
What my program is currently doing is creating the above statement using parameters from page 1, then posting the mysql to page 2. On page 2 my code is simple.
$mysqli = $_POST['sqli'];
echo $mysqli; # this echoes out the above SQL insert line.
$result = mysqli_query($conn, $mysqli);
$updated = mysqli_affected_rows($conn);
$message = "You have inserted $updated row to the 'cust_v_lists' table.";
echo $message;
if (!mysqli_query($conn, $mysqli))
{
echo("Error description: " . mysqli_error($conn));
}
If I hard code the below:
$sqli = ;INSERT INTO cust_v_lists (Customer_name, Customer_ref) VALUES ('wouldja', 133)';
This works fine, but when I post it I get the error
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '
INSERT INTO cust_v_lists (Customer_name, Customer_ref) VALUES ('w' at line 1
I first thought this was a post limit or something to 40 chars, but when I echo out the mysqli posted it seems ok, I changed the limits in php.ini just in case but this didn't help. I then updated this to a string using $mysqli = (string)$mysqli but this also didn't help. Has anyone seen this before? I don't want to hard code this, I need the query to be completely dynamic and readable from $_POST.
$sqli = ;INSERT INTO cust_v_lists (Customer_name, Customer_ref) VALUES ('wouldja', 133)';
needs to be
$sqli = "INSERT INTO cust_v_lists (Customer_name, Customer_ref) VALUES ('wouldja', 133)";
Try this insert statement
$sqli = "INSERT INTO cust_v_lists (Customer_name, Customer_ref)
VALUES ('wouldja',133)";
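Added example, not part of the original thread: a page 2 that accepts only field values and builds the statement itself, so no SQL text ever arrives in $_POST and the query is still dynamic. The ALLOWED map and build_insert() are hypothetical names, the $post array is constructed, and an in-memory SQLite database opened through PDO stands in for the MySQL connection so the script runs offline.

```php
<?php
// Hypothetical server-side allow-list: table => [column => expected type].
// Table and column names are the ones used in the question.
const ALLOWED = [
    'cust_v_lists' => ['Customer_name' => 'string', 'Customer_ref' => 'int'],
];

// Returns [sql, params]; identifiers come only from ALLOWED, values only as bound parameters.
function build_insert(string $table, array $post): array
{
    if (!array_key_exists($table, ALLOWED)) {
        throw new InvalidArgumentException("table not allowed: $table");
    }
    $cols = [];
    $params = [];
    foreach (ALLOWED[$table] as $col => $type) {
        if (!isset($post[$col]) || !is_scalar($post[$col])) {
            throw new InvalidArgumentException("missing field: $col");
        }
        if ($type === 'int' && filter_var($post[$col], FILTER_VALIDATE_INT) === false) {
            throw new InvalidArgumentException("not an integer: $col");
        }
        $cols[] = $col;
        $params[] = $type === 'int' ? (int) $post[$col] : (string) $post[$col];
    }
    $marks = implode(', ', array_fill(0, count($cols), '?'));
    return ["INSERT INTO $table (" . implode(', ', $cols) . ") VALUES ($marks)", $params];
}

// Constructed stand-in for $_POST as page 1 would send it.
$post = ['table' => 'cust_v_lists', 'Customer_name' => "would'ja", 'Customer_ref' => '133'];

$pdo = new PDO('sqlite::memory:');  // assumption: stands in for the MySQL connection
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE cust_v_lists (Customer_name TEXT, Customer_ref INTEGER)');

[$sql, $params] = build_insert($post['table'], $post);
$stmt = $pdo->prepare($sql);
$stmt->execute($params);

echo $sql, "\n";
echo "You have inserted {$stmt->rowCount()} row to the 'cust_v_lists' table.\n";
```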

PHP won't insert html tags into database

PHP won't let me insert my username field into the database for some reason:
$username = "<a href='user.php?user=".$_SESSION['username']."'>#".$_SESSION['username']."<a>";
/* Query database to save user's post */
/* If field "repostid==0", then the post is not a repost; if the field "repostid>0", then the post is a repost with the field "repostid" linking to the id of the post to be reposted */
$result = mysqli_query($connection, "INSERT INTO posts (user, content, repostid, date) VALUES ('$username', '$final_repostinfo', '$_GET[postid]', '$date_string')");
if (!$result)
{
die('Cannot query. Error: ' . mysqli_error($connection));
}
The returned PHP syntax error:
Cannot query. Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'user.php?user=shawn619'>#shawn619', 'fifth', '8', '01/12/2013 21:38:56')' at line 1
You can solve it by separating the html markup.
I had a similar problem when trying to insert html markup into a database.
Leave $username as being just $_SESSION['username'], then when you need to retrieve the value from the database THAT'S when you add the html markup.
For example, I was trying to cut corners by having the markup entered into the database, rather than putting it where it needs to be used.
I had the following PHP code:
$image = "<img src='".$_FILES['image']['name']."' />";
$query = mysql_query("INSERT INTO news VALUES (CURRENT_DATE,'$image')");
Then in the page I was using to retrieve data from the database:
echo $row['images'];
I discovered that what I SHOULD be doing is PHP code:
$image = $_FILES['image']['name'];
$query = mysql_query("INSERT INTO news VALUES (CURRENT_DATE,'$image')");
and put the markup in its proper place:
echo "<img src='";
echo $row['images'];
echo "' />";
I think you can implement a similar strategy to your code to fix the problem.
NOTE: mySQL is now deprecated, but you can use this technique with its successors, mySQLi and PDO.
It's because of the single quotes. Try:
$result = mysqli_query($connection, "INSERT INTO posts (user, content, repostid, date) VALUES ('".mysqli_real_escape_string($connection, $username)."', '$final_repostinfo', '$_GET[postid]', '$date_string')");
Or
$result = mysqli_query($connection, "INSERT INTO posts (user, content, repostid, date) VALUES ('".addslashes($username)."', '$final_repostinfo', '$_GET[postid]', '$date_string')");
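Added example, not part of the original thread: the "store the bare value, add the markup on output" approach from the first answer, with the value bound as a parameter on the way in and encoded for its context on the way out. user_link() is a hypothetical helper, the inserted row is constructed, and an in-memory SQLite database opened through PDO stands in for the MySQL connection.

```php
<?php
// Builds the profile link at output time from the bare username.
function user_link(string $username): string
{
    // URL-component context: encode the value placed in the query string.
    $href = 'user.php?user=' . rawurlencode($username);
    // HTML attribute and HTML text contexts: encode quotes and angle brackets.
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">'
         . htmlspecialchars('#' . $username, ENT_QUOTES, 'UTF-8') . '</a>';
}

$pdo = new PDO('sqlite::memory:');  // assumption: stands in for the MySQL connection
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE posts (user TEXT, content TEXT, repostid INTEGER, date TEXT)');

// Only the plain username is stored; bound parameters mean its quote cannot end the SQL string.
$ins = $pdo->prepare('INSERT INTO posts (user, content, repostid, date) VALUES (?, ?, ?, ?)');
// Constructed row: the username deliberately contains a single quote and angle brackets.
$ins->execute(["o'neil <admin>", 'fifth', 8, '01/12/2013 21:38:56']);

foreach ($pdo->query('SELECT user, content FROM posts', PDO::FETCH_ASSOC) as $row) {
    echo user_link($row['user']), ' ',
         htmlspecialchars($row['content'], ENT_QUOTES, 'UTF-8'), "\n";
}
```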

Can not send information from PHP form to multiple mysql database tables

I am trying to insert data into 4 tables ( asset, asset_details, invoice and location). When I submit the form, it tells me that all the data has been submitted successfully but when I check the MySQL database the information is only submitted to the location tables.
Any help will be appreciated. Thank you.
mysql_query("START TRANSITION");
$query1 =("INSERT INTO .asset (asset_tag, asset_number, cap_ex, asset_type_id, invoice_id, status)
Values(".$_POST['asset_tag'] .",,,".$_POST['asset_type'] . ",".$_POST['invoice_number']."," . $_POST['status_id'] .")");
$query2 =("INSERT INTO .asset_details (asset_type_id, asset_tag, asset_type, physical_asset_id, manufacturer, os, os_version, make, model, serial_number, processor, ram, memory, hdd, host_name, notes)
Values(" .",".$_POST['asset_tag']."," .$_POST['asset_type'].",,
,".$_POST['os'].",".$_POST['os_version'].",".$_POST['make'].",".$_POST['model'].",".$_POST['serial_number'].",".$_POST['processor'].",,".$_POST['memory'].",".$_POST['hdd'].",,".$_POST['notes'].")");
$query3 =( "INSERT INTO .invoice (invoice_number, invoice_date, purchas_price, quantity, order_date, vender, warrenty_end, notes)
Values(" .$_POST['invoice_number'].",". $_POST['invoice_date'].",". $_POST['purchase_price'].",,,". $_POST['vender'].")");
$query4 =( "INSERT INTO .location (location_name, rack, row, unit)
Values(" .$_POST['location_name'].",".$_POST['rack'].",".$_POST['row'].",".$_POST['unit'].")");
echo "$query1 $query2 $query3 $query4";
$result1= mysql_query($query1);
$result2= mysql_query($query2);
$result3= mysql_query($query3);
$result4= mysql_query($query4);
$result = mysql_query("COMMIT");
if (!$result)
{
mysql_query("ROLLBACK");
die('Invalid query: ' . mysql_error());
}
else
{
echo "<script>alert('SUCCESS!');</script>";
}
}
mysql_close($con);
?>
There are some strange things;
START TRANSITION should probably be START TRANSACTION.
You're not quoting any of your string values. Strings need to be quoted using ' a'la INSERT INTO TEST VALUES ('olle');
An empty field cannot be indicated by just skipping it, you're doing INSERT INTO TEST (a,b,c) VALUES (1,,2); which is not valid syntax for not setting b.
Also, I recommend using a more modern mysql api than mysql_query, as for example PDO or mysqli, since injecting POST values into a string as you do can be pretty dangerous, you may cause SQL injection problems.
Use '`'s around each attributes(columns) and ''' around each values, it should work
During development, I'd echo each query expression before it is sent to the database.
By the way, mysql_error() is a useful function in PHP, which returns the last error information from MySQL. You may use that for debugging.
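Added example, not part of the original thread: the multi-table insert as one transaction with bound parameters, so a failure in any statement rolls back the rows already written instead of leaving only some tables populated. save_asset() is a hypothetical name, the inputs are constructed, the columns are trimmed to a few per table, and an in-memory SQLite database opened through PDO stands in for the MySQL connection.

```php
<?php
// All three inserts commit together or not at all. Unset fields are bound as NULL
// rather than skipped in the VALUES list.
function save_asset(PDO $pdo, array $in): bool
{
    try {
        $pdo->beginTransaction();  // issues the statement the question misspelled as START TRANSITION
        $pdo->prepare('INSERT INTO invoice (invoice_number, invoice_date, vender) VALUES (?, ?, ?)')
            ->execute([$in['invoice_number'] ?? null, $in['invoice_date'] ?? null, $in['vender'] ?? null]);
        $pdo->prepare('INSERT INTO location (location_name, rack, unit) VALUES (?, ?, ?)')
            ->execute([$in['location_name'] ?? null, $in['rack'] ?? null, $in['unit'] ?? null]);
        $pdo->prepare('INSERT INTO asset (asset_tag, asset_type_id, invoice_id, status) VALUES (?, ?, ?, ?)')
            ->execute([$in['asset_tag'] ?? null, $in['asset_type'] ?? null,
                       $in['invoice_number'] ?? null, $in['status_id'] ?? null]);
        return $pdo->commit();
    } catch (PDOException $e) {
        if ($pdo->inTransaction()) {
            $pdo->rollBack();
        }
        error_log('asset insert rolled back: ' . $e->getMessage());
        return false;
    }
}

$pdo = new PDO('sqlite::memory:');  // assumption: stands in for the MySQL connection
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);  // failed statements throw
$pdo->exec('CREATE TABLE invoice (invoice_number TEXT, invoice_date TEXT, vender TEXT)');
$pdo->exec('CREATE TABLE location (location_name TEXT, rack TEXT, unit TEXT)');
$pdo->exec('CREATE TABLE asset (asset_tag TEXT NOT NULL, asset_type_id TEXT, invoice_id TEXT, status TEXT)');

$count = fn(string $t) => (int) $pdo->query("SELECT COUNT(*) FROM $t")->fetchColumn();

// Constructed input with asset_tag missing: the third insert fails, so no row is kept anywhere.
$ok = save_asset($pdo, ['invoice_number' => 'INV-1', 'location_name' => 'DC1', 'rack' => 'R4', 'unit' => '12']);
var_dump($ok, $count('location'), $count('asset'));

// Complete constructed input: all three rows are committed.
$ok = save_asset($pdo, ['asset_tag' => 'A-100', 'asset_type' => '2', 'invoice_number' => 'INV-1',
                        'status_id' => '1', 'location_name' => 'DC1', 'rack' => 'R4', 'unit' => '12']);
var_dump($ok, $count('location'), $count('asset'));
```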

PHP not inserting some values into MySQL database

I have an HTML form which submits values to the following PHP file, which inserts them into a MySQL database:
<?php
$con = mysql_connect("*","*","*");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}
mysql_select_db("*", $con);
$sql="INSERT INTO scores (hometeam, awayteam, result)
VALUES
('" . mysql_real_escape_string($_POST['hometeam']) . "',
'" . mysql_real_escape_string($_POST['awayteam']) . "',
'" . mysql_real_escape_string($_POST['result']) . "')";
if (!mysql_query($sql,$con))
{
die('Error: ' . mysql_error());
}
echo "1 record added";
mysql_close($con);
?>
Sometimes an input field in the HTML form will be left blank and in this case I do not want anything inserted into the database. I want the value to remain NULL. At the moment when I fill in my form like this:
Home team: Blue team
Away team: [blank]
Result: Won
The following is inserted into my database:
Home team: Blue team
Away team: ' '
Result: Won
What I want to be inserted/not inserted is:
Home team: Blue team
Away team: NULL
Result: Won
I've hunted hours for a solution. Can anyone help? Thank you.
Well, it will insert the final value only, because you are executing the $sql and the last value of $sql is "INSERT INTO scores (result) VALUES ('$_POST[result]')"; You are overriding the previous values by using the same variable name.
Also (!empty($_POST[hometeam])) remove the !empty if the fields can be blank sometimes.
You are overwriting your SQL statements each time. Because your 'result' field isn't blank, you are setting your SQL statement to:
"INSERT INTO scores (result) VALUES ('$_POST[result]')"
This is the only statement which is then being executed - your other values are being ignored as they are not part of this statement.
What you need to do is set up your variables first:
$hometeam = isset($_POST['hometeam']) ? $_POST['hometeam'] : NULL;
$awayteam = isset($_POST['awayteam']) ? $_POST['awayteam'] : NULL;
$result = isset($_POST['result']) ? $_POST['result'] : NULL;
You can then do your database interaction:
$sql = "INSERT INTO scores hometeam, awayteam, result VALUES $hometeam, $awayteam, $result";
if (!mysql_query($sql,$con))
{
die('Error: ' . mysql_error());
}
echo "1 record added";
mysql_close($con);
I should say that I haven't included any security on this - you should look into PDO or prepared statements to make sure your database isn't open to SQL Injection.
Hope this helps!
First off, there's a huge security flaw in this code, which is not sanitizing your inputs. A user could insert whatever they like and it's executed on the DB without any checking. This is bad.
At the very least, you should be using something like mysql_real_escape_string(), even though even that is not exactly the best thing for the job (Google PHP + PDO for example).
Secondly, you're actually executing one query using one variable. If $_POST['result'] is set, then $sql will always be the last value. What you might want to do is make the query like so:
$query = 'INSERT INTO scores ('.$fields.') VALUES ('.$values.')';
And construct the $fields and $values variables using your if(!empty( .. )) code.
But to reiterate SANITIZE YOUR INPUTS
3 insert into statements will insert 3 records, with unspecified fields left as null or default.
You must use 1 insert into statement, something like:
<?php
$con = mysql_connect("*","*","*");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}
mysql_select_db("*", $con);
#$sql="INSERT INTO scores (hometeam,awayteam,result) VALUES ('{$_POST[hometeam]}','{$_POST[awayteam]}','{$_POST[result]}')";
if (!mysql_query($sql,$con))
{
die('Error: ' . mysql_error());
}
echo "1 record added";
mysql_close($con);
?>
Here, unspecified values will come as empty strings. If that is a problem, first assign them to 3 separate variables with ifs (e.g. set empty ones to null), then use them.
I think there is some problem with the declaration of the name of your input field in your html form. Make sure $_POST[hometeam] matches the input name in your form.
Example:
In your form
<input type="text" name="hometeam" value="" />
In your PHP
if (!empty($_POST[hometeam])) {
$sql="INSERT INTO scores (hometeam) VALUES ('$_POST[hometeam]')";
}
And also, please use addslashes or mysql_real_escape_string in your post values before adding it on the database.
Look at this link below:
http://php.net/manual/en/function.addslashes.php
http://php.net/manual/en/function.mysql-real-escape-string.php
if (!empty($_POST['hometeam'])) {
$sql="INSERT INTO scores (hometeam) VALUES ('" . $_POST['hometeam'] . "')";
}
Notice the single quotes around the 'hometeam' part.
You should also clean that using mysql_real_escape_string($_POST['hometeam']).
Bear in mind this will create up to 3 rows for each call. If you want to have a row like scores (hometeam, awayteam, result), you'll need to construct your query differently (i.e. a single query, not 3 separate ones).
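Added example, not part of the original thread: a single prepared INSERT for the scores form in which blank fields are bound as SQL NULL. Because values are bound rather than spliced into the string, it also avoids the hand-quoting mistake from the first question on this page. blank_to_null() and insert_score() are hypothetical names, the form arrays are constructed, and an in-memory SQLite database opened through PDO stands in for the MySQL connection.

```php
<?php
// Missing, non-string or whitespace-only fields become NULL; everything else is trimmed.
function blank_to_null(array $post, string $key): ?string
{
    $v = isset($post[$key]) && is_string($post[$key]) ? trim($post[$key]) : '';
    return $v === '' ? null : $v;
}

// One statement for the whole row; returns the number of rows inserted.
function insert_score(PDO $pdo, array $post): int
{
    $stmt = $pdo->prepare(
        'INSERT INTO scores (hometeam, awayteam, result) VALUES (:home, :away, :result)'
    );
    foreach (['home' => 'hometeam', 'away' => 'awayteam', 'result' => 'result'] as $ph => $field) {
        $v = blank_to_null($post, $field);
        // Bind a real NULL for blanks instead of the empty string '' the question ended up with.
        $stmt->bindValue(":$ph", $v, $v === null ? PDO::PARAM_NULL : PDO::PARAM_STR);
    }
    $stmt->execute();
    return $stmt->rowCount();
}

$pdo = new PDO('sqlite::memory:');  // assumption: stands in for the MySQL connection
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE scores (hometeam TEXT, awayteam TEXT, result TEXT)');

// Constructed stand-in for $_POST, matching the form values in the question.
insert_score($pdo, ['hometeam' => 'Blue team', 'awayteam' => '', 'result' => 'Won']);
// Constructed row whose value contains a single quote; no escaping call is needed.
insert_score($pdo, ['hometeam' => "St John's", 'awayteam' => 'Red team', 'result' => 'Lost']);

$rows = $pdo->query(
    'SELECT hometeam, awayteam IS NULL AS away_is_null, result FROM scores',
    PDO::FETCH_ASSOC
);
foreach ($rows as $row) {
    echo json_encode($row), "\n";
}
```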
