I've got a syntax error in the following code, but I can't find it:
$tableSelect = $_POST["tableSelect"];
$companyName = $_POST["companyName"];
$telephone = $_POST["telephone"];
$fax = $_POST["fax"];
$email = $_POST["email"];
$address = $_POST["address"];
$postcode = $_POST["postcode"];
$category = $_POST["category"];
$contact = $_POST["contact"];
$contactTel = $_POST["contactTel"];
$contactEmail = $_POST["contactEmail"];
$sql = "INSERT INTO '" . $tableSelect . "' ('" . $companyName . "', '" . $telephone . "', '"
. $fax . "', '" . $email . "', '" . $address . "','" . $postcode . "', '" . $category . "',
'" . $contact . "', '" . $contactTel . "', '" . $contactEmail . "')";
mysqli_query($con,$sql);
if (!mysqli_query($con,$sql)) {
die('Error: ' . mysqli_error($con));
}
Cheers!
EDIT: I have modified the code to this:
$sql = "INSERT INTO `" . $tableSelect . "` (name, telephone, fax, email, address, postcode, category,
contact, contactTel, contactEmail) VALUES (`" . $companyName . "`, `" . $telephone . "`, `"
. $fax . "`, `" . $email . "`, `" . $address . "`,`" . $postcode . "`, `" . $category . "`,
`" . $contact . "`, `" . $contactTel . "`, `" . $contactEmail . "`)";
and now have the error "Error: Unknown column [companyName] in 'field list'", where [companyName] is the value submitted through the form. But surely I've defined the column as "name"?
Edit 2: Thanks, I'm now aware of the injection issue. I'd like to get it working, then I'll change it to using prepared statements.
You need either a values statement or a select statement:
"INSERT INTO '" . $tableSelect . "' VALUES ('" . $companyName . "', '" . $telephone . "', '"
. $fax . "', '" . $email . "', '" . $address . "','" . $postcode . "', '" . $category . "',
'" . $contact . "', '" . $contactTel . "', '" . $contactEmail . "')";
However, I would also recommend that you include the column names in the insert statement:
"INSERT INTO '" . $tableSelect ."(companyname, telephone, fax, email, address, postcode, category, contact, contactTel, contactEmail) ".
"' VALUES ('" . $companyName . "', '" . $telephone . "', '"
. $fax . "', '" . $email . "', '" . $address . "','" . $postcode . "', '" . $category . "',
'" . $contact . "', '" . $contactTel . "', '" . $contactEmail . "')";
I'm not sure if those are the correct names.
Ignoring injection issues...
$sql = "
INSERT INTO $tableSelect
(name
,telephone
,fax
,email
,address
,postcode
,category
,contact
,contactTel
,contactEmail
) VALUES
('$companyName'
,'$telephone'
,'$fax'
,'$email'
,'$address'
,'$postcode'
,'$category'
,'$contact'
,'$contactTel'
,'$contactEmail'
);
";
Incidentally, in my (limited) experience, the practice of calling the variable (e.g. '$companyName') and the column (e.g. name) two (slightly) different things can get very confusing.
Use backquotes: ` instead of straight quotes when quoting table names:
instead of:
'" . $companyName . "'
this:
`" . $companyName . "`
Use prepared statements instead of putting the variables into the query directly. And check, that the tables names are correct, cause now you are open to SQL injection.
How can I prevent SQL injection in PHP?
please check insert query syntax
you are missing values in your program:
Follow the below Syntax:
INSERT INTO table_name (column1, column2, column3,...)
VALUES (value1, value2, value3,...)
try query like this
$query="insert into abc (a,b,c) values ('a','b','c')
and first check your all variables using isset()
Please try below query:
$sql = "INSERT INTO $tableSelect ('" . $companyName."', '".$telephone."',
'".$fax."', '".$email."', '".$address."', '".$postcode."', '".$category."',
'".$contact."', '".$contactTel."', '".$contactEmail."')";
If still getting error, then you should use mysql_real_escape_string() function.
Data may contain special characters.
Related
My script grabs a textfile full with tab delimited data from my inbox and is supposed to import it into my database. The problem is that the data can contain special characters such , or & or ;, which get picked up as delimiters and break my import.
I am unable to use LOAD DATA or LOAD DATA LOCAL due to my webhost's server configuration, hence the below method is the only way I have so far.
How can I hardcode the script below to delimited the data only by tabs and ignore everything else?
// read content of CSV file
while (($row = fgetcsv($getdata)) !== FALSE) {
// skip the top 3 rows (header information) - Line 0, Line 1 and Line 2
if ($line <= 2) {
$line++;
continue;
} else {
$sql = "INSERT INTO `$dbtable`
(`OPERA_CONF`, `CRS`, `HOLIDEX`, `ARRIVAL`, `DEPARTURE`, `NIGHTS`, `ADULTS`, `KIDS`, `TITLE`, `FIRST`, `LAST`, `NATIONALITY`, `ROOM`, `ROOM_TYPE`, `MBR`, `MBR_NO`, `MBR_LVL`, `RATE`, `CURR`, `RATECODE`, `MARKET`, `COMPANY`, `AGENT`, `EMAIL`, `PHONE`, `TIMESTAMP`)
VALUES (
'" . mysqli_real_escape_string($mysqli, $row[0]) . "',
'" . mysqli_real_escape_string($mysqli, $row[1]) . "',
'" . mysqli_real_escape_string($mysqli, $row[2]) . "',
'" . mysqli_real_escape_string($mysqli, $row[3]) . "',
'" . mysqli_real_escape_string($mysqli, $row[4]) . "',
'" . mysqli_real_escape_string($mysqli, $row[5]) . "',
'" . mysqli_real_escape_string($mysqli, $row[6]) . "',
'" . mysqli_real_escape_string($mysqli, $row[7]) . "',
'" . mysqli_real_escape_string($mysqli, $row[8]) . "',
'" . mysqli_real_escape_string($mysqli, $row[9]) . "',
'" . mysqli_real_escape_string($mysqli, $row[10]) . "',
'" . mysqli_real_escape_string($mysqli, $row[11]) . "',
'" . mysqli_real_escape_string($mysqli, $row[12]) . "',
'" . mysqli_real_escape_string($mysqli, $row[13]) . "',
'" . mysqli_real_escape_string($mysqli, $row[14]) . "',
'" . mysqli_real_escape_string($mysqli, $row[15]) . "',
'" . mysqli_real_escape_string($mysqli, $row[16]) . "',
'" . mysqli_real_escape_string($mysqli, $row[17]) . "',
'" . mysqli_real_escape_string($mysqli, $row[18]) . "',
'" . mysqli_real_escape_string($mysqli, $row[19]) . "',
'" . mysqli_real_escape_string($mysqli, $row[20]) . "',
'" . mysqli_real_escape_string($mysqli, $row[21]) . "',
'" . mysqli_real_escape_string($mysqli, $row[22]) . "',
'" . mysqli_real_escape_string($mysqli, $row[23]) . "',
'" . mysqli_real_escape_string($mysqli, $row[24]) . "',
'" . mysqli_real_escape_string($mysqli, $local_time) . "'
)";
if(!$mysqli->query($sql)) {
echo "\n Error while importing row $line.<br>";
$errcount++;
}
$line++;
}
thanks
Set tab as the wanted delimiter like this:
while (($row = fgetcsv($getdata,0,"\t")) !== FALSE) {
The zero indicates no limit with respect to the length of longest line. Documentation: http://php.net/manual/en/function.fgetcsv.php
I'm trying to show an error while entering duplicates using php and mysql, but i'm not getting how to complete, please give an solution........
this is my code:
mysql_query(
"INSERT INTO productcost (product, productCategory, model, purchasePrice, mrp, customerPrice, marginCustomer, dealerPrice, marginDealer)
VALUES ('" . $_POST["product"] . "','" . $_POST["productCategory"] . "','" . $_POST["model"] . "','" . $_POST["purchasePrice"] . "','" . $_POST["mrp"] . "','" . $_POST["customerPrice"] . "','" . $_POST["marginCustomer"] . "','" . $_POST["dealerPrice"] . "', '" . $_POST["marginDealer"] . "')");
$current_id = mysql_insert_id();
if(!empty($current_id)) {
$message = "New Product Added Successfully";
}
}
You have to create unique key in productcost table , using unique fields like (product, productCategory, model). Now execute insert query, if there is a recode in the table return error . now you can handle error and give message.
try{
mysql_query("INSERT INTO productcost (product_key_id,product, productCategory,model,purchasePrice, mrp, customerPrice, marginCustomer, dealerPrice, marginDealer)
VALUES
('" . $_POST["created_product_id"] . "','" . $_POST["product"] . "','".$_POST["productCategory"] . "','" . $_POST["model"] . "','".$_POST["purchasePrice"] . "','" . $_POST["mrp"] . "','".$_POST["customerPrice"] . "','" . $_POST["marginCustomer"] . "','".$_POST["dealerPrice"] . "', '" . $_POST["marginDealer"] . "')");
return TRUE;
}
catch(Exception $e){
return FALSE;
}
or you can check is there a recode in table before insert
select count(*) as cc from doc_upload where product_key_id = $_POST["created_product_id"];
To show an error message while entering duplicates:
// First check there are same data available or not using a query by counting the row
$sqlCheck = "SELECT COUNT(`id`) WHERE product = '" . $_POST["product"] . "' AND productCategory = '" . $_POST["productCategory"] . "' AND model = '" . $_POST["model"] . "'"; // You have to add mroe thing in where clause
$CheckQuery = mysql_query($sqlCheck);
// if there is no duplicate data
//
if ($CheckQuery > 0) {
# code...
mysql_query(
"INSERT INTO productcost (product, productCategory, model, purchasePrice, mrp, customerPrice, marginCustomer, dealerPrice, marginDealer)
VALUES ('" . $_POST["product"] . "','" . $_POST["productCategory"] . "','" . $_POST["model"] . "','" . $_POST["purchasePrice"] . "','" . $_POST["mrp"] . "','" . $_POST["customerPrice"] . "','" . $_POST["marginCustomer"] . "','" . $_POST["dealerPrice"] . "', '" . $_POST["marginDealer"] . "')");
$current_id = mysql_insert_id();
if(!empty($current_id)) {
$message = "New Product Added Successfully";
}
} else {
$message = "Data is Duplicated";
}
Note : I'm Giving you an Example . this is how you have to check
duplicate data
This is going to be an easy one for you but I'm a noob so I need help.
Here is my code, for whatever reason the else statement isn't executing. If I change the NULL value for a $variable = NULL it works, but enters an empty string into my database rather than the NULL value. Can anyone help with why?
if (isset($_POST['agreeto']))
{
$enter_feedback = "INSERT INTO feedback" . //(initial, surname, country_id, date, friend_score, return_score, service_score, comments)
" VALUES('" . $initial. "', '" . $lastname . "', '" . $country_id . "', NOW(), '" . $friend . "', '" . $return . "', '" . $service . "', '" . $_POST['comments'] . "')";
}else
{
$enter_feedback = "INSERT INTO feedback" . //(initial, surname, country_id, date, friend_score, return_score, service_score, comments)
" VALUES('" . $initial. "', '" . $lastname . "', '" . $country_id . "', NOW(), '" . $friend . "', '" . $return . "', '" . $service . "', " . NULL . ")" or die("couldn't execute my query");
}
MySQL requires the string=NULL and you are passing it the value of the php NULL constant.
if (isset($_POST['agreeto']))
{
$enter_feedback = "INSERT INTO feedback" . //(initial, surname, country_id, date, friend_score, return_score, service_score, comments)
" VALUES('" . $initial. "', '" . $lastname . "', '" . $country_id . "', NOW(), '" . $friend . "', '" . $return . "', '" . $service . "', '" . $_POST['comments'] . "')";
}else
{
$enter_feedback = "INSERT INTO feedback" . //(initial, surname, country_id, date, friend_score, return_score, service_score, comments)
" VALUES('" . $initial. "', '" . $lastname . "', '" . $country_id . "', NOW(), '" . $friend . "', '" . $return . "', '" . $service . "',NULL)" or die("couldn't execute my query");
}
This should work as expected.
Try set the column to int, if this does not work.
INSERT INTO table (val1, val2) VALUES('String Value', NULL);
or set default column value to NULL.
A NULL value can not be enclosed in 'apostrophes'
Think about how you will get the SQL:
INSERT INTO table_name VALUES ('null','');?
The database may understand as a string
Just replace the 'NULL' value with NULL without the quotes.
$enter_feedback = "INSERT INTO feedback" . //(initial, surname, country_id, date, friend_score, return_score, service_score, comments)
" VALUES('" . $initial. "', '" . $lastname . "', '" . $country_id . "', NOW(), '" . $friend . "', '" . $return . "', '" . $service . "', NULL) " or die("couldn't execute my query");
Once you do that and save the record you will see NULL in the database column for that field when you browse via PHPMYADMIN. Please make sure that the field in question "comments" allows NULL.
Can you tell me what is wrong with this query? I just can't find the error, this is driving me insane.
<?php
$query = "INSERT INTO atable (fortlaufend, vorname, nachname, land, email, caption1, caption2, caption3, caption4, caption5, datum)
VALUES (NULL,
" . mysql_real_escape_string($_POST[vorname]) . ",
" . mysql_real_escape_string($_POST[nachname]) . ",
" . mysql_real_escape_string($_POST[land]) . ",
" . mysql_real_escape_string($_POST[email]) . ",
" . mysql_real_escape_string($_POST[caption1]) . ",
" . mysql_real_escape_string($_POST[caption2]) . ",
" . mysql_real_escape_string($_POST[caption3]) . ",
" . mysql_real_escape_string($_POST[caption4]) . ",
" . mysql_real_escape_string($_POST[caption5]) . ",
CURRENT_TIMESTAMP)";
?>
'fortlaufend' is the primary index with AUTO_INCREMENT. The mysql_error is
Invalid query: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'name, last name, country, email, What makes this photo special to you?, Wha' at line 3
Thank you!
You need single quotes for non-integer values.
<?php
$query = "INSERT INTO atable (fortlaufend, vorname, nachname, land, email, caption1, caption2, caption3, caption4, caption5, datum)
VALUES (NULL,
'" . mysql_real_escape_string($_POST[vorname]) . "',
'" . mysql_real_escape_string($_POST[nachname]) . "',
'" . mysql_real_escape_string($_POST[land]) . "',
'" . mysql_real_escape_string($_POST[email]) . "',
'" . mysql_real_escape_string($_POST[caption1]) . "',
'" . mysql_real_escape_string($_POST[caption2]) . "',
'" . mysql_real_escape_string($_POST[caption3]) . "',
'" . mysql_real_escape_string($_POST[caption4]) . "',
'" . mysql_real_escape_string($_POST[caption5]) . "',
CURRENT_TIMESTAMP)";
?>
You havent use quotes in your query.
<?php
$query = "INSERT INTO atable (fortlaufend, vorname, nachname, land, email, caption1, caption2, caption3, caption4, caption5, datum)
VALUES (NULL,
'" . mysql_real_escape_string($_POST[vorname]) . "',
'" . mysql_real_escape_string($_POST[nachname]) . "',
'" . mysql_real_escape_string($_POST[land]) . "',
'" . mysql_real_escape_string($_POST[email]) . "',
'" . mysql_real_escape_string($_POST[caption1]) . "',
'" . mysql_real_escape_string($_POST[caption2]) . "',
'" . mysql_real_escape_string($_POST[caption3]) . "',
'" . mysql_real_escape_string($_POST[caption4]) . "',
'" . mysql_real_escape_string($_POST[caption5]) . "',
CURRENT_TIMESTAMP)";
?>
I am able to retrieve data from a website(Nestoria) and store into my PostGIS database. However not every individual result that is returned have latitude and longitude values and as such they are not stored into the database. I tried using (pg_escape_string) so that it can return null values as double quotes(") but it didn't work. The field type of my lat and long columns in the database is "double precision".
This is a sample output of the error: ("Warning: pg_query() [function.pg-query]: Query failed: ERROR: invalid input syntax for type double precision: "" LINE 1: ...droom garden flat set in a period building with...', '', '') ^ in C:\XAMMP...\database.php on line 12")
Please see the code below for retrieving the data:
<?php
$url = ("http://api.nestoria.co.uk/api?action=search_listings¢re_point=51.5424,-0.1734,2km&listing_type=rent&property_type=all&price_min=min&price_max=max&bedroom_min=0&bedroom_max=0&number_of_results=50&has_photo=1&page=4");
$xml = simplexml_load_file($url);
foreach ($xml->response->listings as $entry) {
echo $entry->attributes()->title;
echo $entry->attributes()->bathroom_number;
echo $entry->attributes()->bedroom_number;
echo $entry->attributes()->datasource_name;
echo $entry->attributes()->guid;
echo $entry->attributes()->img_url;
echo $entry->attributes()->keywords;
echo $entry->attributes()->lister_name;
echo $entry->attributes()->listing_type;
echo $entry->attributes()->price;
echo $entry->attributes()->price_type;
echo $entry->attributes()->property_type;
echo $entry->attributes()->summary;
echo $entry->attributes()->latitude;
echo $entry->attributes()->longitude;
// Process XML file
}
?>
Find below the code to store values into database:
<?php
require 'nestoriauk.php';
// Opens a connection to a PostgresSQL server
$connection = pg_connect("dbname=postgis user=postgres password=xxxx");
// Execute query
foreach ($xml->response->listings as $entry) {
$query = "INSERT INTO nestoriaphp(title, bathroom, bedroom, datasource, guid, image, keywords, lister, listype, price, pricetype, property_type, summary, latitude, longitude) VALUES ('" . pg_escape_string($entry->attributes()->title) . "', '" . pg_escape_string($entry->attributes()->bathroom_number) . "', '" . pg_escape_string($entry->attributes()->bedroom_number) . "', '" . pg_escape_string($entry->attributes()->datasource_name) . "', '" . pg_escape_string($entry->attributes()->guid) ."', '" . pg_escape_string($entry->attributes()->img_url) . "', '" . pg_escape_string($entry->attributes()->keywords) . "', '" . pg_escape_string($entry->attributes()->lister_name) . "', '" . pg_escape_string($entry->attributes()->listing_type) . "', '" . pg_escape_string($entry->attributes()->price) . "', '" . pg_escape_string($entry->attributes()->price_type) . "', '" . pg_escape_string($entry->attributes()->property_type) ."', '" . pg_escape_string($entry->attributes()->summary) . "', '" . pg_escape_string($entry->attributes()->latitude) . "', '" . pg_escape_string($entry->attributes()->longitude) . "')";
$result = pg_query($query);
printf ("These values are inserted into the database - %s %s %s", $entry->attributes()->title, $entry->attributes()->bathroom_number, $entry->attributes()->bedroom_number, $entry->attributes()->datasource_name, $entry->attributes()->guid, $entry->attributes()->img_url, $entry->attributes()->keywords, $entry->attributes()->lister_name, $entry->attributes()->listing_type, $entry->attributes()->price, $entry->attributes()->price_type, $entry->attributes()->property_type, $entry->attributes()->summary, $entry->attributes()->latitude, $entry->attributes()->longitude);
}
pg_close();
?>
Yemi
If a POI has no lat-lon, which value it has? empty string?
assuming that an empty string is returned when there is no lat-lon.
$lon = "NULL";
if($entry->attributes()->longitude != "")
$lon = "'".$entry->attributes()->longitude."'";
$lat = "NULL";
if($entry->attributes()->latitude != "")
$lat = "'".$entry->attributes()->latitude."'";
so query looks like this:
$query = "INSERT INTO nestoriaphp(title, bathroom, bedroom, datasource, guid, image, keywords, lister, listype, price, pricetype, property_type, summary, latitude, longitude) VALUES ('" . pg_escape_string($entry->attributes()->title) . "', '" . pg_escape_string($entry->attributes()->bathroom_number) . "', '" . pg_escape_string($entry->attributes()->bedroom_number) . "', '" . pg_escape_string($entry->attributes()->datasource_name) . "', '" . pg_escape_string($entry->attributes()->guid) ."', '" . pg_escape_string($entry->attributes()->img_url) . "', '" . pg_escape_string($entry->attributes()->keywords) . "', '" . pg_escape_string($entry->attributes()->lister_name) . "', '" . pg_escape_string($entry->attributes()->listing_type) . "', '" . pg_escape_string($entry->attributes()->price) . "', '" . pg_escape_string($entry->attributes()->price_type) . "', '" . pg_escape_string($entry->attributes()->property_type) ."', '" . pg_escape_string($entry->attributes()->summary) . "', " . $lat . ", " . $lon . ")";
Note that the NULL value has no '' in sql.