I am using following code to insert a row in database. I always get ERROR
{"error":"SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'show) VALUES('A E Jewelers','Quintin','Schmidt','131 South Rolling Meadows Dr.',' at line 1"}
Here is my query
xxx/webservice/api.php?action=addStore&name=A%20E%20Jewelers&firstname=Quintin&lastname=Schmidt&address=131%20South%20Rolling%20Meadows%20Dr.&city=Fond%20du%20Lac&state=WI&country=USA&zip=54935&phone=(920)%20933%203601%0A&fax=(920)%20486-1734&email=Diadori#aejewelers.com&latitude=43.775931&longitude=-88.482894&website=www.aejewelers.com&show=1
function AddStore()
{
$name = trim($_REQUEST['name']);
$firstname = trim($_REQUEST['firstname']);
$lastname = trim($_REQUEST['lastname']);
$address = trim($_REQUEST['address']);
$city = trim($_REQUEST['city']);
$state = trim($_REQUEST['state']);
$country = trim($_REQUEST['country']);
$zip = trim($_REQUEST['zip']);
$phone = trim($_REQUEST['phone']);
$fax = trim($_REQUEST['fax']);
$email = trim($_REQUEST['email']);
$latitude = trim($_REQUEST['latitude']);
$longitude = trim($_REQUEST['longitude']);
$website = trim($_REQUEST['website']);
$show = 1;
return $show;
$insert_id = 0;
try {
$conn = $this->GetDBConnection();
$statement = $conn->prepare('INSERT INTO stores( name, firstname, lastname, address, city, state, country, zip, phone, fax, email, latitude,longitude, website,show) VALUES(:name,:firstname,:lastname,:address,:city,:state,:country,:zip,:phone,:fax, :email, :phone, :zip)');
$statement->bindParam(':name', $name, PDO::PARAM_STR);
$statement->bindParam(':firstname', $firstname, PDO::PARAM_STR);
$statement->bindParam(':lastname' , $lastname, PDO::PARAM_STR);
$statement->bindParam(':address', $address, PDO::PARAM_STR);
$statement->bindParam(':city', $city, PDO::PARAM_STR);
$statement->bindParam(':state', $state, PDO::PARAM_STR);
$statement->bindParam(':country', $country, PDO::PARAM_STR);
$statement->bindParam(':zip', $zip, PDO::PARAM_STR);
$statement->bindParam(':phone', $phone, PDO::PARAM_STR);
$statement->bindParam(':fax' , $fax, PDO::PARAM_STR);
$statement->bindParam(':email' , $email, PDO::PARAM_STR);
$statement->bindParam(':latitude' , $latitude, PDO::PARAM_STR);
$statement->bindParam(':longitude', $longitude, PDO::PARAM_STR);
$statement->bindParam(':website' , $website, PDO::PARAM_STR);
$statement->bindParam(':show' , $show, PDO::PARAM_INT);
$statement->execute();
$insert_id = $conn->lastInsertId();
$conn = null;
} catch(PDOException $e) {
throw $e;
}
return $insert_id;
}
Replace the column name show with `show`
INSERT INTO stores(
name, firstname, lastname, address, city, state,
country, zip, phone, fax, email, latitude,longitude,
website,`show`)
VALUES (:name,:firstname,:lastname,:address,:city,
:state,:country,:zip,:phone,:fax, :email,
:phone, :zip)'
The word show is a keyword in SQL
It's good practice to always wrap field names and table names in backticks ` to prevent this common "gotcha" with accidentally using a reserved keyword. There are an amazing number of reserved words in SQL, so it's probably easier just to backtick names rather than remembering to check each field or table name used.
I take it you have confirmed that none of the values are empty/null or have embedded spaces, quotes, or commas? Does the PDO library take care of escaping quotes (e.g., Mrs. O'Leary's Cow) and wrapping the data in quotes?
Related
public function register($uname,$age,$sex,$image,$dpart,$joind,$job,$uposition,$phone,$umail,$upass,
$unumber,$address,$nssf,$bank,$passp,$home,$village,$nation,$permit)
{
try
{
$new_password = password_hash($upass, PASSWORD_DEFAULT);
$stmt = $this->conn->prepare("INSERT INTO users(user_name,birth,gender,image,job_title,curr_position,telephone,department,joining_date,user_email,user_pass,box_number,residence,nssf_number,bank_account,passport_number,home_district,village,nationality,work_permit)
VALUES(:uname,:age,:sex,:image,:dpart,:joind,:job,:uposition,:phone,:umail,:upass,:unumber,:nssf,:bank,:passp,:home,:village,:nation,:permit)");
$stmt->bindparam(":uname",$uname);
$stmt->bindparam(":age",$age);
$stmt->bindparam(":sex",$sex);
$stmt->bindparam(":image",$image);
$stmt->bindparam(":dpart",$dpart);
$stmt->bindparam(":joind",$joind);
$stmt->bindparam(":job",$job);
$stmt->bindparam(":uposition",$uposition);
$stmt->bindparam(":phone",$phone);
$stmt->bindparam(":umail",$umail);
$stmt->bindparam(":upass",$new_password);
$stmt->bindparam(":unumber",$unumber);
$stmt->bindparam(":address",$address);
$stmt->bindparam(":nssf",$nssf);
$stmt->bindparam(":bank",$bank);
$stmt->bindparam(":passp",$passp);
$stmt->bindparam(":home",$home);
$stmt->bindparam(":village",$village);
$stmt->bindparam(":nation",$nation);
$stmt->bindparam(":permit",$permit);
$stmt->execute();
return $stmt;
}
catch(PDOException $e)
{
echo $e->getMessage();
}
}
I'm posting this as a community wiki answer, since there shouldn't be any rep from this, nor do I want rep from it; given an answer that can't determine which one is missing.
It's the one for $stmt->bindparam(":address",$address); that is missing in the VALUES().
Also make sure that all variables do contain value.
PHP's error reporting will be of help:
http://php.net/manual/en/function.error-reporting.php
Side note: Using a code editor that automatically finds matching words when double-clicked and using the same naming convention would have helped you greatly.
One (free) of which that has option, is Notepad++.
Your sql statement is inconsistent: the table columns and the values
to insert don't correspond. For example, in a curr_position field
you are trying to insert a value of :joind, etc.
Also, in terms of number, the columns and the values to insert don't
coincide: 19 values to insert in 20 fields.
Recommendations:
My recommendation would be to always use column names for the marker names. Then you know exactly to which markers you are inserting the corresponding values.
NB: Markers: "...VALUES (:marker1, :marker2, ...);".
You should also define the type of input parameteres that you are binding. Example:
$stmt->bindparam(":age", $age, PDO::PARAM_INT);
Try to maintain some consistency between the function parameters and the field names, if it's possible and... makes sense.
My code proposal would look like this:
<?php
public function register(
$userName
, $birth
, $gender
, $image
, $jobTitle
, $currPosition
, $telephone
, $department
, $joiningDate
, $userEmail
, $userPass
, $boxNumber
, $residence
, $nssfNumber
, $bankAccount
, $passportNumber
, $homeDistrict
, $village
, $nationality
, $workPermit
) {
try {
$newUserPassword = password_hash($userPass, PASSWORD_DEFAULT);
$stmt = $this->conn->prepare('INSERT INTO users (
user_name,
birth,
gender,
image,
job_title,
curr_position,
telephone,
department,
joining_date,
user_email,
user_pass,
box_number,
residence,
nssf_number,
bank_account,
passport_number,
home_district,
village,
nationality,
work_permit
) VALUES (
:user_name,
:birth,
:gender,
:image,
:job_title,
:curr_position,
:telephone,
:department,
:joining_date,
:user_email,
:user_pass,
:box_number,
:residence,
:nssf_number,
:bank_account,
:passport_number,
:home_district,
:village,
:nationality,
:work_permit
)');
$stmt->bindparam(":user_name", $userName, PDO::PARAM_STR);
$stmt->bindparam(":birth", $birth, PDO::PARAM_INT);
$stmt->bindparam(":gender", $gender, PDO::PARAM_STR);
$stmt->bindparam(":image", $image, PDO::PARAM_STR);
$stmt->bindparam(":job_title", $jobTitle, PDO::PARAM_STR);
$stmt->bindparam(":curr_position", $currPosition, PDO::PARAM_STR);
$stmt->bindparam(":telephone", $telephone, PDO::PARAM_STR);
$stmt->bindparam(":department", $department, PDO::PARAM_STR);
$stmt->bindparam(":joining_date", $joiningDate, PDO::PARAM_STR);
$stmt->bindparam(":user_email", $userEmail, PDO::PARAM_STR);
$stmt->bindparam(":user_pass", $newUserPassword, PDO::PARAM_STR);
$stmt->bindparam(":box_number", $boxNumber, PDO::PARAM_INT);
$stmt->bindparam(":residence", $residence, PDO::PARAM_STR);
$stmt->bindparam(":nssf_number", $nssfNumber, PDO::PARAM_INT);
$stmt->bindparam(":bank_account", $bankAccount, PDO::PARAM_STR);
$stmt->bindparam(":passport_number", $passportNumber, PDO::PARAM_STR);
$stmt->bindparam(":home_district", $homeDistrict, PDO::PARAM_STR);
$stmt->bindparam(":village", $village, PDO::PARAM_STR);
$stmt->bindparam(":nationality", $nationality, PDO::PARAM_STR);
$stmt->bindparam(":work_permit", $workPermit, PDO::PARAM_STR);
$stmt->execute();
return $stmt;
} catch (PDOException $e) {
echo $e->getMessage();
}
}
Good luck!
Thank you all for your efforts and input i figured out the problem actually was this one:
$stmt->bindParam("userPass", $newUserPassword, PDO::PARAM_STR);
which had to be changed to this:
$stmt->bindParam("userPass", $userPass, PDO::PARAM_STR);
I was trying to use a parameter that i had not defined all because i di this:
$newUserPassword = password_hash($userPass, PASSWORD_DEFAULT);
So I thought of replacing it in the bindParameters....Hope it helps other!
Afternoon,
Currently I am writing a program that allows an admin to update the members datebase.
My code is as follows:
$member_id = $formdata['update'];
$surname = $formdata['surname'];
$other_name = $formdata['othername'];
$contactmethod = $formdata['contactmethod'];
$email = $formdata['email'];
$mobilenum = $formdata['mobilenum'];
$phonenum = $formdata['phonenum'];
$occupation = $formdata['occupation'];
$userpass = $formdata['userpass'];
if(!isset($formdata['magazine']))
$magazine = 0;
else
$magazine = 1;
//Get ready to talk to the DB
$db = getDBConnection();
//Make a prepared query so that we can use data binding and avoid SQL injections.
$insertUser = $db->prepare('INSERT into member VALUES
(:surname, :other_name, :contact_method,
:email, :mobile, :landline, :magazine, :street,
:suburb, :postcode, :password,
:occupation) WHERE member_id=$member_id');
//Bind the data from the form to the query variables.
//Doing it this way means PDO sanitises the input which prevents SQL injection.
$insertUser->bindParam(':surname', $surname, PDO::PARAM_STR);
$insertUser->bindParam(':other_name', $other_name, PDO::PARAM_STR);
$insertUser->bindParam(':contact_method', $contactmethod, PDO::PARAM_STR);
$insertUser->bindParam(':email', $email, PDO::PARAM_STR);
$insertUser->bindParam(':mobile', $mobilenum, PDO::PARAM_STR);
$insertUser->bindParam(':landline', $phonenum, PDO::PARAM_STR);
$insertUser->bindParam(':magazine', $magazine, PDO::PARAM_INT);
$insertUser->bindParam(':street', $streetaddr, PDO::PARAM_STR);
$insertUser->bindParam(':suburb', $suburbstate, PDO::PARAM_STR);
$insertUser->bindParam(':postcode', $postcode, PDO::PARAM_INT);
$insertUser->bindParam(':password', $userpass, PDO::PARAM_STR);
$insertUser->bindParam(':occupation', $occupation, PDO::PARAM_STR);
Current error is within WHERE member_id=$member_id
I have no idea what the error is and how to fix it.
Any tips?
try using an UPDATE.
'UPDATE member SET surname = :surname, other_name = :other_name, contact_method = :contact_method,
email = :email, mobile = :mobile, landline = :landline, magazine = :magazine, street = :street,
suburb = :suburb, postcode = :postcode, password = :password,
occupation = :occupation) WHERE member_id = :member_id'
Additionally, bind another param for member_id otherwise ther isnt much point in doing the others
$insertUser->bindParam(':member_id', $member_id, PDO::PARAM_INT);
I have the following block of code in a PDO statement:
$stmt = $db->prepare("INSERT INTO first_page_data (title, first_name, surname, phone, email, add1, add2, add3, add4, add5) VALUES(?,?,?,?,?,?,?,?,?,?)");
$stmt->bindValue(1, $_POST['title'], PDO::PARAM_STR);
$stmt->bindValue(2, $_POST['first_name'], PDO::PARAM_STR);
$stmt->bindValue(3, $_POST['surname'], PDO::PARAM_STR);
$stmt->bindValue(4, $_POST['phone'], PDO::PARAM_INT);
$stmt->bindValue(5, $_POST['email'], PDO::PARAM_STR);
$stmt->bindValue(6, $_POST['add1'], PDO::PARAM_STR);
$stmt->bindValue(7, $_POST['add2'], PDO::PARAM_STR);
$stmt->bindValue(8, $_POST['add3'], PDO::PARAM_STR);
$stmt->bindValue(9, $_POST['add4'], PDO::PARAM_STR);
$stmt->bindValue(10, $_POST['add5'], PDO::PARAM_STR);
$stmt->execute();
$_SESSION['buyer_email'] = $_POST['email'];
Can these parameters (title, first_name, etc) be put into the bindValues using an array and a for each loop? I can get the prepare statement working by just having an array containing the titles but cant seem to get the variable names inside the $_POST values. It would save quite a few lines of code, but I cant quite get there!
The following is the array im using in the prepared statement that I want to use in the bind value loop:
$first = array('title','first_name','surname','phone','email','add1','add2','add3','add4','add5');
Just simply loop over $first and call bindValue for each one.
foreach($first as $key=>$val){
$stmt->bindValue($key+1, $_POST[$val], PDO::PARAM_STR);
}
Or you can use it like this:
$stmt = $db->prepare("INSERT INTO first_page_data (title, first_name, surname, phone, email, add1, add2, add3, add4, add5) VALUES(?,?,?,?,?,?,?,?,?,?)");
$stmt->execute($array);
The array would be like:
$array = array($_POST['title'],$_POST['first_name']);
or if you have the correct order already just
$array = $_POST;
trying to setup a warranty registration page for a friends company and I'm not great at Mysql or PHP (Read: Noob). I've scoured the web for answers and have tried several variations to the code below with no success.
I have the table setup with the matching column names. The form submission is also setup correctly I believe.
Just not certain as to what is stopping it from actually posting the data to the database. Any help would be greatly appreciated.
Here's my post code.
<?php
error_reporting(-1);
$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$address = $_POST['address'];
$city = $_POST['city'];
$state = $_POST['state'];
$zipcode = $_POST['zipcode'];
$country = $_POST['country'];
$phone = $_POST['phone'];
$email = $_POST['email'];
$ordernumber = $_POST['ordernumber'];
$receivedate = $_POST['receivedate'];
$placeofpurchase = $_POST['placeofpurchase'];
$newsletter = $_POST['newsletter'];
?>
<?php
$con = mysqli_connect("localhost","DB_Username","PASSWORD","DB_NAME");
if (mysqli_connect_errno())
{
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
$sql = ("INSERT INTO warrantyregistration (firstname, lastname, address, city, state, zipcode, country, phone, email, ordernumber, receivedate, placeofpurchase, newsletter)
VALUES
($firstname, $lastname, $address, $city, $state, $zipcode, $country, $phone, $email, $ordernumber, $receivedate, $placeofpurchase, $newsletter)");
if (mysqli_query($con,$sql))
{
die('Error: ' . mysqli_error($con));
}
echo "Success!";
mysqli_close($con)
?>
Change this line:
if (mysqli_query($con,$sql))
to:
if (!mysqli_query($con,$sql))
and you should see an error message.
You got the wrong syntax for the SQL statement. You have to set your Php variables into ´$variable´
See my working code here:
insert into user
(
userid,
signedin_at,
)
values
(
'$vp_userid',
now()
);
You should be paramaterizing your queries and using prepared statements. This would protect you from the SQL injection and fix your issues. An abridged version of what you need to do is:
$stmt = mysqli_prepare($con, "INSERT INTO warrantyregistration
(firstname, lastname, address) VALUES (?, ?, ?)");
mysqli_stmt_bind_param($stmt, "sss", $firstname, $lastname, $address);
mysqli_stmt_execute($stmt);
I got the same error. Without the paramaterizing you can fix that error in your sql statement:
...
$sql = "INSERT INTO warrantyregistration VALUES ($firstname, $lastname, $address, $city, $state, $zipcode, $country, $phone, $email, $ordernumber, $receivedate, $placeofpurchase, $newsletter)";
...
i have a pdo block for inserting values into my table as follows
try{
$user = 'root';
$pass = null;
$pdo = new PDO('mysql:host=localhost; dbname=divebay', $user, $pass);
$name = $_POST['name'];
$desc = $_POST['description'];
$cond = $_POST['condGroup'];
$sprice = $_POST['sprice'];
$iprice = $_POST['iprice'];
$incprice = $_POST['incprice'];
$duration = $_POST['duration'];
$img = $_POST['img'];
$owner = $_SESSION['username'];
$valid = "set";
$stmt2 = $pdo->prepare("SELECT * FROM auction WHERE ID = :id");
$stmt2->bindParam(":id", $random, PDO::PARAM_INT);
while(isset($valid)){
$random = rand(100000,999999);
$stmt2->execute();
if(!$stmt2->fetch(PDO::FETCH_ASSOC)){
unset($valid);
}
}
$timestamp = time() + ($duration * 24 * 60 * 60);
$stmt = $pdo->prepare("INSERT INTO auction(ID, name, owner, holder, sprice, iprice, incprice, etime, img, condition, description)
VALUES (:id, :name, :owner, :holder, :sprice, :iprice, :incprice:, :etime, :img, :condition, :description");
$stmt->bindParam(':id', $random, PDO::PARAM_INT);
$stmt->bindParam(':name', $name, PDO::PARAM_STR);
$stmt->bindParam(':owner', $owner, PDO::PARAM_STR);
$stmt->bindParam(':holder', $owner, PDO::PARAM_STR);
$stmt->bindParam(':iprice', $iprice, PDO::PARAM_STR);
$stmt->bindParam(':sprice', $sprice, PDO::PARAM_STR);
$stmt->bindParam(':incprice', $incprice, PDO::PARAM_STR);
$stmt->bindParam(':etime', $timestamp, PDO::PARAM_INT);
$stmt->bindParam(':img', $img, PDO::PARAM_STR);
$stmt->bindParam(':condition', $condition, PDO::PARAM_STR);
$stmt->bindParam(':description', $description, PDO::PARAM_STR);
if($stmt->execute()){
$worked ="yes";
}
}catch(PDOException $e){
echo $e->getMessage();
}
i cant tell why this statement wont execute, the $worked variable has not been set when it is the script is run. all database column names and datatypes have been checked correct as they are. ive never had a problem with a statement not executing until now. whats wrong? how do i go about debugging this?
If you setup the database connection with error mode exception PDO will throw an exception if something is wrong with your statement. I also see that you are using the MySQL driver for PDO. If you do this you should always disable emulated prepared statements. So I would write you connection as following (note that I have also set the encoding):
$pdo = new PDO('mysql:host=localhost; dbname=divebay;charset=utf8', $user, $pass);
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
Also see this post for more information about this.
Once you have done this you will see that your statement is wrong. You have one missing ) at the end of the statement:
$stmt = $pdo->prepare("INSERT INTO auction(ID, name, owner, holder, sprice, iprice, incprice, etime, img, condition, description)
VALUES (:id, :name, :owner, :holder, :sprice, :iprice, :incprice:, :etime, :img, :condition, :description)");
^
Modify this line:
$stmt = $pdo->prepare("INSERT INTO auction(ID, name, owner, holder, sprice, iprice, incprice, etime, img, condition, description)
VALUES (:id, :name, :owner, :holder, :sprice, :iprice, :incprice:, :etime, :img, :condition, :description");
To
$stmt = $pdo->prepare("INSERT INTO auction(ID, name, owner, holder, sprice, iprice, incprice, etime, img, condition, description)
VALUES (:id, :name, :owner, :holder, :sprice, :iprice, :incprice:, :etime, :img, :condition, :description)");
The difference is the ) at the end.
And tell me if it works now.