I am trying to insert information into a table, using the following query:
$sql2 = "INSERT into `djs` (`name`,`pic`,`about`) VALUES (".$row['dj_name'].",".$row['dj_picture'].",".$row['dj_intro'].")";
Whenever I have tried doing this, the following error has occurred, "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use"
What is causing this error and how may it be resolved?
Use mysql_real_escape_string() to escape your values and put them into single quotes:
$sql2 = "INSERT into `djs` (`name`,`pic`,`about`) VALUES ('".mysql_real_escape_string($row['dj_name'])."', '".mysql_real_escape_string($row['dj_picture'])."', '".mysql_real_escape_string($row['dj_intro'])."')";
You are not putting quotes around the strings you are inserting:
$sql2 = "INSERT into `djs` (`name`,`pic`,`about`) VALUES
('".$row['dj_name']."','".$row['dj_picture']."','".$row['dj_intro']."')";
The values all need quoting (assuming they are all strings):
$sql2 = "INSERT into `djs` (`name`,`pic`,`about`) VALUES ('".$row['dj_name']."','".$row['dj_picture']."','".$row['dj_intro']."')";
Also even if your data is coming from existing data in the database, you should still consider the possibility of Second Order SQL Injection. The most appropriate safeguard is to use a Prepared Statement instead of concatenating values into the query.
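The prepared-statement version of this insert, as an added example rather than code from the answer: `$conn` is assumed to be an open mysqli connection, and the source table is called `source_djs` here because the question does not name it.

```php
<?php
// Added example: a prepared statement for the `djs` insert above. Assumes
// $conn is an open mysqli connection and that the source rows come from a
// table called source_djs (hypothetical name; the question does not give
// it). The destination table and column names are from the question.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$source = $conn->query("SELECT dj_name, dj_picture, dj_intro FROM `source_djs`");

// Placeholders instead of concatenation: the server receives the SQL text
// once and the values separately, so a value can never change the query.
$stmt = $conn->prepare("INSERT INTO `djs` (`name`, `pic`, `about`) VALUES (?, ?, ?)");
$stmt->bind_param('sss', $name, $pic, $about); // bound by reference

$inserted = 0;
while ($row = $source->fetch_assoc()) {
    // A stored value such as O'Neil, or one containing SQL fragments, is
    // sent as data, so a second-order injection is not possible here.
    $name  = $row['dj_name'];
    $pic   = $row['dj_picture'];
    $about = $row['dj_intro'];
    $stmt->execute();
    $inserted++;
}
$stmt->close();
echo "$inserted DJ rows inserted\n";
```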
You need quotes around the values you are inserting. But you should also consider a better method of inserting records.
$sql2 = "INSERT into `djs` (`name`,`pic`,`about`) VALUES ('".$row['dj_name']."','".$row['dj_picture']."','".$row['dj_intro']."')";
Related
I am attempting to insert some user-inputted data into my MySQL table using the following command:
$sql = "INSERT INTO Queued ('$role') VALUES ('$sname')";
Interestingly enough, I get the following error:
Error: INSERT INTO Queued ('Tops') VALUES ('Summoner')
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''Tops') VALUES ('Summoner')' at line 1
To be honest, I am relatively new at using PHP as well as MySQL, but I can't seem to find the error in my syntax; the Queued table does exist, $role and $sname are both strings so I encased them in single quotes. I suspect this is a newbie mistake, could anyone point me in the right direction?
This is due to use of single quotes ' around the column name. The query should be like:
$sql = "INSERT INTO Queued ($role) VALUES ('$sname')";
OR
$sql = "INSERT INTO Queued (`$role`) VALUES ('$sname')";
Try this format:
$sql = "INSERT INTO Queued (`".$role."`) VALUES ('".$sname."')";
The backtick's role is to differentiate between built-in SQL words and column names, so if a word used as the name of a column might also be a built-in SQL expression, backticks are needed around it.
I need to insert some records from table1 in database1 into table2 in database2.
So far I have this:
$records_r = mysqli_fetch_assoc(mysqli_query($conn_r, "SELECT * FROM `export` WHERE ID < 100"));
$columns_r = implode(",",array_keys($records_r));
$values_r = implode(",",array_values($records_r));
$import = mysqli_query($conn_i,"INSERT INTO NOTimport ($columns_r) values ($values_r)");
if (!$import) {
    printf("Error: %s\n", mysqli_error($conn_i));
    exit();
}
It gives me the error:
Error: You have an error in your SQL syntax;
This is how the syntax looks:
INSERT INTO `NOTimport` ('xx,xx,xx,xx,xx,xx,xx,xx') values ('11,'11,E,2079,1931,xx,xx,x')
I am 99% sure that single quotes are causing the error, but why are they there?
As per your original post https://stackoverflow.com/revisions/31116693/1 and completely overwriting your original post without marking it as an edit:
You're using the MySQL reserved word import:
https://dev.mysql.com/doc/refman/5.5/en/keywords.html
It needs to be wrapped in backticks:
INSERT INTO `import` ($columns_r) values ($values_r)
or rename that table to something other than a reserved word.
Plus, $values_r may need to be quoted, and depending on what's being passed through $columns_r, you may need to use backticks around that.
I.e.:
INSERT INTO `import` (`$columns_r`) values ('".$values_r."')
Even then, that is open to SQL injection.
So, as per your edit with these values values ('11,'11,E,2079,1931,xx,xx,x'), just quote the values since you have some strings in there. MySQL will differentiate between those values.
Escape your values:
$values_r = implode(",",array_values($records_r));
$values_r = mysqli_real_escape_string($conn_r, $values_r);
or $conn_i; I'm getting confused as to which variable is which here. Be consistent if you're using the same db.
Edit:
As stated in comments by chris85, use prepared statements and be done with it.
http://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php
http://php.net/pdo.prepared-statements
import is a reserved word in MySQL. So, you need to use backticks (``) around it in your query.
So rewrite as follows:
$import = mysqli_query($conn_i,"INSERT INTO `import` ($columns_r) values ($values_r)");
Without using PHP, you can use a MySQL query which will perform the insert operation:
$columns_r='`name`,`class`';
mysqli_query($conn_i,"INSERT INTO `import` ({$columns_r}) select {$columns_r} from `export`");
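A safe version of the table-to-table copy, serving both this question and the earlier one about a column name held in `$role`: an added example, not code from any of the answers. It assumes `$conn_r` and `$conn_i` are open mysqli connections built on mysqlnd, and that `quoteIdentifier` and `copyRows` are hypothetical helpers defined here.

```php
<?php
// Added example (not from the answers above): copy rows from `export` in one
// database into `import` in another. Values go through a prepared statement;
// column names cannot be bound, so they are checked against the destination
// table's real columns and backtick-quoted, which also makes reserved words
// such as `import` or `from` (or a column chosen via a variable like $role)
// legal. Assumes $conn_r and $conn_i are open mysqli connections as in the
// question, built on mysqlnd (needed for get_result()).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
function quoteIdentifier(string $name): string
{
    // Backticks delimit an identifier; an embedded backtick is doubled.
    return '`' . str_replace('`', '``', $name) . '`';
}

function copyRows(mysqli $src, mysqli $dst, string $srcTable, string $dstTable, int $maxId): int
{
    // Whitelist: only column names that really exist in the destination table.
    $allowed = [];
    $cols = $dst->query('SHOW COLUMNS FROM ' . quoteIdentifier($dstTable));
    while ($col = $cols->fetch_assoc()) {
        $allowed[] = $col['Field'];
    }
    $sel = $src->prepare('SELECT * FROM ' . quoteIdentifier($srcTable) . ' WHERE ID < ?');
    $sel->bind_param('i', $maxId);
    $sel->execute();
    $rows = $sel->get_result();
    $ins = null;
    $copied = 0;
    while ($record = $rows->fetch_assoc()) {
        $columns = array_keys($record);
        if ($unknown = array_diff($columns, $allowed)) {
            throw new RuntimeException('Unknown column(s): ' . implode(', ', $unknown));
        }
        if ($ins === null) {
            // One ? per column; strings and NULLs are bound, never concatenated.
            $ins = $dst->prepare(sprintf('INSERT INTO %s (%s) VALUES (%s)',
                quoteIdentifier($dstTable),
                implode(', ', array_map('quoteIdentifier', $columns)),
                implode(', ', array_fill(0, count($columns), '?'))));
        }
        $values = array_values($record);
        $ins->bind_param(str_repeat('s', count($values)), ...$values);
        $ins->execute();
        $copied++;
    }
    return $copied;
}
echo copyRows($conn_r, $conn_i, 'export', 'import', 100), " rows copied\n";
```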
When I proceed to run the following query:
$sql3 = mysqli_query($con, 'INSERT INTO berichten (from, naar, file) VALUES ('.$id.', '.$to.', "'.$url.'")') or die(mysqli_error($con));
I receive this error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'from, naar, file) VALUES (2, 2, "b9173a1b9ade8767280009f9638bd987.caf")' at line 1
id = an id number,
to = an id number and
url = the filename (e.g. sound.caf)
Why do I get this error and what can I do to fix it?
Thanks!
from is a special SQL keyword. You have to escape it by putting it into backticks:
$sql3 = mysqli_query($con, 'INSERT INTO berichten (`from`, naar, file) VALUES ('.$id.', '.$to.', "'.$url.'")') or die(mysqli_error($con));
Besides that, you might need to quote ID and file as you did for $url.
Btw, you should really consider using prepared statements in order to prevent SQL injection.
I am using the following insert command to insert values into my db table called demo_organization
$sql = "INSERT INTO demo_organization (org_name, abn_acn_no, org_url,city,
state, country, pin, street, primary_mobile,
secondary_mobile, primary_landline,
secondary_landline, primary_email, secondary_email)
VALUES ($org_name, $abn_acn_no, $org_url, $city, $state, $country,
$pin, $street, $primary_mobile, $secondary_mobile,
$primary_landline, $secondary_landline, $primary_email,
$secondary_email)";
$result = mysql_query($sql) or die (mysql_error());
in PHP,
but I am getting an error like:
You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use
near '://loc.com,Melburn,Melburn,Australia,56007,123 park
avenue,+6190567890,+89685552' at line 2
I am completely new to PHP and MySQL; please tell me what I am doing wrong.
You are missing single quotes around the text values:
insert into demo (org_name, abn_acn_no) values ('$org_name', $abn_acn_no);
// assumes that abn_acn_no is numeric.
You also cannot pass an empty variable into the query. If you don't have it, you will need to insert it as , null, rather than as a variable with no value - which would result in , , which SQL won't accept - even if the column accepts null values.
If you will be using MySQL, you need to escape the values: mysql_escape_string($string)
There is a problem with the url provided in the query, try escaping it and running it again.
Otherwise, mysql is becoming deprecated; use MySQLi or PDO:
http://php.net/manual/en/book.mysqli.php
http://php.net/manual/en/book.pdo.php
Your code is vulnerable to SQL injection. I'd recommend MySQLi or PDO. But anyway, your values that are in string format should be wrapped in single quotes:
$sql = "INSERT INTO demo_organization (org_name, abn_acn_no, org_url,city,
state, country, pin, street, primary_mobile,
secondary_mobile, primary_landline,
secondary_landline, primary_email, secondary_email)
VALUES ('$org_name', '$abn_acn_no', '$org_url', '$city', ...,
'$secondary_email')";
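The same insert done with PDO named placeholders, as an added example that is not part of any answer here: `$pdo` is assumed to be an open PDO connection, `insertOrganization` is a hypothetical helper, the set of required columns is an assumption, and the sample input is constructed from the values visible in the question's error message.

```php
<?php
// Added example (not from the answers above): the demo_organization insert
// with PDO named placeholders. Assumes $pdo is an open PDO connection to the
// database holding demo_organization (hypothetical), an auto-increment key,
// and that the four columns in $required must be present (an assumption).
// Bound values cannot break the SQL, and an empty optional field becomes
// NULL instead of the ", ," that an empty variable leaves in the query text.
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$columns = ['org_name', 'abn_acn_no', 'org_url', 'city', 'state', 'country',
    'pin', 'street', 'primary_mobile', 'secondary_mobile', 'primary_landline',
    'secondary_landline', 'primary_email', 'secondary_email'];
$required = ['org_name', 'abn_acn_no', 'city', 'country'];

function insertOrganization(PDO $pdo, array $columns, array $required, array $input): int
{
    foreach ($required as $c) {
        if (!isset($input[$c]) || trim($input[$c]) === '') {
            throw new InvalidArgumentException("Missing required field: $c");
        }
    }
    // The column list is the fixed array above, so building it with implode is safe.
    $stmt = $pdo->prepare(sprintf('INSERT INTO demo_organization (%s) VALUES (:%s)',
        implode(', ', $columns), implode(', :', $columns)));
    foreach ($columns as $c) {
        $value = isset($input[$c]) ? trim($input[$c]) : '';
        if ($value === '') {
            $stmt->bindValue(":$c", null, PDO::PARAM_NULL);  // explicit SQL NULL
        } else {
            $stmt->bindValue(":$c", $value, PDO::PARAM_STR);
        }
    }
    $stmt->execute();
    return (int) $pdo->lastInsertId();
}

// Constructed sample input using the values visible in the question's error
// message; the rest is made up. Note the quote in org_name and the empty
// optional fields, both of which break a concatenated query.
$input = ['org_name' => "O'Reilly Pty Ltd", 'abn_acn_no' => '12345678901',
    'org_url' => 'http://loc.com', 'city' => 'Melburn', 'state' => 'Melburn',
    'country' => 'Australia', 'pin' => '56007', 'street' => '123 park avenue',
    'primary_mobile' => '+6190567890', 'secondary_mobile' => '+89685552',
    'primary_landline' => '', 'secondary_landline' => '',
    'primary_email' => 'info@loc.com', 'secondary_email' => ''];

echo 'Inserted organization id ', insertOrganization($pdo, $columns, $required, $input), "\n";
```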
I'm having problems with an INSERT statement, and the error only says:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
It's not helpful at all.
The version I have tried so far and failed is:
mysql_query("INSET INTO `cos` VALUES ('".$_GET['prod']."','".$_GET['page']."')");
[needless to say that the two variables when printed show the right values]
I've also tried versions with nothing around the table name, with ` or ', a million combinations really and nothing works. Not even with constants or into different tables. It just won't insert anything ever. I've checked the privileges (I'm logging into it with root), and it's all on.
I've tried similar stuff on two different machines with the same server (XAMPP 1.7.7) and it works. I'm completely baffled! What can it be?
Thank you for your time!
First and foremost, just type INSERT correctly.
Using $_GET like that really opens you up to SQL injection...
Do take a look into MySQL prepared statements.
It is also considered good practice to name the columns that you're inserting data into. That allows you to, later on, add extra columns and keep the application logic.
INSERT INTO cos(rowName1, rowName2) VALUES(?, ?)
Where ? would be prepared statements.
Correct:
mysql_query("INSERT INTO `cos` VALUES ('".$_GET['prod']."','".$_GET['page']."')");
Have you tried passing the $link to mysql_query?
Like:
mysql_query("INSERT INTO `cos` VALUES ('".$_GET['prod']."','".$_GET['page']."')", $link);
EDIT:
And of course you must take some security measures before inserting anything into the database, maybe mysql_real_escape_string() or even prepared statements.
You are doing it wrong. Why aren't you escaping the values?
The php.net documentation provides some good and safe working examples:
$query = sprintf("SELECT firstname, lastname, address, age FROM friends
WHERE firstname='%s' AND lastname='%s'",
mysql_real_escape_string($firstname),
mysql_real_escape_string($lastname));
// Perform Query
$result = mysql_query($query);
So adapted to your code:
$query = sprintf("INSERT INTO `cos` VALUES ('%s', '%s');",
mysql_real_escape_string($_GET['prod']),
mysql_real_escape_string($_GET['page']));
$result = mysql_query($query);
Please, always escape your values. And use INSERT, not INSET :)
First, you are using INSET; correct it to INSERT like:
$pro = mysql_real_escape_string($_GET['prod']);
$page = mysql_real_escape_string($_GET['page']);
mysql_query("INSERT INTO `cos` (column1, column2)
VALUES ('$pro', '$page')" );
you forgot to set the column names...
Try this:
$prod = $_GET['prod'];
$page = $_GET['page'];
mysql_query("INSERT INTO `cos` VALUES ('$prod', '$page')");
This should very well do it :)