I am new to PHP and MySQL and I don't have anyone to help me so I am asking here. I was trying to update the database it shows some errors. Can anyone help me to correct the code below?
Database fields are s.no, name, description, `top_banner_image
Here is the code:
<?
php
if(isset($_POST['submit']))
{
$product_name=$_POST['product_name'];
$description=$_POST['description'];
$photo_n=$_FILES['baner_image']['name'];
move_uploaded_file($_FILES['top_banner_image']['tmp_name'],
$sql="INSERT INTO product_catergory (product_name, description, top_banner_image)
VALUES
('$_POST[product_image]','$_POST[description]','$_POST[top_banner_image]')";
if (!mysqli_query($con,$sql))
{
die('Error: ' . mysqli_error($con));
}
echo "1 record added";
mysqli_close($con);
?>
<?php include("foot.php"); ?>
$sql="INSERT INTO `product_catergory` (`product_name`, `description`, `top_banner_image`)
VALUES
('".$_POST[product_image]."','".$_POST[description]."','".$_POST[top_banner_image]."')";
By the way, you spelled "category" wrong.
$product_name=$_POST['product_name'];
$description=$_POST['description'];
$photo_n=$_FILES['baner_image']['name'];
$sql="INSERT INTO product_category (product_name, description, top_banner_image) VALUES
('$_POST[product_image]','$_POST[description]','$_POST[top_banner_image]')";
the first thing that i see is wrong -> why are you making variables if you're not using them? $product_name, $photo_n are not used, $description should be in the insert statement, but if you have written $_POST['description'] then that variable is not needed, also test on sql injection as was mentioned in comments by people
Related
I am working on my website and I can't access myPhpAdmin right now, so I tried making a script for inserting values for a search thing. However, when I visit the link, website.com/search/create.php?l=link&d=description&t=title, I get an error. This one
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'link, description, title)' at line 1
Here's what my script looks like.
$link = "https://website.com";
$description = "The homepage of the site";
$title = "Home";
// sql to create table
$sql = "INSERT INTO search (link, description, title) VALUES (".$link.", ".$description.", ".$title.")";
if (mysqli_query($conn, $sql)) {
echo "it's working";
} else {
echo "it's not working?" . mysqli_error($conn);
}
replace
$sql = "INSERT INTO search (link, description, title) VALUES ('".$link."', '".$description."', '".$title."')";
instead of :
$sql = "INSERT INTO search (link, description, title) VALUES (".$link.", ".$description.", ".$title.")";
you are trying to insert a string without '
it seems you are missing single quotation in SQL query, try the following:-
$sql = "INSERT INTO search (link, description, title) VALUES ('".$link.", '".$description."', '".$title."')";
Just Change the Query syntax in your code and check it ... Hope your error should be resolve.
// sql to create table
$sql = "INSERT INTO search (link, description, title) VALUES ('$link', '$description', '$title')";
Your code for inserting data into database table is wrong (assuming you already executed database connection query ($conn) and have 'search' table on database).
$sql = "INSERT INTO search (link, description, title) VALUES ('$link', '$description', '$title')";
You don't have to put concatenate operator ('.') inside your SQL query as you are not concatenating PHP and markup texts.
Is it possible to overwrite a user's input and replace it with whatever prepared statement you have hardcoded into your PHP file? I have included the parts of the my PHP file that are relevant to this question. I am literally trying to overwrite whatever the user inputs is for a single string value with my hardcoded string. All of the values would then be inserted into a table in my database. In this case the value I am trying to overwrite is $empid which previously acquired its value from user input. Any suggestions, comments and advice would be greatly appreciated since I have only been studying PHP for a few weeks now.
Thank you for taking the time to read this post.
<?php
$sql = "INSERT INTO employee (EMPID, NAME, DATEHIRED, POSITION, SALARY, DEPTCODE, CANHIRE, BOSSID) VALUES ('$empid', '$employee', '$date', '$position', '$salary', '$department', '$canhire', '$bossid')";
if ($conn->query($sql) === TRUE) {
echo "New record created successfully";
} else {
echo "Error: " . $sql . "<br>" . $conn->error;
}
$stmt = $conn->prepare("INSERT INTO employee (EMPID) VALUES (?)");
$stmt->bind_param("s", $empid);
$empid='EMP2022';
$stmt->execute();
$stmt->close();
$conn->close();
?>
I am having error and I am not able to identify the problem. I will really appreciate help.
$sql = "INSERT INTO scrapeddata (Id,Store, ImageURL, ShortDescription, CashPercentage, ShoppingPoints, LongDescription, Contact, Information)
VALUES ($ID, $name, $ImageUrl, $ShortDecription, $CashBack, $SallingPoints, $LongtDecription, $Contact, $Information)";
Structure of my Table is :
Update :
Following image illustrate the actual error, php variable is resolved dynamically to retreive the string , but "with in the string" it contains single quotes ' according to me these quotes are causing error . Help !!
Put quotations on string variables.
And escape all ur variables before inserting in query.
mysql-escape-string
$name = mysql_escape_string($name);
$sql = "INSERT INTO scrapeddata (Id,Store, ImageURL, ShortDescription, CashPercentage, ShoppingPoints, LongDescription, Contact, Information)
VALUES ('$ID', '$name', '$ImageUrl', '$ShortDecription', '$CashBack', '$SallingPoints', '$LongtDecription', '$Contact', '$Information')";
Below is my php code, which should take the data from my form and put it into two tables in my database. However I keep getting an SQL syntax error by the values, I was originally putting the values in ' ' however I got the error so then I changed the values to backticks . But that still didnt seem to make much difference. Im receiving the error, however street, city, county, postcode, tel and date of birth are all inputting into the users table. But nothing else, and nothing is going into the members table.
Any help would be greatly appreciated. Many thanks
$con = mysql_connect("localhost", "alex", "");
if(!$con)
{
die('Could not connect: ' .mysql_error());
}
mysql_select_db("gym", $con);
//** code above connects to database
$sql ="INSERT INTO users (First_Name, Last_Name, Street, City, County, Postcode, Telephone, Email, Date_Of_Birth, Gender)
VALUES
(`$_POST[FirstName]`,
`$_POST[LastName]` ,
`$_POST[Street]`,
`$_POST[City]`,
`$_POST[County]`,
`$_POST[Postcode]`,
`$_POST[Tel]`,
`$_POST[Email]`,
`$_POST[Date_Of_Birth]`,
`$_POST[Gender]`)";
$result1=mysql_query($sql,$con);
$sql1 = "INSERT INTO members( Membership_Number, Membership_Type, Membership_Referal, Trainer_Required, Medical_Informaton, Contract, Card_Holder_Name, Bank, Card_Number, Sort_Code, valid, Exp, Security_Number
VALUES
(`$_POST[MembershipNumber]`,
`$_POST[MembershipType]`,
`$_POST[MembershipReferral]`,
`$_POST[TrainerRequired]`,
`$_POST[MedicalInformation]`,
`$_POST[Contract]`,
`$_POST[BankBranch]`,
`$_POST[CardHolderName]`,
`$_POST[CardNUMBER]`,
`$_POST[Expiry]`,
`$_POST[SecurityCode]`)";
$result2=mysql_query($sql1,$con);
//***** code below is error message if it doesnt work
if($result1 && $result2){
printf("window.alert(\"New Record Added!\");");
}
else
{
echo "Error:". mysql_error()."";
}
mysql_close($con)
?>
Remove backtics and add `single quote` to values parameter
User SQL query like.
$sql = "INSERT INTO users (First_Name, Last_Name) VALUES('".$_POST[FirstName]."','".$_POST[LastName]."')";
You must pass parameter between {$_POST['variable']} like this:
$sql1 = "INSERT INTO members( Membership_Number, Membership_Type, Membership_Referal, Trainer_Required, Medical_Informaton, Contract, Card_Holder_Name, Bank, Card_Number, Sort_Code, valid, Exp, Security_Number
VALUES
(`{$_POST['MembershipNumber']}`,
`{$_POST['MembershipType']}`,
`{$_POST['MembershipReferral']}`,
`{$_POST['TrainerRequired']}`,
`{$_POST['MedicalInformation']}`,
`{$_POST['Contract']}`,
`{$_POST['BankBranch']}`,
`{$_POST['CardHolderName']}`,
`{$_POST['CardNUMBER']}`,
`{$_POST['Expiry']}`,
`{$_POST['SecurityCode']}`)";
please use ' not use `
just like
'$_POST[value]', ........, ........
I've looked at other examples on here, but everyone else's syntax is different from what I have, so I have no clue where to put "mysql_real_escape_string".
Here is my current code:
include("dbconnect.php");
mysql_select_db("scratch", $con);
$sql= "INSERT INTO stories (author, story_name, story)
VALUES
('$_POST[author]','$_POST[story_name]', '$_POST[story]')";
if (!mysql_query($sql,$con))
{
die('Error: ' . mysql_error());
}
echo "Story Submitted!";
mysql_close($con)
Where would I add that string in this?
You need to escape any variable values you're including in your query. So in your code these would be:
$_POST['author']
$_POST['story_name']
$_POST['story']
So change your $sql variable to look like:
$author = mysql_real_escape_string($_POST['author']);
$story_name = mysql_real_escape_string($_POST['story_name']);
$story = mysql_real_escape_string($_POST['story']);
$sql= "
INSERT INTO stories (author, story_name, story)
VALUES ('$author','$story_name', '$story')
";
You should probably also add isset or empty checks when using the $_POST variables to avoid notices if they don't exist. Finally, you'd be better served to use PDO with prepared statements than the less robust mysql extension.
//USE IN THIS WAY THE QUERY WILL RUN PROPERLY WITH mysql_real_escape_string
$sql= 'INSERT INTO stories (author, story_name, story)
VALUES
('.mysql_real_escape_string($_POST[author]).',
'.mysql_real_escape_string($_POST[story_name]).',
'.mysql_real_escape_string($_POST[story]).')';
put POST variables into new variables and then apply mysql_real_escape_string, and finally put new variables into the SQL statement
Here's the code:
include("dbconnect.php");
mysql_select_db("scratch", $con);
$author = mysql_real_escape_string($_POST[author]);
$story_name = mysql_real_escape_string($_POST[story_name]);
$story=mysql_real_escape_string($_POST[story]);
$sql= "INSERT INTO stories (author, story_name, story)
VALUES
('$author','$story_name', '$story')";
if (!mysql_query($sql,$con))
{
die('Error: ' . mysql_error());
}
echo "Story Submitted!";
mysql_close($con);