My own SQL syntax error [closed] - php

This question is unlikely to help any future visitors; it is only relevant to a small geographic area, a specific moment in time, or an extraordinarily narrow situation that is not generally applicable to the worldwide audience of the internet. For help making this question more broadly applicable, visit the help center.
Closed 9 years ago.
My code is.
$newModel = "INSERT INTO models (id," .
" firstname," .
" lastname," .
" email," .
" password," .
" group," .
" phone," .
" timeofday," .
" dayofweek," .
" address," .
" city," .
" state," .
" zip," .
" gender," .
" hair," .
" eye," .
" birthday," .
" birthmonth," .
" birthyear," .
" bustshirt," .
" cup," .
" waist," .
" hips," .
" waist," .
" hips," .
" weight," .
" inches," .
" dressjacket," .
" workxp," .
" twitter," .
" facebook," .
" joindate," .
" instagram," .
" imdb," .
" parentid," .
" error) VALUES (".
PrepSQL($modelid) . ", " .
PrepSQL($firstname) . ", " .
PrepSQL($lastname) . ", " .
PrepSQL($email) . ", " .
PrepSQL($password) . ", " .
PrepSQL($group) . ", " .
PrepSQL($phone) . ", " .
PrepSQL($timeofday) . ", " .
PrepSQL($dayofweek) . ", " .
PrepSQL($address) . ", " .
PrepSQL($city) . ", " .
PrepSQL($state) . ", " .
PrepSQL($zip) . ", " .
PrepSQL($gender) . ", " .
PrepSQL($hair) . ", " .
PrepSQL($eyes) . ", " .
PrepSQL($bday) . ", " .
PrepSQL($bmonth) . ", " .
PrepSQL($byear) . ", " .
PrepSQL($bust) . ", " .
PrepSQL($cup) . ", " .
PrepSQL($waist) . ", " .
PrepSQL($hips) . ", " .
PrepSQL($weight) . ", " .
PrepSQL($height) . ", " .
PrepSQL($dressjacket) . ", " .
PrepSQL($workxp) . ", " .
PrepSQL($twitter) . ", " .
PrepSQL($facebook) . ", " .
PrepSQL($joindate) . ", " .
PrepSQL($instagram) . ", " .
PrepSQL($imdb) . ", " .
PrepSQL($parentid) . ", " .
PrepSQL($error) . ")";
mysql_query($newModel) or die(mysql_error());
Its Shooting out an error:
You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use
near 'group, phone, timeofday, dayofweek, address, city, state, zip,
gender, hair, eye' at line 1


group is a reserved word in MySQL. You must wrap it in backticks:
`group`,
phone
etc.


GROUP is a reserved keyword and happens to be the name of your column. To avoid syntax error, you need to escape it using backtick. eg,
`group`
MySQL Reserved Keywords List
If you have the privilege to alter the table, change the column name to which is not a reserved keyword to avoid problem from occurring again.
As a sidenote, the query is vulnerable with SQL Injection if the value(s) of the variables came from the outside. Please take a look at the article below to learn how to prevent from it. By using PreparedStatements you can get rid of using single quotes around values.
How to prevent SQL injection in PHP?

Related

Database error: Invalid SQL: WHERE id IN (91220,91222,91232,91233,91244,91263,

The SQL below when echoed in the PHP script displays only WHERE id IN (91220,91222,91232,91233,91244,91263,91264,91277)
Please help me find what is wrong with the SQL.
$sql = "UPDATE customers SET customers.name=AES_ENCRYPT('" . self::PII_OBFUSCATE_NAME . "','" . AES_CRYPT_KEY . "')"
. ", address1=AES_ENCRYPT('" . self::PII_OBFUSCATE_ADDRESS1 . "','" . AES_CRYPT_KEY . "')"
. ", day_phone=AES_ENCRYPT('" . self::PII_OBFUSCATE_PHONE . "','" . AES_CRYPT_KEY . "')"
. ", nite_phone=AES_ENCRYPT('" . self::PII_OBFUSCATE_PHONE . "','" . AES_CRYPT_KEY . "')"
. (is_array($customers_to_obfuscate))
? " WHERE id IN (" . implode(",", $customers_to_obfuscate) . ")"
: " WHERE id = '$customers_to_obfuscate'";

You need to check your braces in the ternary operator. It must look like follows:
((is_array($orders_to_obfuscate)) ? " WHERE id IN (" . implode(",", $orders_to_obfuscate) . ")" : " WHERE id = '$orders_to_obfuscate'");

unix command to delete line break for php command

I have php files with SQL queries broken into multiples lines.
for example:
$sql = "select count( aa." . BOOK_ART_ID . ") as book_count
from " . BOOK_ART_TABLE . " as aa
inner join " . AUTHER_TABLE . " as l on aa." . BOOK_ART_AUTHER_ID . " = l." . AUTHER_ID . " AND
l." . AUTHER_CODE . " = '" . "'
where aa." . BOOK_ART_TITLE_ID . " = " . $book_id;
I'm trying to extract all SQL statements from the PHP files. I tried grep on $sql and only getting the first line back.
How do I extract entire SQL string from all PHP files?
I was thinking more around deleted line break until ';' character.

You can try this sed,
sed -n '/\$sql/{ :loop; N; s/ *\n *//g; /;/{p;q}; t loop}' yourfile
Test:
$ sed -n '/\$sql/{ :loop; N; s/ *\n *//g; /;/{p;q}; t loop}' yourfile
$sql = "select count( aa." . BOOK_ART_ID . ") as book_countfrom " . BOOK_ART_TABLE . " as aainner join " . AUTHER_TABLE . " as l on aa." . BOOK_ART_AUTHER_ID . " = l." . AUTHER_ID . " ANDl." . AUTHER_CODE . " = '" . "'where aa." . BOOK_ART_TITLE_ID . " = " . $book_id;

MySQL Error: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL

MySQL Error: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ')' at line 1)
Session halted.
$sql = "INSERT INTO ". GALLERY_MASTER
. "(gallery_title,gallery_code, gallery_images,gallerycat_id, gallery_description,gallery_status) "
. " VALUES ( "
. " '". $post['gallery_title'] . "', "
. " '". $post['gallery_code'] . "', "
. " '". $file . "', "
. " '". $post['gallery_cat_id'] . "', "
. " '". $post['gallery_description'] . "', "
. " '". $post['gallery_status'] . "', "
. " )";
Invalid SQL:
INSERT INTO
GALLERY_MASTER(gallery_title,gallery_code, gallery_images,gallerycat_id, gallery_description,gallery_status)
VALUES ( 'image1', '021', '201411050700381463949438_img3.jpg', '4', '', '1', )

You had an additional , in the end of query.
Copy this code
$sql = "INSERT INTO " . GALLERY_MASTER . "(gallery_title,gallery_code, gallery_images,gallerycat_id, gallery_description,gallery_status) " . " VALUES ( " . " '" . $post['gallery_title'] . "', " . " '" . $post['gallery_code'] . "', " . " '" . $file . "', " . " '" . $post['gallery_cat_id'] . "', " . " '" . $post['gallery_description'] . "', " . " '" . $post['gallery_status'] . "' " . " )";

Based on the error message, the problem is the additional comma in the end before the closing parentheses
Invalid SQL: INSERT INTO GALLERY_MASTER(gallery_title,gallery_code, gallery_images,gallerycat_id, gallery_description,gallery_status)
VALUES ( 'image1', '021', '201411050700381463949438_img3.jpg', '4', '', '1', )
---------------------------------------------------------------------------^
You need to remove it using the below code
$sql = "INSERT INTO ". GALLERY_MASTER . "(gallery_title,gallery_code, gallery_images,gallerycat_id, gallery_description,gallery_status) " . " VALUES ( " . " '". $post['gallery_title'] . "', " . " '". $post['gallery_code'] . "', " . " '". $file . "', " . " '". $post['gallery_cat_id'] . "', " . " '". $post['gallery_description'] . "', " . " '". $post['gallery_status'] . "' " . " )";

Stuck with unknown column in field MySQL

I keep getting this error
Unknown column 'Hello' in 'field list'
when I execute this code
$sql = "INSERT INTO installs (date,addedBy,customer,reg,vehMake,vehModel,colour,mileage,location,tracker,serial,sim,extr as,satnav,input1,input2,output,comments) VALUES (" . $date . ", " . $addedBy . ", " . $customer . ", " . $reg . ", " . $vehMake . ", " . $vehModel . ", " . $colour . ", " . $mileage . ", " . $location . ", " . $tracker . ", " . $serial . ", " . $sim . ", " . $extras . ", " . $satnav . ", " . $input1 . ", " . $input2 . ", " . $output . ", " . $comments . ")";
$result = $connect->query($sql) or die($connect->error);

replace this
(' . "Hello" . ', ' . 2 . ', ' . 3 . ', ' . 4 . ', ' . 4 . ', ' . 5 . ', ' . 6 . ', ' . 7 . ', ' . 8 . ', ' . 9 . ', ' . 10 . ', ' . 11 . ', ' . 12 . ', ' . 13 . ', ' . 14 . ', ' . 15 . ', ' . 16 . ', ' . 17 . ')';
by
("Hello", 2 ,3, 4,4,5,6,7,8,9,10,11,12, 13,14,15,16,17)';
EDIT:
replace this
(" . $date . ", " . $addedBy . ",..........
by
('$date', '$addedBy',...........
or this
('" . $date . "', '" . $addedBy . "',..........

Hello needs to be enclosed in single quotes. Escape the quotes like this:
$sql = 'INSERT INTO installs
(date,addedBy,customer,reg,vehMake,vehModel,colour,
mileage,location,tracker,serial,sim,extras,satnav,
input1,input2,output,comments)
VALUES
(\'' . "Hello" . '\', ' . 2 . ', ' . 3 . ', ' . 4 . ', ' . 4 . ',
' . 5 . ', ' . 6 . ', ' . 7 . ', ' . 8 . ', ' . 9 . ',
' . 10 . ', ' . 11 . ', ' . 12 . ', ' . 13 . ', ' . 14 . ', ' . 15 . ',
' . 16 . ', ' . 17 . ')';

One likely explanation for this behavior is that sql_mode inclues (or enables) ANSI_QUOTES.
SELECT ##SESSION.sql_mode
If ANSI_QUOTES is enabled, then double quotes can't be used around string literals; whatever is between the double quotes will be interpreted as an identifier (e.g. column name). If ANSI_QUOTES is enabled, then string literals should be enclosed in single quotes.
For the love of all that is good and beautiful in this world, just use prepared statements with placeholders, to avoid issues with quotes and to thwart SQL injection vulnerabilities.
e.g.
$sql = "INSERT INTO installs (date,addedBy,customer, ...)
VALUES ( :date, :addedBy, :customer, ...)";
$sth = $connect->prepare($sql);
$sth->execute(array(':date' => $date, ':addedBy' => $addedBy, ':customer' => $customer, ... ));

Multiple table echos not displaying in page

The above code is designed to display info stored in sql table. everything is corresponding to the titles in the table and in the correct order. however the page it is from is only displaying the first 2 columns and not the others. everything looks as if it is in order to me. is my statement wrong?
<?php
$con=mysqli_connect("xxx","y","y","yyyy");
// Check connection
if (mysqli_connect_errno())
{
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
$result = mysqli_query($con,"SELECT * FROM tripdata ");
while($row = mysqli_fetch_array($result))
{
echo $row['trip_id'] . " " . $row['image'] . " " . $row['date'] . " " . $row['destination'] . " " . $row['hl'] . " " . $row['cost'] . " " . $row['blurb'] . " " . $row['whatinc'] . " " . $row['whatopt'] . " " . $row['itin'] . " " . $row['depinfo'] . " " . $row['ppcode'];
echo "<br>";
}
mysqli_close($con);
?>

maybe you can try using assoc
while($row = mysqli_fetch_assoc($result))
{
echo $row['trip_id'] . " " . $row['image'] . " " . $row['date'] . " " . $row['destination'] . " " . $row['hl'] . " " . $row['cost'] . " " . $row['blurb'] . " " . $row['whatinc'] . " " . $row['whatopt'] . " " . $row['itin'] . " " . $row['depinfo'] . " " . $row['ppcode'];
echo "<br>";
}
i usual use this and no problem
assoc is index name based on field name
but array is based on number (0, 1, 2, 3)

Strange. Try do loop instead:
do {
echo $row['trip_id'] . " " . $row['image'] . " " . $row['date'] . " " . $row['destination'] . " " . $row['hl'] . " " . $row['cost'] . " " . $row['blurb'] . " " . $row['whatinc'] . " " . $row['whatopt'] . " " . $row['itin'] . " " . $row['depinfo'] . " " . $row['ppcode'];
echo "<br>";
} while($row = mysqli_fetch_array($result));

Categories