I have an error with my insert into line, it's about this bad boy
mysql_query("INSERT INTO accounts('username', 'password', 'firstname', 'lastname', 'email')
VALUES($username, $password, $firstname, $lastname, $email)")
or die("Could not create account! <br/>" . mysql_error());
the error I am supplied with is the following:
Could not create account!
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''username', 'password', 'firstname', 'lastname', 'email') VALUES(test, test,' at line 1
I suspect it has something to do with the variables not being called correctly?
There are a variety of problems, so I'll summarize them:
INSERT INTO t1 ('col' -- note that 'col' is wrapped in quotes. This means that it attempts to insert into the string literal "col1" rather than the column name. Remove the quotes and replace them with backticks (or nothing)
The values themselves are not wrapped in quotes. You have VALUES(test -- this semantically means insert the value of column "test," which makes no sense. You actually need to wrap this one in quotes.
I'd venture to guess that none of the input parameters are properly escaped. You should use properly parameterized queries with PDO or mysqli.
My friend the fields in the querys shouldn't be quoted. Try this:
mysql_query("INSERT INTO accounts (username, password, firstname, lastname, email) VALUES($username, $password, $firstname, $lastname, $email)") or die("Could not create account!" . mysql_error());
Good luck
you don't have to use quotes ' in the query but backtick `
mysql_query("INSERT INTO `accounts` (`username`, `password`, `firstname`, `lastname`, `email`) VALUES('".$username."', '".$password."','". $firstname."', '".$lastname."', '".$email."')") or die("Could not create account! " . mysql_error())
insert into documentation
I would like to also to remember you that mysql_ functions are deprecated so i would advise you to switch to mysqli or PDO for new projects.
mysql_query is not recommended, soon to be deprecated. Probably best to use PDO or mysqli instead.
http://php.net/manual/en/function.mysql-query.php
But to answer your question, I believe it's because your column names are in single quotes(rather than backticks).
It's your values that need to be within single-quotes. You'll probably want to run mysql_real_escape_string on those variables too, to prevent SQL injection. Or just use PDO prepared statements instead.
http://php.net/manual/en/pdo.prepared-statements.php
Related
I have a PHP file that recieves an associative array of name, email and password.
When I try to insert the data using PHP MySQL query in this PHP file, it flashes following error
"You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use
near '#gmail.com, qweqwe)' at line 1"
My PHP code is as follows:
$data = array
(
'name' => $name,
'email' => $email,
'password' => $password,
);
mysql_query("INSERT INTO `other_doktrs` (`dnme` ,`emyl` ,`paswrd`) VALUES ($name, $email, $password)");
I tried to change the order of column names but it was of no help.
thanks in advance
You still need to put quotes around strings if you want to use the old direct (and SQL Injection prone) methods:
mysql_query("INSERT INTO `other_doktrs` (`dnme` ,`emyl` ,`paswrd`) VALUES ('$name', '$email', '$password')");
You really should look at PDO though and prepared statements. Much much safer - and as a bonus when you pass params, you don't need the quotes. Irony huh? :)
Try this :
mysql_query("INSERT INTO `other_doktrs` (`dnme` ,`emyl` ,`paswrd`) VALUES ('$name', '$email', '$password')");
Try this,
mysql_query("INSERT INTO `other_doktrs` (`dnme` ,`emyl` ,`paswrd`) VALUES ("'.$name.'"," '.$email.'", "'.$password.'")");
passing query with quotes.
Hope this helps you.
How to secure SQL query from input?
I am posting parameter to a page in php & then I have to insert it into database but I don't know how to secure the input parameter
<?php
$con=mysqli_connect("example.com","peter","abc123","my_db");
// Check connection
if (mysqli_connect_errno())
{
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
mysqli_query($con,"INSERT INTO Persons (FirstName, LastName, Age)
VALUES ($_POST['FirstName'], $_POST['LastName'],$_POST['Age'])");
mysqli_close($con);
?>
You can easily do this with the mysqli set of functions by escaping those strings beforehand. The MySQL PHP drivers contains a function to safely escape strings for insertion into a string -> mysqli_real_escape_string.
That would change your query to:
mysqli_query($con,"INSERT INTO Persons (FirstName, LastName, Age) VALUES ('" . mysqli_real_escape_string($_POST['FirstName']) . "', '" . mysqli_real_escape_string($_POST['LastName']) . "', '" . mysqli_real_escape_string($_POST['Age']) . "')");
This will handle the majority of your concerns with securing input for SQL.
Optionally
Take full advantage of the driver escaping for other types and safer queries by using prepared statements, which you can also do with mysqli like:
// Prepare our query
$stmt = mysqli_prepare($con, "INSERT INTO Persons (FirstName, LastName, Age) VALUES (?, ?, ?)");
// Bind params to statement
mysqli_stmt_bind_param($stmt, "ssi", $_POST["FirstName"], $_POST["LastName"], $_POST["Age"]);
// Execute the query
mysqli_stmt_execute($stmt);
You will need to do multiple things. First of all, why are you using the usual MYSQL methods? You should use PDO objects. http://php.net/manual/en/book.pdo.php
Then you can use the prepare() method and then insert it as an array.
Please check http://php.net/manual/en/pdo.prepared-statements.php
the best thing for you to do is to use a framework like CodeIgniter, Kohana, Zend ...
that already has secure classes built in.
if you dont want to use the frameworks you can just take these classes.
another way, you can use ORM's.
you can use redbean
http://www.redbeanphp.com/
the best and easiest ORM i have ever used
I am using following insert command to insert value in my db table called demo_organization
$sql = "INSERT INTO demo_organization (org_name, abn_acn_no, org_url,city,
state, country, pin, street, primary_mobile,
secondary_mobile, primary_landline,
secondary_landline, primary_email, secondary_email)
VALUES ($org_name, $abn_acn_no, $org_url, $city, $state, $country,
$pin, $street, $primary_mobile, $secondary_mobile,
$primary_landline, $secondary_landline, $primary_email,
$secondary_email)";
$result = mysql_query($sql) or die (mysql_error());
in php
but i am getting error like
You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use
near '://loc.com,Melburn,Melburn,Australia,56007,123 park
avenue,+6190567890,+89685552' at line 2
i am completely new in php mysql please tell me what i am doing wrong
You are missing single quotes around the text values:
insert into demo (org_name, abn_acn_no) values ('$org_name', abn_acn_no);
// assumes that abn_acn_no is numeric.
You also cannot pass an empty variable into the query. If you don't have it, you will need to insert it as , null, rather than as a variable with no value - which would result in , , which SQL won't accept - even if the column accepts null values.
If you will be using MYSQL, you need to escape the values mysql_escape_string($string)
There is a problem with the url provided in the query, try escaping it and running it again.
Otherwise, MYSQL is becoming depreciated, use MYSQLi or PDO
http://php.net/manual/en/book.mysqli.php
http://php.net/manual/en/book.pdo.php
your code is vulverable with your sql injection. I'll recomend MYSQLi or PDO. But anyway, your values that are string format should be wrap with single quotes.
$sql = "INSERT INTO demo_organization (org_name, abn_acn_no, org_url,city,
state, country, pin, street, primary_mobile,
secondary_mobile, primary_landline,
secondary_landline, primary_email, secondary_email)
VALUES ('$org_name', 'abn_acn_no, '$org_url', '$city', ...,
'$secondary_email')";
I am trying to use PHP variables in an INSERT SQL statement. Ive seen previous answers to this but can not get mine to work. Here is the code..
mysql_query("INSERT INTO message (message_id, from, content) values ('', " . $uid . ", 'test message content')");
The main problem is that from is a reserved word and should be in backticks.
mysql_query("INSERT INTO message (message_id, `from`, content) VALUES ...");
But I'd also advise you to stop using the deprecated mysql_* functions. I'd recommend that you take a look at PDO and prepared statements with parameters.
If message_id is primary key, you don't need to include it in the query unless you have a value..
mysql_query("INSERT INTO message (`from`, `content`) values (" . $uid . ", 'test message content')");
There are at least three issues in your query. Two of them are syntax errors and one is a huge vulnerability.
To make the query work, you should write it as follows:
mysql_query("INSERT INTO message (message_id, `from`, content) values ('', '" . $uid . "', 'test message content')");`
Here's a summary of the errors:
- As another user indicated, "from" is a keyword and you should not use it to name table columns. If you really want to use such name, you must use backticks to indicate it in the query.
- The value of $uid should be enclosed by single quotes.
- The third, and most important error, is that your query is vulnerable to SQL Injection. You should use prepared statements, which would protect you from such attacks.
So this is probably a dumb beginner question, but I've been looking at it and can't figure it out. A bit of background: just practicing making a web app, a form on page 1 takes in some values from the user, posts them to the next page which contains the code to connect to the DB and populate the relevant tables.
I establish the DB connection successfully, here's the code that contains the query:
$conn->query("SET NAMES 'utf9'");
$query_str = "INSERT INTO 'qa'.'users' ('id', 'user_name','password' ,'email' ,'dob' ,'sx') VALUES (NULL, $username, $password, $email, $dob, $sx);";
$result = #$conn->query($query_str);
Here's the error that is returned:Insert query failed: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''qa'.'users' ('id', 'user_name' ,'password' ,'email' ,'dob' ,'s' at line 1
Thanks in advance!
Unless it's changed since I did MySQL in PHP, escape your db/column/table names with backticks (`), not apostrophes (').
A good general trouble-shooting technique is to make the query work via another interface to the database. For example, phpMyAdmin. If it works there, you have some confidence going forward. or you may find how to fix your SQL. (phpMyAdmin is handy because it will convert your SQL into a ready-made string for PHP.)
You need to escape your column names with a backtick (`) instead of (')
You also need to properly escape the actual values you are inserting as well (use a single quote)
OMG not a single right answer
$query_str = "
INSERT INTO `qa`.`users` (`id`, `user_name`,`password` ,`email` ,`dob` ,`sx`)
VALUES (NULL, '$username', '$password', '$email', '$dob', '$sx')";
identifiers being quoted with backticks, while strings being quoted with apostrophes!
and I hope you have passed all your variables through mysql_real_escape string BEFORE putting it into query, i.e.:
$username = mysql_real_escape string($username);
and so on