PHP:PDO: Why wont my data insert?

PHP:PDO: Why wont my data insert? - php

I dont no what the problem is with my code. It doesn't insert the data into the database. Here it is.
$adduser = $con->prepare("INSERT INTO 'basicuserinfo'(email, password, firstname, lastname) VALUES(:email, :password, :firstname, :lastname)");
$adduser->bindValue(':email', $email);
$adduser->bindValue(':password', $password);
$adduser->bindValue(':firstname', $firstname);
$adduser->bindValue(':lastname', $lastname);
$adduser->execute();

INSERT INTO 'basicuserinfo'(email, password, firstname, lastname) VALUES(:email, :password, :firstname, :lastname)
That isn't a valid SQL statement. Get rid of the 's.

Are you sure it is succeeding? You aren't checking the execute as in:
if(!$adduser->execute()) echo "Execute failed";
You will likely find that it is throwing an error on the ' around the table name.

Try this..
$adduser = $con->prepare("INSERT INTO `basicuserinfo`(email, password, firstname, lastname)
VALUES(?, ? , ? , ? )");
$adduser->bindParam('ssss', $email,$password , $firstname,$lastname);
$adduser->execute();
In this way of prepare statement you can reduce your executing time..
then dont put apostapy before the tablename

Related

PDO MySQL prepared INSERT syntax error

Have seen tons of similar questions but still can't find out what's going on.
I'm using PHP's PDO to prepare a statement like that:
try{
$statement = $db->prepare("INSERT INTO $date (name, surname, email, phone, comment) VALUES (:name, :surname, :email, :phone, :comment)");
$statement->bindParam(':name', $name);
$statement->bindParam(':surname', $surname);
$statement->bindParam(':email', $email);
$statement->bindParam(':phone', $phone);
$statement->bindParam(':comment', $comment);
$statement->execute();
}
catch(PDOException $e){
die("Connection to database failed: " . $e->getMessage());
}
Have tried escaping everything with [] and specifying the database name before table name, but keep getting
SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in
your SQL syntax; check the manual that corresponds to your MySQL server
version for the right syntax to use near '2017-08-11 (name, surname, email,
phone, comment) VALUES ('Test', 'Test', 'Test#' at line 1

INSERT INTO $date
It seems that there is a 2017-08-11 in $date var.
If you want to insert data into '2017-08-11' table, it should be escaped with ` symbol
try{
$statement = $db->prepare("INSERT INTO `$date` (name, surname, email, phone, comment) VALUES (:name, :surname, :email, :phone, :comment)");
$statement->bindParam(':name', $name);
$statement->bindParam(':surname', $surname);
$statement->bindParam(':email', $email);
$statement->bindParam(':phone', $phone);
$statement->bindParam(':comment', $comment);
$statement->execute();
}
catch(PDOException $e){
die("Connection to database failed: " . $e->getMessage());
}

Assuming that 2017-08-11 is a table name, simply encase it in backticks.
$statement = $db->prepare("INSERT INTO `$date` (name, surname, email, phone, comment) VALUES (:name, :surname, :email, :phone, :comment)");

sorry but you can't use special character when using the prepare statement, so what MySQL is actually seeing is INSERT INTO $date (name, surname, email, phone, comment) VALUES (:name, :surname, :email, :phone, :comment) which will trigger a syntax error.
here is a quick solution
try{
$db->query("INSERT INTO $date (name, surname, email, phone, comment) VALUES ($name, $surname, $email, $phone, $comment)");
}
catch(PDOException $e){
die("Connection to database failed: " . $e->getMessage());
}

Insering question marks('?') into the database rather than actual values

I'm making a registration form and I am using PHP bind parameters when inserting data into the database.
$fnameclean = mysqli_real_escape_string($mysqli_conn, $_POST['first_name']);
$passwordclean = mysqli_real_escape_string($mysqli_conn, hash("sha512", $_POST['password']));
$lnameclean = mysqli_real_escape_string($mysqli_conn, $_POST['last_name']);
$emailclean= mysqli_real_escape_string($mysqli_conn, $_POST['email']);
$stmt = $mysqli_conn->prepare("INSERT INTO user (firstname, surname, email, password) VALUES ('?', '?', '?', '?')");
$stmt->bind_param("ssss", $fnameclean, $lnameclean, $emailclean, $passwordclean);
$stmt->execute();
$stmt->close();
When I press the submit button, all I can see in my database are question marks in the fields: firstname, surname, email and password.
However, when I try to add information to the database without bind parameters it works perfectly fine
code:
$query1 = "INSERT INTO user (firstname, surname, email, password) VALUES ('$fnameclean', '$lnameclean', '$emailclean', '$passwordclean')";
$mysqli_conn->query($query1);
What am I doing wrong here?

VALUES (?, ?, ?, ?)
No ' to be used in query where you use ? for binding parameter. So your query should be like
$stmt = $mysqli_conn->prepare("INSERT INTO user (firstname, surname, email, password) VALUES (?, ?, ?, ?)");

PDO insert statement not posting

I dont get any errors, but when I refresh my database nothing seems to be going through. The connection credentials are definitely correct.
$query = $pdo->prepare('INSERT INTO direct_transfer (fname, lname, add, city, post, country, email, nummag, donate) VALUES (:fname, :lname, :add, :city, :post, :country, :email, :nummag, :donate)');
$query->execute(array(':fname'=>$fname,
':lname'=>$lname,
':add'=>$add,
':city'=>$city,
':post'=>$post,
':country'=>$country,
':email'=>$email,
':nummag'=>$nummag,
':donate'=>$donate));

When you use reserved words in mysql, you need to escape them in backticks:
... (fname, lname, `add`, city, post, country, email, nummag, donate) ...
You should also add error handling so that PDO tells you right away what is wrong.
You can tell PDO to throw exceptions by adding this after you connect to the database:
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
You can also set the error handling mode when you open the connection, see the manual.

Without ':' in the array.
$query = $pdo->prepare('INSERT INTO `direct_transfer` (`fname`, `lname`, `add`, `city`, `post`, `country`, `email`, `nummag`, `donate`) VALUES (:fname, :lname, :add, :city, :post, :country, :email, :nummag, :donate)');
$query->execute(array('fname'=>$fname,
'lname'=>$lname,
'add'=>$add,
'city'=>$city,
'post'=>$post,
'country'=>$country,
'email'=>$email,
'nummag'=>$nummag,
'donate'=>$donate));

PDO prepared statement, correctly used?

I just to need make sure I've got the PDO prepare statements correctly, will the following code be secured by SQL Injection?
$data['username'] = $username;
$data['password'] = $password;
$data['salt'] = $this->generate_salt();
$data['email'] = $email;
$sth = $this->db->prepare("INSERT INTO `user` (username, password, salt, email, created) VALUES (:username, :password, :salt, :email, NOW())");
$sth->execute($data);

Yes, your code is safe. It can be shortened however:
$data = array( $username, $password, $this->generate_salt(), $email );
// If you don't want to do anything with the returned value:
$this->db->prepare("
INSERT INTO `user` (username, password, salt, email, created)
VALUES (?, ?, ?, ?, NOW())
")->execute($data);

You could start with an empty array for your $data like
// start with an fresh array for data
$data = array();
// imagine your code here
Your code looks good so far.
EDIT: I missed your NOW() call. Imho you should add it with a bind variable as well, like
// bind date
$data['created'] = date("Y-m-d H:i:s");
// updated prepare statement
$sth = $this->db->prepare("INSERT INTO `user` (username, password, salt, email, created) VALUES (:username, :password, :salt, :email, :created)");

Select last insert id

I am inserting a record and i want to use the id of the last record inserted.
This is what i have tried:
$sql = 'INSERT INTO customer
(first_name, last_name, email, password,
date_created, dob, gender, customer_type)
VALUES(:first_name, :last_name, :email, :password,
:date_created, :dob, :gender, :customer_type)'
. ' SELECT LAST_INSERT_ID()' ;
I am getting the error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'SELECT LAST_INSERT_ID()'.
Can anyone show me where is my mistake?
Thanks!

Check out mysql_insert_id()
mysql_query($sql);
$id = mysql_insert_id();
When that function is run after you've executed your INSERT statement in a mysql_query() command its result will be the ID of the row that was just created.

You can do another query:
$last_id = "SELECT LAST_INSERT_ID()";
Or try to add ; in your query:
INSERT INTO customer
(first_name,
last_name,
email,
password,
date_created,
dob,
gender,
customer_type)
VALUES(:first_name,
:last_name,
:email,
:password,
:date_created,
:dob,
:gender,
:customer_type)<b>;</b>' . ' SELECT LAST_INSERT_ID()';

We Keep Coding

PHP, A popular general-purpose scripting language that is especially suited to web development.

PHP:PDO: Why wont my data insert? - php

INSERT INTO 'basicuserinfo'(email, password, firstname, lastname) VALUES(:email, :password, :firstname, :lastname) That isn't a valid SQL statement. Get rid of the 's.

Are you sure it is succeeding? You aren't checking the execute as in: if(!$adduser->execute()) echo "Execute failed"; You will likely find that it is throwing an error on the ' around the table name.

Related

PDO MySQL prepared INSERT syntax error

Insering question marks('?') into the database rather than actual values

PDO insert statement not posting

PDO prepared statement, correctly used?

Select last insert id

Categories

Resources