This question is unlikely to help any future visitors; it is only relevant to a small geographic area, a specific moment in time, or an extraordinarily narrow situation that is not generally applicable to the worldwide audience of the internet. For help making this question more broadly applicable, visit the help center.
Closed 9 years ago.
I`m trying to have a form that writes to a mysql database using php and html. After submitting the form I get the error
MySQL error: You have an error in your SQL syntax; check the manual
that corresponds to your MySQL server version for the right syntax to
use near '', '1', '1362154007', '127.0.0.1'' at line 2
The code to the submission php file is
<?php
require 'connection.php';
$ip = $_SERVER['REMOTE_ADDR'];
$sql="INSERT INTO entries (summoner, role, level, time, ip)
VALUES ('" . mysql_real_escape_string($_POST['summoner']) . "', " . mysql_real_escape_string($_POST['role']) . "', '" . intval($_POST['level']) . "', '" . time() . "', '" . $ip . "'";
if (!mysql_query($sql)) die("MySQL error: " . mysql_error());
echo "1 record added";
?>
and the code to line two is
<?php
$con = mysql_connect("localhost", "ratchet132", "password", "lookingforq") or die(mysql_error());
mysql_select_db("lookingforq", $con) or die(mysql_error());
header("Content-Type: text/html; charset=utf-8");
mysql_set_charset("utf8");
mb_internal_encoding("UTF-8");
?>
The error only occurs with integers that are not submitted by the html form (although the level is submitted by it, but it seems to due to the same reason as the others, not the forms). I'm thinking this is probably an error with how I have my MYSQL table set up but I can't figure out what I've done wrong. Any help would be awesome.
there is an extra single quote in your integer value,
VALUES ('" . mysql_real_escape_string($_POST['summoner']) . "', " . mysql_real_escape_string($_POST['role']) . "', '" . intval($_POST['level']) . "', '" . time() . "', '" . $ip . "'";
^ HERE
My suggestion is to store the values in variable first so it is easy to debug the code, eg
$summoner = mysql_real_escape_string($_POST['summoner']);
$role = mysql_real_escape_string($_POST['role']);
$intV = intval($_POST['level']);
$sTime = time();
$ip = $_SERVER['REMOTE_ADDR'];
$sql="INSERT INTO entries (summoner, role, level, time, ip)
VALUES ('$summoner', $role, $intV, $sTime,'$ip' )')";
Use PDO or MySQLi extension so you can paramaterized the query. The link below talks about SQL Injection but it also shows there the usage of PDO and MySQLi Extension.
How to prevent SQL injection in PHP?
Why you wrap int value in quotes?
'" . intval($_POST['level']) . "'
You're missing a '. Try:
$sql="INSERT INTO entries (summoner, role, level, time, ip)
VALUES ('" . mysql_real_escape_string($_POST['summoner']) . "', '" . mysql_real_escape_string($_POST['role']) . "', '" . intval($_POST['level']) . "', " . time() . ", '" . $ip . "'";
Related
This question already has an answer here:
Syntax error due to using a reserved word as a table or column name in MySQL
(1 answer)
Closed 6 years ago.
I am trying save to database row. But I get always error.
My code is:
function save_activation_key($connection, $username, $key) {
$date = time();
$is_used = 0;
$query = "INSERT INTO account_activation_key ( key, date, is_used)
VALUES ( '" . $username . "',"
. " '" . $date . "',"
. " '" . $is_used . "')";
$retval = mysql_query($query, $connection);
echo $retval;
$retval = mysql_query( $query, $connection );
if(! $retval )
{
die('Could not enter data: ' . mysql_error());
}
}
In $connection is valid connection to database.
Database structure:
id : int
key: varcha(45)
date: date
is_used: tinyint(1)
When I call my code I get error:
Could not enter data: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'key, date, is_used) VALUES ( 'uzivatelsky_jmeno', '1459971829', '0')' at line 1
Where is a problem?
Thanks for help
key is a MYSQL reserved word and should not really be used as column names.
MYSQL Reserved Words List can be found here https://dev.mysql.com/doc/refman/5.7/en/keywords.html
However if you wrap these column names in backticks you can get away with it.
You can also simplify your query string concatenation like the following, which makes it a lot easier to debug.
function save_activation_key($connection, $username, $key) {
$date = time();
$is_used = 0;
$query = "INSERT INTO `account_activation_key`
( `key`, `date`, `is_used`)
VALUES ( '$username', '$date', '$is_used')";
$retval = mysql_query($query, $connection);
echo $retval;
$retval = mysql_query( $query, $connection );
if(! $retval )
{
die('Could not enter data: ' . mysql_error());
}
}
BIG NOTE
Please dont use the mysql_ database extension, it
is deprecated (gone for ever in PHP7) Which means this code will never run when all that is available is PHP7 or greater.
Especially if you are just learning PHP, spend your energies learning the PDO or mysqli_ database extensions,
and here is some help to decide which to use
probably your query contains an error at the place where you are giving integer as a string , like your string
'" . $username . "',"
. " '" . $date . "',"
. " '" . $is_used . "'
should be :
'" . $username . "',"." . $date . ","." . $is_used . "
the integers should'nt be with single qoutes " ' "
probably this is the mistake!
I am trying to inserts some values to the database in my php program but I am getting the error
Parse error: parse error, expecting `T_STRING' or `T_VARIABLE' or `T_NUM_STRING' in C:\wamp\www\php\books.php on line 9
mysql_query..
mysql_query("insert into books values('$_GET["title"]','$_GET["author"]','$_GET["edition"]','$_GET["publish"]','$_GET["isbn"]',)") or die(mysql_error());
get your values in variables like
$title = $_GET["title"];
$author = $_GET["author"];
then use query like this
mysql_query("insert into books values('$title','$author','$edition','$publish','$isbn',)") or die(mysql_error());
you are using nested double quotes
mysql_query("insert into books values('{$_GET["title"]}','{$_GET["author"]}','{$_GET["edition"]}','{$_GET["publish"]}','{$_GET["isbn"]}',)") or die(mysql_error());
or
mysql_query("insert into books values('$_GET[title]','$_GET[author]','$_GET[edition]','$_GET[publish]','$_GET[isbn]',)") or die(mysql_error());
The good query is :
mysql_query("insert into books values('" . $_GET["title"] . "','" . $_GET["author"] . "','" . $_GET["edition"] . "','" . $_GET["publish"] . "','" . $_GET["isbn"] . "')") or die(mysql_error());
There are non escaped quotes but also a comma which has nothing to do here, at the end of the query.
Maybe you should learn PHP and its syntax first.
This question is unlikely to help any future visitors; it is only relevant to a small geographic area, a specific moment in time, or an extraordinarily narrow situation that is not generally applicable to the worldwide audience of the internet. For help making this question more broadly applicable, visit the help center.
Closed 10 years ago.
I'm trying to run a PHP script, but I keep getting this error whenever I run it.
Error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''id', 'firstname', 'lastname', 'email', 'username', 'password', 'hash', 'active'' at line 1
PHP:
<?php
require('includes/connect.php');
if($_POST['submit'] == true) {
$firstname = mysql_real_escape_string($_POST['firstname']);
$lastname = mysql_real_escape_string($_POST['lastname']);
$email = mysql_real_escape_string($_POST['email']);
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
$hash = mysql_real_escape_string(md5(uniqid(rand(), true)));
$active = mysql_real_escape_string(0);
$query = mysql_query(" INSERT INTO users_main ( 'id', 'firstname', 'lastname', 'email', 'username', 'password', 'hash', 'active' ) VALUES ( '', '" . $firstname . "', '" . $lastname . "', '" . $email . "', '" . $username . "', '" . $password . "', '" . $hash . "', '" . $active . "' ) ") or die(mysql_error());
} else {
}
?>
Don't quote column names with single quotes. MySQL uses backticks for quoting column and table identifiers.
Some special keywords need to be quoted with backticks if used as an identifier, but you have not used any of those. None of your columns require quoting.
$query = mysql_query(" INSERT INTO users_main ( id, firstname, lastname, email, username, password, hash, active ) VALUES ( '', '" . $firstname . "', '" . $lastname . "', '" . $email . "', '" . $username . "', '" . $password . "', '" . $hash . "', '" . $active . "' ) ") or die(mysql_error());
This question is unlikely to help any future visitors; it is only relevant to a small geographic area, a specific moment in time, or an extraordinarily narrow situation that is not generally applicable to the worldwide audience of the internet. For help making this question more broadly applicable, visit the help center.
Closed 9 years ago.
I'm new to PHP and get the message Parse error: syntax error, unexpected T_VARIABLE in .. on line 25. I would be ever so grateful if someone could help me with this error as it's really started to stress me out. Been on dreamweaver and it says error where it says $Username=... But I just can't seem to fix it
<?php
$host="******"; // Host name
$username="******"; // Mysql username
$password="******"; // Mysql password
$db_name="******"; // Database name
$tbl_name="avaya"; // Table name
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
$con = mysql_connect("localhost","root","");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}
mysql_select_db("inventory", $con);
$addavaya="INSERT INTO avaya_pabx(critical_spare_id, serial_no, ,comcode, version, circuit_pack, classification, location, availability, date, client)
VALUES ('". $_POST['critical_spare_id'] . "', '" . $_POST['serial_no']. "', '". $_POST['comcode'] . "','". $_POST['version'] . "','". $_POST['circuitp_pack'] . "','". $_POST['classification'] . "','". $_POST['location'] . "', '". $_POST['availability'] . "', '". $_POST['date'] . "', '". $_POST['client'] . "')";
mysql_query($addavaya,$con)
if (!mysql_query($addavaya,$con))
{
die('Error: ' . mysql_error());
}
echo "1 record added";
mysql_close($con);
?>
You're missing a semicolon at the end of this line:
mysql_query($addavaya,$con)
My sql query when I check manually in phpmyadmin works fine, but when I try to handle it through php mysql_query throw me a syntax error. How to solve this issue?
Error message:
Invalid query:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'INSERT INTO scores( user_id ) VALUES (LAST_INSERT_ID( ))' at line 1
Whole query:
INSERT INTO users (id_fb, name, first_name, last_name, email, link, first_login)
VALUES ('1000001010101010', 'Bart Roza', 'Bart', 'Roza', 'lalalala#gmail.com','http://www.facebook.com/profile.php?id=1000001010101010','2011-05-07 11:15:24');
INSERT INTO scores( user_id ) VALUES (LAST_INSERT_ID( ));
My php function:
public function createUser()
{
$time = date("Y-m-d H:i:s");
$insert = "INSERT INTO users (id_fb, name, first_name, last_name, email, link, first_login) VALUES (" .
"'" . $this->me['id'] . "', " .
"'" . $this->me['name'] . "', " .
"'" . $this->me['first_name'] . "', " .
"'" . $this->me['last_name'] . "', " .
"'" . $this->me['email'] . "'," .
"'" . $this->me['link'] . "'," .
"'" . $time . "'); " .
"INSERT INTO scores( user_id ) VALUES (LAST_INSERT_ID( ));";
$result = mysql_query($insert);
if (!$result) {
$message = 'Invalid query: ' . mysql_error() . "\n";
$message .= 'Whole query: ' . $insert;
die($message);
}
}
EDIT:
Thanks for the solution!
Since mysql_query accepts only one query you need to split your query string into 2 separated queries and perform it with 2 mysql_query calls.
You can not run multiple queries in once using mysql_query function. you have to run these two queries with separate mysql_query call
mysql_query() sends a unique query
(multiple queries are not supported)
AS #zerkms and #Shakti said, mysql_query does not support multiple queries. If you want to use such functionality, consider migrating to mysqli. It supports multiple queries in a single packet by mysqli_multi_query