I'm trying to run the following code:
mysql_query("INSERT INTO friend_data (UID, Name) VALUES ($friendUID, $friendName)");
where $friendUID is the user ID grabbed from Facebook, and $friendName is the name of the friend grabbed from Facebook. For some reason, $friendName just won't write to MySQL. $friendUID writes fine, and so does regular text. Does anyone have an idea why, or how to get this working? Relevant code is below:
$uid = $facebook->getUser();
$friends = $facebook->api('/me/friends');
$friendUID = $value["id"];
$friendName = $value["name"];
echo $friendName;
mysql_query("INSERT INTO friend_data (UID, Name) VALUES ($friendUID, $friendName)");
Thank you!
First, you should look into using MySQLi or PDO, as the PHP MySQL extension is quite old (and now deprecated in PHP5.5)
http://www.php.net/manual/en/mysqlinfo.api.choosing.php
The issue is that you are trying to insert raw text into the SQL query, which in addition to being an injection risk, causes an invalid statement:
Desired result:
INSERT INTO friend_data (UID, Name) VALUES (1234, "Friend Name");
Actual Result:
INSERT INTO friend_data (UID, Name) VALUES (1234, Friend Name);
You need to encapsulate the name value in quotes, as well as escape the values before inserting them:
$uid = $facebook->getUser();
$friends = $facebook->api('/me/friends');
$friendUID = mysql_real_escape_string($value["id"]);
$friendName = mysql_real_escape_string($value["name"]);
mysql_query("INSERT INTO friend_data (UID, Name) VALUES ($friendUID, \"$friendName\")");
Related
EDIT:
Im trying to submit a form with a title and body but i want the title to go to one table and body to go to another table, this in itself i can do but i need the ID generated from the title being inserted into its table to then be inserted into a field in the table the body is inserted so as to keep them linked.
What i have so far: I know its not pretty and its not safe, i will be reworking them once i learn how to do it properly.
if (#$_POST['post'])
{
$body = #$_POST['body'];
$title = #$_POST['title'];
$BoardID = #$_POST['BoardID'];
$MemberID = #$_POST['MemberID'];
$date = date("Y-m-d H:i:s");
include ('connect.php');
$insert = mysql_query("INSERT INTO threads VALUES ('','$BoardID','$title','$date','$MemberID','','')");
if($insert) {
header("location: ?p=posts&thread=$Thread_ID");
exit();
}
}
I need to somehow get $Thread_ID which has been generated in the insert and add that to a second insert for adding body to the post table, if that makes sense.
I tried getting the latest $Thread_ID and adding +1 but if multiple threads are posted at once they might get crossed over.
How would i go about fixing this?
The PHP manual tell us:
This extension Mysql is deprecated as of PHP 5.5.0, and is not recommended for writing new code as it will be removed in the future. Instead, either the mysqli or PDO_MySQL extension should be used.
(see ref.)
You must use mysqli or PDO, to make a connection between PHP and a MySQL database.
mysqli
If you want the id of the inserted row, you can use $mysqli->insert_id (ref)
Example:
$query = "INSERT INTO myCity VALUES (NULL, 'Stuttgart', 'DEU', 'Stuttgart', 617000)";
$mysqli->query($query);
printf ("New Record has id %d.\n", $mysqli->insert_id);
PDO
If you want the id of the inserted row, you can use $dbh->lastInsertId(); (ref)
And don't forget to sanatize all your inputs.
You need to execute both insert queries separately.
$insert = "INSERT INTO threads VALUES ('','$BoardID','$title','$date','$MemberID','','')";
$result = #mysql_query($insert);
$Thread_ID=#mysql_insert_id();
$insert = "INSERT INTO posts VALUES ('','$BoardID',$Thread_ID','$body','$date','$MemberID')";
$result = #mysql_query($insert);
Thanks,
I'm trying to get the row ID after the slug (ex. post 1 returns "/bligpost.php?id=1").
Instead, it returns no ID.
Where am I doing it wrong? (I have included my other attempts in comments.)
mysql_connect("$hosty","$uname","$paswd");
#mysql_select_db($dbnme) or die( "Unable to select database");
$name=$_POST['Title'];
$slug="blogpost.php?id=";
$auth=$_POST['Author'];
$date=$_POST['Date'];
$cont=$_POST['Content'];
//$query = ("INSERT INTO Blogs (Name, URL, Content, Author, Date) VALUES ('$name', '$slug', '$cont', '$auth', '$date')");
mysql_query("INSERT INTO Blogs (id, Name, URL, Content, Author, Date) VALUES (NULL, '$name', '$slug', '$cont', '$auth', '$date')");
//$pind = mysql_query("SELECT LAST_INSERT_ID()");
mysql_query("UPDATE Blogs SET URL=blogpost.php?id=`id` WHIERE id=LAST_INSERT_ID()");
//mysql_query("UPDATE Blogs SET URL=blogpost.php?id=".$pind." WHERE Content=".$cont);
mysql_close();
Try with mysql_insert_id() like
mysql_query("INSERT INTO Blogs (id, Name, URL, Content, Author, Date) VALUES (NULL, '$name', '$slug', '$cont', '$auth', '$date')");
$id = mysql_insert_id();
echo "My Last Inserted Id ".$id;
Tr this LINK And dont use mysql_* functions due to they are depricated,instead of it,use mysqli_* or PDO statements
And try to update your update query like
mysql_query("UPDATE Blogs SET URL = 'blogpost.php?id=$id' WHERE id=$id");
EDIT Based on your commented query try like
mysql_query("UPDATE Blogs SET URL=blogpost.php?id=$pind WHERE Content='".$cont."'")
or
mysql_query("UPDATE Blogs SET URL=blogpost.php?id=$pind WHERE Content='$cont'")
What you're actually doing wrong in the commented line when assigning to $pind is you expect the mysql_query to return your new id, but what it actually returns is a resource from which you must get the id using mysql_fetch_row or any similar function from the mysql_fetch_ family.
As for the uncommented row with WHIERE id=LAST_INSERT_ID(), it would probably work, but you're not concatenating the prefix string with your id. You should do it like this:
mysql_query("UPDATE blogs SET url = CONCAT('blogpost.php?id=', id) WHERE id = LAST_INSERT_ID()");
On the other hand I don't approve of your design of holding your urls in the database when you already have everything you need in the database (i.e. the id), so you should just prepend the "blogpost.php?id=" to the id you get when selecting that row and you're all set, this url of yours is completely unnecessary.
Oh and people are correct when they say this is deprecated, but it seems you're still learning so this is probably a little easier to grasp than the mysqli approach so you can stick with it for now and move up to mysqli once you're comfortable.
Hope that helps. Good luck.
How about this?
$pind = mysql_insert_id();
http://php.net/manual/en/function.mysql-insert-id.php
$id = mysql_insert_id();
In table id field should be auto increment field
I am having some problems with a script, I am basically inputting data into a MySQL table. This data will be inserted in the table as 1 row.
Upon a row of data being entered into the table I want the current/specific row currently being entered to have the column 'account_type' to be updated from its default value 'member' to 'client'.
It's a long story why I need to do it this way but I do not want to simply just enter the value 'client' it must be updated from 'member' to client.
The script I have (which is the bit at the bottom) is currently doing just this but it is affecting all rows in the table, is there a way I can add a where clause to the update to say only affect the current row being entered and do not update all other rows in the table?
<?php ob_start();
// CONNECT TO THE DATABASE
require('../../includes/_config/connection.php');
// LOAD FUNCTIONS
require('../../includes/functions.php');
$username = $_POST['username'];
$password = $_POST['password'];
$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$email = $_POST['email'];
$number = $_POST['number'];
$dob = $_POST['dob'];
$accounttype = $_POST['accounttype'];
$query="INSERT INTO ptb_registrations (
username,
password,
firstname,
lastname,
email,
number,
dob,
accounttype,
date_created )
VALUES(
'".$username."',
'".$password."',
'".$firstname."',
'".$lastname."',
'".$email."',
'".$number."',
'".$dob."',
'".$accounttype."',
now()
)";
mysql_query($query) or die();
$query="INSERT INTO ptb_users (
first_name,
last_name,
email,
password )
VALUES(
'".$firstname."',
'".$lastname."',
'".$email."',
MD5('".$password."')
)";
mysql_query($query) or dieerr();
$result = mysql_query("UPDATE ptb_users SET ptb_users.user_id = ptb_users.id,
ptb_users.account_type = 'Client'");
Please, don't use mysql_* functions in new code. They are no longer maintained and are officially deprecated. See the red box? Learn about prepared statements instead, and use PDO, or MySQLi - this article will help you decide which. If you choose PDO, here is a good tutorial.
You can use the MySQL function LAST_INSERT_ID() to do this.
The old ext/MySQL extension exposes this functionality through mysql_insert_id(), but you can also access it directly, and more cleanly, and safely, in a query.
So you can do something like this:
$result = mysql_query("
UPDATE ptb_users
SET ptb_users.user_id = ptb_users.id,
ptb_users.account_type = 'Client'
WHERE id = LAST_INSERT_ID()
");
I know you say "it's a long story..." But what you are doing makes little-to-no sense. I can only imagine you are doing this because of a trigger - and that demonstrates quite nicely why triggers are generally a bad idea ;-)
Please try and re-think your design if at all possible.
Get the inserted ID after your first query then use it in the update (assuming you have a primary key with auto-increment).
Try With WHERE Condition on unique coloumn
mysql_query("UPDATE ptb_users SET ptb_users.user_id = ptb_users.id,
ptb_users.account_type = 'Client'" WHERE ptb_user.email='$email');
I'm working on an application but what i want to do is get the user likes and store it in my database
But when i try to save it in the database it won't insert it in my database
$likes = $facebook->api('/me/likes');
$fblikes = '';
foreach($likes['data'] as $like){
$fblikes .= $like['name'].', ';
}
$insert = "INSERT INTO users (name, email, gender, liked)
VALUES (
'$fbname',
'$fbemail',
'$fbgender',
'$fblikes'
)";
$add_bericht = mysql_query($insert);
But whenever i remove $fblikes from the insert sql it will insert into my database
Any idea's ?
I think there is an escaping problem in your query. You are (Very) susceptible to SQL Injection.
See this post on how to prevent it: How can I prevent SQL injection in PHP?
newbie at php here, basically I wish to know how to add data to my mysql table manually using the url.
For example, say I have a table called users which has 3 fields called 'ID', 'username' and 'password'. I wish to add data to the table like this:
http://localhost/register.php?id=1#username=bob#password=123#act=register (I'm not sure if this is entirely right) but yeah something like that.
Any help on how to do this would be much appreciated!
mysql_connect('localhost', 'mysql_user', 'mysql_password');
mysql_select_db('database');
mysql_query("INSERT INTO table (id, username, password) VALUES ('".mysql_real_escape_string($_GET['id'])."', '".mysql_real_escape_string($_GET['username'])."', '".mysql_real_escape_string($_GET['password'])."')");
$query = "insert into users (username, password) values ('".$_GET['username']."','".$_GET['password']."'";
That would be to insert a user based on the act parameter.
Also, usually parameters on a get are split up by "&", not "#".
First of all, if you're saving large data, better to use POST, rather than GET. But if you really need to send data to the server with URL, your URL should be change as below:
You should use '&' in place of '#'
http://localhost/register.php?id=1&username=bob&password=123&act=register
In Server side, you can retrieve the data by following:
$id = mysql_real_escape_string($_GET['id']);
$username = mysql_real_escape_string($_GET['username']);
$password = mysql_real_escape_string($_GET['password']);
$sql = mysql_query('INSERT INTO table_name (id, username, password) VALUES ('.$id.', '.$username.', '.$password.');
if(!$sql){
echo "Error " . mysql_error();
}else{
echo "Success";
}
use
$id = $_REQUEST['id'];
$username = $_REQUEST['username'];
$password = $_REQUEST['password'];
$act = $_REQUEST['act'];
to get values from url
Then usual MySQL
Insert Query
refer
http://dev.mysql.com/doc/refman/5.5/en/insert.html