This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
How do I handle single quotes inside a SQL query in PHP?
Greeting ,
I have a small script which is used for applications and it saves questions answer into the database. The script is given below:
while(list($QKey,$QVal) = each($AppQuestions)) {
$result2= mysql_query("
INSERT INTO forum_app_answers (AID, AppID, Question, Answer)".
" VALUES (NULL, '$AppID', '$Questions[$QKey]', '$QVal')"
) or die(mysql_error());
Now the problem is that if someone write ' character in the answer , the data doesnt get saved. For simple writing its okay . The problem is only if the answer contains ' in it. any help will be highly appreciated tx
The following error occures:
You Have An Error In Your SQL Syntax; Check The Manual That Corresponds To Your MySQL Server Version For The Right Syntax To Use Near 's GF. Channel Services')' At Line 1
Use prepared statements. Look up PDO and use prepared statements.
mysql_ is deprecated.
After connecting with $dbh = new PDO(),
$sql = 'sql';
$stmt = $dbh->prepare($sql);
$stmt->execute($params);
do the following:
$QVal = $mysqli->real_escape_string($QVal);
$query = "INSERT INTO forum_app_answers (AID, AppID, Question, Answer)
VALUES (NULL, '$AppID', '$Questions[$QKey]', '$QVal')";
// $mysqli is previously defined
$mysqli->query($query);
if ($mysqli->errno !=0){
printf("you have an error in your query %s", $mysqli->error);
}
You may try:
while(list($QKey,$QVal) = each($AppQuestions)) {
$result2= mysql_query("
INSERT INTO forum_app_answers
(AID, AppID, Question, Answer)". "
VALUES (
NULL,
'$AppID',
'$Questions[$QKey]',
'". mysql_real_escape_string($QVal). "')
") or die(mysql_error());
Without mysql_real_escape_string() your script also has huge security issues.
Related
This question already has answers here:
MySQL Insert query doesn't work with WHERE clause
(31 answers)
Closed 2 years ago.
please help me to solve this error.i tired from searching solution...
error: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'WHERE name=NULL' at line 1
my database have 3 column=id(int),name(varchar),comment(varchar) and i want insert comment to it.
my php code :
<?php
include "./Config.php";
include './MyPDO.php';
$response = array() ;
$connect = MyPDO::getInstance();
$name = $_REQUEST['name'];
$comment=$_REQUEST['comment'];
$query = " INSERT INTO user "
. " (comment) "
. " VALUES "
. " (:comment) "
. " WHERE name=:name ";
$stmt = $connect->prepare($query);
$stmt->bindParam(":name",$name);
$stmt->bindParam(":comment",$comment);
try {
$stmt->execute();
$response['massage'] = "sucess";
echo json_encode($response);
exit;
} catch (PDOException $ex) {
$response['massage'] = "error";
$response['error']=$ex->getMessage();
echo json_encode($response);
}
Looks like you mixed the syntax here. You seem to want to update an existing record. Use
update user
set comment = :comment
where name = :name
insert if for creating a new record.
The insert into ... values() syntax does not take a where clause.
If you want to insert, then:
insert into user(name, comment) values(:name, :comment)
But actually it looks like you might want an update:
update users set comment = :comment where name = :name;
The former creates a new record in the table, with the given name and comment.
The latter modifies the already-existing record that has the same name and sets its comment value.
This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
Closed 8 years ago.
I am trying to insert a sample blog post into my 'posts' table in MySQL (using PHP) however I receive a syntax error whenever a large character post is submitted. If I submit content of say 20 characters it works but something like 500 characters will throw the following error:
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''uid', 'username', 'p_date', 'title', 'content') VALUES('1','Mark Twain', '2014-' at line 1
The 'content' is to be inserted into the database via a varchar(1000) variable. The table is defined in mysql as:
CREATE TABLE posts
(
pid int NOT NULL AUTO_INCREMENT,
uid int NOT NULL,
username varchar(100) NOT NULL,
p_date date NOT NULL,
title varchar(225) NOT NULL,
content varchar(10000) NOT NULL,
PRIMARY KEY(pid),
FOREIGN KEY(uid) REFERENCES users(uid)
);
The actual content I am trying to submit is this:
Secondly, these missionaries would gradually, and without creating suspicion or exciting alarm, introduce a rudimentary cleanliness among the nobility, and from them it would work down to the people, if the priests could be kept quiet. This would undermine the Church. I mean would be a step toward that. Next, education -- next, freedom -- and then she would begin to crumble. It being my conviction that any Established Church is an established crime, an established slave-pen, I had no scruples, but was willing to assail it in any way or with any weapon that promised to hurt it. Why, in my own former day -- in remote centuries not yet stirring in the womb of time -- there were old Englishmen who imagined that they had been born in a free country: a "free" country with the Corporation Act and the Test still in force in it -- timbers propped against men's liberties and dishonored consciences to shore up an Established Anachronism with.
The insert statement for this is the following:
$sql = "INSERT INTO posts ('uid', 'username', 'p_date', 'title', 'content') VALUES('$uid','$uname', '$date', '$title', '$content')";
if(!mysql_query($sql,$con)){
echo "Oops! Something went wrong during the posting process. Please try again. ";
die('Error: ' . mysql_error($con));
header('Refresh: 1; URL=postingform.php');
}else{
// Now return the user to their post page
header('Refresh: 0; URL=postlist.php?uid='.$uid.'');
}
For some reason it is error-ing out during the INSERT process. The one thing strange I notice is that the date is cut off in the error. To call the date I am using. $date = date("Y-m-d");
I have used this same syntax before without issues.
****Edit
A few posters have pointed out that there are single quotations in my INSERT column statements. I have changed these to back tics and completely removed them but the error still results.
New Error:
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's Court', 'Secondly, these missionaries would gradually, and without creating su' at line 1
There is something still wrong with my insert syntax but everything I am reading says it should be correct.
$sql = "INSERT INTO posts (`uid`, `username`, `p_date`, `title`, `content`) VALUES('$uid','$uname', '$p_date', '$title', '$content')";
Remove all the quotes in (for your columns)
('uid', 'username', 'p_date', 'title', 'content')
Those aren't the correct column identifiers
http://dev.mysql.com/doc/refman/5.5/en/identifiers.html
use
(uid, username, p_date, title, content)
or use backticks.
(`uid`, `username`, `p_date`, `title`, `content`)
However and as a quick FYI, backticks are mostly used for reserved keywords, or if a table/column contains spaces, hyphens.
http://dev.mysql.com/doc/refman/5.5/en/reserved-words.html
The error message was letting you know here
check the manual that corresponds to your MySQL server version for the right syntax to use near ''uid',
^--« right there
Notice the quote just before 'uid'? That's where the problem starts.
Edit:
Try the following using prepared statements and replace xxx with your own credentials.
This should take care of the quotes issue from your input values.
You will need to add the variables according to your inputs.
<?php
$DB_HOST = "xxx";
$DB_NAME = "xxx";
$DB_USER = "xxx";
$DB_PASS = "xxx";
$conn = new mysqli($DB_HOST, $DB_USER, $DB_PASS, $DB_NAME);
if($conn->connect_errno > 0) {
die('Connection failed [' . $conn->connect_error . ']');
}
$uid = ""; // replace with proper value
$uname = ""; // replace with proper value
$date = ""; // replace with proper value
$title = ""; // replace with proper value
$content = ""; // replace with proper value
$stmt = $conn->prepare("INSERT INTO posts (`uid`, `username`, `p_date`, `title`, `content`) VALUES (?, ?, ?, ?, ?)");
$stmt->bind_param('sssss', $uid, $uname, $date, $title, $content);
if (!$stmt->execute()) {
echo "Execute failed: (" . $stmt->errno . ") " . $stmt->error;
}
else{
echo "Success";
}
$stmt->close(); // Statement
$conn->close(); // MySQLi
Footnotes:
In order to allow single and/or double quotes, based yourself on the following, while using the stripslashes() function.
$content = stripslashes($_POST['content']);
This will enter in DB properly:
Bob's sister was here today and said: "Bob, what lovely hair you have!".
i recently started working with PHP and MYSQL, everything was going fine till I starter to get this error. Code works when I insert it into the query window at phpMyAdmin, but it doesnt work inside php code when i open it with a browser. Im already connected to database, so thats not the problem.
this is the error i get:
SQLSTATE[42000]: Syntax error or access violation: 1064 You have an
error in your SQL syntax; check the manual that corresponds to your
MySQL server version for the right syntax to use near ''fatmam' (user,
messageid) VALUES ('ayihan', '5')' at line 1
try
{
$alicengiz = $_POST['actor'].'m';
$sql = 'INSERT INTO :tablename (user, messageid) VALUES
(:user, :messageid)';
$s = $pdo->prepare($sql);
$s->bindValue(':user', $_SESSION['username']);
$s->bindValue(':messageid', $_POST['action1']);
$s->bindValue(':tablename', $alicengiz);
$s->execute();
}
catch (PDOException $e)
{
$error = 'Error 1qqq. '. $e->getMessage();
include 'error.php';
exit();
}
No. You cannot prepare table names, field names and sql keywords.
Problem is, that prepare() will add single quotes around the input, but table names and field names require backticks around them when you want to escape them.
This time you need to escape manually (*real_escape_string doesn't help here):
$sql = 'INSERT INTO `'.addcslashes($alicengiz, "\\'").'` (user, messageid) VALUES
(:user, :messageid)';
$s = $pdo->prepare($sql);
$s->bindValue(':user', $_SESSION['username']);
$s->bindValue(':messageid', $_POST['action1']);
P.s.: but really, this is a bad idea. I'd use a whitelist instead of escaping, because when $_POST["actor"]."m" isn't a table name, a PDOException will be thrown.
How about this?
$alicengiz = $_POST['actor'].'m';
$sql = 'INSERT INTO messages (user, messageid) VALUES
(:user, :messageid)';
$s = $pdo->prepare($sql);
$s->bindValue(':user', $_SESSION['username']);
$s->bindValue(':messageid', $_POST['action1']);
$s->execute();
This question already has an answer here:
Syntax error due to using a reserved word as a table or column name in MySQL
(1 answer)
Closed 8 years ago.
A MySQL query that I am running is throwing up the following error
You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use
near 'desc = 'Enter Description Here'' at line 2
The desc is a variable '$desc' the error suggests that there is an extra ' before desc but there is nothing in the code (below) if I remove desc altogether it works fine (obviously not updating that part) its very strange, your help is greatly appreciated :-)
The code is
//Get the form data
$title = $_POST['title'];
$keywords = $_POST['keywords'];
$desc = $_POST['desc'];
//initialise connection with databse
require_once('../Connections/EliteGrooming.php');
mysql_select_db($database_EliteGrooming, $EliteGrooming);
//Execute the query
mysql_real_escape_string($title, $keywords, $desc);
$query = "
UPDATE site_settings
SET site_title = '$title', keywords = '$keywords', desc = '$desc';";
mysql_query($query) or die(mysql_error());
mysql_close();
header('Location: ../admin/site-settings.php?updated');
desc is a reserved keyword, you must escaped it with backtick
$query = "
UPDATE site_settings
SET site_title = '$title', keywords = '$keywords', `desc` = '$desc';";
but your query is vulnerable with SQL Injection, please read the article below,
How can I prevent SQL injection in PHP?
You need to escape reserved words in MySQL like desc with backticks
UPDATE site_settings
SET site_title = '$title', keywords = '$keywords', `desc` = '$desc';";
This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
Mysql can't perform more than 1 query at a time
$query = "TRUNCATE TABLE nw_world;";
$query = $query . " INSERT INTO `nw_world`";
$query = $query . " SELECT * FROM `x_world` WHERE x <0 AND y >=0";
$query = $query . " AND tid !=5 AND aid NOT IN ( 29, 908, 935, 941, 950 )";
$query = $query . " AND population <=50";
echo "$query";
mysql_query($query,$con) or die("error ".mysql_error());
This results in an error
error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'INSERT INTO `nw_world` SELECT * FROM `x_world` WHERE x <0 AND y >=0 AND tid !=5 ' at line 1
But when i execute the same query in mysql it works fine. Due to which i am having a feeling that i am making some mistake in the php coding. Please help
PHP, by default, will only execute 1 query per mysql_query call (security measure).
If you want to execute more than one at a time look at http://se2.php.net/manual/en/mysqli.multi-query.php
mysql_query does not let you execute more than 1 query. Use mysqli::multi_query
or execute each command separately.