Having trouble inserting into mysql database using mysqli - php

I'm having trouble getting this to work. I've searched this site and found many other posts regarding this, but none seem to be working.
Here is my simple code:
if (isset($_POST['submit']))
{
$startDate = strtotime($_POST['from']);
$endDate = strtotime($_POST['to']);
for($i = $startDate; $i <= $endDate; $i = strtotime('+1 day', $i))
{
$date = date('Y-m-d',$i);
//echo $date . "<br>";
$sql = ("INSERT INTO `calendar` (`Cal_Date`) VALUES (`$date`)");
}
if(!$result = $db->query($sql))
{
die('There was an error running the query [' . $db->error . ']');
}
}
The form is just as simple and the dates are entered in "YYYY-MM-DD" format. What I'm trying to do is populate my database table with a range of dates. The only thing that happens is one row gets inserted and it is "0000-00-00" and I suspect this is because I've got that column set to Date, Not Null. When I echo the results, everything works perfectly, it's just getting it into the db doesn't seem to work. I've tried many other combinations of the INSERT line including:
$sql = $db->query("INSERT INTO `calendar` (`Cal_Date`) VALUES (`$date`)");
($db is from db_connect.php )
$sql = ("INSERT INTO `calendar` (`Cal_Date`) VALUES (`{$date}`)");
$sql = ("INSERT INTO calendar ('Cal_Date') VALUES ($date)");
$sql = ("INSERT INTO `calendar` (`Cal_Date`) VALUES (`$date`)");
...and I think even a couple of others. I do know that my db_connect.php is connecting to the database as I've got:
$sql = ("SELECT * FROM calendar");
further down the page and it's working fine. I've been going at this for far too long and I'm convinced I'm just missing something obvious. I would appreciate your feedback.
mySQL 5.5.24
PHP 5.3.13
Apache 2.2.22

Try it without the ` for your value, and flicking back to php... as in:
$sql = ("INSERT INTO calendar (`Cal_Date`) VALUES (".$date.")");
If that doesn't help, echo out the SQL and let us know exactly what the built SQL is, that will net you a faster fix

String literals should be quoted with the single-quote ' (or double-quote ", if ANSI_QUOTES is disabled) character, not backticks (which in MySQL are only for quoting SQL identifiers).

First off, there's no need to wrap your string in round brackets!
This should do the trick!
$sql = "INSERT INTO `calendar` (`Cal_Date`) VALUES ('$date')";
An even nicer yet harder to understand solution ( in terms of quotes ) :
$sql = 'INSERT INTO `calendar` (`Cal_Date`) VALUES (\''.$date.'\')';
This one should work as well :
$sql = "INSERT INTO calendar (Cal_Date) VALUES ('$date')";
NOTE : The back-tick ( ` ) is used only for fieldnames and tablenames and needed only if your tablename or fieldname has spaces in it!
Use single or double quotes to delimit strings, dates, chars, varchars within SQL and nothing for booleans, nulls and numeric values!
Hope this helped!
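Added example, not taken from any of the posts above: the date-range insert done with a mysqli prepared statement, which removes the quoting question because the date is bound rather than pasted into the SQL text. It also executes the statement inside the loop (the question's code builds `$sql` on every pass but calls `$db->query()` only once, after the loop ends). PHP 7+, the `$db` connection from the question's db_connect.php, and the `$maxDays` limit are assumptions.

```php
<?php
// Added example; not code from the posts above. Assumes PHP 7+ and an open
// mysqli connection in $db (the question's db_connect.php).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // SQL errors throw

// Parse a strict YYYY-MM-DD string; rejects overflow such as 2013-02-30.
function parseDate(string $s): DateTimeImmutable
{
    $d = DateTimeImmutable::createFromFormat('!Y-m-d', $s);
    if ($d === false || $d->format('Y-m-d') !== $s) {
        throw new InvalidArgumentException('Expected a date as YYYY-MM-DD');
    }
    return $d;
}

// Every date from $from to $to inclusive, as 'Y-m-d' strings.
// $maxDays (an assumed limit) bounds how many rows one form post can create.
function dateRange(string $from, string $to, int $maxDays = 366): array
{
    $start = parseDate($from);
    $end = parseDate($to);
    if ($end < $start || $start->diff($end)->days >= $maxDays) {
        throw new InvalidArgumentException('Date range is reversed or too long');
    }
    $dates = [];
    for ($d = $start; $d <= $end; $d = $d->modify('+1 day')) {
        $dates[] = $d->format('Y-m-d');
    }
    return $dates;
}

// Prepare once, then execute once per date inside the loop.
function insertDates(mysqli $db, array $dates): int
{
    $stmt = $db->prepare('INSERT INTO `calendar` (`Cal_Date`) VALUES (?)');
    $date = '';
    $stmt->bind_param('s', $date); // bound by reference: each new $date is sent
    foreach ($dates as $date) {
        $stmt->execute();
    }
    $stmt->close();
    return count($dates);
}

if (isset($db, $_POST['submit']) && is_string($_POST['from'] ?? null)
    && is_string($_POST['to'] ?? null)) {
    $count = insertDates($db, dateRange($_POST['from'], $_POST['to']));
    echo "Inserted $count rows";
}
```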

Related

MySQL error on form submission

I'm getting a mysql error saying "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near..."
Here's the basics of my code:
First I'm populating the select menu options with rows from the categories table. This is working fine:
<select id="dropdown-select" name="Name">
<option value="" id="dropdown-option">Please select a category.</option>
<?php
$query_categories = "SELECT * FROM categories";
$result_categories = mysql_query($query_categories) or die(mysql_error());
while($categories_row = mysql_fetch_array($result_categories)) {
echo '<option id="dropdown-option" value="' . $categories_row['cat_name'] . '">' . $categories_row['cat_name'] . '</option>';
}
?>
</select>
Later, when I go submit the form to the transactions table (the above table I pulled data from was the categories table, could this be a problem?) is when I get the error. I think it's related to the above code bc if I remove this element from my form submission, it writes the rest of the values to the database without any errors.
if(!isset($_POST['Name'])) {
die('You must select an income or expense from the drop down menu.');
} else {
$Name = $_POST['Name'];
}
//create query
$query = "INSERT INTO transaction (month, trans_name, budgeted, actual) VALUES ('$Month', '$Name', $Budgeted', '$Actual')";
$result = mysql_query($query) or die("Error in query: $query. " . mysql_error());
Thanks for any help you can provide.
You are missing a single quote in your insert statement before $Budgeted
INSERT INTO transaction (month, trans_name, budgeted, actual) VALUES ('$Month', '$Name', '$Budgeted', '$Actual')"
If you have some fields which are defined in Database as VARCHAR, CHAR.
Also, if you are inserting a string value in Database from a PHP script, you need to add an enclosing single quote (') around it.
In your case, you are inserting a string without semicolons, so it is showing an error in MySQL.
Your statement should be corrected by adding a single quote around $budget as:
$query = "INSERT INTO transaction (month, trans_name, budgeted, actual) VALUES ('$Month',
'$Name', '$Budgeted', '$Actual')";
------^
The error "You have an error in your SQL syntax" is exactly correct!
$query = "INSERT INTO transaction (month, trans_name, budgeted, actual)
VALUES ('$Month', '$Name', $Budgeted', '$Actual')";
Look here, you missed something ----^
There is a ' missing from your statement causing the syntax error. Put the single quote in and you should be good to go!

Query Failed!You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version

I am trying to put this into the database. And I am getting an unexpected error, however, saying:
Query Failed! You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'order(Order_Date,Order_Time,Delivery_Charge,Delivery_Fname,Delivery_Lname,Delive' at line 1.
Here's my PHP:
<?php
//error_reporting(E_ERROR | E_PARSE);
include("includes/db.php");
include("includes/functions.php");
if($_REQUEST['command']=='update')
{
$date = date('Y-m-d');
$time = time('H:i:s');
$charge = $_REQUEST['ocharge'];
$fname = $_REQUEST['ofname'];
$lname = $_REQUEST['olname'];
$mobile = $_REQUEST['omobile'];
$add1 = $_REQUEST['oadd1'];
$add2 = $_REQUEST['oadd2'];
$postcode = $_REQUEST['opostcode'];
$state = $_REQUEST['ostate'];
$country = $_REQUEST['ocountry'];
$weight = $_REQUEST['oweight'];
$credit = $_REQUEST['ocredit'];
$pin = $_REQUEST['opin'];
$city = $_REQUEST['ocity'];
$result=mysql_query("insert into order(Order_Date,Order_Time,Delivery_Charge,Delivery_Fname,Delivery_Lname,Delivery_HP,Delivery_Street1,Delivery_Street2,Delivery_Postcode,Delivery_State,Delivery_Country,Total_Weight,Credit_No,Pin_No,Delivery_City) values ('$date',$time,$charge,'$fname','$lname',$mobile,'$add1','$add2',$postcode,'$state','$country',$weight,$credit,$pin,'$city')");
if($result === FALSE)
{
die("Query Failed!".mysql_error().$result);
}
$orderid=mysql_insert_id();
$max=count($_SESSION['cart']);
for($i=0;$i<$max;$i++)
{
$pid=$_SESSION['cart'][$i]['productid'];
$q=$_SESSION['cart'][$i]['qty'];
$price=get_price($pid);
mysql_query("insert into order_detail (Order_ID,Product_ID,Order_Quantity,Sub_Total) values ('$orderid','$pid','$q','$price')");
}
die('Thank You! your order has been placed!');
}
?>
What is wrong with the query?
ORDER is a reserved keyword. So, you'll need to escape it in backticks, like so:
INSERT INTO `order` ...
Not using reserved keywords in your query would be the better solution, but escaping them with backticks works, too.
Here's a few debugging tips. Rather than this:
$result=mysql_query("insert into order(Order_Date,Order_Time,Delivery_Charge,Delivery_Fname,Delivery_Lname,Delivery_HP,Delivery_Street1,Delivery_Street2,Delivery_Postcode,Delivery_State,Delivery_Country,Total_Weight,Credit_No,Pin_No,Delivery_City) values ('$date',$time,$charge,'$fname','$lname',$mobile,'$add1','$add2',$postcode,'$state','$country',$weight,$credit,$pin,'$city')");
Always do this:
$sql ="insert into order(Order_Date,Order_Time,Delivery_Charge,Delivery_Fname,Delivery_Lname,Delivery_HP,Delivery_Street1,Delivery_Street2,Delivery_Postcode,Delivery_State,Delivery_Country,Total_Weight,Credit_No,Pin_No,Delivery_City) values ('$date',$time,$charge,'$fname','$lname',$mobile,'$add1','$add2',$postcode,'$state','$country',$weight,$credit,$pin,'$city')";
$result = mysql_query($sql);
This makes it trivial, when working on your code, to also do this:
echo htmlentities($sql);
That will show you the query you are working with (and not the PHP code that builds the query, which may hide awkward characters inside your values).
Finally, consider writing your code like this:
$sql = "
INSERT INTO order (
Order_Date, Order_Time, Delivery_Charge,
Delivery_Fname, Delivery_Lname, Delivery_HP,
Delivery_Street1, Delivery_Street2, Delivery_Postcode,
Delivery_State, Delivery_Country, Total_Weight,
Credit_No, Pin_No, Delivery_City
)
VALUES (
'$date', $time, $charge,
'$fname', '$lname', $mobile,
'$add1', '$add2', $postcode,
'$state', '$country', $weight,
$credit, $pin, '$city'
)
";
$result = mysql_query($sql);
I've upper-cased the SQL and formatted the query to make it readable, so you can be sure you are supplying the right value for the right column. No horizontal scrolling (in your editor or on our screens) is now necessary.
As indicated in the comments, if you take this approach to database inserts, you need to ensure that all of your values are correctly escaped, especially if they come from user input. However, parameterisation is a better way to do this, and note that the "mysql" library is now deprecated.
Addendum: looking at the query, I would say that you need apostrophes around $time, $mobile and $postcode (assuming they are all strings). I presume $charge and $weight are numeric and so therefore do not need quoting.

Insertion query in sql php function

I'm a beginner in PHP and I have a problem with an insertion query
if(isset($id)){
$qry = "insert into user_to_birds(user_id,tax_id)values( 1 ,'.$id .') ";
$result = mysql_query($qry);
}
I'm connected to the database but the query didn't work.
Why is it not working? How can I correct it?
Don't create queries this way. It is very vulnerable to SQL injection.
Use a prepared statement instead. A prepared statement is precompiled, hence will not be subject to SQL injection.
$user = 99;
$tax = 8;
// One ? placeholder per bound value
$stmt = $mysqli->prepare("insert into user_to_birds(user_id,tax_id)values(?,?)");
$stmt->bind_param("ii", $user, $tax);
$stmt->execute();
// .. work on it ..
$stmt->close();
ii stands for two integers. After that first part of the binding, telling which type of variables you use in which order, you can add the values of those variables to the statement. The values will be escaped automatically using this method.
if(isset($id)){
$qry = "insert into user_to_birds(user_id, tax_id)values('1','$id') ";
$result = mysql_query($qry);
}
Works like a charm.
I think your single quotes should be double quotes:
$qry = "insert into user_to_birds(user_id,tax_id )values( 1 ,".$id .") ";
You are confusing strings in PHP with strings in SQL (which is, admittedly, easy to do).
For how to insert into there's a nice article here
http://www.w3schools.com/php/php_mysql_insert.asp
INSERT INTO table_name (column1, column2, column3,...)
VALUES (value1, value2, value3,...)
//not sure if this will make a difference but I would try a space between tax_id) and values(
Also, I'm not sure if the way you've done it is wrong, but I would have written it like this
if(isset($id))
{
$qry = "insert into user_to_birds (user_id, tax_id)
values( '1' ,'".$id ."') ";
$result = mysql_query($qry);
}
Look at string concatenation as well; either have
" ' ' ".$variable." ' ' ";
in that fashion
As others have said, it looks like you're not using string concatenation correctly in your query. Try changing your query to something like:
$qry = "INSERT INTO user_to_birds (user_id,tax_id) VALUES ( 1 ,'$id') ";
Another possibility is that your $id variable isn't set. Try printing out the variable before doing the isset() check and that will tell you if you need to look at an earlier point in your code.
Finally, I'd recommend you look at mysqli functions rather than mysql.
http://php.net/manual/en/book.mysqli.php
You have some confusion in quotes: your string is in " ", your SQL value is in ' ', but when you concatenate you need to close your string and write a dot and the variable; after this you need to write a dot, open the string quotes again and write text if it is needed. Your mistake: you didn't close the string (") before concatenation, and this leads to misinterpretation of the code. In this case your code will look like:
$qry = "insert into user_to_birds(user_id,tax_id)values( 1 ,'" .$id ."') ";
But you can not use concatenation, you can do it simply: PHP allows you to write your variable $id in the string, without using concatenation:
$qry = "insert into user_to_birds(user_id,tax_id)values( 1 ,'$id') ";

Can not send information from PHP form to multiple mysql database tables

I am trying to insert data into 4 tables ( asset, asset_details, invoice and location). When I submit the form, it tells me that all the data has been submitted successfully but when I check the MySQL database the information is only submitted to the location tables.
Any help will be appreciated. Thank you.
mysql_query("START TRANSITION");
$query1 =("INSERT INTO .asset (asset_tag, asset_number, cap_ex, asset_type_id, invoice_id, status)
Values(".$_POST['asset_tag'] .",,,".$_POST['asset_type'] . ",".$_POST['invoice_number']."," . $_POST['status_id'] .")");
$query2 =("INSERT INTO .asset_details (asset_type_id, asset_tag, asset_type, physical_asset_id, manufacturer, os, os_version, make, model, serial_number, processor, ram, memory, hdd, host_name, notes)
Values(" .",".$_POST['asset_tag']."," .$_POST['asset_type'].",,
,".$_POST['os'].",".$_POST['os_version'].",".$_POST['make'].",".$_POST['model'].",".$_POST['serial_number'].",".$_POST['processor'].",,".$_POST['memory'].",".$_POST['hdd'].",,".$_POST['notes'].")");
$query3 =( "INSERT INTO .invoice (invoice_number, invoice_date, purchas_price, quantity, order_date, vender, warrenty_end, notes)
Values(" .$_POST['invoice_number'].",". $_POST['invoice_date'].",". $_POST['purchase_price'].",,,". $_POST['vender'].")");
$query4 =( "INSERT INTO .location (location_name, rack, row, unit)
Values(" .$_POST['location_name'].",".$_POST['rack'].",".$_POST['row'].",".$_POST['unit'].")");
echo "$query1 $query2 $query3 $query4";
$result1= mysql_query($query1);
$result2= mysql_query($query2);
$result3= mysql_query($query3);
$result4= mysql_query($query4);
$result = mysql_query("COMMIT");
if (!$result)
{
mysql_query("ROLLBACK");
die('Invalid query: ' . mysql_error());
}
else
{
echo "<script>alert('SUCCESS!');</script>";
}
}
mysql_close($con);
?>
There are some strange things;
START TRANSITION should probably be START TRANSACTION.
You're not quoting any of your string values. Strings need to be quoted using ' a'la INSERT INTO TEST VALUES ('olle');
An empty field cannot be indicated by just skipping it, you're doing INSERT INTO TEST (a,b,c) VALUES (1,,2); which is not valid syntax for not setting b.
Also, I recommend using a more modern mysql api than mysql_query, as for example PDO or mysqli, since injecting POST values into a string as you do can be pretty dangerous, you may cause SQL injection problems.
Use '`'s around each attribute (column) and ''' around each value; it should work
During development, I'd echo each query expression before it is sent to the database.
By the way, mysql_error() is a useful function in PHP, which returns the last error information of MySQL. You may use that for debugging
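Added example, not the poster's code: the multi-table insert with the points from the first answer applied, using mysqli. Every insert runs inside one transaction and any failure rolls the whole set back (the question's code tests only the result of COMMIT, so failed INSERTs go unnoticed); blank form fields are bound as NULL and unused columns are left out of the column list instead of being skipped with `,,`. PHP 7+, InnoDB tables, nullable columns, and the helper names `field`, `insertRow` and `saveAsset` are assumptions; only two of the four tables are shown.

```php
<?php
// Added example; not the poster's code. Assumes PHP 7+, an open mysqli
// connection, InnoDB tables, and columns that accept NULL for blank fields.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // SQL errors throw

// Trimmed form value, or null so the column receives SQL NULL.
function field(array $in, string $key): ?string
{
    if (!isset($in[$key]) || !is_string($in[$key])) {
        return null;
    }
    $v = trim($in[$key]);
    return $v === '' ? null : $v;
}

// Run one parameterised INSERT; values are bound, never concatenated.
// Binding everything as 's' lets MySQL cast to the column type (assumption).
function insertRow(mysqli $db, string $sql, array $values): void
{
    $stmt = $db->prepare($sql);
    $stmt->bind_param(str_repeat('s', count($values)), ...$values);
    $stmt->execute();
    $stmt->close();
}

// Insert into asset and location as one unit: both rows or neither.
function saveAsset(mysqli $db, array $in): void
{
    $db->begin_transaction();
    try {
        // Backticks quote identifiers; columns not listed keep their defaults.
        insertRow($db,
            'INSERT INTO `asset` (`asset_tag`, `asset_type_id`, `invoice_id`, `status`)
             VALUES (?, ?, ?, ?)',
            [field($in, 'asset_tag'), field($in, 'asset_type'),
             field($in, 'invoice_number'), field($in, 'status_id')]);
        insertRow($db,
            'INSERT INTO `location` (`location_name`, `rack`, `row`, `unit`)
             VALUES (?, ?, ?, ?)',
            [field($in, 'location_name'), field($in, 'rack'),
             field($in, 'row'), field($in, 'unit')]);
        $db->commit();
    } catch (mysqli_sql_exception $e) {
        $db->rollback(); // undo the inserts that did succeed
        throw $e;
    }
}

if (isset($con) && $_SERVER['REQUEST_METHOD'] === 'POST') {
    saveAsset($con, $_POST);
    echo 'Saved';
}
```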

My insert statement (php to mysql) fails to use my variables

It must be the simplest error, but I don't see nor find it.
I fill a variable $aa_minerid with value 7.
I use this variable in an insert.
The insert always inserts a 0 (zero) in the database, never a 7
The field I put it in is a smallint(6)
I tried
VALUES ('$aa_productid')
VALUES ($aa_productid)
VALUES ("$aa_productid")
VALUES ('{$aa_productid}')
VALUES ("{$aa_productid}")
and all with use of ` as well
into script placed hereafter.
If I put there : VALUES ( 7 )
It does work perfect.
So what do I do wrong in this script?
BTW the echo at the end DOES show the right value of the variable $aa_productid
<?php
/* This php script should transfer data from the aa to the sql database */
// Info coming from aa
$aa_productid = 7 ;
include ("dogs.inc");
$cxn=mysqli_connect($host,$user,$passwd,$dbname);
$query = 'SELECT * FROM `Price` WHERE '
. ' `Time_Stamp`=(select max(`Time_Stamp`) from `Price` where `Product_ID` = \'1\')';
$result=mysqli_query($cxn,$query) or
die("Couldn't execute select query");
$row = mysqli_fetch_row($result);
$aa_price=$row[3] ;
$aa_value = $aa_price * $aa_amount;
// Info ready to go to database
$sqlinsert = 'INSERT INTO Mining (Product_ID)'
. ' VALUES ( $aa_productid )' ;
echo $aa_productid;
Single quotes don't do variable expansion in PHP. But I would recommend you use prepared statements, such as:
$stmt = $cxn->prepare('INSERT INTO Mining (Product_ID) VALUES ( ? )');
$stmt->bind_param('i', $aa_productid);
$stmt->execute();
See the documentation at prepare and bind_param.
This will protect you from SQL injection.
Try
'.$aa_productid.'
or
".$aa_productid."
Depending on the type of apostrophe used to begin the string, use the same one.
Also, if you are using ", then you should be able to just do
$insert="INSERT INTO $tablename;";
It's been a while since I have done any PHP but..
I think you need to have smartquotes turned on
Try this instead:
$sqlinsert = 'INSERT INTO Mining (Product_ID)'
. ' VALUES ('. $aa_productid .' )' ;
concatenate the variable into the query.
When you are using variables within quotes, you must use the double-quote if you want PHP to parse variables within it. So, this would work:
$sqlinsert = 'INSERT INTO Mining (Product_ID) VALUES ('.$aa_productid.')';
Or this would:
$sqlinsert = "INSERT INTO Mining (Product_ID) VALUES ($aa_productid)";
Try:
$query = "SELECT * FROM Price WHERE Time_Stamp=(select max(Time_Stamp) from Price where Product_ID = '1')";
$sqlinsert = "INSERT INTO Mining (Product_ID) VALUES ( '$aa_productid' )" ;
Also, it's always a good idea to escape the strings before entering them in the db.
Try this syntax instead:
$sqlinsert = 'INSERT INTO Mining (Product_ID) VALUES ("' . $aa_productid . '")';
no need to concatenate the two parts of the insert. Also double quoting the variable seems to avoid problems.
