Naming MySQL table column - php

I am encountering one little problem here:
I am entering one MySQL query through PHP. I have checked the connection works fine and looks like the following:
INSERT INTO table (q1,q2,q3) VALUES ('".$_POST['Q1']."', '".$_POST['Q2']."'...)
then when I change the query to the following, there is an error:
INSERT INTO table (q1,q2,q3-1) VALUES ('".$_POST['Q1']."', '".$_POST['Q2']."'...)
The following error appears:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-1) VALUES ('N', 'asdfasdf', '' )' at line 1
Now, I am thinking, is it because:
I name the table column as 'q3-1'
or any other problem?
Would it be okay if I change it to q3_1 instead?

If you put backticks ` around the field names, it should be OK
ie:
INSERT INTO table (`q1`,`q2`,`q3-1`) ...

Use backticks. Look into PDO.
INSERT INTO table (q1,q2,`q3-1`)
VALUES ('".$_POST['Q1']."', '".$_POST['Q2']."'...)

You have an error in your second query because of q3-1. It should be in quotes:
INSERT INTO table (q1,q2,`q3-1`) VALUES ('".$_POST['Q1']."', '".$_POST['Q2']."'...)

Escape the column names with backticks (`):
INSERT INTO table (`q1`, `q2`, `q3-1`)
VALUES ('".$_POST['Q1']."', '".$_POST['Q2']."'...)
But this statement is vulnerable to SQL injection. Try using PDO instead,
e.g.:
<?php
// Identifiers cannot be bound, so they stay in the SQL text, backtick-quoted;
// the values are bound as parameters and are never parsed as SQL.
$stmt = $dbh->prepare("INSERT INTO table (`q1`, `q2`, `q3-1`) VALUES (?, ?, ?)");
$stmt->bindParam(1, $_POST['Q1']);
$stmt->bindParam(2, $_POST['Q2']);
$stmt->bindParam(3, $_POST['Q3']);
$stmt->execute();
?>

Related

PHP : Error in Query (MySQL) near WHERE clause

I am trying to insert data from a form with the use of a query. The query (below) has a WHERE clause to pick a position from visitorsystem.position.
$query = "INSERT INTO visitorsystem.employee(idNumber,name,surname,position,email)
VALUES ('$idNumber','$name','$surname',SELECT positionid FROM visitorsystem.position WHERE position LIKE '%$position%','$email')";
When executed the following error is given. I have tried adding quotes and single quotes around the SELECT...WHERE clause with no luck. Any ideas if the problem is with the query itself or the SELECT...WHERE clause ?
Error in query: You have an error in your SQL syntax; check the manual
that corresponds to your MySQL server version for the right syntax to
use near '','fdsf',SELECT positionid FROM visitorsystem.position WHERE
position LIKE '%inf' at line 2
Change your query to:
$query = "INSERT INTO visitorsystem.employee(idNumber,name,surname,position,email)
SELECT '$idNumber','$name','$surname',positionid,'$email' FROM visitorsystem.position WHERE position LIKE '%$position%'";
First of all, learn about prepared statements to prevent SQL injection.
Second, you should add all values to the SELECT statement:
$query = "INSERT INTO visitorsystem.employee(idNumber,name,surname,position,email)
SELECT $idNumber,'$name','$surname',positionid,'$email' FROM visitorsystem.position WHERE position LIKE '%$position%'";
Also, you do not need single quotes around $idNumber, because it is numeric.
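The INSERT ... SELECT form above is the right shape, but it still splices form input into the statement, and a LIKE pattern has a second problem that binding alone does not solve: a `%` or `_` typed by the user is still a wildcard inside the pattern. The following is an added example, not code from the answers above. It assumes PHP 7.4 or newer with PDO and the pdo_sqlite extension: an in-memory SQLite database stands in for MySQL so it runs offline, the visitorsystem schema prefix is dropped for the same reason, `!` is used as the ESCAPE character because a backslash is spelled differently in the two dialects' string literals, and escapeLike, insertEmployee and the sample positions are this example's own.

```php
<?php
declare(strict_types=1);
// Added example, not code from the page. PDO + in-memory SQLite stand in for
// MySQL (assumption); the INSERT ... SELECT text is otherwise what MySQL gets.

/** Make user text match literally inside a LIKE pattern: escape !, % and _. */
function escapeLike(string $text, string $esc = '!'): string
{
    return str_replace([$esc, '%', '_'], [$esc . $esc, $esc . '%', $esc . '_'], $text);
}

/** Insert an employee whose position matches the search text; returns rows inserted. */
function insertEmployee(PDO $pdo, string $idNumber, string $name, string $surname,
                        string $positionSearch, string $email): int
{
    // Every value is a bound parameter; the pattern is built in PHP, then bound whole.
    $stmt = $pdo->prepare(
        'INSERT INTO employee (idNumber, name, surname, position, email)
         SELECT :idNumber, :name, :surname, positionid, :email
         FROM position WHERE position LIKE :pattern ESCAPE \'!\''
    );
    $stmt->execute([
        ':idNumber' => $idNumber,
        ':name'     => $name,
        ':surname'  => $surname,
        ':email'    => $email,
        ':pattern'  => '%' . escapeLike($positionSearch) . '%',
    ]);
    // INSERT ... SELECT inserts one row per matching position: 0 means the
    // position was not found, more than 1 means the search text was ambiguous.
    return $stmt->rowCount();
}

$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE position (positionid INTEGER PRIMARY KEY, position TEXT)');
$pdo->exec('CREATE TABLE employee (idNumber TEXT, name TEXT, surname TEXT, position INTEGER, email TEXT)');
// Constructed positions: two of them look alike to an unescaped "100%" search.
$pdo->exec("INSERT INTO position (position) VALUES ('Intern'), ('100% Remote'), ('100 Hours Contractor')");

// With % escaped, only the position that literally contains "100%" is matched,
// so exactly one employee row is inserted.
$inserted = insertEmployee($pdo, '8801', 'Ann', 'Lee', '100%', 'ann@example.com');
printf("employee rows inserted for search '100%%': %d\n", $inserted);

// The pattern the original code would have built, '%100%%', also matches
// '100 Hours Contractor', and would have inserted a second employee row.
$count = $pdo->prepare('SELECT COUNT(*) FROM position WHERE position LIKE :p');
$count->execute([':p' => '%100%%']);
printf("positions matched by the unescaped pattern: %d\n", (int) $count->fetchColumn());
```

Run it with the php command-line binary. Checking rowCount() after the INSERT ... SELECT is the practical safeguard the original query lacks: a search that matches no position silently inserts nothing, and one that matches several inserts several employees, so the caller should treat anything other than 1 as an error.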

failed to insert into table (php mysql)

I'm writing an app that checks user status.
I'm using MySQL and I want to have a table named check.
This is my code:
mysqli_report(MYSQLI_REPORT_ALL);
$stmt = $mysqli->prepare("INSERT INTO check VALUES (?,?)");
I get this error:
Uncaught exception 'mysqli_sql_exception' with message 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'check VALUES (?,?)' at line 1'
What am I doing wrong?
Your table name (check) is a reserved word in MySQL.
Surround it in backticks like this:
$mysqli->prepare("INSERT INTO `check` VALUES (?,?)");
check is a reserved word in MySQL. Enclose it in backticks!
Like this:
mysqli_report(MYSQLI_REPORT_ALL);
$stmt = $mysqli->prepare("INSERT INTO `check` VALUES (?,?)");

PHP $mysqli->prepare error with strange syntax when table name is "check" [duplicate]

This question already has an answer here: Syntax error due to using a reserved word as a table or column name in MySQL (1 answer). Closed 8 years ago.
This call fails with an error:
mysqli_report(MYSQLI_REPORT_ALL);
$stmt = $mysqli->prepare("INSERT INTO check VALUES (?,?,?,?,?,?)");
The error I get:
Uncaught exception 'mysqli_sql_exception' with message 'You have an
error in your SQL syntax; check the manual that corresponds to your
MySQL server version for the right syntax to use near 'check VALUES
(?,?,?,?,?,?)' at line 1'
I have a table named "check" with the right number of fields.
If I change the table name to checkSomething it works...
Any idea?
check is a reserved keyword. To use it as a table name, you have to escape it with backticks, like this: `check`:
$stmt = $mysqli->prepare("INSERT INTO `check` VALUES (?,?,?,?,?,?)");
Check is a reserved word in MySQL. You need to either surround it in backticks like this:
$mysqli->prepare("INSERT INTO `check` VALUES (?,?,?,?,?,?)");
Or much better, rename it to something that you don't need to constantly have a special case for.
$mysqli->prepare("INSERT INTO checks VALUES (?,?,?,?,?,?)");

Mysql Database Not inserting value

I am using the following insert command to insert values into my DB table called demo_organization
$sql = "INSERT INTO demo_organization (org_name, abn_acn_no, org_url,city,
state, country, pin, street, primary_mobile,
secondary_mobile, primary_landline,
secondary_landline, primary_email, secondary_email)
VALUES ($org_name, $abn_acn_no, $org_url, $city, $state, $country,
$pin, $street, $primary_mobile, $secondary_mobile,
$primary_landline, $secondary_landline, $primary_email,
$secondary_email)";
$result = mysql_query($sql) or die (mysql_error());
in PHP,
but I am getting an error like:
You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use
near '://loc.com,Melburn,Melburn,Australia,56007,123 park
avenue,+6190567890,+89685552' at line 2
I am completely new to PHP and MySQL; please tell me what I am doing wrong.
You are missing single quotes around the text values:
insert into demo (org_name, abn_acn_no) values ('$org_name', $abn_acn_no);
// assumes that abn_acn_no is numeric.
You also cannot pass an empty variable into the query. If you don't have it, you will need to insert it as , null, rather than as a variable with no value - which would result in , , which SQL won't accept - even if the column accepts null values.
If you will be using MySQL, you need to escape the values: mysql_escape_string($string)
There is a problem with the URL provided in the query; try escaping it and running it again.
Otherwise, MySQL (the mysql extension) is being deprecated; use MySQLi or PDO:
http://php.net/manual/en/book.mysqli.php
http://php.net/manual/en/book.pdo.php
Your code is vulnerable to SQL injection. I'd recommend MySQLi or PDO. But anyway, your values that are strings should be wrapped in single quotes.
$sql = "INSERT INTO demo_organization (org_name, abn_acn_no, org_url,city,
state, country, pin, street, primary_mobile,
secondary_mobile, primary_landline,
secondary_landline, primary_email, secondary_email)
VALUES ('$org_name', '$abn_acn_no', '$org_url', '$city', ...,
'$secondary_email')";
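Quoting every string fixes the syntax error, but it leaves the two other problems the answers mention: an empty optional field still has to become NULL rather than an empty slot in the VALUES list, and the values are still spliced into the SQL. The following is an added example, not code from the answers above, that does both with PDO named placeholders. It assumes PHP 7.4 or newer with PDO and the pdo_sqlite extension: an in-memory SQLite database stands in for MySQL so it runs offline, the column list is the one from the question, and ORG_REQUIRED, orgBindings, insertOrganization and the form data are this example's own.

```php
<?php
declare(strict_types=1);
// Added example, not code from the page. PDO + in-memory SQLite stand in for
// MySQL (assumption); the INSERT statement text is unchanged for MySQL.

const ORG_COLUMNS = [
    'org_name', 'abn_acn_no', 'org_url', 'city', 'state', 'country', 'pin', 'street',
    'primary_mobile', 'secondary_mobile', 'primary_landline', 'secondary_landline',
    'primary_email', 'secondary_email',
];
const ORG_REQUIRED = ['org_name', 'primary_email'];   // assumed; adjust to the real schema

/** Turn submitted form fields into bind values; empty optional fields become NULL. */
function orgBindings(array $form): array
{
    $bind = [];
    foreach (ORG_COLUMNS as $col) {
        $value = isset($form[$col]) ? trim((string) $form[$col]) : '';
        if ($value === '') {
            if (in_array($col, ORG_REQUIRED, true)) {
                throw new InvalidArgumentException("$col is required");
            }
            $value = null;   // bound as SQL NULL: not '' and not a missing value
        }
        $bind[':' . $col] = $value;
    }
    return $bind;
}

/** Insert one organization row from form input; returns the new row id. */
function insertOrganization(PDO $pdo, array $form): int
{
    // Column names are the fixed list above, never form input; values are bound.
    $cols  = implode(', ', ORG_COLUMNS);
    $marks = implode(', ', array_map(fn(string $c): string => ':' . $c, ORG_COLUMNS));
    $stmt  = $pdo->prepare("INSERT INTO demo_organization ($cols) VALUES ($marks)");
    $stmt->execute(orgBindings($form));
    return (int) $pdo->lastInsertId();
}

$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE demo_organization (id INTEGER PRIMARY KEY, '
    . implode(' TEXT, ', ORG_COLUMNS) . ' TEXT)');

// Constructed form submission: the URL from the question, an apostrophe in the
// name, and no secondary contact details at all.
$form = [
    'org_name' => "O'Brien & Co", 'abn_acn_no' => '12345678901', 'org_url' => 'http://loc.com',
    'city' => 'Melburn', 'state' => 'Melburn', 'country' => 'Australia', 'pin' => '56007',
    'street' => '123 park avenue', 'primary_mobile' => '+6190567890', 'primary_email' => 'a@loc.com',
];
$id = insertOrganization($pdo, $form);

$stmt = $pdo->prepare('SELECT org_name, org_url, secondary_mobile FROM demo_organization WHERE id = ?');
$stmt->execute([$id]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
if ($row['org_name'] !== "O'Brien & Co" || $row['org_url'] !== 'http://loc.com') {
    throw new RuntimeException('string values were not stored verbatim');
}
if ($row['secondary_mobile'] !== null) {
    throw new RuntimeException('empty optional field should have been stored as NULL');
}

// A missing required field is caught before any SQL is sent.
try {
    insertOrganization($pdo, ['primary_email' => 'b@loc.com']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Run it with the php command-line binary. The apostrophe in the organization name and the `://` in the URL, which broke the concatenated query, need no escaping at all here because they travel as parameter values, and a PHP null bound through execute() reaches the database as SQL NULL, which is what the answer above means by inserting ", null," for an absent optional field.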

ERROR When trying to insert into MySQL table with PHP

I don't know what's wrong with my syntax, but I'm missing something:
$createrequest = mysql_query("INSERT INTO products_updates_queue (id, kid,
product_version_id, key, ip) VALUES ('$request_id', '$uid', '$version_id',
'$request_key', '$request_ip')");
I receive this error:
"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'key, ip) VALUES ('j4ctveyd0x62', '1', 'z451ah3', 'hqbyu7bhg8za', '64.134.163.2' at line 2"
Can anyone see what I am missing?
I think key is a reserved word, and you should avoid using it as a column name. Try using backticks around it:
$createrequest = mysql_query("INSERT INTO products_updates_queue (id, kid, product_version_id, `key`, ip) VALUES ('$request_id', '$uid', '$version_id', '$request_key', '$request_ip')");
key is a reserved word in MySQL. Avoid it, or wrap it in backticks.
Edit: And I hope you escaped the variables you're putting into that query.
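The questions on this page all hit the same rule: backticks quote an identifier, a placeholder binds a value, and neither can do the other's job. The following is an added example, not code from any of the answers above. It covers the hyphenated column `q3-1` from the first question and the reserved words check and key from the later ones in one statement, and shows the practitioner's caveat the answers only hint at: a table or column name can never be bound, so if it ever comes from outside the code it has to pass an allowlist before being quoted. It assumes PHP 7.4 or newer with PDO and the pdo_sqlite extension: an in-memory SQLite database stands in for MySQL so it runs offline (SQLite accepts the same backtick quoting), and quoteIdentifier, buildInsert and the allowlist are this example's own names.

```php
<?php
declare(strict_types=1);
// Added example, not code from the page. PDO + in-memory SQLite stand in for
// MySQL (assumption); the SQL text is what you would send to MySQL.

/**
 * Backtick-quote an identifier. Placeholders only work for values, never for
 * table or column names, so a name must come from an allowlist, and any
 * embedded backtick is doubled (the MySQL rule for a ` inside `...`).
 */
function quoteIdentifier(string $name, array $allowed): string
{
    if (!in_array($name, $allowed, true)) {
        throw new InvalidArgumentException("identifier not allowlisted: $name");
    }
    return '`' . str_replace('`', '``', $name) . '`';
}

/** Build "INSERT INTO `t` (`a`, `b`) VALUES (?, ?)" with every name quoted. */
function buildInsert(string $table, array $columns, array $allowed): string
{
    $cols  = implode(', ', array_map(fn(string $c): string => quoteIdentifier($c, $allowed), $columns));
    $marks = implode(', ', array_fill(0, count($columns), '?'));
    return 'INSERT INTO ' . quoteIdentifier($table, $allowed) . " ($cols) VALUES ($marks)";
}

$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// For a MySQL DSN also pass PDO::ATTR_EMULATE_PREPARES => false, so the server,
// not the client driver, keeps the statement and its parameters apart.

// A table called `check` with columns `key` and `q3-1`: without the backticks
// both MySQL and SQLite reject this DDL, exactly like the INSERTs in the questions.
$pdo->exec('CREATE TABLE `check` (`q1` TEXT, `key` TEXT, `q3-1` TEXT)');

$allowed = ['check', 'q1', 'key', 'q3-1'];
$sql = buildInsert('check', ['q1', 'key', 'q3-1'], $allowed);
echo $sql, PHP_EOL;

// Constructed form input. Q3 is an injection attempt that would have ended the
// statement in the concatenated version; bound as a value it is stored verbatim.
$post = ['Q1' => 'N', 'Q2' => 'asdfasdf', 'Q3' => "x'); DROP TABLE `check`; --"];
$pdo->prepare($sql)->execute([$post['Q1'], $post['Q2'], $post['Q3']]);

$row = $pdo->query('SELECT `q1`, `key`, `q3-1` FROM `check`')->fetch(PDO::FETCH_ASSOC);
if ($row['q3-1'] !== $post['Q3']) {
    throw new RuntimeException('bound value was not stored verbatim');
}
// The table still exists, so the "DROP TABLE" inside the value never ran.

// A name that is not allowlisted is refused instead of being quoted.
try {
    buildInsert('check', ['q1', 'q1`); DROP TABLE `check`; --'], $allowed);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Run it with the php command-line binary; buildInsert produces INSERT INTO `check` (`q1`, `key`, `q3-1`) VALUES (?, ?, ?). Backticks also cover the rename advice given above: quoting works today, but a name that needs a special case in every query is a good reason to pick another one when the schema is still yours to change.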
