sql query works in phpmyadmin but not with mysql_query - php

I am stuck with this.
Here is the code:
This is how I call the function,
$res = DataManager::agregarPropiedad($_POST);
here is the function that generate the query and send it,
public static function agregarPropiedad($datos){
$sql = "INSERT INTO propiedades (id_propiedad, nombre, tipopropiedad, descripcion, dormitorios, baños, direccion, localidad, provincia, fecha_alta, sup_cubierta, sup_total)
VALUES (null, '" . $datos['nombre'] . "', '" . $datos['tipo'] . "', '" . $datos['descripcion'] . "', '" . $datos['dormitorios'] . "', '" . $datos['baños'] . "', '" . $datos['direccion'] . "', '" . $datos['localidad'] . "', '" . $datos['provincia'] . "', CURRENT_TIMESTAMP, '" . $datos['supcubierta'] . "', '" . $datos['suptotal'] . "')";
//$sql = "insert into prueba values(null,'".$datos['nombre']."')";
echo $sql;
return DataManager::consulta($sql);
}
When I copy the echo$sql and paste in phpMyAdmin works fine, but when I try to send my function is not inserting anything, but I have no errors. mysql_erros() its empty too.
U can see that, there is a commented $sql. I use that just for test with another table which is much simpler and query the function "consulta" which works fine too.
This is maybe the 40 function that insert things in mysql database, but the first with which I have problems, and I don't know why =(
helppppp...


From personal experience, MySQL queries that work when dumped / copied / pasted into PhPMyAdmin that don't work in code are caused by:
autoincrement / unique field issues
unexpected characters in unprocessed form data
duplicate POST values ( like an array )
mismatched field count
encoding / character set issues
It may well be that if you address the second issue the problem might fix itself. In any case at a minimum you should process you POST(ed) data with strip_tags and add_slashes, but for MySQL mysql_real_escape_string() is strongly recommended.
http://php.net/manual/en/function.mysql-real-escape-string.php
http://www.adminsehow.com/2010/03/prevent-mysql-injection-in-php


There is a problem with your quotes inside the VALUES() and its vulnerable.
<?php
public static function agregarPropiedad($datos)
{
$tipo = mysql_real_escape_string($datos['tipo']);
$nomber = mysql_real_escape_string($datos['nombre']);
$dormitorios = mysql_real_escape_string($datos['descripcion']);
$baños = mysql_real_escape_string($datos['baños']);
$direccion = mysql_real_escape_string($datos['direccion']);
$localidad = mysql_real_escape_string($datos['localidad']);
$provincia = mysql_real_escape_string($datos['provincia']);
$supcubierta = mysql_real_escape_string($datos['supcubierta']);
$suptotal = mysql_real_escape_string($datos['suptotal']);
$sql = "INSERT INTO propiedades (id_propiedad, nombre, tipopropiedad, descripcion, dormitorios, baños, direccion, localidad, provincia, fecha_alta, sup_cubierta, sup_total)";
$sql .= "VALUES (null,'$tipo','$nomber ','$dormitorios ','$baños ','$direccion ','$localidad','$provincia ',CURRENT_TIMESTAMP,'$supcubierta','$suptotal')";
if(mysql_query($sql))
{
return TRUE;
}else{ return FALSE; }
}
?>

Related

parsing rss feed in php and dump to sql

found this floating script to dump given feed into sql. however unable to save feed description and images separately in table. below is the part of code which is currently saving some contents but with empty columns.
any help or advise would be appreciated.
$db = mysql_connect($db_hostname,$db_username,$db_password);
if (!$db)
{
die("Could not connect: " . mysql_error());
}
.....snip.............
EDIT#1:
studying simplepie script and its caching. will update should get it resolved tonight.
EDIT#2:
SQL query which was modified to include description and screengrab for the table contents.
CREATE TABLE rss (
............snip........................
enter image description here
EDIT #3:
thx robert for correcting me yes it was a quick copy paste from the original script and havent put correct query init. i had updated sql query and get things fixed however now the moded script needs more juice by retrieving a image link along with the post. i am using xpath to get each post image link however not able to incorporate the respective image with each row dump. both scripts are running perfectly at their individual grounds but i need more help in merging them together.
require_once("./config.php");
.......snip................
EDIT#4:
well it didnt work i mange to updated existing table with another script
i upvoted your answer but havent accepted it as correct answer due to this reason. might i failed to explain properly but my script is working like a charm and just missing some CSS.
thanks though for your help
NOTE: i snip original scripts from the post/

From your screenshot you're missing info inside "item_enclosure" and "item_status" columns, the rest is filled.
Problem is that your query doesn't try to insert those missing entries
$item_insert_sql = "INSERT INTO rssingest(item_id, feed_url, item_title, item_date, item_description, item_url, fetch_date) VALUES ('" . $item_id . "', '" . $feed_url . "', '" . $item_title . "', '" . $item_date . "', '" . $item_description . "', '" . $item_url . "', '" . $fetch_date . "')";
^ Will never insert "item_enclosure" and "item_status" since the 2 columns are not part of the insert query...
You'd need to extract the 2 missing items and modify the insert query to:
$item_insert_sql = "INSERT INTO rssingest(item_id, feed_url, item_title, item_date, item_description, item_url, fetch_date, item_enclosure, item_status) VALUES ('" . $item_id . "', '" . $feed_url . "', '" . $item_title . "', '" . $item_date . "', '" . $item_description . "', '" . $item_url . "', '" . $fetch_date . "', '" . $item_enclosure . "', '" . $item_status . "')";
You'll need to first define:
$item_enclosure
$item_status
Btw the query you pasted in your updated reply is wrong, it should start with "INSERT INTO" not "CREATE TABLE", you're not echoing the right query.
UPDATE:
In your original code there's this line
$has_image = preg_match('/<img.+src=[\'"](?P<src>.+?)[\'"].*>/i', $RSSitem, $image);
So right now if your code finds an image it should be putting it in an array called $image
Try print_r of $image to see in which array item it's stored, I think it will be $image[0][0] or $image[0]
So do the following to define the image URL (I'm guessing it's $image[0][0], but double check just in case):
$img_url = (isset($image)) ? $image[0][0] : "";
Then you'll need to update the insert query (i don't know what column name is used for the image so it's just an example):
$item_insert_sql = "INSERT INTO rssingest(item_id, feed_url, item_title, item_date, item_description, item_url, fetch_date, item_enclosure, item_status, image_column) VALUES ('" . $item_id . "', '" . $feed_url . "', '" . $item_title . "', '" . $item_date . "', '" . $item_description . "', '" . $item_url . "', '" . $fetch_date . "', '" . $item_enclosure . "', '" . $item_status . "', '" . $img_url . "')";

how to insert into multiple fields in same db

I am looking to insert a single selection into a field for multiple users. I have the following code, when the selection is made and submit is entered. I do not get an error, I get the next page with the message posted 5 times, which is how many users are not it the weekpicks table. But nothing is inserted into the DB.
<?
// This code is to use to place info into the MySQL
$sTeam1 = $_POST['sTeam1'];
// (WHERE username FROM authorize WHERE username not in ( SELECT username FROM weekpicks WHERE whatweek='$totalnoOfWeek' )" .
//$nMemberID = (integer) Query
$sql_events = mysql_query("SELECT username FROM authorize WHERE username not in ( SELECT username FROM weekpicks WHERE whatweek='$totalnoOfWeek' )") or die(mysql_error());
while ($row = mysql_fetch_array($sql_events)) {
$username = $row["username"];
("INSERT INTO weekpicks SET " . "username = '" . ($username) . "'," . "date_create = NOW(), " . "whatweek = '" . ($totalnoOfWeek) . "'," . "team = '" . addslashes($sTeam1) . "'" . 'INSERT');
echo "<HTML>
<BODY>
<h2>Your pick of " . ($sTeam1) . ", for week " . ($totalnoOfWeek) . ", has been added.</h2>
<P align=left>Return to main page</p>
</BODY>
</HTML>";
}
?>

You are creating the string for insert but you are not running it.
Fixing your code it'd be:
while ($row = mysql_fetch_array($sql_events)) {
$username = $row["username"];
mysql_query("INSERT INTO weekpicks SET " . "username = '" . ($username) . "'," . "date_create = NOW(), " . "whatweek = '" . ($totalnoOfWeek) . "'," . "team = '" . addslashes($sTeam1) . "'");
//echo ...
}
Fixing the string syntax you could do this, which looks nicer. Also using mysql_real_escape_string() instead of addslashes(), since addslashes is not as safe as mysql's native function for php.
$sTeam1 = mysql_real_escape_string($sTeam1);
mysql_query("INSERT INTO weekpicks SET username = '$username', date_create = NOW(), whatweek = '$totalnoOfWeek', team = '$sTeam1');
Another thing I must tell you:
Stop using mysql_*, use mysqli_* instead.
mysql_ was removed from PHP7 and deprecated after PHP 5.5
It's not as safe as mysqli_, so consider improving your code to the new model.
Follow this guide in order to change your code properly.

I can't check if the SQL Query return a result

I'm trying to check if my SQL query returned a result, and if everything is working well..
I'm doing that to validate one INSERT Query.
$insert = "INSERT INTO offers (status, description logo) VALUES
'" . safe($add['status'][$key]) . "',
'" . safe($add['description'][$key]) . "',
'" . safe($add['logo'][$key]) . "')";
$send = db_query($insert, '+');
The db_query($insert, '+') comes from a switch statement that i created, to not repeat the same thing over and over again:
case '+':
while ($resultset = mysql_fetch_row($q)) {
$val[] = $resultset[0];
}
break;
To validate my Query, i use this:
if(!$send){
echo 'something went wrong';
} else {
echo 'everything is ok';
}
But it show me the same message "everything is ok", even when i put something wrong on my Query:
$insert = "INSET INTO offers (statOs, description logo) VALUES
'" . safe($add['status'][$key]) . "',
'" . safe($add['description'][$key]) . "',
'" . safe($add['logo'][$key]) . "')";
How can i fix that?

An INSERT statement doesn't return rows. You can check, how many rows were affected.
You can use
$rows = mysql_affected_rows();
See PHP manual, mysql_affected_rows() and please look at the red box and stop using the old mysql_* functions. Consider moving to mysqli or PDO.

Insert into mysql and php using array

I have part of the code below:
while($array = $result->fetch_assoc() ){
$second_query = "INSERT INTO".TBL_USERSDONTPAY."VALUES ($array[\"username\"], $array[\"password\"], '0',$array[\"userid|\"], )";
$second_result = $database->query($second_query);
}
The query doesn't seem to work. Any clues? I think it's a problem with the quotes or something. How can actually pass array elements?
here is my whole code i want to move one row to another table
$q = "SELECT * FROM ".TBL_USERS." WHERE username = '$subuser'";
$result = $database->query($q);
if($result && $result->num_rows == 1){
while($array = $result->fetch_assoc() ){
$second_query = "INSERT INTO" . TBL_USERSDONTPAY . "VALUES ('" . $array['username'] . "', '" . $array['password'] . "', '0', '" . $array['userid'] ."')";
$second_result = $database->query($second_query);
if($second_result){
// it worked!
$q = "DELETE FROM ".TBL_USERS." WHERE username = '$subuser'";
$database->query($q);
}
}
}

You need to clean that query up and remove the final comma.
$second_query = "INSERT INTO " . TBL_USERSDONTPAY . " VALUES ('" . $array['username'] . "', '" . $array['password'] . "', '0', '" . $array['userid'] . "')";

I see several issues with your query code
escaping of the array indexes in your string:
you can either end the string and concatenate the parts together:
$second_query = "INSERT INTO " . TBL_USERSDONTPAY .
" VALUES ('" . $array['username'] . "', '" . $array['password'] . "', '0', '" . $array['userid'] . "')";
or use the {$var} syntax:
$second_query = "INSERT INTO " . TBL_USERSDONTPAY .
" VALUES ('{$array['username']}', '{$array['password']}', '0', '{$array['userid']}')";
missing spaces (see example code above .. you were missing the spaces before and after the table name)
missing field names. your query may work without if you specify all fields in the right order, but will fail misteriously when you alter the table later (e.g. add a field to the table)
$second_query = "INSERT INTO " . TBL_USERSDONTPAY .
" (username, password, foo, user_id)".
" VALUES ('{$array['username']}', '{$array['password']}', '0', '{$array['userid']}')";
please note you should actually insert the correct field names in the second line of my example above. You can find more information on this in the MySQL docs for INSERT

hacking an INSERT query to become a mysql UPDATE query

I am a MySQL noob and basically hacking an insert query to become an update query instead. So I am sure it's something simple with the grammar. But what's wrong with this?
// Save data
$mySQLQuery = 'update `'. $fl['mysql_table']. '` SET '. $fl['mysql_query']. "' WHERE speres = '" . mysql_real_escape_string($_POST['speres']);
$rs = #mysql_query($mySQLQuery);
the original INSERT query (working) was
// Save data
$mySQLQuery = 'INSERT INTO `'. $fl['mysql_table']. '` SET '. $fl['mysql_query'];
$rs = #mysql_query($mySQLQuery);
The data is generated here:
$fl['mysql_query'] = "menrecin = '" . mysql_real_escape_string(YDFLValue($_SESSION['form']['item_17'])) . "', menrecvej = '" . mysql_real_escape_string(YDFLValue($_SESSION['form']['item_18'])) . "', menrecser = '" . mysql_real_escape_string(YDFLValue($_SESSION['form']['item_19'])) . "', menrecud = '" . mysql_real_escape_string(YDFLValue($_SESSION['form']['item_20'])) . "', menresmor = '" . mysql_real_escape_string(YDFLValue($_SESSION['form']['item_22'])) . "', menresfro = '" . mysql_real_escape_string(YDFLValue($_SESSION['form']['item_23'])) . "', menresmid = '" . mysql_real_escape_string(YDFLValue($_SESSION['form']['item_24'])) . "', menresres = '" . mysql_real_escape_string(YDFLValue($_SESSION['form']['item_25'])) . "', menrumind = '" . mysql_real_escape_string(YDFLValue($_SESSION['form']['item_28'])) . "', menrumren = '" . mysql_real_escape_string(YDFLValue($_SESSION['form']['item_29'])) . "', menrumved = '" . mysql_real_escape_string(YDFLValue($_SESSION['form']['item_30'])) . "', tekip = '" . $_SERVER['REMOTE_ADDR'] . "', tekbro = '" . $_SERVER['HTTP_USER_AGENT'] . "', tektid = NOW()";
I have an entry with speres = 100525 in the database, so please try:
http://www.konferencer.nu/form/index.php?speres=100525

Good practices of troubleshooting dynamic SQL:
Look at the SQL, not the code that builds the SQL. In other words, echo out $mySQLQuery to see the final SQL, and most of the time you can see the error right away.
Don't suppress errors. Error-checking is helpful and necessary in any code.
It looks to me like your query ends up being:
update `tablename` SET ..., tektid = NOW()' WHERE speres = '...;
So you have a spurious quote after the NOW() and a missing quote at the end.
If you had checked for errors, you'd get something like this:
ERROR 1064 (42000): You have an error in your SQL syntax;
check the manual that corresponds to your MySQL server version for
the right syntax to use near '' WHERE speres = '...' at line 1

The quoting around the start of the WHERE clause looks odd:
UPDATE `...some table...` SET ...some query... 'WHERE speres = ' ... some criterion ...
Note the single quote placement. Maybe you want to remove the single quotes from inside the double quotes?

you query should look like
$mySQLQuery = 'update'. $fl['mysql_table'].'SET'. $fl['mysql_query'].'= <some value>' ' WHERE speres = '.mysql_real_escape_string($_POST['speres']);
$rs = #mysql_query($mySQLQuery);

Categories