I used `` for the column name, though I'm getting an error...
My code is:
$sql = "INSERT INTO order(`pcode`) VALUES ('$pcode')";
if(!mysql_query($sql,$con))
die('cant connect ' .mysql_error());
Order is a reserved word for the "ORDER BY" clause
Try:
"INSERT INTO `order`(pcode) VALUES ('$pcode')";
Note: Please ensure $pcode is being run through mysql_real_escape_string, or better yet look into the PDO extension and their prepared queries
if order is your table name and pcode is your column name then you can use this:
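// Escape the value before it is placed inside the quoted string literal.
$sql = sprintf("INSERT INTO `order` (pcode) VALUES('%s')", mysql_real_escape_string($pcode));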
So, I have this code that results in a syntax error. Can you please help me figure out what the problem is?
$query = mysql_query("INSERT INTO tablename (column)
VALUES('".$php_var."') WHERE cat = $php_var2") or die(mysql_error());
You can't use a WHERE clause with INSERT. If you want to insert, then the query will be -
"INSERT INTO tablename (column) VALUES('".$php_var."')"
Or if it is update then -
"UPDATE tablename SET column = '".$php_var."' WHERE cat = '" . $php_var2 . "'"
Try to avoid mysql. Use mysqli or PDO
You can't do INSERT with WHERE clause unless it's WHERE NOT EXISTS, so just do:
$query = mysql_query("INSERT INTO tablename (column) VALUES('$php_var')");
Maybe you needed to do UPDATE
$query = mysql_query("UPDATE tablename SET column='$php_var' WHERE cat = '$php_var2' ");
INSERT INTO syntax can't accept a WHERE.
The correct syntax is:
INSERT INTO table_name
VALUES(...);
Or, if you prefer not to insert in all the table columns:
INSERT INTO table_name(column_name1, column_name2, ...)
VALUES(column1_value, column2_value, ...);
As a side note, in your request you don't insert your PHP variable, but some text.
Hi, I have a table full of company names; the problem I am having is that it is full of duplicates.
To resolve this I am using the following piece of code to remove the data from one table and then insert it into another using DISTINCT.
When I run the code, I keep getting the following error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's Group Holdings Ltd')' at line 4
If I remove the company name variable it inserts all of the IP addresses fine, but as soon as I try to insert a company name I get the above error.
$query = "SELECT DISTINCT ip_address, company_name, FROM companydetail1";
$result = mysql_query($query) or die(mysql_error());
while($row = mysql_fetch_array($result)){
$ip_address = $row['ip_address'];
$company_name = $row['company_name'] ;
mysql_real_escape_string($company_name);
mysql_real_escape_string($ip_address);
mysql_query("INSERT INTO companydetail30 (ip_address, company_name) VALUES ('$ip_address', '$company_name') ") or die(mysql_error());
}
Any suggestions would be appreciated.
Thanks
Not only does your code not work in its current state, it is also vulnerable to SQL injection because you are using mysql_real_escape_string incorrectly.
The mysql_real_escape_string function gives back the escaped string as its return value, so you need to assign it back to the variable to save the escaped string:
$company_name = mysql_real_escape_string($company_name);
$ip_address = mysql_real_escape_string($ip_address);
In your query with DISTINCT there is an error:
$query = "SELECT DISTINCT ip_address, company_name, FROM companydetail1";
There is a "," after company_name; it should not be there.
The query should be like this:
$query = "SELECT DISTINCT ip_address, company_name FROM companydetail1";
Secondly you should do like this.
$company_name = mysql_real_escape_string($company_name);
$ip_address = mysql_real_escape_string($ip_address);
I'm trying to turn this:
"SELECT username FROM $table WHERE username='$newName'"
Into this:
"SELECT $column FROM $table WHERE $column='$newName'"
But when I use or die() on it, I get an error saying that there is incorrect syntax near WHERE username='someNameHere'. What is the correct way to substitute the column name, assuming that's what's wrong?
Edit: Code is just this. The values should be correct as I don't see any misspellings in the error.
$sql = "SELECT $column FROM $table WHERE $column='$newName'";
$result = mysql_query($sql) or die( mysql_error());
Make your query like this
$sql = "SELECT ".$column." FROM ".$table." WHERE ".$column."='".$newName."'";
BTW this is code vulnerable to SQL injection. You should check the variables before using them in the query. Also, you should start using mysqli and prepared statements.
"SELECT ".$column." FROM ".$table." WHERE ".$column."=".$newName;
Check to see if that works for you.
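Added example, not part of the answers above: placeholders can carry values but not table or column names, so one way to "check the variables" is to accept identifiers only from a fixed allow-list and bind the value. The users table, the ALLOWED list and the findByColumn() helper are hypothetical, and in-memory SQLite stands in for MySQL.

```php
<?php
// Added example: in-memory SQLite stands in for MySQL (assumption).
// The "users" table and the contents of ALLOWED are hypothetical.
const ALLOWED = [
    'users' => ['username', 'email'],
];

function findByColumn(PDO $pdo, string $table, string $column, string $value): array
{
    // Identifiers cannot be bound as parameters, so accept only known names.
    $columns = ALLOWED[$table] ?? null;
    if ($columns === null || !in_array($column, $columns, true)) {
        throw new InvalidArgumentException("Unknown table or column: $table.$column");
    }
    // Both names now match entries in ALLOWED, so interpolating them is safe.
    $stmt = $pdo->prepare("SELECT `$column` FROM `$table` WHERE `$column` = :value");
    $stmt->execute([':value' => $value]); // the value is bound, never concatenated
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT, email TEXT)');
// Constructed sample rows.
$pdo->exec("INSERT INTO users VALUES ('alice', 'alice@example.test')");
$pdo->exec("INSERT INTO users VALUES ('O''Brien', 'obrien@example.test')");

// A value containing an apostrophe is matched as plain data.
print_r(findByColumn($pdo, 'users', 'username', "O'Brien"));

// A column name that is not on the allow-list never reaches the database.
try {
    findByColumn($pdo, 'users', 'unknown_col', 'alice');
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```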
I have this query:
$FullName = mysql_real_escape_string($_REQUEST['name']);
$EmailAdd = mysql_real_escape_string($_REQUEST['email_address']);
$City = mysql_real_escape_string($_REQUEST['city']);
$State = mysql_real_escape_string($_REQUEST['state']);
$SqlEInsert= "INSERT INTO `td_email` VALUES ((SELECT ownerid FROM 'td_events' where event_id = '$EvID'),'$EmailAdd','$FullName', '$City' ,'$State')";
$RsEmail = mysql_query($SqlEInsert) or die('Error :' . mysql_error());
but I'm getting the following error when I run the application
Error :You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''td_events' where event_id = '394'),'email#hotmail.com','Full Name', 'Atl' at line 1
You don't need ' for the table name; when you want to use quotes, then you have to use `
$SqlEInsert= "INSERT INTO td_email VALUES ((SELECT ownerid FROM td_events WHERE event_id = '$EvID'),'$EmailAdd','$FullName', '$City' ,'$State')";
And please take a look at SQL Injections and Security
$SqlEInsert= "INSERT INTO td_email VALUES ((SELECT ownerid FROM td_events WHERE event_id = '".(int)$EvID."'),'".mysql_real_escape_string($EmailAdd)."','".mysql_real_escape_string($FullName)."', '".mysql_real_escape_string($City)."' ,'".mysql_real_escape_string($State)."')";
The td_event is a field name rather than a value. Escape it with an apostrophe.
$SqlEInsert= "INSERT INTO `td_email` VALUES ((SELECT ownerid FROM `td_events` where event_id = '$EvID'),'$EmailAdd','$FullName', '$City' ,'$State')";
Make sure your values are escaped. You can run them through: mysql_real_escape_string() to do so.
$con = mysql_connect("localhost","root","");
if (!$con) die('Could not connect: ' . mysql_error());
mysql_select_db("pilot", $con);
$sql = "INSERT INTO logs (id, userid, date, plane, from, to, blocksoff, takeoff,
landing, blockson, flighttime, traveltime, tachobefore, tachoafter, tacho,
hobbsbefore, hobbsafter, hobbs, landings) VALUES ('$nfid', '$nfuserid',
'$nfdate', '$nfplane', '$nffrom', '$nfto', '$nfblocksoff', '$nftakeoff',
'$nflanding', '$nfblockson', '$nfflighttime', '$nftraveltime', '$nftachobefore',
'$nftachoafter', '$nftacho', '$nfhobbsbefore', '$nfhobbsafter', '$nfhobbs',
'$nflandings')";
mysql_query($sql);
There ain't nothing wrong with the $sql, it seems like it just won't query.. :(
id|userid=int(11)
date=date
plane|from|to=text
blocksoff|takeoff|landing|blockson=time
flighttime|traveltime|tachobefore|tachoafter|tacho|hobbsbefore|hobbsafter|hobbs|landings=double
all of the $ variables come from a textbox (if it matters)
Maybe some of the column names are MySQL reserved words (especially from and to). Please escape them.
INSERT INTO logs (`id`, userid, date, plane, `from`, `to` ...)
You should always be checking for errors:
$result = mysql_query($sql);
if (!$result) {
die('Invalid query: ' . mysql_error());
}
Kind of an open ended question....
Are any of your variables returning NULL values? If you are trying to insert NULL into the database, and the database column isn't set to accept NULL values, that could be causing an error.
You need to see what the query is actually doing. If you have any single quotes or other invalid character from the textbox, that could be screwing you up.
Also, for your own personal improvement, look up PDO. It helps you write much more secure queries through the use of prepared statements.
http://net.tutsplus.com/tutorials/php/why-you-should-be-using-phps-pdo-for-database-access/
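Added example, not part of the answers above: it combines the advice from this thread (quote reserved column names, always check for errors, use PDO) and applies equally to the reserved table name order in the first question. It assumes an in-memory SQLite database in place of MySQL, a reduced version of the logs table, constructed form input, and a hypothetical insertLog() helper.

```php
<?php
// Added example: in-memory SQLite stands in for MySQL (assumption). It accepts
// MySQL-style backtick quoting and also treats FROM as a reserved keyword.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // failures throw

// Reduced version of the question's table; reserved names are backtick-quoted.
$pdo->exec('CREATE TABLE logs (id INTEGER, userid INTEGER, date TEXT,
            plane TEXT, `from` TEXT, `to` TEXT, landings REAL)');

// Constructed form input, as it might arrive from the text boxes.
$form = ['id' => '1', 'userid' => '7', 'date' => '2013-05-01',
         'plane' => "O'Hare trainer", 'from' => 'EDDF', 'to' => 'EDDM', 'landings' => ''];

// $columnList is a literal written by the developer, never user input.
function insertLog(PDO $pdo, string $columnList, array $form): string
{
    try {
        $stmt = $pdo->prepare("INSERT INTO logs ($columnList)
            VALUES (:id, :userid, :date, :plane, :from, :to, :landings)");
        foreach ($form as $name => $value) {
            if ($value === '') {
                // An empty text box is stored as NULL instead of an empty string.
                $stmt->bindValue(":$name", null, PDO::PARAM_NULL);
            } else {
                $stmt->bindValue(":$name", $value);
            }
        }
        $stmt->execute();
        return 'ok';
    } catch (PDOException $e) {
        // Log the detail server-side; show end users a generic message.
        return 'failed: ' . $e->getMessage();
    }
}

// Unquoted reserved words: the statement is rejected and the error is visible.
echo insertLog($pdo, 'id, userid, date, plane, from, to, landings', $form), PHP_EOL;
// Quoted reserved words: the same statement is accepted.
echo insertLog($pdo, 'id, userid, date, plane, `from`, `to`, landings', $form), PHP_EOL;
```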