I am creating an app in PHP
in which I am getting an error on this line #
$sql="INSERT INTO table ( `rollnum`,'sessionid', `class`, `subject`, `theory`, `practical`, `type_of`, `term`) VALUES ('$students['rollnum']', '$session','$class','$subject['id']','$_REQUEST[$subject['id'].'_'.$students['rollnum'].'_th']','$_REQUEST[$subject['id'].'_'.$students['rollnum'].'_pr']', '$examtype', '$examsubtype')";
I don't know what's wrong with this line.
I even checked on an online platform. They said the same, that there is an error on line # (above).
Can anyone help me with this?
Thanks
You likely need to surround the variables in a double-quoted string with braces.
$string = "I want to use {$variable1} and {$variable['thisKey']}";
Or the following, which is a little faster to run:
$string = 'I want to use ' . $variable1 . ' and ' . $variable['thisKey'];
So that should solve your immediate problem; however, your query is very open to an injection, which can be very bad, especially if you're using $_REQUEST right in your query string. I'd recommend looking into preparing your query statements before running them and ensuring all the dangerous stuff is escaped.
I answered another question that includes a safe way of doing a query over here with this answer
If your PHP environment had had these settings: display_errors = On; error_reporting = E_ALL, you would have seen:
PHP Parse error: syntax error, unexpected '' (T_ENCAPSED_AND_WHITESPACE), expecting identifier (T_STRING) or variable (T_VARIABLE) or number (T_NUM_STRING)
Like in this example:
$array['value'] = 'test';
echo "$array['value']";
It should be like that:
echo "".$array['value']."";
echo "{$array['value']}";
Anyway, you can use numeric keys:
$array[0] = 'test';
echo "$array[0]";
You need to surround your variable names with braces inside the string:
$sql="INSERT INTO stdexamrecord ( `rollnum`, `sessionid`, `class`, `subject`, `theory`, `practical`, `type_of`, `term`) VALUES (
'${students['rollnum']}',
'$session',
'$class',
'${subject['id']}',
'" . $_REQUEST[ $subject['id'] . '_' . $students['rollnum'] . '_th'] . "',
'" . $_REQUEST[ $subject['id'] . '_' . $students['rollnum'] . '_pr'] . "',
'$examtype',
'$examsubtype')";
Try using Dreamweaver or NetBeans; that might help you find the error in the correct place.
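The prepared-statement approach recommended in the answers above, applied to this INSERT. This is an added example, not code from any of the posts: the table and column names follow the question, while the SQLite in-memory database, the `saveMarks` function, the `$request` array standing in for `$_REQUEST`, and all sample values are constructed for illustration.

```php
<?php
// Added example (not from the original posts); all sample data is constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE stdexamrecord (rollnum TEXT, sessionid TEXT, class TEXT,
    subject TEXT, theory TEXT, practical TEXT, type_of TEXT, term TEXT)');

// Constructed stand-ins for the variables used in the question.
$session = '2014'; $class = '10'; $examtype = 'final'; $examsubtype = 'term1';
$subject  = ['id' => '7'];
$students = ['rollnum' => '42'];
// Simulated form input; the practical mark contains an embedded quote that
// would change the statement if it were concatenated into the SQL text.
$request = [
    '7_42_th' => '55',
    '7_42_pr' => "12', '99",
];

function saveMarks(PDO $pdo, array $request, array $subject, array $students,
                   string $session, string $class,
                   string $examtype, string $examsubtype): void
{
    // Build the form-field names outside the SQL string: no nested quoting.
    $prefix    = $subject['id'] . '_' . $students['rollnum'];
    $theory    = $request[$prefix . '_th'] ?? '';
    $practical = $request[$prefix . '_pr'] ?? '';

    // The SQL text is constant; values travel separately as bound parameters.
    $stmt = $pdo->prepare(
        'INSERT INTO stdexamrecord
            (rollnum, sessionid, class, subject, theory, practical, type_of, term)
         VALUES (?, ?, ?, ?, ?, ?, ?, ?)'
    );
    $stmt->execute([$students['rollnum'], $session, $class, $subject['id'],
                    $theory, $practical, $examtype, $examsubtype]);
}

saveMarks($pdo, $request, $subject, $students,
          $session, $class, $examtype, $examsubtype);

// The value with the embedded quote is stored verbatim as data.
$row = $pdo->query('SELECT theory, practical FROM stdexamrecord')
           ->fetch(PDO::FETCH_ASSOC);
var_dump($row);
```

Because the statement text never contains the request values, the parse error from nested quotes and the injection risk both disappear in one change.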
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'SET =test WHERE =test' at line 1] in EXECUTE("UPDATE SET =test WHERE =test")
$sql = 'UPDATE ' . $this->recipientDbTable . ' SET ' . $this->recipientDbColumn['result_id'] . '=' . 'test' . ' WHERE ' . $this->recipientDbColumn . '=' . 'test';
It looks like $this->recipientDbColumn['result_id'] is null or empty. Look at your error log with error_reporting(E_ALL), it may have an Undefined index error.
Also, echo out the actual SQL query and post it here, it should be obvious what the problem is.
Also, use prepared statements.
$this->recipientDbColumn['result_id'] and $this->recipientDbColumn, as the error suggests, return an empty string.
... right syntax to use near 'SET =test WHERE =test' at line 1] in EXECUTE("UPDATE SET =test WHERE =test")
As you can see, the call returned an empty string. Check the code for where you missed it!
According to the error, it seems that your $this->recipientDbTable and other variables don't contain the values.
Try
echo $this->recipientDbColumn;
Check if it prints the values
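A way to catch the empty table and column names before the query is built, while keeping the values as placeholders for a prepared statement. This is an added example, not code from the posts: the `ALLOWED_IDENTIFIERS` list, the `recipients` table, the `$columns` map and both functions are hypothetical stand-ins for `$this->recipientDbTable` and `$this->recipientDbColumn`.

```php
<?php
// Added example (not from the original posts). All names are hypothetical.
const ALLOWED_IDENTIFIERS = ['recipients', 'result_id', 'recipient_id'];

function quoteIdentifier(?string $name): string
{
    // An empty or unknown name is what produced "UPDATE SET =test WHERE =test";
    // fail here instead of sending broken SQL to the server.
    if ($name === null || !in_array($name, ALLOWED_IDENTIFIERS, true)) {
        throw new InvalidArgumentException(
            'Unknown SQL identifier: ' . var_export($name, true)
        );
    }
    return '`' . $name . '`';
}

function buildUpdate(?string $table, ?string $setColumn, ?string $whereColumn): string
{
    // Identifiers cannot be bound as parameters, so they are checked against
    // the allowlist; the values stay as ? placeholders for prepare()/execute().
    return sprintf(
        'UPDATE %s SET %s = ? WHERE %s = ?',
        quoteIdentifier($table),
        quoteIdentifier($setColumn),
        quoteIdentifier($whereColumn)
    );
}

// Constructed column map standing in for $this->recipientDbColumn.
$columns = ['result_id' => 'result_id', 'recipient_id' => 'recipient_id'];
echo buildUpdate('recipients', $columns['result_id'], $columns['recipient_id']), "\n";

try {
    // A missing array key, as the answers suspect, is caught before any query runs.
    echo buildUpdate('recipients', $columns['resultId'] ?? null, $columns['recipient_id']), "\n";
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```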
I'm having a hard time figuring out what's wrong in this code. I tried many variations but am still getting an error on this line:
$query= "INSERT INTO publish (name, email, title, content)" .
"VALUES ('$row['Name']','$row['Email']',$row['title'],$row['content'])";
What could be wrong?
Here's the rest of the code:
<?php
// connect to the database
include('config2.php');
// check if the 'id' variable is set in URL, and check that it is valid
if (isset($_GET['id']) && is_numeric($_GET['id']))
{
    // get id value
    $id = $_GET['id'];
    $dbc = mysqli_connect('localhost', 'x', 'x', 'x')
        or die('Error');
    $name = $row['Name'];
    $email = $row['Email'];
    $title = $row['title'];
    $content = $row['content'];
    $result = mysql_query("select *stories WHERE id=$id")
        or die(mysql_error());
    $row = mysql_fetch_array( $result );
    $query= "INSERT INTO publish (name, email, title, content)" .
        "VALUES ('$row['Name']','$row['Email']',$row['title'],$row['content'])";
        or die('Error querying database.');
    mysqli_close($dbc);
}
?>
Error message: "parse error expecting identifier (t_string) ' or variable (t_variable) ' or number (t_num_string) '"
You probably want to use complex string syntax to properly interpolate those variables. For example:
$query= "INSERT INTO publish (name, email, title, content)" .
"VALUES ('{$row['Name']}','{$row['Email']}',{$row['title']},{$row['content']})";
Though that will only fix one of the issues with the code.
Do note there are plenty of other ways to resolve this one too, such as concatenation instead of interpolation, or string replacements, etc etc.
It might also be worth reading the documentation on strings at some point.
You forgot the "." between your variables and your strings. Like so:
$query= "INSERT INTO publish (name, email, title, content)" .
"VALUES (".$row['Name'].','.$row['Email'].','.$row['title'].','.$row['content'].")";
However, it looks like you may have some additional issues going on there with the actual SQL query.
The best practice in PHP is to use single quote ' for strings. Cos PHP looks for variables inside double quoted strings and keeps on sniffing whether there is a variable (or multiple variables) inside the string.
So for example: "A very very long string... $var1 .. long string .. $var2 string" this will run slower compared to 'A very very long string... ' . $var1 . ' .. long string .. ' . $var2 . ' string'; cos when PHP sees single quote it won't sniff for variables inside it thus it's faster.
From my experience, in my early age I worked on a very large php script and used double quotes everywhere. After the above explanation from an expert I converted the whole script to single quote and the performance was much better.
So for your situation I'd suggest and request to use single quotes and it'll avoid confusions as well. Also using mysql_real_escape_string() is a good practice to avoid SQL Injection.
$query= 'INSERT INTO publish (name, email, title, content)
VALUES (
\'' . mysql_real_escape_string ($row['Name']) . '\',
\'' . mysql_real_escape_string ($row['Email']) . '\',
\'' . mysql_real_escape_string ($row['title']) . '\',
\'' . mysql_real_escape_string ($row['content']) . '\')';
I'm writing a generic function that will take a large number of fields from $_POST and build an SQL insert into a table. In this case, I have a number of Undefined indexes and from reading other posts on SO, I am using a ternary to test if the variable exists. This works perfectly when I use it in interactive php, especially since there are no $_POST variables defined.
But when I use it in my form, I seem to get an extra quote and a few returns but I cannot see where they are coming from. I've beaten about this in different ways but am hoping someone can help me see what I'm not seeing.
function SaveDonation($form) {
    try {
        $querystr = "INSERT INTO GeneralDonations(donationForm, firstName, startYear)"
            . "VALUES(" . "'" . $form . "', "
            . ((!isset($_POST['firstName']))
                ? "'', " : ("'" . mysql_real_escape_string($_POST['firstName'])."', "))
            . ((isset($_POST['startDate']))
                ? ("'" . mysql_real_escape_string($_POST['startDate'])."' ") : "'' ")
            .")";
        echo "<pre>query = "; var_dump($querystr);die;
        $donation = $this->db->insertRow($querystr);
        $result = true;
    } catch(MysqlException $e) {
        $result = false;
        $this->errorMsg = $e->getMessage();
    }
    return $result;
}
The startDate is the undefined index value. This is the browser output using var_dump. It appears that the x-debug output is showing instead of the variable. But all table, no useful data? Please help me see what's different here?
string 'INSERT INTO GeneralDonations(
donationForm, firstName, startYear)VALUES('buy-a-foot', 's',
'<br />\r\n<font size=\'1\'><table class=\'xdebug-error xe-notice\'
dir=\'ltr\' border=\'1\' cellspacing=\'0\' cellpadding=\'1\'>\r\n
<tr><th align=\'left\' bgcolor=\'#f57900\' colspan=' )' (length=284)
Your code has some problems:
Please use prepared statements (see below)!
The error message (which is not entirely shown) would continue with "Undefined index firstName", since there's one ! too many in (!isset($_POST['firstName'])).
The error message is incomplete because your xdebug shortens var_dump output. You can change this behaviour with the settings xdebug.overload_var_dump and xdebug.var_display_max_data. See xdebug documentation.
If you can't use prepared statements, consider using some sprintf() construction to improve readability.
// Prepared statements (untested)
$stmt = $db->prepare("
    INSERT INTO GeneralDonations(donationForm, firstName, startYear)
    VALUES (?, ?, ?)");
$stmt->execute(array(
    $form,
    isset($_POST['firstName']) ? $_POST['firstName'] : '',
    isset($_POST['startDate']) ? $_POST['startDate'] : ''
));
What would be the proper way to concatenate this query?
$query2= "SELECT * FROM relationships WHERE user_1= '.$_SESSION['user_id'].'
AND user_2= '.$user_id.' ";
I keep getting this error:
Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING in C:\xampp\htdocs\beta\profile.php on line 32
What would be the proper way to concatenate this query?
To let your SQL library/client/server do it for you (while escaping special characters for free). Trying to build code by mashing strings together is relatively error prone and involves fiddly combinations of various quote characters that can become hard to maintain.
Use prepared statements and bound arguments instead.
You have an incorrect nesting of single and double quotes.
$query2= "SELECT * FROM relationships WHERE user_1= '" . $_SESSION['user_id'] . "' AND user_2= '" . $user_id . "'";
Either:
$query2 = "SELECT * FROM relationships WHERE user_1='" . $_SESSION['user_id'] . "'AND user_2='" . $user_id . "'";
Or:
$query2 = "SELECT * FROM relationships WHERE user_1='${_SESSION['user_id']}' AND user_2='$user_id'";
fixes your syntax error. However, forming queries through concatenation is a bad idea. At the very least, you should mysql_realescapestring all the arguments, if not move to using PDO.
define("QUERY","INSERT INTO rft_media_invention . " " (dbInventionFileType, dbStaffId, dbInventionFileName, dbInventionFileContent)" . "VALUES (?, ?, ?, ?)");
It's always giving me this error:
Parse error: syntax error, unexpected T_CONSTANT_ENCAPSED_STRING in p3t\phpappfolder\public_php\cw\UC213.php on line 20
Does anyone know if my query is fully correct?
Syntax errors:
define("QUERY","INSERT INTO rft_media_invention . " " (dbIn etc...
^^^^^
should probably be
define("QUERY","INSERT INTO rft_media_invention " . " (dbIn etc...
which also begs the question of why you're concatenating the strings to begin with.
It looks like you need to transpose the first period and the quote that follows it:
...rft_media_invention . " "
should be
...rft_media_invention " . "
Try this: Your comma after rtf_media_invention should go after the double quotes, not before.
define("QUERY","INSERT INTO rft_media_invention " . "(dbInventionFileType, dbStaffId, dbInventionFileName, dbInventionFileContent)" . " VALUES (?, ?, ?, ?)");