SQL syntax error, don't know why [closed] - php

This question is unlikely to help any future visitors; it is only relevant to a small geographic area, a specific moment in time, or an extraordinarily narrow situation that is not generally applicable to the worldwide audience of the internet. For help making this question more broadly applicable, visit the help center.
Closed 10 years ago.
I'm trying to run a PHP script, but I keep getting this error whenever I run it.
Error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''id', 'firstname', 'lastname', 'email', 'username', 'password', 'hash', 'active'' at line 1
PHP:
<?php
require('includes/connect.php');
if($_POST['submit'] == true) {
$firstname = mysql_real_escape_string($_POST['firstname']);
$lastname = mysql_real_escape_string($_POST['lastname']);
$email = mysql_real_escape_string($_POST['email']);
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
$hash = mysql_real_escape_string(md5(uniqid(rand(), true)));
$active = mysql_real_escape_string(0);
$query = mysql_query(" INSERT INTO users_main ( 'id', 'firstname', 'lastname', 'email', 'username', 'password', 'hash', 'active' ) VALUES ( '', '" . $firstname . "', '" . $lastname . "', '" . $email . "', '" . $username . "', '" . $password . "', '" . $hash . "', '" . $active . "' ) ") or die(mysql_error());
} else {
}
?>

Don't quote column names with single quotes. MySQL uses backticks for quoting column and table identifiers.
Some special keywords need to be quoted with backticks if used as an identifier, but you have not used any of those. None of your columns require quoting.
$query = mysql_query(" INSERT INTO users_main ( id, firstname, lastname, email, username, password, hash, active ) VALUES ( '', '" . $firstname . "', '" . $lastname . "', '" . $email . "', '" . $username . "', '" . $password . "', '" . $hash . "', '" . $active . "' ) ") or die(mysql_error());

Related

Sql - How to update a column for all rows?

$sql = "UPDATE debtorsmaster SET name='" . $_POST['CustName'] . "',
address1='" . $_POST['Address1'] . "',
address2='" . $_POST['Address2'] . "',
address3='" . $_POST['Address3'] . "',
How to change this to update to all rows
Because you're not adding a WHERE statement all the rows will be updated. As noted in the above comments you have a trailing , which causes the query to be invalid.
Also it's advised to use prepared statements to prevent SQL Injection.
$statement = $db->prepare("UPDATE `debtorsmaster` SET `name`=?, `address1`=?, `address2`=?, `address3`=?");
$statement->bind_param("ssss", $customerName, $address1, $address2, $address3);
$customerName = $_POST['CustName'];
$address1 = $_POST['Address1'];
$address2 = $_POST['Address2'];
$address3 = $_POST['Address3'];
$statement->execute();
EDIT: Above example is based on mysqli.

I can't Insert row to database using php [duplicate]

This question already has an answer here:
Syntax error due to using a reserved word as a table or column name in MySQL
(1 answer)
Closed 6 years ago.
I am trying to save a row to the database, but I always get an error.
My code is:
function save_activation_key($connection, $username, $key) {
$date = time();
$is_used = 0;
$query = "INSERT INTO account_activation_key ( key, date, is_used)
VALUES ( '" . $username . "',"
. " '" . $date . "',"
. " '" . $is_used . "')";
$retval = mysql_query($query, $connection);
echo $retval;
$retval = mysql_query( $query, $connection );
if(! $retval )
{
die('Could not enter data: ' . mysql_error());
}
}
In $connection is valid connection to database.
Database structure:
id : int
key: varchar(45)
date: date
is_used: tinyint(1)
When I call my code I get error:
Could not enter data: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'key, date, is_used) VALUES ( 'uzivatelsky_jmeno', '1459971829', '0')' at line 1
Where is the problem?
Thanks for the help
key is a MYSQL reserved word and should not really be used as column names.
MYSQL Reserved Words List can be found here https://dev.mysql.com/doc/refman/5.7/en/keywords.html
However if you wrap these column names in backticks you can get away with it.
You can also simplify your query string concatenation like the following, which makes it a lot easier to debug.
function save_activation_key($connection, $username, $key) {
$date = time();
$is_used = 0;
$query = "INSERT INTO `account_activation_key`
( `key`, `date`, `is_used`)
VALUES ( '$username', '$date', '$is_used')";
$retval = mysql_query($query, $connection);
echo $retval;
$retval = mysql_query( $query, $connection );
if(! $retval )
{
die('Could not enter data: ' . mysql_error());
}
}
BIG NOTE
Please don't use the mysql_ database extension; it is deprecated (gone forever in PHP7), which means this code will never run when all that is available is PHP7 or greater.
Especially if you are just learning PHP, spend your energies learning the PDO or mysqli_ database extensions,
and here is some help to decide which to use
Probably your query contains an error at the place where you are giving an integer as a string, like your string
'" . $username . "',"
. " '" . $date . "',"
. " '" . $is_used . "'
should be :
'" . $username . "',"." . $date . ","." . $is_used . "
The integers shouldn't be in single quotes " ' ".
Probably this is the mistake!

MySQL PASSWORD () doesn't work with SELECT statement

The password function in MySQL works fine for me when inserting and updating, such as here:
$query_insert = "INSERT INTO `account`(`Gender`, `Birth_date`, `Name`, `UserName`, `Password`, `Email`, `Type`) VALUES ('" . $gender . "' , '" . $birthdate . "' , '" . $name . "' , '" . $username . "' , password('" . $password . "') , '" . $email . "' , 'Member' ) ";
It inserts the hashed password correctly,
but when I try to retrieve it in the login code it doesn't work!
mysqli_query($con, "SELECT * FROM account where UserName = '" . $username . "' AND password = password('" . $password . "') ");
I tried to use
mysqli_set_charset($con, 'utf8');
but the result is the same.
I even tried to use it in phpMyAdmin as a select query, and got the same error!
UPDATE
I used MD5()
and it worked for me!
As documented under PASSWORD():
Note
The PASSWORD() function is used by the authentication system in MySQL Server; you should not use it in your own applications. For that purpose, consider MD5() or SHA2() instead. Also see RFC 2195, section 2 (Challenge-Response Authentication Mechanism (CRAM)), for more information about handling passwords and authentication securely in your applications.
Also, if you're rolling your own authentication system (which I'd strongly discourage), you really should read both The definitive guide to form based website authentication and Secure hash and salt for PHP passwords.
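Added example, not part of the answer above or of any post on this page: storing and checking a password with PHP's password_hash() and password_verify() through prepared statements, rather than calling PASSWORD() or MD5() inside the query. The same pattern applies to the users_main INSERT in the first question. An in-memory SQLite database through PDO stands in for MySQL so the script runs offline; the reduced account table and the sample user are constructed for illustration.

```php
<?php
// Added example. SQLite in memory stands in for MySQL (assumption, so the
// script runs offline); the table layout and sample values are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE account (
    id INTEGER PRIMARY KEY,
    UserName TEXT UNIQUE NOT NULL,
    Password TEXT NOT NULL,
    Email TEXT NOT NULL
)');

function register(PDO $db, string $username, string $password, string $email): void
{
    // password_hash() adds a per-user salt and uses a slow algorithm. The hash
    // is computed in PHP, so the cleartext password never appears in SQL.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare(
        'INSERT INTO account (UserName, Password, Email) VALUES (?, ?, ?)'
    );
    $stmt->execute([$username, $hash, $email]);
}

function login(PDO $db, string $username, string $password): bool
{
    // Fetch the row by user name only. A salted hash differs on every call,
    // so it cannot be matched with "AND Password = ..." in the WHERE clause.
    $stmt = $db->prepare('SELECT id, Password FROM account WHERE UserName = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['Password'])) {
        return false;
    }
    // Re-hash transparently when the default algorithm or cost changes.
    if (password_needs_rehash($row['Password'], PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE account SET Password = ? WHERE id = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $row['id']]);
    }
    return true;
}

// A quote inside bound data cannot unbalance the statement.
register($db, "O'Brien", "it's a long passphrase", 'obrien@example.test');
var_dump(login($db, "O'Brien", "it's a long passphrase"));
var_dump(login($db, "O'Brien", 'wrong guess'));
```

With MySQL, only the PDO DSN and the CREATE TABLE statement change; the Password column needs room for the full hash string (VARCHAR(255) is the size the PHP manual suggests).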

Date field outputs during update 0000-00-00 [closed]

Closed. This question is not reproducible or was caused by typos. It is not currently accepting answers.
This question was caused by a typo or a problem that can no longer be reproduced. While similar questions may be on-topic here, this one was resolved in a way less likely to help future readers.
Closed 8 years ago.
I have a problem updating data in the database: I'm getting 0000-00-00. In the input field I'm entering the date as "2010-08-10". For insert it works correctly, but not for update.
Inserting works properly for dates like that as well; for update these dates don't work.
Here are both queries:
$rec_query = mysql_query ("INSERT INTO `" . $tb_best_ps . "` (id, name, date, author, www, image) VALUES ('','" . mysql_escape_string ($_POST ["name"]) . "','" . $_POST ["date"] . "','" . mysql_escape_string ($_POST ["author"]) . "','" . mysql_escape_string ($_POST ["www"]) . "','" . mysql_escape_string ($_POST ["image"]) . "')");
$query1 = mysql_query ("UPDATE `" . $tb_best_ps . "`
SET `name` = '" . mysql_escape_string ($_POST ["name"]) . "',
`date` = " . $_POST ["date"] . ",
`author` = '" . mysql_escape_string ($_POST ["author"]) . "',
`www` = '" . mysql_escape_string ($_POST ["www"]) . "',
`image` = '" . mysql_escape_string ($_POST ["image"]) . "'
WHERE `id` = '" . $_POST ["edit"] . "'");
Output when I'm using echo on update query:
UPDATE `swt_best_ps` SET `name` = 'Best Paper Award at ADAPTIVE 2014 for Paper XYZ', `date` = 2010-08-10, `author` = 'David Bowie', `www` = 'http://thinkmind.org/', `image` = 'http://randomweb.com/iaria2014.png' WHERE `id` = '1'
You didn't quote your dates, so if you're getting something like 2014-04-08 in your $_POST value, you're actually doing
... date = 2014-04-08 ...
which will be seen as a math operation: two subtractions, and you end up doing
... date = 2002 ...
Since you haven't quoted your dates, nor escaped them, you're both inserting bad data, and vulnerable to SQL injection attacks. ANY external data going into a query string MUST be properly escaped and quoted.
The query building line should be
"`date` = '" . mysql_real_escape_string($_POST['date']) . "'"
          ^---note the added quote                         ^---note the added quote
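Added example, not part of the answer above: the same UPDATE with the date validated before use and every value bound as a parameter, so an unquoted 2010-08-10 can never reach the server as arithmetic. The helper names (parse_date, update_award), the table allowlist and the in-memory SQLite database standing in for MySQL are assumptions made for this illustration.

```php
<?php
// Added example. SQLite in memory stands in for MySQL (assumption, so the
// script runs offline); table contents and inputs are constructed.
const ALLOWED_TABLES = ['swt_best_ps'];    // tables this script may touch

function parse_date(string $input): ?string
{
    // '!' resets unparsed fields. The round trip through format() rejects
    // values such as 2010-02-31, 2010-8-10 or anything with trailing text.
    $d = DateTime::createFromFormat('!Y-m-d', $input);
    return ($d !== false && $d->format('Y-m-d') === $input) ? $input : null;
}

function update_award(PDO $db, string $table, array $post): bool
{
    // Identifiers cannot be bound as parameters, so the table name is checked
    // against a fixed list before it is placed between backticks.
    if (!in_array($table, ALLOWED_TABLES, true)) {
        throw new InvalidArgumentException('unknown table');
    }
    $date = parse_date($post['date'] ?? '');
    $id = filter_var($post['edit'] ?? null, FILTER_VALIDATE_INT);
    if ($date === null || $id === false) {
        return false;                       // reject instead of storing 0000-00-00
    }
    $stmt = $db->prepare(
        "UPDATE `$table` SET `name` = :name, `date` = :date WHERE `id` = :id"
    );
    $stmt->execute([':name' => $post['name'] ?? '', ':date' => $date, ':id' => $id]);
    return $stmt->rowCount() === 1;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE swt_best_ps (id INTEGER PRIMARY KEY, name TEXT, date TEXT)');
$db->exec("INSERT INTO swt_best_ps (id, name, date) VALUES (1, 'old', '2009-01-01')");

// Constructed form input: one valid date, one carrying extra text.
$ok  = ['name' => 'Best Paper Award', 'date' => '2010-08-10', 'edit' => '1'];
$bad = ['name' => 'x', 'date' => '2010-08-10 - 1', 'edit' => '1'];
var_dump(update_award($db, 'swt_best_ps', $ok));
var_dump(update_award($db, 'swt_best_ps', $bad));
var_dump($db->query('SELECT date FROM swt_best_ps WHERE id = 1')->fetchColumn());
```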

SQL Syntax Error Integers [closed]

Closed 9 years ago.
I'm trying to have a form that writes to a MySQL database using PHP and HTML. After submitting the form I get the error
MySQL error: You have an error in your SQL syntax; check the manual
that corresponds to your MySQL server version for the right syntax to
use near '', '1', '1362154007', '127.0.0.1'' at line 2
The code to the submission php file is
<?php
require 'connection.php';
$ip = $_SERVER['REMOTE_ADDR'];
$sql="INSERT INTO entries (summoner, role, level, time, ip)
VALUES ('" . mysql_real_escape_string($_POST['summoner']) . "', " . mysql_real_escape_string($_POST['role']) . "', '" . intval($_POST['level']) . "', '" . time() . "', '" . $ip . "'";
if (!mysql_query($sql)) die("MySQL error: " . mysql_error());
echo "1 record added";
?>
and the code to line two is
<?php
$con = mysql_connect("localhost", "ratchet132", "password", "lookingforq") or die(mysql_error());
mysql_select_db("lookingforq", $con) or die(mysql_error());
header("Content-Type: text/html; charset=utf-8");
mysql_set_charset("utf8");
mb_internal_encoding("UTF-8");
?>
The error only occurs with integers that are not submitted by the HTML form (although the level is submitted by it, but it seems to be due to the same reason as the others, not the form). I'm thinking this is probably an error with how I have my MySQL table set up, but I can't figure out what I've done wrong. Any help would be awesome.
There is an extra single quote in your integer value,
VALUES ('" . mysql_real_escape_string($_POST['summoner']) . "', " . mysql_real_escape_string($_POST['role']) . "', '" . intval($_POST['level']) . "', '" . time() . "', '" . $ip . "'";
^ HERE
My suggestion is to store the values in variables first so it is easy to debug the code, e.g.
$summoner = mysql_real_escape_string($_POST['summoner']);
$role = mysql_real_escape_string($_POST['role']);
$intV = intval($_POST['level']);
$sTime = time();
$ip = $_SERVER['REMOTE_ADDR'];
$sql="INSERT INTO entries (summoner, role, level, time, ip)
VALUES ('$summoner', '$role', $intV, $sTime, '$ip')";
Use the PDO or MySQLi extension so you can parameterize the query. The link below talks about SQL Injection, but it also shows the usage of the PDO and MySQLi extensions.
How to prevent SQL injection in PHP?
Why do you wrap the int value in quotes?
'" . intval($_POST['level']) . "'
You're missing a '. Try:
$sql="INSERT INTO entries (summoner, role, level, time, ip)
VALUES ('" . mysql_real_escape_string($_POST['summoner']) . "', '" . mysql_real_escape_string($_POST['role']) . "', '" . intval($_POST['level']) . "', " . time() . ", '" . $ip . "')";
