This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 5 years ago.
Maybe a silly question, but I'm really struggling.
I've created a MySQL Database and Table and am trying to push data into it. The data in question is a unique ID and a load of Javascript.
Code is simple:
$sql = "INSERT INTO TableName (id, code)
VALUES ('$uniqueid', '$codeoutput')";
However, whilst I can get the ID in there, I can't get the DB to accept the Javascript (which is currently stored in the variable $codeoutput.
I get the error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax
I'm not that familiar with using MySQL, and I have played around with different data types in PhpMyAdmin, but sadly still no luck.
What am I doing wrong? Do I need to have a very specific setup on the column where I'm storing the code? I'm currently trying to store it as medium text.
Is it something to do with needing to escape special characters? Is there an easy solution to this?
simplest way to do it is
$sql = "INSERT INTO TableName ($uniqueid) VALUES ('id')";
$sql2 = "INSERT INTO TableName ($codeoutput) VALUES ('code')";
This question already has answers here:
How to deal with SQL column names that look like SQL keywords?
(17 answers)
Syntax error due to using a reserved word as a table or column name in MySQL
(1 answer)
Closed 6 years ago.
update cometchat set read='1' where id='18'
SQL Error 156:Incorrect syntax near the keyword 'read'.
Can you guys help me how do I do that?
Read is a reserved word. You need to escape it.
Also, if the values are integers, you should not use the single quotes around them.
If It's Sql Server (and it is, based on the error message), you need to use square brackets:
update cometchat set [read]=1 where id=18
In MySql, your query should look like this:
update cometchat set `read`=1 where id=18
You shouldn't put quotes around int values in your query as it converts them to type string.
Should I quote numbers in SQL?
UPDATE cometchat SET `read`=1 WHERE id=18
**Edit:
You're also using a reserved keyword, and need to escape it, see:
https://dev.mysql.com/doc/refman/5.5/en/keywords.html
Seriously...
UPDATE cometchat SET `read`=1...
"read" is a restricted keyword. It needs to be quoted.
I am using prepared statements to process incoming post data, clean the array, and insert into a MySQL database.
Here is the SQL statement just before it is submitted:
INSERT INTO LoggedCarts (Bill-Address1,Bill-Address2,Bill-City,Bill-Company,Bill-Country,Bill-Email,Bill-Firstname,Bill-Lastname,Bill-Name,Bill-Phone,Bill-State,Bill-Zip,Card-Expiry,Card-Name,Card-Number,Comments,Date,ID,IP,Item-Code-1,Item-Count,Item-Description-1,Item-Id-1,Item-Quantity-1,Item-Taxable-1,Item-Thumb-1,Item-Unit-Price-1,Item-Url-1,Numeric-Time,Ship-Address1,Ship-Address2,Ship-City,Ship-Company,Ship-Country,Ship-Email,Ship-Firstname,Ship-Lastname,Ship-Name,Ship-Phone,Ship-State,Ship-Zip,Shipping,Space-Id,Store-Id,Store-Name,Tax-Charge,Total) VALUES ("Pineapple Highway","","Orange","","US United States","casedilla#hotmail.com","Bob","Dole","Bob Dole","9075554509","CA","97056","","Check","NumberTemporarilyUnavailable","","Tue Dec 10 16:55:11 2013 GMT","yhst-130408242826480-485","50.78.241.193","TERRALUX-TT-5","1","Terralux TT-5 LED Tactical Flashlight 650 Lumens Uses 2 x CR123 or 1 x 18650","terralux-tt-5","3","YES","","112.49","http://www.batteryjunction.com/terralux-tt-5.html","1386694511","Pineapple Highway","","Orange","","US United States","casedilla#hotmail.com","Bob","Dole","Bob Dole","9075554509","CA","97056","Air (3-5 days)","","yhst-130408242826480","BatteryJunction.com","0.00","337.47")
Question is, what is wrong with the syntax? The same code is also used for a different table that holds abandoned carts and it writes fine.
Note: As has been pointed out below, the use of hyphens in column names is frowned on, as it requires special preparation prior to submitting the query. In this instance, I am matching the column names to the incoming post data key array. I could have gone through and cleaned the key array, removing the hyphens, which would have been an alternative solution.
All in all, as suggested below, the correct solution to the question of why this SQL statement is failing is the use of special characters(hyphen) in the column name, resulting in the required use of a backtick around the column name(backtick = ` where as apostrophe = ') allowing the column name to be read unbroken.
Observing where the break occurred by testing the original statement in PHPMyAdmin:
#1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-Address1,Bill-Address2,Bill-City,Bill-Company,Bill-Country,Bill-Email,Bill-Firs' at line 1
did give a clue as to why the statement was failing.
Thanks for the help guys!
You need to escape column names with special characters with backticks. - is a special character. Use
INSERT INTO LoggedCarts (`Bill-Address1`, ...
If those field names really include minus signs, then they need to be enclosed in backticks:
`Bill-Address1`
Try inserting string values with single quotes instead.
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Syntax error due to using a reserved word as a table or column name in MySQL
(1 answer)
Closed 8 years ago.
I have this following sql code:
$sql = "INSERT INTO data (Artist, Name) VALUES ('TF2', 'you're right behind me')";
The code itself looks normal but for some reason mysql doesn't want to allow me to save it. I get the following error:
"#1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 're right behind me')' at line 1"
What I know the problem is because of the word "right" being reserved in mysql but I need to save it so how should my code look like. All help is appreciated
As #Fred and #JunM have already commented, you have two issues. The first is that Name is a reserved word. The second is that you have a single quote inside your single quoted string. Change your SQL to this:
$sql = "INSERT INTO data (`Artist`, `Name`) VALUES ('TF2', 'you\'re right behind me')";
Your problem is because you have an ' in the work you're. So your string is terminating to early in your sentence. Use you\'re instead to escape the character '
$sql = "INSERT INTO data ('Artist', 'Name') VALUES ('TF2', 'you\'re right behind me')";
My experience with MySQL is limited, but I use SQL Server extensively. To me it seems that the problem is in the apostrophy used in the "you're right behind me". In SQL server, I'd have to use a double apostrophy, so the sql instruction would be something like this (notice the double apostrophy in the you''re):
$sql = "INSERT INTO data (Artist, Name) VALUES ('TF2', 'you''re right behind me')";
Hope this helps.
Regards
This question already has an answer here:
Syntax error due to using a reserved word as a table or column name in MySQL
(1 answer)
Closed 8 years ago.
I have tried so many different soloutions but cannot get this to work
Here is my code:
$to = $_POST['to'];
$query = "SELECT to FROM to WHERE to='$to' "
$result = mysql_query($query) or die(mysql_error());
while ($row = mysql_fetch_array($result)){
I get a whole load of different errors every time i modify it. At the moment I'm getting
You have an error in your SQL syntax near to='Name'
When I modify it to fix this I get
mysql_fetch_array() not valid
It seems when using variables it messes up
can anyone help?
Thanks!
to is a reserved word in mySQL.
You would have to wrap each mention of the table or column name into backticks
SELECT `to` from `to`
but it would be vastly better to use a different name.
To is a Reserved keyword try escaping it by using "``" symbol
Check this Link
Reserved Keywords MYSQL
Consider changing the names of your field and table (Edit: Definitely change the names or at least escape them.) Also, all you are doing is selecting the variable you already have.