I want to insert a few certain values from a php file, to my MySQL database, using a query.
I use the following code snippet:
mysql_query("INSERT INTO `text` VALUES ('', '$user_id', '$text', '"$categories"')");
but I get an error saying the following:
Parse error: syntax error, unexpected T_VARIABLE in
C:\xampp\htdocs\Project\Func\idea.func.php on line 10
Does anyone know what I'm doing wrong?
I have stated both variables, earlier, by making them into real escape strings. My MySQL table structure is as follows:
idea_id (auto)
user_id
text
categories
timestamp
You need to use string concatenation:
mysql_query("INSERT INTO `text` VALUES ('', '$user_id', '$text', '" . $categories . "')");
or get rid of the double quotes surrounding $categories:
mysql_query("INSERT INTO `text` VALUES ('', '$user_id', '$text', '$categories')");
I would prefer
mysql_query(sprintf(
"INSERT INTO `text` VALUES ('', '%s', '%s', '%s')",
mysql_real_escape_string($user_id),
mysql_real_escape_string($text),
mysql_real_escape_string($categories))
);
Change '"$categories"')") to '" . $categories . "')".
You need to put fullstops between the variables to tell PHP that you want to concatenate (join) all of it together as a string.
The point is very important in this case: it serves to separate the two variables. If there is no point, an error is returned.
I am having an error and I am not able to identify the problem. I will really appreciate help.
$sql = "INSERT INTO scrapeddata (Id,Store, ImageURL, ShortDescription, CashPercentage, ShoppingPoints, LongDescription, Contact, Information)
VALUES ($ID, $name, $ImageUrl, $ShortDecription, $CashBack, $SallingPoints, $LongtDecription, $Contact, $Information)";
Structure of my Table is :
Update :
The following image illustrates the actual error: the PHP variable is resolved dynamically to retrieve the string, but within the string it contains single quotes ('). According to me, these quotes are causing the error. Help!
Put quotations on string variables.
And escape all your variables before inserting them in the query.
mysql-escape-string
$name = mysql_escape_string($name);
$sql = "INSERT INTO scrapeddata (Id,Store, ImageURL, ShortDescription, CashPercentage, ShoppingPoints, LongDescription, Contact, Information)
VALUES ('$ID', '$name', '$ImageUrl', '$ShortDecription', '$CashBack', '$SallingPoints', '$LongtDecription', '$Contact', '$Information')";
$bzSendMail = mysqli_query($Connection, "INSERT INTO messages_inbox (from, towho, subject, text, rcvdat) VALUES ('$MyID', '$SenderID', '$subject', '$text' ,'$sentat')");
I'm trying to make this query work, but it keeps showing me the following error!
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'from, towho, subject, text, rcvdat) VALUES ('1', '2', 'd', 'd' ,'2014-09-07 17:0' at line 1
Anyone can help me?
You are using FROM as a column name in your table. You can use '' to specify the column name, but it is always better not to use that kind of name for your columns.
$bzSendMail = mysqli_query($Connection, "INSERT INTO messages_inbox (`from`, `towho`, `subject`, `text`, `rcvdat`) VALUES ('$MyID', '$SenderID', '$subject', '$text' ,'$sentat')");
From is a keyword in MySQL. Use backward quotes to skip this, as follows:
$bzSendMail = mysqli_query($Connection, "INSERT INTO messages_inbox (`from`, `towho`, `subject`, `text`, `rcvdat`) VALUES ('$MyID', '$SenderID', '$subject', '$text' ,'$sentat')");
from is a reserved word in SQL. Put backticks around it.
I need a little help with this, I am trying to insert some data into a MYSQL table which includes the now values for date & time for orders.
Code:
$query= "INSERT INTO ordertable
VALUES ('".$listauthor."','".$ordernumber.",'"NOW()"','"NOW()"')";
Error:
Parse error: syntax error, unexpected T_STRING in C:\xampp\htdocs\createbasket.php on line 15
How can I fix this?
Remove the quotes from around NOW() ... it's a MySQL function ... not a string.
You don't want to encapsulate NOW() with quotes. You'd need to do:
$query= "INSERT INTO ordertable
VALUES ('".$listauthor."','".$ordernumber."',NOW(),NOW())";
$query= "INSERT INTO ordertable VALUES ('".$listauthor."','".$ordernumber.",'"NOW()"','"NOW()"')";
Shouldn't be quotes around NOW
$query = "INSERT INTO ordertable VALUES ('".$listauthor."','".$ordernumber."', NOW(), NOW())";
NOW() is a MySQL function, so you don't need to put it inside single/double quotes. When you put it inside quotes, it will treat it as a variable. Just write it as follows:
$query= "INSERT INTO ordertable VALUES ('".$listauthor."','".$ordernumber."',NOW(),NOW())";
There's gotta be something small I keep missing here, but I can't find it for the life of me.
$insert = mysql_query("INSERT INTO USERS
(`FBID`, `FIRST_NAME`, `LAST_NAME`, `GENDER`)
VALUES ('$fbid', '$firstName', '$lastName', '$gender')");
The error is:
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1' at line 1
Any ideas?
Your variables are not correctly escaped. Use mysql_real_escape_string and code like this:
$insert = mysql_query("INSERT INTO USERS (`FBID`, `FIRST_NAME`, `LAST_NAME`, `GENDER`)
VALUES (
'".mysql_real_escape_string($fbid)."',
'".mysql_real_escape_string($firstName)."',
'".mysql_real_escape_string($lastName)."',
'".mysql_real_escape_string($gender)."'
)");
If the variables contain any quotes, they create the problem if you don't properly escape them.
Do any of your names contain single quotes?
Try writing out the value of the query to log/console/debug to ensure that it's what you expect.
Try wrapping your variables in {}.
'{$fbid}', '{$firstName}', '{$lastName}', '{$gender}'
Otherwise you are going to have to use string concatenation.
'".$fbid."','".$firstName."','"...
I'm assuming your variables already contain properly escaped data.
Try doing it like this:
$sql = <<<EOL
INSERT INTO USERS (`FBID`, `FIRST_NAME`, `LAST_NAME`, `GENDER`)
VALUES ('$fbid', '$firstName', '$lastName', '$gender')
EOL;
$stmt = mysql_query($sql) or die("MySQL error: " . mysql_error());
This will preserve the query for you in $sql so you can echo it out elsewhere and see what was actually produced.
I have this query running in my PHP script:
$insertQuery = "INSERT INTO blog_articles
VALUES '$title', $tags', '$category', '$blog', '$author', '$date'";
I then run this script:
if ($result = $connector->query($insertQuery)){
// It worked, give confirmation
echo '<center><b>Article added to the database</b></center><br>';
}else{
// It hasn't worked so stop. Better error handling code would be good here!
die (mysql_error());
}
}
I get this error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Title Number 1, General, Blogging, Kayaking, General, Tgis is blog number spelli' at line 2
But I cannot tell what the error is.
You have a single quote missing before $tags.
Your query should be more like this
INSERT INTO blog_articles (`title`, `tags`, `category`, `blog`, `author`, `date`)
VALUES ('$title', '$tags', '$category', '$blog', '$author', '$date')
You should also look into sanitizing your query. Perhaps this way (but I don't know your exact setup, so results might vary):
$sql = sprintf("INSERT INTO blog_articles (`title`, `tags`, `category`,
`blog`, `author`, `date`) VALUES ('%s', '%s', '%s', '%s', '%s', '%s')",
mysql_real_escape_string($title), mysql_real_escape_string($tags),
mysql_real_escape_string($category), mysql_real_escape_string($blog),
mysql_real_escape_string($author), mysql_real_escape_string($date));
This uses the sprintf() function; the PHP documentation has some great examples.
You need to add the names of the fields you are inserting to
INSERT INTO blog_articles (`title`, `tags`, `category`, `blog`, `author`, `date`) VALUES ('$title', '$tags', '$category', '$blog', '$author', '$date')
Also you should add some code to escape double or single quote in your text that could break the SQL query.
use the PHP function mysql_real_escape_string()
mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.
For more details:
http://uk.php.net/mysql_real_escape_string
As aknock says, you are missing a ' before $tags.
However, you really need to be using mysql_escape_string to protect against SQL injection attacks. Using mysql_escape_string for your SQL query parameters is a good habit to get into.
Using a DB wrapper like PEAR can make escaping parameters much less painful. Your code above could be written like:
$insertQuery = "INSERT INTO blog_articles
(`title`, `tags`, `category`, `blog`, `author`, `date`)
VALUES (?, ?, ?, ?, ?, ?)";
$data = array($title, $tags, $category, $blog, $author, $date);
if ($result = $connector->query($insertQuery, $data)) {
// It worked, give confirmation
echo '<center><b>Article added to the database</b></center><br>';
}else{
// It hasn't worked so stop. Better error handling code would be good here!
die (mysql_error());
}
(assuming $connector is a PEAR DB object)
Explicitly giving the names and order of the columns that you're inserting makes your code much more maintainable and readable. If you change the database schema later, you will be protected from inserting values into the wrong column, or into columns that don't exist any more.
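The single-quote failure from the scrapeddata question and the placeholder approach from the PEAR answer, side by side, as an added example that is not code from any of the posts. It assumes PHP's PDO with the SQLite driver so that it runs without a server (with MySQL only the DSN changes); the reduced three-column table and the sample values are constructed.

```php
<?php
// Added example, not code from the posts above. Assumes the PDO SQLite driver
// so it runs without a server; for MySQL only the DSN passed to PDO changes.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE blog_articles (title TEXT, tags TEXT, author TEXT)');

// Constructed sample input: a title that contains a single quote.
$title  = "Kayaker's first trip";
$tags   = 'kayaking';
$author = 'demo';

// 1) Interpolating raw values: the quote inside $title ends the SQL string
//    literal early, so the statement no longer parses (the same mechanism
//    is what makes interpolated queries open to SQL injection).
function insertInterpolated(PDO $pdo, string $title, string $tags, string $author): string
{
    $sql = "INSERT INTO blog_articles (title, tags, author)
            VALUES ('$title', '$tags', '$author')";
    try {
        $pdo->exec($sql);
        return 'interpolated: ok';
    } catch (PDOException $e) {
        return 'interpolated: failed: ' . $e->getMessage();
    }
}

// 2) Prepared statement: the SQL text is fixed and the values travel
//    separately as bound parameters, so quotes in the data are never
//    interpreted as SQL and no manual escaping is needed.
function insertPrepared(PDO $pdo, string $title, string $tags, string $author): int
{
    $stmt = $pdo->prepare(
        'INSERT INTO blog_articles (title, tags, author)
         VALUES (:title, :tags, :author)'
    );
    $stmt->execute([':title' => $title, ':tags' => $tags, ':author' => $author]);
    return $stmt->rowCount(); // number of rows inserted
}

echo insertInterpolated($pdo, $title, $tags, $author), PHP_EOL;
echo 'prepared: rows inserted = ', insertPrepared($pdo, $title, $tags, $author), PHP_EOL;
echo 'stored title: ', $pdo->query('SELECT title FROM blog_articles')->fetchColumn(), PHP_EOL;
```

Only values can be bound this way; identifiers such as the reserved word `from` and SQL functions such as NOW() still belong in the statement text itself.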