PHP Wrong Parameters - php

I'm trying to make a registration page but PHP is telling me that I have the wrong parameters, which doesn't make sense unless I need to add a parameter for the auto-incremental primary ID key.
Here's my SQL query call:
mysql_query("INSERT INTO Users (username, password, fname, lname, email) VALUES ('%s', '%s', '%s', '%s, '%s')",
mysql_real_escape_string($username),
mysql_real_escape_string($password),
mysql_real_escape_string($first),
mysql_real_escape_string($last),
mysql_real_escape_string($email)) or die(mysql_error());
It gives me the wrong parameter count on the last line in this code block. Any ideas? I copied and pasted the row-names straight from my database.
My table is as follows:
id - int(11) - auto-incrementing
username - varchar(20)
password - varchar(20)
fname - varchar(35)
lname - varchar(35)
email - varchar(254)

You have formatted the SQL query as a sprintf() call, but don't call sprintf():
mysql_query(sprintf("INSERT INTO Users (username, password, fname, lname, email) VALUES ('%s', '%s', '%s', '%s', '%s')",
mysql_real_escape_string($username),
mysql_real_escape_string($password),
mysql_real_escape_string($first),
mysql_real_escape_string($last),
mysql_real_escape_string($email))) or die(mysql_error());
// also note some parentheses out of place ^^^^^^^^^^^^^^^^^^^^^^^^

It's PHP that's telling you off about parameters, not MySQL.
You've tried to use mysql_query like sprintf, which it is not. mysql_query accepts an optional database resource identifier, and the query string. Two parameters. That is all.
If you do want to use sprintf, then go for it:
mysql_query(
sprintf(
"INSERT INTO Users (username, password, fname, lname, email) VALUES ('%s', '%s', '%s', '%s', '%s')",
mysql_real_escape_string($username),
mysql_real_escape_string($password),
mysql_real_escape_string($first),
mysql_real_escape_string($last),
mysql_real_escape_string($email)
)
) or die(mysql_error());
But remember that the first argument to mysql_query is just a string. No magic.

mysql_query(
sprintf("INSERT INTO Users (username, password, fname, lname, email) VALUES ('%s', '%s', '%s', '%s', '%s')",
mysql_real_escape_string($username),
mysql_real_escape_string($password),
mysql_real_escape_string($first),
mysql_real_escape_string($last),
mysql_real_escape_string($email)))
or die(mysql_error()); // sprintf builds the final query string from the given format, and the "or die" statement is outside the mysql_query function call.

Related

SQL syntax error MariaDB server version for the right syntax to use near ('$fname', '$lname')

require('config.php');
$sql = sprintf(
"INSERT INTO users (fname,lname,email,contact,pwd,isTeacher ) VALUES ('%s', '%s', '%s', '%s', '%s', '%s')",
$conn->real_escape_string($fname),
$conn->real_escape_string($lname),
$conn->real_escape_string($email),
$conn->real_escape_string($contact),
$conn->real_escape_string($pwd),
$isTeacher );
$conn->query($sql);
// $sql = "INSERT INTO users (fname, lname, email, contact, pwd, isTeacher) VALUES ('$fname, '$lname', '$email', '$contact, '$pwd', '$isTeacher')";
// $conn->query($sql);
if($conn=='true') { echo "Registered successfully";}
else{ echo "Issue entereing data" . $conn->error; }
}
I am trying to add data in the users table. If I add data using sprintf, it works and adds just fine, but when I add using the commented-out syntax, it says check MariaDB syntax to use near '$fname'. What am I doing wrong in the second syntax? Why do I have to use sprintf always?

PHP and SQLite Connection Issue

I'm trying to insert into an SQLite database file using PHP. I have an existing database file that I can verify is working with SQLite Database Browser. This is the error I get:
Warning: sqlite_query() [function.sqlite-query]: no such table: players in
C:\wamp\www\espnapi\getPlayers.php on line 17
if ($db = sqlite_open("nhl.db", 0666, $sqliteerror)) {
$sql = sprintf("INSERT INTO players (url, team, number, firstname,
lastname, position)
VALUES ('%s', '%s', '%s', '%s', '%s', '%s')", $aTempPlyr[0],
$aTempPlyr[1], $aTempPlyr[2], $aTempPlyr[3], $aTempPlyr[4], $aTempPlyr[5]);
sqlite_query($db, $sql);
}

PHP, MySQL error: Column count doesn't match value count at row 1

I'm getting this error:
Column count doesn't match value count at row 1
From the following code:
$name = $_GET['name'];
$description = $_GET['description'];
$shortDescription = $_GET['shortDescription'];
$ingredients = $_GET['ingredients'];
$method = $_GET['method'];
//$image = $_GET['image'];
$username = $_GET['username'];
$length = $_GET['length'];
$dateAdded = uk_date();
$conn = mysql_connect('localhost', 'dbname', 'pass');
mysql_select_db('dbname');
$query = sprintf("INSERT INTO dbname (id, Name, Description, shortDescription, Ingredients, Method, Length, dateAdded, Username) VALUES ('', '%s', '%s', '%s', '%s', '%s', '%s', '%s')",
mysql_real_escape_string($name),
mysql_real_escape_string($description),
mysql_real_escape_string($shortDescription),
mysql_real_escape_string($ingredients),
//mysql_real_escape_string($image),
mysql_real_escape_string($length),
mysql_real_escape_string($dateAdded),
mysql_real_escape_string($username));
$result = mysql_query($query) or die(mysql_error());
What does the error mean?
You have 9 fields listed, but only 8 values. Try adding the method.
The number of column parameters in your insert query is 9, but you've only provided 8 values.
INSERT INTO dbname (id, Name, Description, shortDescription, Ingredients, Method, Length, dateAdded, Username) VALUES ('', '%s', '%s', '%s', '%s', '%s', '%s', '%s')
The query should omit the "id" parameter, because it is auto-generated (or should be anyway):
INSERT INTO dbname (Name, Description, shortDescription, Ingredients, Method, Length, dateAdded, Username) VALUES ('', '%s', '%s', '%s', '%s', '%s', '%s', '%s')
Your query has 8 or possibly even 9 variables, i.e. Name, Description etc. But the values, these things ---> '', '%s', '%s', '%s', '%s', '%s', '%s', '%s')", only total 7. The number of variables has to be the same as the values.
I had the same problem but I figured it out. Hopefully it will also work for you.

MySQL Insert error

Ok, when trying to insert into the database I'm getting this error
"You have an error in your SQL syntax;
check the manual that corresponds to
your MySQL server version for the
right syntax to use near '#email.com,
UT, 84505, NOW(), 69.169.186.192)' at
line 1"
I can't figure out the problem. Here is the code for my insert statement.
$insert_query = sprintf("INSERT INTO contacts (first_name, last_name, email, state, zip, date, ip) VALUES (%s, %s, %s, %s, %s, NOW(), %s)",
$fname,
$lname,
$email,
$state,
$zip,
$ip);
$result = mysql_query($insert_query, $connection) or die(mysql_error());
My table has the following structure:
id int(11)
first_name varchar(100)
last_name varchar(100)
email varchar(100)
state varchar(3)
zip int(10)
date datetime
ip varchar(255)
You need to quote all the string-type columns in the insert statement. Replace %s with '%s' in the sprintf format.
Please read about SQL Injection if you haven't done so already.
This may help you:
$insert_query = "INSERT INTO contacts set first_name = '$fname', last_name = '$lname', email = '$email', state = '$state', zip = '$zip', date = ". time() .", ip = '$ip'";
$result = mysql_query($insert_query, $connection) or die(mysql_error());
If you want to check the query:
echo $insert_query;
It would help if you could echo out the $insert_query, but it looks like you're not putting quotes around the parameters that are varchars.
$insert_query = sprintf("INSERT INTO contacts (first_name, last_name, email, state, zip, date, ip) VALUES ('%s', '%s', '%s', '%s', '%s', NOW(), '%s')",
$fname,
$lname,
$email,
$state,
$zip,
$ip);
By the way, you have an extra column in your insert - NOW doesn't appear related to a column.
I'm assuming ZIP is a varchar column, not a number, by the way.
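
The inserts in the threads above (the Users registration and the contacts insert) build SQL text with sprintf and then fight over quoting, escaping and value counts. As an added example, not code from any of the posters, here is the contacts insert with bound parameters through PDO. The function name insertContact, the CONTACT_COLUMNS allowlist, the SQLite in-memory DSN and the sample row are assumptions made for illustration.

```php
<?php
// Added example. The mysql_* functions used on this page were removed in PHP 7.0;
// this uses PDO. The SQLite DSN is an assumption so the script runs offline.

// Hypothetical allowlist: identifiers cannot be bound, so they never come from input.
const CONTACT_COLUMNS = ['first_name', 'last_name', 'email', 'state', 'zip', 'ip'];

function insertContact(PDO $pdo, array $row): int
{
    $unknown = array_diff(array_keys($row), CONTACT_COLUMNS);
    if ($unknown) {
        throw new InvalidArgumentException('Unknown column: ' . implode(', ', $unknown));
    }
    $cols  = array_keys($row);
    // One named placeholder per column, so column and value counts cannot drift apart.
    $marks = array_map(fn ($c) => ":$c", $cols);
    $sql = sprintf(
        'INSERT INTO contacts (%s, date) VALUES (%s, CURRENT_TIMESTAMP)',
        implode(', ', $cols),
        implode(', ', $marks)
    );
    $stmt = $pdo->prepare($sql);
    // Values travel separately from the SQL text: no quoting, no escaping.
    $stmt->execute(array_combine($marks, $row));
    return (int) $pdo->lastInsertId();
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE contacts (id INTEGER PRIMARY KEY AUTOINCREMENT,
    first_name TEXT, last_name TEXT, email TEXT, state TEXT, zip TEXT, date TEXT, ip TEXT)');

// Constructed sample row: the apostrophe and the "@" are stored as plain data.
$id = insertContact($pdo, [
    'first_name' => 'Pat',
    'last_name'  => "O'Brien",
    'email'      => 'pat@example.com',
    'state'      => 'UT',
    'zip'        => '84505',
    'ip'         => '192.0.2.10',
]);

$check = $pdo->prepare('SELECT last_name, email FROM contacts WHERE id = ?');
$check->execute([$id]);
print_r($check->fetch(PDO::FETCH_ASSOC));
```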
