mysql syntax error - php

<?php
ob_start();
$id=$_REQUEST['req-id'];
// #header("location:feed.php?tumblr_id=$id");
echo "aaaa";
include_once('../config/config.php');
echo $name=$_REQUEST['req-name'];
echo $id=$_REQUEST['req-id'];
echo $mobile=$_REQUEST['req-mobile'];
echo $Email=$_REQUEST['req-email'];
echo $select=$_REQUEST['image'];
echo $img=$_REQUEST['img'];
echo $audio=$_REQUEST['audio'];
echo $ado=$_REQUEST['ado'];
echo $regular=$_REQUEST['regular'];
echo $reg=$_REQUEST['reg'];
echo $video=$_REQUEST['video'];
echo $vdo=$_REQUEST['vdo'];
echo $link=$_REQUEST['link'];
echo $lnk=$_REQUEST['lnk'];
echo $quote=$_REQUEST['quote'];
echo $qte=$_REQUEST['qte'];
echo $fbPid=$_REQUEST['fbPid'];
$sql="update tumblr set (tumblr_name,tumblr_id,mobile_no,Email,img_post,link_post,ado_post,vdo_post,reg_post,qte_post) values('$name','$id','$mobile','$Email','$img','$lnk','$ado','$vdo','$reg','$qte')";
$res=mysql_query($sql) or die(mysql_error());
?>
I am getting error: - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '(tumblr_name,tumblr_id,mobile_no,Email,img_post,link_post,ado_post,vdo_post,reg_' at line 1

UPDATE tumblr
SET tumblr_name = '$name',
tumblr_id = '$id',
mobile_no = '$mobile',
Email = '$Email',
img_post = '$img',
link_post = '$lnk',
ado_post = '$ado',
vdo_post = '$vdo',
reg_post = '$reg',
qte_post = '$qte'
You are trying to execute an update query based on an insert's format. Check the update query format.
In addition, your code is HIGHLY insecure. At least use mysql_real_escape_string(), e.g. $name=mysql_real_escape_string($_REQUEST['req-name']); to protect against SQL injection.
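The corrected UPDATE with bound parameters instead of escaped strings, as an added example that is not part of the original answers. It uses PDO with an in-memory SQLite database so it runs offline; the cut-down table, the `updateTumblr()` helper and the sample request values are constructed for illustration.

```php
<?php
// Added example, not code from the page. PDO with in-memory SQLite so it runs
// offline (assumption); for MySQL only the DSN changes, the UPDATE is the same.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed schema: a cut-down version of the question's tumblr table.
$pdo->exec('CREATE TABLE tumblr (tumblr_id TEXT PRIMARY KEY, tumblr_name TEXT, mobile_no TEXT, Email TEXT)');
$pdo->exec("INSERT INTO tumblr VALUES ('42','old','000','old@example.test'), ('43','other','111','other@example.test')");

// Constructed request data standing in for $_REQUEST; the name carries a
// quote and an SQL fragment that would break a string-built query.
$request = [
    'req-id'     => '42',
    'req-name'   => "O'Brien', Email='x",
    'req-mobile' => '5550100',
    'req-email'  => 'new@example.test',
];

function updateTumblr(PDO $pdo, array $r): int
{
    // Placeholders keep the data out of the SQL text; WHERE limits the
    // update to one row (without it every row in the table is rewritten).
    $stmt = $pdo->prepare(
        'UPDATE tumblr
            SET tumblr_name = :name, mobile_no = :mobile, Email = :email
          WHERE tumblr_id = :id'
    );
    $stmt->execute([
        ':name'   => $r['req-name'],
        ':mobile' => $r['req-mobile'],
        ':email'  => $r['req-email'],
        ':id'     => $r['req-id'],
    ]);
    return $stmt->rowCount(); // number of rows the UPDATE touched
}

$changed = updateTumblr($pdo, $request);
$rows = $pdo->query('SELECT * FROM tumblr ORDER BY tumblr_id')->fetchAll(PDO::FETCH_ASSOC);
echo "rows changed: $changed\n";
foreach ($rows as $row) {
    echo implode(' | ', $row), "\n"; // the hostile name is stored as plain text
}
```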

You are confusing the insert syntax with the update syntax. The update syntax is detailed here: http://dev.mysql.com/doc/refman/5.0/en/update.html
Example:
UPDATE table
SET
col1 = value1,
col2 = value2
WHERE
...

You are using INSERT syntax in an UPDATE statement.
Update looks like this:
UPDATE tableone SET fieldone='one' WHERE id=2;
For example.

UPDATE syntax is
UPDATE `tablename` SET `column`=value, `column`=value, ... WHERE conditions
You use INSERT syntax.

And what have you done to diagnose the problem?
Showing us all those echo statements doesn't really help - it might have done if you'd told us what the values were. You're not escaping any of the values you are putting in your SQL statement. You seem to be quoting values which may be numeric. You've included an ob_start() statement which is also entirely irrelevant but there's no mysql_connect here.
But the reason your code is failing is because there is no 'UPDATE....VALUES...' statement in SQL. Use 'INSERT INTO...VALUES....ON DUPLICATE KEY UPDATE'.

Related

Insert, Update, Create Table, queries not working in wampserver

I've been using wampserver for a php project, but DML queries are not working for me. Here is some test code I've been using
$query='insert into register(first_name) values("swagmaster")';
echo($query);
$query = mysqli_real_escape_string($connection,$query);
echo"<br>$query";
if(mysqli_real_query($connection,"'".$query."'")===TRUE)
{
echo"woohoo!";
}
else
{
echo"query failed";
}
echo(mysqli_error($connection));
I get the following output when I run this:
insert into register(first_name) values("swagmaster")
insert into register(first_name) values(\"swagmaster\") query failed
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''insert into register(first_name) values(\"swagmaster\")'' at line 1
However, a select statement works fine. I suspect the issue is in mysql settings. Any suggestions?
UPDATE:
Using a combination of your tips, the query is now working. Thank you all!
Please try this query
$query = "INSERT INTO `register` SET `fieldname`='{$value}',`field2`='{$value2}'";
Change the query from
$query='insert into register(first_name) values("swagmaster")';
to
$query="insert into register(first_name) values('swagmaster')";
Also, as Fred-ii said, you don't need to add ' here
if(mysqli_real_query($connection,"'".$query."'")===TRUE)
change to
if(mysqli_real_query($connection,$query)===TRUE)
You used
$query = mysqli_real_escape_string($connection,$query);
But this escaped all quotes in the query. This is incorrect. To protect from SQL injection you should apply the escape function only to the value instead of the query.
For your example you do not need this string.
But if you use variables then you should use it
$value = "swagmaster";
// The procedural mysqli call takes the connection as its first argument
$value = mysqli_real_escape_string($connection, $value);
$query='insert into register(first_name) values("' . $value . '")';
$query already holds a correct query, and adding quotes is incorrect. Just use
if(mysqli_real_query($connection, $query)===TRUE)

Wrong mysql query in php file?

I'm trying to insert some data into my mysql database. The connection is working fine but I'm having a problem with sending the query correctly to the database. Below you can find the code in my php file. I also post what type of fields they are in the database.
Fields in the mysql database:
Reservaties_id = int
Materialen_id = int
aantal = int
effectief_gebruikt = tinyint
opmerking = Varchar2
datum_van = date
datum_tot = date
$resID = $_REQUEST['resID'];
$materialen_id = $_REQUEST['materialen_id'];
$aantal = $_REQUEST['aantal'];
$effectief_gebruikt = $_REQUEST['effectief_gebruikt'];
$opmerking = $_REQUEST['opmerking'];
$datum_van = date('YYYY-MM-DD',$_REQUEST['datum_van']);
$datum_tot = date('YYYY-MM-DD',$_REQUEST['datum_tot']);
$string = "INSERT INTO `materialen_per_reservatie`(`reservaties_id`, `materialen_id`, `aantal`, `effectief_gebruikt`, `opmerking`, `datum_van`, `datum_tot`) VALUES ($resID, $materialen_id, $aantal, $effectief_gebruikt, '$opmerking', $datum_van, $datum_tot)";
mysql_query($string);
You have to include single quotes for the date fields '$datum_van'
$string = "INSERT INTO `materialen_per_reservatie`(reservaties_id, materialen_id, aantal, effectief_gebruikt, opmerking, datum_van, datum_tot) VALUES ($resID, $materialen_id, $aantal, $effectief_gebruikt, '$opmerking', '$datum_van', '$datum_tot')";
And this is only an example query; while implementing, don't forget to sanitize your inputs.
Your code has some serious problems that you should fix. For one, it is not doing any error checking, so it's no surprise the query breaks silently when it fails. Check for errors and it will tell you what goes wrong - how to do it is outlined in the manual on mysql_query() or in this reference question. Example:
$result = mysql_query($string);
// Bail out on error
if (!$result)
{
trigger_error("Database error: ".mysql_error(), E_USER_ERROR);
die();
}
In this specific case, I'm fairly sure it's because you are not putting your values into quotes after the VALUES keyword.
Also, the code you show is vulnerable to SQL injection. You need to escape every value you use like so:
$resID = mysql_real_escape_string($_REQUEST['resID']);
For this to work, you need to put every value in your query into quotes.
try this
$string = "INSERT INTO `materialen_per_reservatie`(`reservaties_id`) VALUES ('".$resID."')";
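Checking each request value against the column type listed in the question before it goes anywhere near SQL, as an added example that is not part of the original answers. The helper names are hypothetical, and it assumes the dates arrive as 'YYYY-MM-DD' strings, that effectief_gebruikt is a 0/1 flag, and that opmerking holds at most 255 bytes (the page gives no length). The date() format string for this layout is 'Y-m-d'.

```php
<?php
// Added example: validate the question's fields against their column types.
// Assumptions: dates arrive as 'YYYY-MM-DD' strings, effectief_gebruikt is a
// 0/1 flag, opmerking is at most 255 bytes (the page gives no length).
function intField(array $in, string $key, int $min, int $max): int
{
    $v = filter_var($in[$key] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min, 'max_range' => $max]]);
    if ($v === false) {
        throw new InvalidArgumentException("$key: expected integer $min..$max");
    }
    return $v;
}
function dateField(array $in, string $key): string
{
    $raw = (string)($in[$key] ?? '');
    // '!' resets unparsed fields; the round trip rejects 2011-02-30 and junk.
    $d = DateTime::createFromFormat('!Y-m-d', $raw);
    if ($d === false || $d->format('Y-m-d') !== $raw) {
        throw new InvalidArgumentException("$key: expected a real date as YYYY-MM-DD");
    }
    return $raw;
}
function validateReservation(array $in): array
{
    $row = [
        'reservaties_id'     => intField($in, 'resID', 1, PHP_INT_MAX),
        'materialen_id'      => intField($in, 'materialen_id', 1, PHP_INT_MAX),
        'aantal'             => intField($in, 'aantal', 0, PHP_INT_MAX),
        'effectief_gebruikt' => intField($in, 'effectief_gebruikt', 0, 1),
        'opmerking'          => (string)($in['opmerking'] ?? ''),
        'datum_van'          => dateField($in, 'datum_van'),
        'datum_tot'          => dateField($in, 'datum_tot'),
    ];
    if (strlen($row['opmerking']) > 255 || $row['datum_van'] > $row['datum_tot']) {
        throw new InvalidArgumentException('opmerking too long or date range reversed');
    }
    return $row; // values are typed; still pass them as bound parameters
}
// Constructed inputs standing in for $_REQUEST.
$good = ['resID' => '7', 'materialen_id' => '3', 'aantal' => '2', 'effectief_gebruikt' => '1',
         'opmerking' => "it's fine", 'datum_van' => '2011-03-14', 'datum_tot' => '2011-03-16'];
$bad  = ['aantal' => '2 OR 1=1', 'datum_van' => '2011-02-30'] + $good;
var_dump(validateReservation($good));
try {
    validateReservation($bad);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```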

my db is not INSERTing some values

I have the following codes:
$query = "INSERT INTO main_table (id, matric_no, session, semester,
course_name, test, exam,practical)
VALUES (NULL, '$_POST[matric_no]', '$_SESSION[session]',
'$_SESSION[semester]', '$_SESSION[course_name]', '$_POST[test]',
'$_POST[exam]', '$_POST[practical]')";
mysql_query($query) or
die (mysql_error());
Then I tried:
echo "$_POST[semester]";
echo "$_POST[course_name]" ;
and they echoed out what I was expecting but not INSERTing INTO the database.. Only those two.
Thanks.
As pointed out in the comments, the problem was a column type mismatch that wasn't visible in the original question.
However, it is a very bad idea to insert POST or other values directly - always run mysql_real_escape_string() (or whatever sanitation function your database library provides) on them. More on SQL injections here.
This code should give you a syntax error...
echo "$_POST[semester]";
echo "$_POST[course_name]" ;
Try this
echo "{$_POST['semester']}";
echo "{$_POST['course_name']}" ;
or this:
echo "xxx".$_POST['semester']."xxx";
echo "xxx".$_POST['course_name']."xxx";
More information here:
http://php.net/manual/en/language.types.string.php
Mind that $_POST[xxx] is not the proper syntax !!! Read docs above!

unable to insert into mysql database using php

$db = mysql_connect("localhost","root","123");
mysql_select_db("website_categorization") or die("\n error selecting database" );
$keyword_array = preg_split('/[\s,]+/', $tag);
foreach($keyword_array as $tag1)
{
mysql_query("INSERT INTO category_keyword(ID_Category, Keyword) VALUES(2,$tag1)");
}
echo "\nAffected rows are ".mysql_affected_rows()."\n";
mysql_close($db);
Can you tell me what is the problem with this code? I intend to insert rows into the category_keyword table from an array $keyword_array. I get errors "Affected rows are -1" and insertion does not work.
You should quote and escape string values.
You should also handle errors, to be notified of them.
You should also write distinct statements, to be able to read your code later (as well as let others to read it).
$tag1 = mysql_real_escape_string($tag1);
$sql = "INSERT INTO category_keyword(ID_Category, Keyword) VALUES(2,'$tag1')";
mysql_query($sql) or trigger_error(mysql_error()." in ".$sql);
insert multiple rows via a php array into mysql
You need to encapsulate the string $tag in a query, otherwise mysql will think it's a column name
mysql_query("INSERT INTO category_keyword(ID_Category, Keyword) VALUES(2,'".mysql_real_escape_string($tag1)."')");
You should quote and escape your string columns
$tag1 = mysql_real_escape_string($tag1);
mysql_query("INSERT INTO category_keyword(ID_Category, Keyword) VALUES(2,'$tag1')");
You should also handle the mysql query errors to know why the query failed. With the current code you never know why it is failing. It is better to handle mysql errors.
mysql_query('Your query') or trigger_error(mysql_error());
You can use this:
mysql_query("INSERT INTO category_keyword SET ID_Category=2, Keyword='".mysql_real_escape_string($tag1)."'");
Better syntax to understand :)

in query Whats the error pls solve it

I have the following error
insert into staff_service(customer_id,workorder_no,service_date,current_date) values('1','414','2011-03-14',CURDATE()) 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'current_date) values('1','414','2011-03-14',CURDATE())' at line 1
<?php
session_start();
include "common/config.php";
$file=file("Template/staffservice_management.html");
$filecontent=join("",$file);
include("user.php");
/*$sql = "SELECT id,customer_name FROM customer "."ORDER BY customer_name";
$rs = mysql_query($sql);
while($row = mysql_fetch_array($rs))
{
echo "<option value=\"".$row['id']."\">".$row['customer_name']."</option>";
echo "<option value=\"".$row['id']."\">".$row['customer_name']."</option>";
echo "<option value=\"".$row['id']."\">".$row['customer_name']."</option>";
}*/
$sql="select * from customer";
$res=mysql_query($sql);
while($row=mysql_fetch_array($res))
{
$list_option.="<option value='".$row['id']."'>".$row['customer_name']."</option>";
}
$cust=$_POST['cname'];
$work=$_POST['won'];
$date=$_POST['startdate'];
if($_REQUEST['submit']=='submit')
{
$sqle=("insert into staff_service(customer_id,workorder_no,service_date,current_date) values('$cust','$work','$date',CURDATE())");
$Insertprocess=$db->insert_data_id($sqle);
echo "<script>alert(' Details Successfully created');</script>;";
echo "<script>location.href='staffservice_management.php';</script>;";
}
$filecontent=preg_replace("/{{(.*?)}}/e","$$1",$filecontent);
echo $filecontent;
?>
Don't interpolate variables straight into your SQL, you're asking for SQL injection attacks. Take a look at http://www.bobby-tables.com/
As for the error, there's no space after the table name, that's the likely culprit; it's being treated as a call to an unknown function, staff_service().
insert into staff_service (customer_id,workorder_no,service_date,current_date) values('$cust','$work','$date',CURDATE())
leave space after table name
I guess you need a space between
staff_service
and
(customer_id,workorder_no,service_date,current_date)
Try with:
$sqle=("insert into staff_service (customer_id,workorder_no,service_date,current_date) values('$cust','$work','$date',CURDATE())");
HTH!
INSERT INTO staff_service
(customer_id,workorder_no,service_date,current_date)
VALUES ('1','414','2011-03-14',CURDATE())
There are a couple of questions about Data Types:
What is the data type of customer_id?
If it is an INT data type, no need for the single quotes around the value 1
EXAMPLE: VALUES (1,'414','2011-03-14',CURDATE())
What is the data type of workorder_no?
If it is an INT data type, no need for the single quotes around the value 414
EXAMPLE: VALUES ('1',414,'2011-03-14',CURDATE())
What is the data type of service_date?
If it's a date/time type are you submitting the correct format?
Other formats
What is the data type of current_date?
If it's a date/time type are you submitting the correct format?
Other formats
You might want to end your SQL statement with a semicolon as well, like this:
INSERT INTO staff_service
(customer_id,workorder_no,service_date,current_date)
VALUES ('1','414','2011-03-14',CURDATE());
My suggestions are to make sure you are passing the data in the correct format
You do not need to use " ' " for numbers/ids:
insert into staff_service(customer_id,workorder_no, service_date,current_date) values(1,414,'2011-03-14',CURDATE())
Add a semicolon at the end of the SQL query.
