This question already has answers here:
Closed 11 years ago.
Possible Duplicate:
Best way to stop SQL Injection in PHP
I am trying to insert the ' and " signs into a MySQL table using PHP. But when the content has these two signs I get a MySQL error.
$comment="I like '''' it so ""much"" Jaan";
mysql_query("INSERT INTO `comments` (`id` ,`name` ,`date` ,`comment`) VALUES ('', '$name', '$date', '$comment')");
The above is an example. Whenever a user inserts ' or " in his comment the problem begins. I know about mysql_real_escape_string() but I don't want to use this, because my comments are already filtered. Please tell me how I can insert comments with those characters. Every suggestion is welcome.
Escape every string variable with mysql_real_escape_string().
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 4 years ago.
I have this JSON string, which I want to insert into a table. Here is my insert query:
$insert_sql = 'INSERT INTO yun_postmeta (post_id, meta_key, meta_value)
VALUES (5054, "_wc_free_gift_coupon_free_shipping", "a:1:{i:6;a:3:{s:10:"product_id";i:6;s:12:"variation_id";i:0;s:8:"quantity";i:1;}}");';
Of course, the query breaks because of the quotes ("). When I add a backslash (\) in front of them, to escape them, the query works and the string gets inserted into the table, but for some reason my system doesn't work properly.
However, if I copy the JSON string and insert it manually into the table, using phpMyAdmin, the system works normally.
Any idea what could be the problem here?
This sounds like an encoding problem, but I don't have a clue what to do to solve it.
Thank you!
The SQL query should only use single quotes around values, i.e.:
VALUES (5054, '_wc_free_gift_coupon_free_shipping', ...
So in PHP the string should be defined in double quotes to limit the amount of escaping you do, as well as allowing variables to be added:
$insert_sql = "INSERT INTO yun_postmeta (post_id, meta_key, meta_value)
VALUES (5054, '_wc_free_gift_coupon_free_shipping', ... )";
As far as your values go, you should use mysqli_real_escape_string to handle escaping the double quotes:
http://php.net/manual/en/mysqli.real-escape-string.php
$escaped_json = mysqli_real_escape_string($con, 'a:1:{i:6;a:3:{s:10:"product_id";i:6;s:12:"variation_id";i:0;s:8:"quantity";i:1;}}');
$insert_sql = "INSERT INTO ... VALUES ( 5054, '_wc_free_gift_coupon_free_shipping', '$escaped_json' ...
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 5 years ago.
Maybe a silly question, but I'm really struggling.
I've created a MySQL Database and Table and am trying to push data into it. The data in question is a unique ID and a load of Javascript.
Code is simple:
$sql = "INSERT INTO TableName (id, code)
VALUES ('$uniqueid', '$codeoutput')";
However, whilst I can get the ID in there, I can't get the DB to accept the Javascript (which is currently stored in the variable $codeoutput).
I get the error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax
I'm not that familiar with using MySQL, and I have played around with different data types in PhpMyAdmin, but sadly still no luck.
What am I doing wrong? Do I need to have a very specific setup on the column where I'm storing the code? I'm currently trying to store it as medium text.
Is it something to do with needing to escape special characters? Is there an easy solution to this?
The simplest way to do it is
// $con is the mysqli connection handle; column names go in the column list,
// the (escaped) values go in the VALUES list
$sql = "INSERT INTO TableName (id, code) VALUES ('" . mysqli_real_escape_string($con, $uniqueid) . "', '" . mysqli_real_escape_string($con, $codeoutput) . "')";
This question already has answers here:
How to insert utf-8 mb4 character(emoji in ios5) in mysql?
(2 answers)
Closed 6 years ago.
So I use the following line of code to insert a chat message into my MySQL database:
$this->db->query("INSERT INTO group_messages (group_message_text,group_message_group_id,group_message_user_id) VALUES ('$message','$group_id','$user_id');");
This works great until a user tries to use characters like ' or emojis. How do I handle that properly?
To store emojis in your database you have to store them in utf8mb4. See this answer.
You should also escape your text before storing it in the database. See this answer as well.
It might be a syntax error:
Please try using
$this->db->query("INSERT INTO group_messages (group_message_text,group_message_group_id,group_message_user_id) VALUES ('".$message."','".$group_id."','".$user_id."');");
Hope this will help :)
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Syntax error due to using a reserved word as a table or column name in MySQL
(1 answer)
Closed 8 years ago.
I have this following sql code:
$sql = "INSERT INTO data (Artist, Name) VALUES ('TF2', 'you're right behind me')";
The code itself looks normal but for some reason mysql doesn't want to allow me to save it. I get the following error:
"#1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 're right behind me')' at line 1"
What I know is that the problem is because of the word "right" being reserved in MySQL, but I need to save it, so how should my code look? All help is appreciated.
As @Fred and @JunM have already commented, you have two issues. The first is that Name is a reserved word. The second is that you have a single quote inside your single-quoted string. Change your SQL to this:
$sql = "INSERT INTO data (`Artist`, `Name`) VALUES ('TF2', 'you\'re right behind me')";
Your problem is because you have an ' in the word you're. So your string is terminating too early in your sentence. Use you\'re instead to escape the character '
$sql = "INSERT INTO data (`Artist`, `Name`) VALUES ('TF2', 'you\'re right behind me')";
My experience with MySQL is limited, but I use SQL Server extensively. To me it seems that the problem is the apostrophe used in "you're right behind me". In SQL Server, I'd have to use a double apostrophe, so the SQL instruction would be something like this (notice the double apostrophe in you''re):
$sql = "INSERT INTO data (Artist, Name) VALUES ('TF2', 'you''re right behind me')";
Hope this helps.
Regards
This question already has an answer here:
Syntax error due to using a reserved word as a table or column name in MySQL
(1 answer)
Closed 8 years ago.
When I remove '$user' and by, this works perfectly:
$query = $db -> query("INSERT INTO posts (title, body, tags, published, date, by) VALUES
('$title', '$body', '$tags', '$published', '$date', '$user')");
User is varchar(11)
When I print_r $user I get the value I want.
I am not sure what is going on; by is at the end of the table.
Sorry if this question is stupid.
peace
Because BY is a reserved keyword and happens to be the name of the column. In order to avoid the syntax error, you need to escape it using backticks:
INSERT INTO posts (title, body, tags, published, date, `by`) VALUES (...)
MySQL Reserved Keywords List
I would rather change the column name to avoid the problem coming back again :D
As a side note, the query is vulnerable to SQL injection if the value(s) of the variables came from outside. Please take a look at the article below to learn how to prevent it. By using prepared statements you can get rid of using single quotes around values.
How to prevent SQL injection in PHP?
In addition, you can also put backticks on the "date" column since it is also a reserved word.
INSERT INTO posts (title, body, tags, published, `date`, `by`) VALUES (...)
Well, in my case I really don't prefer using backticks, but they're really helpful in avoiding syntax errors.
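The three recurring problems on this page (quotes and emoji inside values, and reserved words such as `by` and `date` as column names) can be handled in one place with a mysqli prepared statement. This is an added example, not code from any of the answers; it assumes a local MySQL server, a database `demo` with user `demo_user`, and a `posts` table shaped like the one in the last question, created with `CHARACTER SET utf8mb4`.

```php
<?php
// Added example. Assumed schema (not from the page):
//   CREATE TABLE posts (title VARCHAR(255), body TEXT, tags VARCHAR(255),
//     published TINYINT, `date` DATETIME, `by` VARCHAR(11))
//     CHARACTER SET utf8mb4;
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$db = new mysqli('localhost', 'demo_user', 'demo_pass', 'demo');
// utf8mb4 is required for 4-byte characters such as emoji; MySQL's
// 3-byte "utf8" charset rejects or truncates them.
$db->set_charset('utf8mb4');

// Reserved words used as column names (`date`, `by`) are quoted with
// backticks. Every value is a ? placeholder, so quotes inside the data
// are sent separately from the SQL text and can never break the statement.
$stmt = $db->prepare(
    'INSERT INTO `posts` (`title`, `body`, `tags`, `published`, `date`, `by`)
     VALUES (?, ?, ?, ?, ?, ?)'
);

// Constructed sample values containing exactly the characters that broke
// the string-concatenated queries in the questions above.
$title     = "you're right behind me";
$body      = 'I like \'\'\'\' it so ""much"" 🙂';
$tags      = 'tf2,quotes';
$published = 1;
$date      = date('Y-m-d H:i:s');
$user      = 'jaan';

// Type string: s = string, i = integer, one letter per placeholder.
$stmt->bind_param('sssiss', $title, $body, $tags, $published, $date, $user);
$stmt->execute();
echo 'Rows inserted: ' . $stmt->affected_rows . PHP_EOL;

// Read the row back the same way to confirm quotes and emoji survived.
$check = $db->prepare('SELECT `body` FROM `posts` WHERE `title` = ? AND `by` = ?');
$check->bind_param('ss', $title, $user);
$check->execute();
$row = $check->get_result()->fetch_assoc();
echo ($row['body'] === $body ? 'body stored intact' : 'body was altered') . PHP_EOL;
```

No escaping function is needed for the values because the driver never interpolates them into the SQL string; mysqli_real_escape_string() remains a fallback only for the rare cases where a value must be spliced into the query text.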