In query: what's the error? Please solve it - php

I have the following error:
insert into staff_service(customer_id,workorder_no,service_date,current_date) values('1','414','2011-03-14',CURDATE()) 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'current_date) values('1','414','2011-03-14',CURDATE())' at line 1
<?php
session_start();
include "common/config.php";
$file=file("Template/staffservice_management.html");
$filecontent=join("",$file);
include("user.php");
/*$sql = "SELECT id,customer_name FROM customer "."ORDER BY customer_name";
$rs = mysql_query($sql);
while($row = mysql_fetch_array($rs))
{
echo "<option value=\"".$row['id']."\">".$row['customer_name']."</option>";
echo "<option value=\"".$row['id']."\">".$row['customer_name']."</option>";
echo "<option value=\"".$row['id']."\">".$row['customer_name']."</option>";
}*/
$sql="select * from customer";
$res=mysql_query($sql);
while($row=mysql_fetch_array($res))
{
$list_option.="<option value='".$row['id']."'>".$row['customer_name']."</option>";
}
$cust=$_POST['cname'];
$work=$_POST['won'];
$date=$_POST['startdate'];
if($_REQUEST['submit']=='submit')
{
$sqle=("insert into staff_service(customer_id,workorder_no,service_date,current_date) values('$cust','$work','$date',CURDATE())");
$Insertprocess=$db->insert_data_id($sqle);
echo "<script>alert(' Details Successfully created');</script>;";
echo "<script>location.href='staffservice_management.php';</script>;";
}
$filecontent=preg_replace("/{{(.*?)}}/e","$$1",$filecontent);
echo $filecontent;
?>

Don't interpolate variables straight into your SQL, you're asking for SQL injection attacks. Take a look at http://www.bobby-tables.com/
As for the error, there's no space after the table name, that's the likely culprit; it's being treated as a call to an unknown function, staff_service().

insert into staff_service (customer_id,workorder_no,service_date,current_date) values('$cust','$work','$date',CURDATE())
Leave a space after the table name.

I guess you need a space between
staff_service
and
(customer_id,workorder_no,service_date,current_date)
Try with:
$sqle=("insert into staff_service (customer_id,workorder_no,service_date,current_date) values('$cust','$work','$date',CURDATE())");
HTH!

INSERT INTO staff_service
(customer_id,workorder_no,service_date,current_date)
VALUES ('1','414','2011-03-14',CURDATE())
There are a couple of questions about Data Types:
What is the data type of customer_id?
If it is an INT data type, no need for the single quotes around the value 1
EXAMPLE: VALUES (1,'414','2011-03-14',CURDATE())
What is the data type of workorder_no?
If it is an INT data type, no need for the single quotes around the value 414
EXAMPLE: VALUES ('1',414,'2011-03-14',CURDATE())
What is the data type of service_date?
If it's a date/time type are you submitting the correct format?
Other formats
What is the data type of current_date?
If it's a date/time type are you submitting the correct format?
Other formats
You might want to end your SQL statement with a semicolon as well, like this:
INSERT INTO staff_service
(customer_id,workorder_no,service_date,current_date)
VALUES ('1','414','2011-03-14',CURDATE());
My suggestions are to make sure you are passing the data in the correct format
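The first answer's advice against interpolated variables and the data-type questions above, combined in an added example that is not part of any answer on this page. It assumes customer_id and workorder_no are INT columns and service_date is a DATE; the function names and connection values are hypothetical placeholders.

```php
<?php
// Added example: bound parameters plus type checks for the staff_service insert.
// Table and column names come from the question; everything else is illustrative.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // SQL errors throw

function parse_service_input(array $post): array
{
    // Assumed INT columns: accept only positive integers.
    $opts = ['options' => ['min_range' => 1]];
    $cust = filter_var($post['cname'] ?? null, FILTER_VALIDATE_INT, $opts);
    $work = filter_var($post['won'] ?? null, FILTER_VALIDATE_INT, $opts);
    // Assumed DATE column: the value must round-trip through Y-m-d exactly,
    // which rejects both wrong formats and impossible dates such as 2011-02-30.
    $raw = (string)($post['startdate'] ?? '');
    $d   = DateTime::createFromFormat('!Y-m-d', $raw);
    if ($cust === false || $work === false || !$d || $d->format('Y-m-d') !== $raw) {
        throw new InvalidArgumentException('invalid staff_service input');
    }
    return [$cust, $work, $raw];
}

function insert_service(mysqli $db, array $post): int
{
    [$cust, $work, $date] = parse_service_input($post);
    // Placeholders keep user data out of the SQL text entirely.
    // `current_date` is backtick-quoted because CURRENT_DATE is a reserved
    // word in MySQL and cannot be used as a bare column name.
    $stmt = $db->prepare(
        'INSERT INTO staff_service
             (`customer_id`, `workorder_no`, `service_date`, `current_date`)
         VALUES (?, ?, ?, CURDATE())'
    );
    $stmt->bind_param('iis', $cust, $work, $date); // i = integer, s = string
    $stmt->execute();
    $id = (int)$db->insert_id;
    $stmt->close();
    return $id;
}

if (($_POST['submit'] ?? '') === 'submit') {
    $db = new mysqli('localhost', 'app_user', 'app_password', 'app_db'); // placeholders
    try {
        insert_service($db, $_POST);
    } catch (InvalidArgumentException $e) {
        http_response_code(400); // reject bad input instead of sending it to MySQL
    }
}
```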

You do not need to use " ' " for numbers/ids:
insert into staff_service(customer_id,workorder_no, service_date,current_date) values(1,414,'2011-03-14',CURDATE())

Add a semicolon at the end of the SQL query.

Related

How to get the data type of db2 variables in php?

From PHP code, I am trying to insert a new row into a DB2 table where I have the column names but not the corresponding data types.
Insert into <table_name> (column1,column2,column3,.....) values ('value1','value2','value3',....)
So, if any column is of date or timestamp data type, the single quotes around 'value' make the db2_exec function throw an error:
Warning: db2_exec(): Statement Execute Failed in C:\Program Files (x86)\insight_db.php on line 68
[IBM][CLI Driver][DB2/NT64] SQL0180N The syntax of the string representation of a datetime value is incorrect. SQLSTATE=22007 SQLCODE=-180
To avoid placing '' around such values, I need to get the data type of each column of the table and then check a condition to decide whether to place the quotes or not.
You can query the catalog view SYSCAT.COLUMNS to obtain the information:
select
colname, typename
from
syscat.columns
where
tabschema = 'YOURSCHEMA' and
tabname = 'YOURTABLE'
However, your approach is not going to work, because datetime literals must be enclosed in single quotes, and removing them will render your insert statement invalid. To avoid the SQL0180N error you can supply datetime values in the ISO format, e.g. YYYY-MM-DD-HH.MM.SS for TIMESTAMP.
To get the data type of the columns you can try this:
$result = mysql_query("SHOW COLUMNS FROM sometable");
if ($result)
{
if (mysql_num_rows($result) > 0)
{
while ($row = mysql_fetch_assoc($result))
{
print_r($row['Field']);
print_r($row['Type']);
}
}
}
Then this will print the Field Name and Data Type of the field.
I hope you will find it a little helpful.

How to avoid duplicate data entry via php to mysql?

We have a table vehicle and a simple php form. Before inserting data I do check if the vehicle registration number exists, but some client PCs could enter duplicate entries. Below is the code snippet. What else could be causing this?
$vehicleRegistrationNumber=$_POST['vehicleRegistrationNumber'];
$selectQuery1 ="Select vehicleRegistrationNumber From Vehicle Where vehicleRegistrationNumber='".$vehicleRegistrationNumber."'";
$result1 = mysqli_query($link,$selectQuery1);
$row1 = mysqli_fetch_array($result1, MYSQL_ASSOC);
$n1 = mysqli_num_rows($result1);
if($n1 > 0) {
$status="<span class=\"statusFailed\">: Vehicle ".$vehicleRegistrationNumber." Already Exist.</span>";
}
else {
//insert codes
}
First of all your code is vulnerable to SQL injection. This check can be bypassed by submitting something like XYZ0001' AND 1='0 or even more malicious values. To prevent this, use prepared statements and param binding instead of string concatenation.
Another possibility is simply user mistake, for example a trailing space ("XYZ001" != "XYZ0001 ") that is hard to spot at first glance at records in the DB. Before checking its existence in the DB you should check with PHP whether the submitted value includes only allowed chars and is free from common mistakes.
Try this with GROUP BY:
$selectQuery1 ="Select vehicleRegistrationNumber From Vehicle Where vehicleRegistrationNumber='".$vehicleRegistrationNumber."' GROUP BY vehicleRegistrationNumber";
The best way is to handle it on the SQL side. Just define the field as UNIQUE INDEX.
Now when trying to insert a duplicate index an error will be thrown and you can catch it like this:
if (!mysqli_query($con,$sql))
{
die('Error: ' . mysqli_error($con));
}
Like this you can avoid the select query before every insert query. Just handle the error as you want.
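The prepared-statement, input-checking and UNIQUE INDEX suggestions above, put together in an added example that is not part of any answer on this page. A SELECT-then-INSERT check can let two simultaneous requests both pass the check, so here the unique index makes the decision. The index name, allow-list pattern, function names and connection values are assumptions, and only the registration column is inserted to keep the example short.

```php
<?php
// Added example. Assumes this schema change has been applied once
// (index name is illustrative):
//   ALTER TABLE Vehicle ADD UNIQUE INDEX uq_vehicle_reg (vehicleRegistrationNumber);
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // SQL errors throw

const ER_DUP_ENTRY = 1062; // MySQL error code for a unique-key violation

function normalize_registration(string $raw): ?string
{
    // Remove the "XYZ0001 " versus "XYZ0001" class of mistakes before storing.
    $reg = strtoupper(trim($raw));
    // Allow-list is an assumption: 1 to 15 letters and digits.
    return preg_match('/\A[A-Z0-9]{1,15}\z/', $reg) ? $reg : null;
}

function add_vehicle(mysqli $link, string $raw): string
{
    $reg = normalize_registration($raw);
    if ($reg === null) {
        return 'invalid';
    }
    // Bound parameter: the value never becomes part of the SQL text.
    $stmt = $link->prepare('INSERT INTO Vehicle (vehicleRegistrationNumber) VALUES (?)');
    $stmt->bind_param('s', $reg);
    try {
        $stmt->execute();       // the unique index accepts or rejects atomically
        return 'created';
    } catch (mysqli_sql_exception $e) {
        if ($e->getCode() === ER_DUP_ENTRY) {
            return 'duplicate'; // already present, or another request won the race
        }
        throw $e;               // any other error is a real failure
    } finally {
        $stmt->close();
    }
}

$link   = new mysqli('localhost', 'app_user', 'app_password', 'app_db'); // placeholders
$result = add_vehicle($link, $_POST['vehicleRegistrationNumber'] ?? '');
$status = [
    'created'   => 'Vehicle added.',
    'duplicate' => 'Vehicle already exists.',
    'invalid'   => 'Invalid registration number.',
][$result];
```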

my db is not INSERTing some values

I have the following codes:
$query = "INSERT INTO main_table (id, matric_no, session, semester,
course_name, test, exam,practical)
VALUES (NULL, '$_POST[matric_no]', '$_SESSION[session]',
'$_SESSION[semester]', '$_SESSION[course_name]', '$_POST[test]',
'$_POST[exam]', '$_POST[practical]')";
mysql_query($query) or
die (mysql_error());
Then I tried:
echo "$_POST[semester]";
echo "$_POST[course_name]" ;
and they echoed out what I was expecting but not INSERTing INTO the database.. Only those two.
Thanks.
As pointed out in the comments, the problem was a column type mismatch that wasn't visible in the original question.
However, it is a very bad idea to insert POST or other values directly - always run mysql_real_escape_string() (or whatever sanitation function your database library provides) on them. More on SQL injections here.
This code should give you a syntax error...
echo "$_POST[semester]";
echo "$_POST[course_name]" ;
Try this
echo "{$_POST['semester']}";
echo "{$_POST['course_name']}" ;
or this:
echo "xxx".$_POST['semester']."xxx";
echo "xxx".$_POST['course_name']."xxx";
More information here:
http://php.net/manual/en/language.types.string.php
Mind that $_POST[xxx] is not the proper syntax !!! Read docs above!

mysql syntax error

<?php
ob_start();
$id=$_REQUEST['req-id'];
// #header("location:feed.php?tumblr_id=$id");
echo "aaaa";
include_once('../config/config.php');
echo $name=$_REQUEST['req-name'];
echo $id=$_REQUEST['req-id'];
echo $mobile=$_REQUEST['req-mobile'];
echo $Email=$_REQUEST['req-email'];
echo $select=$_REQUEST['image'];
echo $img=$_REQUEST['img'];
echo $audio=$_REQUEST['audio'];
echo $ado=$_REQUEST['ado'];
echo $regular=$_REQUEST['regular'];
echo $reg=$_REQUEST['reg'];
echo $video=$_REQUEST['video'];
echo $vdo=$_REQUEST['vdo'];
echo $link=$_REQUEST['link'];
echo $lnk=$_REQUEST['lnk'];
echo $quote=$_REQUEST['quote'];
echo $qte=$_REQUEST['qte'];
echo $fbPid=$_REQUEST['fbPid'];
$sql="update tumblr set (tumblr_name,tumblr_id,mobile_no,Email,img_post,link_post,ado_post,vdo_post,reg_post,qte_post) values('$name','$id','$mobile','$Email','$img','$lnk','$ado','$vdo','$reg','$qte')";
$res=mysql_query($sql) or die(mysql_error());
?>
I am getting error: - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '(tumblr_name,tumblr_id,mobile_no,Email,img_post,link_post,ado_post,vdo_post,reg_' at line 1
UPDATE tumblr
SET tumblr_name = '$name',
tumblr_id = '$id',
mobile_no = '$mobile',
Email = '$Email',
img_post = '$img',
link_post = '$lnk',
ado_post = '$ado',
vdo_post = '$vdo',
reg_post = '$reg',
qte_post = '$qte'
You are trying to execute an update query based on an insert's format. Check the update query format.
In addition, your code is HIGHLY insecure. At least use mysql_real_escape_string(), e.g. $name=mysql_real_escape_string($_REQUEST['req-name']); to protect against SQL injection.
You are confusing the insert syntax with the update syntax. The update syntax is detailed here: http://dev.mysql.com/doc/refman/5.0/en/update.html
Example:
UPDATE table
SET
col1 = value1,
col2 = value2
WHERE
...
You are using INSERT syntax in an UPDATE statement.
Update looks like this:
UPDATE tableone SET fieldone='one' WHERE id=2;
For example.
UPDATE syntax is
UPDATE `tablename` SET `column`=value, `column`=value, ... WHERE conditions
You use INSERT syntax.
And what have you done to diagnose the problem?
Showing us all those echo statements doesn't really help - it might have done if you'd told us what the values were. You're not escaping any of the values you are putting in your SQL statement. You seem to be quoting values which may be numeric. You've included an ob_start() statement which is also entirely irrelevant but there's no mysql_connect here.
But the reason your code is failing is because there is no 'UPDATE....VALUES...' statement in SQL. Use 'INSERT INTO...VALUES....ON DUPLICATE KEY UPDATE'.

unable to insert into mysql database using php

$db = mysql_connect("localhost","root","123");
mysql_select_db("website_categorization") or die("\n error selecting database" );
$keyword_array = preg_split('/[\s,]+/', $tag);
foreach($keyword_array as $tag1)
{
mysql_query("INSERT INTO category_keyword(ID_Category, Keyword) VALUES(2,$tag1)");
}
echo "\nAffected rows are ".mysql_affected_rows()."\n";
mysql_close($db);
Can you tell me what is the problem with this code? I intend to insert rows into the category_keyword table from an array $keyword_array. I get the error "Affected rows are -1" and the insertion does not work.
You should quote and escape string values.
You should also handle errors, to be notified of them.
You should also write distinct statements, to be able to read your code later (as well as to let others read it).
$tag1 = mysql_real_escape_string($tag1);
$sql = "INSERT INTO category_keyword(ID_Category, Keyword) VALUES(2,'$tag1')";
mysql_query($sql) or trigger_error(mysql_error()." in ".$sql);
insert multiple rows via a php array into mysql
You need to encapsulate the string $tag in quotes in the query, otherwise mysql will think it's a column name
mysql_query("INSERT INTO category_keyword(ID_Category, Keyword) VALUES(2,'".mysql_real_escape_string($tag1)."')");
You should quote and escape your string columns
$tag1 =
mysql_real_escape_string($tag1);
mysql_query("INSERT INTO
category_keyword(ID_Category, Keyword)
VALUES(2,'$tag1')");
You should also handle the mysql query errors to know why the query failed. With the current code you never know why it is failing. It is better to handle mysql errors.
mysql_query('Your query') or trigger_error(mysql_error());
You can use this:
mysql_query("INSERT INTO category_keyword SET ID_Category=2, Keyword='".mysql_real_escape_string($tag1)."'");
Better syntax to understand :)
