$author = $_SESSION['username'];
$subject = $_POST['subject'];
$body = $_POST['body'];
$branched = $_POST['branched'];
$time = time();
$branchedFrom = $_POST['parent'];
$id = $_POST['parent'];
$next = 0;
$previous = 0;
$branchedTo = 0;
mysql_query(
"INSERT INTO offtopic
VALUES(
'',
'$author',
'$subject',
'$body',
'$time',
'$next',
'$previous',
'$branchedFrom',
'$branchedTo'
");
I've tried it lots of times, even tried changing some stuff, but it doesn't save the info into the database.
The blank space at the beginning is where the index is in the database.
The SESSION and POST stuff I'm pretty sure gets passed properly.
"INSERT INTO offtopic VALUES('', '$author', '$subject', '$body', '$time', '$next', '$previous', '$branchedFrom', '$branchedTo'"
Missing closing ‘)’ inside the string. Pick up the error message using mysql_error() and simple syntax errors like this should be obvious.
Also you have SQL injection security holes you could drive a bus through. You need to be calling mysql_real_escape_string() over each string value you concatenate into the string, or use mysqli parameterised queries.
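As an added example (not code from the original post), the same offtopic INSERT rewritten as a mysqli prepared statement with exceptions enabled, so a syntax error like the missing ')' surfaces immediately and user input can no longer alter the statement. The connection credentials and the table's positional column order are assumed to match the question:

```php
<?php
// Added example, not from the original post. Report mysqli errors as
// exceptions so a failed query can never silently return false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
session_start();

$db = new mysqli('localhost', 'dbuser', 'dbpass', 'forum'); // assumed credentials
$db->set_charset('utf8mb4');

$author       = $_SESSION['username'] ?? '';
$subject      = $_POST['subject'] ?? '';
$body         = $_POST['body'] ?? '';
$time         = time();
$branchedFrom = (int) ($_POST['parent'] ?? 0);
$next = $previous = $branchedTo = 0;

try {
    // Placeholders instead of interpolated values: the input is sent to the
    // server separately from the SQL text, so an apostrophe in $subject or
    // $body is just data. NULL lets the auto-increment id be assigned.
    $stmt = $db->prepare('INSERT INTO offtopic VALUES (NULL, ?, ?, ?, ?, ?, ?, ?, ?)');
    $stmt->bind_param('sssiiiii', $author, $subject, $body, $time,
                      $next, $previous, $branchedFrom, $branchedTo);
    $stmt->execute();
    printf("Inserted row id %d\n", $db->insert_id);
} catch (mysqli_sql_exception $e) {
    // Log the real error for the developer; show the user nothing that
    // reveals table names or SQL text.
    error_log('offtopic insert failed: ' . $e->getMessage());
    http_response_code(500);
    echo 'Could not save your post.';
}
```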
Maybe it is because your query is missing which fields to insert:
"INSERT INTO offtopic(field1, field2, etc....) VALUES('', '$author', '$subject', '$body', '$time', '$next', '$previous', '$branchedFrom', '$branchedTo'");
Related
I'm having some trouble where I'm pulling values from both a session and a form - for a ticketing system - and when someone uses an apostrophe, it breaks the code.
See below where I receive the data:
$name = $_POST["name"];
$topic = $_POST["topic"];
$urgency = $_POST["urgency"];
$subject = $_POST["subject"];
$details = $_POST["details"];
$username = $_SESSION["username"];
$imgloc = $_SESSION["imgloc"];
$isit = $_SESSION["isit"];
I later insert it into my MySQL database here:
$sql = "INSERT INTO tickets (id, ticketname, urgency, topic, submitted, subject, details, isticketimage, imgloc) VALUES ('', '$name', '$urgency', '$topic', '$userno', '$subject', '$details', '$isit', '$imgloc')";
How would I amend this code to avoid apostrophes breaking my MySQL command?
You can use PDO from PHP; it will avoid SQL injections.
You can do something like this:
$pdo = new PDO('mysql:host=localhost;dbname=test', $user, $pass);
$sql = "INSERT INTO tickets (ticketname, urgency, topic, submitted, subject, details, isticketimage, imgloc) VALUES (?,?,?,?,?,?,?,?)";
$stmt = $pdo->prepare($sql);
$stmt->execute([$name, $urgency, $topic, $userno, $subject, $details, $isit, $imgloc]);
More info: https://www.php.net/manual/en/pdo.prepared-statements.php
mysqli_real_escape_string($dbConnection, $variable)
should do the trick.
I am having an issue where it seems my insert code is wrong, but I do not know how to fix it.
It keeps resorting to my page being blank with no error_log, and error reporting is not working either. Below is the code:
<?php
$connect = mysqli_connect("localhost","dfhdfhd","dfhdfh","fhgdfh");
$url = 'url';
$banner = 'banner';
$title = 'title';
$date = 'date';
$time = 'time';
$description = 'description';
$region = 'region';
$sponsors = 'sponsors';
mysqli_query($connect,"INSERT INTO information (url, banner, title, date, time, description, region, sponsors)
VALUES ('$url', '$banner', '$title', '$date' '$time', '$description', '$region', '$sponsors')";
?>
There are a few things wrong here.
First, a missing comma after '$date' and a missing bracket for your opening $connect.
Here:
mysqli_query($connect,"INSERT INTO information (url, banner, title, date, time, description, region, sponsors)
VALUES ('$url', '$banner', '$title', '$date', '$time', '$description', '$region', '$sponsors')");
Had you checked for errors, it would have told you about those errors.
Consult the following links: http://php.net/manual/en/mysqli.error.php and http://php.net/manual/en/function.error-reporting.php
Your present code is open to SQL injection. Use prepared statements, or PDO with prepared statements.
You should add error_reporting and show the mysqli error if a query for some reason doesn't work:
<?php
error_reporting(-1);
$connect = mysqli_connect("localhost","dfhdfhd","dfhdfh","fhgdfh");
if (mysqli_connect_errno())
{
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
$url = 'url';
$banner = 'banner';
$title = 'title';
$date = 'date';
$time = 'time';
$description = 'description';
$region = 'region';
$sponsors = 'sponsors';
$result = mysqli_query($connect,"INSERT INTO information (url, banner, title, date, time, description, region, sponsors)
VALUES ('$url', '$banner', '$title', '$date', '$time', '$description', '$region', '$sponsors')");
if (!$result)
{
echo("Error description: " . mysqli_error($connect));
}
?>
See for more information: http://www.w3schools.com/php/func_mysqli_error.asp
Also make sure that the PHP is not executed somewhere where errors would be echoed but not visible because they are outside the HTML or hidden by CSS.
You also forgot a comma in between '$date' and '$time', and closing the mysqli_query function.
What's wrong in this SQL query?
if(isset($_POST['submit'])){
$name = $_POST['name'];
$author = $_POST['author'];
$pub = $_POST['pub'];
$sibn = $_POST['sibn'];
$year = $_POST['year'];
$version = $_POST['version'];
$desc = $_POST['desc'];
$selected_db = mysql_select_db("bookstore",$con);
$query = "INSERT INTO introducebook (name, author, pub, sibn, year, version, desc) VALUES ('{$name}', '{$author}', '{$pub}', '{$sibn}', {$year}, {$version}, '{$desc}');" ;
$result = mysql_query($query,$con);
if(!$result){die('could not perform query'.mysql_error());}
echo mysql_affected_rows();
}
?>
The error is (I pass 'test' for all inputs):
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'desc) VALUES ('test', 'test', 'test', 'test', test, test, 'test')' at line 1
You need to escape reserved words in MySQL like desc with backticks:
INSERT INTO introducebook (name, ..., `desc`) VALUES ...
To pass plain text you need brackets; this will be correct:
INSERT INTO introducebook (`name`, `author`, `pub`, `sibn`, `year`, `version`, `desc`) VALUES ('{$name}', '{$author}', '{$pub}', '{$sibn}', '{$year}', '{$version}', '{$desc}')
And yes, you also need backticks.
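As an added example (not code from the original post or either answer), the introducebook INSERT done with PDO: the reserved column name is quoted with backticks because identifiers cannot be bound as parameters, and the numeric columns are validated and bound as integers so an empty year or version can never turn into the bare `test, test` that produced the syntax error. The connection details are assumed:

```php
<?php
// Added example, not from the original post. Exceptions on failure, and
// native prepares so typed parameters reach the server as typed.
$pdo = new PDO('mysql:host=localhost;dbname=bookstore;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

// `desc` is a reserved word; placeholders cover only values, never column
// names, so the identifier is protected with backticks in the SQL text.
$sql = 'INSERT INTO introducebook (`name`, `author`, `pub`, `sibn`, `year`, `version`, `desc`)
        VALUES (:name, :author, :pub, :sibn, :year, :version, :desc)';

// Integer columns: reject anything that is not an integer before it reaches
// the query. filter_input returns false on a bad value and null if absent.
$year    = filter_input(INPUT_POST, 'year', FILTER_VALIDATE_INT);
$version = filter_input(INPUT_POST, 'version', FILTER_VALIDATE_INT);
if (!is_int($year) || !is_int($version)) {
    http_response_code(400);
    exit('year and version must be integers');
}

$stmt = $pdo->prepare($sql);
foreach (['name', 'author', 'pub', 'sibn', 'desc'] as $col) {
    // String columns: bound as strings, so quotes inside them are data only.
    $stmt->bindValue(":$col", $_POST[$col] ?? '', PDO::PARAM_STR);
}
$stmt->bindValue(':year',    $year,    PDO::PARAM_INT);
$stmt->bindValue(':version', $version, PDO::PARAM_INT);

$stmt->execute();
echo $stmt->rowCount(); // 1 on success; any failure throws PDOException
```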
I access my page passing some parameters through the URL:
www.mypage.com/page.php?aID=4091cdcd-773d-4ca5-bab2-41e1188870a9&sID=1_MX4yMjI1MTgxMn4xMjcuMC4wLjF-V2VkIERlYyAyNiAwOTo1MDoyNiBQU1QgMjAxMn4wLjg1MjA4MTF-&nam=Gab&tel=7777777777
then in my PHP code I have:
if(isset($_GET['sID'])) {
$sID = $_GET['sID'];
}
if(isset($_GET['aID'])) {
$aID = $_GET['aID'];
}
if(isset($_GET['nam'])) {
$nam = $_GET['nam'];
}
if(isset($_GET['tel'])) {
$tel = $_GET['tel'];
}
I have no problem retrieving $nam and $tel, but $aID and $sID always get an empty string. I have tried using double quotes (isset($_GET["aID"])) , but it has not made any difference.
Are there illegal characters on the string or a limit in size of a variable you can pass through the URL? How can I GET variables $aID and $sID?
$query = "INSERT INTO myTable (ArchiveID, SessionID, Name, Tel) VALUES ('$aiD', '$siD', '$nam', '$tel' )";
echo $query;
The output of echo $query is:
INSERT INTO myTable (ArchiveID, SessionID, Name, Tel) VALUES ('', '', 'Gab', '7777777777' )
Testing your URL, I get the following result:
Array
(
[aID] => 4091cdcd-773d-4ca5-bab2-41e1188870a9
[sID] => 1_MX4yMjI1MTgxMn4xMjcuMC4wLjF-V2VkIERlYyAyNiAwOTo1MDoyNiBQU1QgMjAxMn4wLjg1MjA4MTF-
[nam] => Gab
[tel] => 7777777777
)
Therefore, I'm not sure what you mean by you're getting an empty string. You did have a typo in your code, where $tel references $_GET['aID']. I would advise you verify your code.
I would recommend that you also use $_SERVER['REQUEST_METHOD'] to verify that your script is using GET.
Update
Per your updated query, it seems as though your case is incorrect. The variable name is case-sensitive.
$query = "INSERT INTO ... VALUES ('$aiD', '$siD', '$nam', '$tel' )";
Should be:
$query = "INSERT INTO ... VALUES ('$aID', '$sID', '$nam', '$tel' )";
You have to enable error reporting and logging to the highest level when you develop PHP.
You have to check return values of methods you call to see if they did what you thought they did. You have to look for more error information if something failed.
You have to look into prepared statements to prevent SQL injection.
And yes, mysql_* functions are deprecated. Do not use it for new code.
Notice that in your SQL statement you are not calling the variables you defined:
$query = "INSERT INTO myTable (ArchiveID, SessionID, Name, Tel) VALUES ('$aiD', '$siD', '$nam', '$tel' )";
should be:
$query = "INSERT INTO myTable (ArchiveID, SessionID, Name, Tel) VALUES ('$aID', '$sID', '$nam', '$tel' )";
and looks like njk updated his answer to reflect this so he should be credited for the answer.
I'm repeatedly getting a syntax error when inserting into MySQL. Normally this works fine, but I can't seem to get it to work. I can echo out the variables no problem, but for some reason I can't insert them.
Variables (the session vars are brought over from another page):
session_start();
$name=$_SESSION['bName'];
$email=$_SESSION['email'];
$ship_address = $_SESSION['sAddress'];
$voucher=$_SESSION['voucher'];
$sku=$_SESSION['sku'];
$credit_card=$_POST['credit_card'];
$security_code=$_POST['security_code'];
$payment_type=$_POST['payment_type'];
$cc_number=substr($credit_card, 0, 4) . str_repeat('x', (strlen($credit_card) - 4)) . substr($credit_card, -4, 4);
$phone=$_SESSION['billPhone'];
$status="Redeemed";
$date = date('Y/m/d');
$tracking ="";
Insert query:
//Insert Queries
$sqlInsert = "INSERT INTO `customers`(`name`, `email`, `address`, `phone`, `sku`, `creditcard`, `securitycode`, `paymenttype`, `voucher`, `purchase_id`, `tracking`, `status`, `date_recieved`)
VALUES( $name, $email, $ship_address, $phone, $sku, $credit_card, $security_code, $payment_type, $voucher, $purchase_id, $tracking, $status, $date)";
mysql_query($sqlInsert) or die ('Error Inserting into database' . mysql_error());
I've also tried:
VALUES( '$name', '$email', '$ship_address', '$phone', '$sku', '$credit_card', '$security_code', '$payment_type', '$voucher', '$purchase_id', '$tracking', '$status', '$date')
but it doesn't work. The error I get is:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'lastname, fahad#semail.com, 22 toronto ont l6a0l4, 416-123-4567, 1001234, 1234567' at line 1
Any ideas?
Thanks
All string values must be quoted.
VALUES("'.$name.'", "'.$email.'" ...
Do it like this, so the fields are delimited:
VALUES( '$name', '$email', ...
Check your error message to see what kind of garbage you are currently generating.
You could use PDO to create prepared statements instead. Then you won't have to worry about escaping your values like drdwilcox's example 'Jerry''s'. It also helps as a countermeasure against SQL injection attacks.
I would almost guarantee that you have a single-quote in your name field. If you want to place a single quote into a string field in SQL, you must double it: 'Jerry''s'
And you need the '$name' version.