I am trying to enter registration info into a mysql db through php, but the sql statement seems wrong. Can anyone please tell me what I am doing wrong?
INSERT INTO user(id,username,password,email,security_question,security_answer,face_photo,body_photo,user_salutation,user_firstname,user_middlename,user_lastname,parent_salutation,parent_firstname,parent_middlename,parent_lastname,gender,date_of_birth,address1,address2,country,state,city,pincode,country_code1,area_code1,phone1,country_code2,area_code2,phone2,alt_email,website,travel_within,passport,travel_companion,formal_education,other_qualification,known_languages,hobbies,about_you) VALUES('',some username,abcabc,abc#test.com,What is your first pet\'s name?,I don\'t know,'','',Mr.,sam,,fisher,Mr.,,,,Male,05/12/2009,test address1,,10,1073,16713,000000,00,00,00000000,,,,bcd#test.com,bcd#test.com,Within Country,on,on,none,none,spanish,none,none )
You don't have quotes around any of your string values:
..... ) VALUES('', 'some username', 'abcabc', 'abc#test.com'..... etc...
I am trying to insert into my database, and the only problem I can find is the sql not being correct somehow. I tried searching up the errors, but they are confusing as to what they are.
$pdo = new PDO("mysql:host=$dbhost;dbname=$dbvideos;", $dbusername, $dbpassword);
$sql = "INSERT INTO Video ('Channel ID', 'Name', 'VideoDescription', 'VideoLocation') VALUES (:chanID, :vidName, :vDesc, :vLoc)";
$stmt = $pdo->prepare($sql);
$stmt->execute(array(":chanID"=>$_POST['selectedChannel'], ":vidName"=>$_POST['videoName'], ":vDesc"=>$_POST['viddesc'], ":vLoc"=> $VideoLocation));
print_r($stmt->errorInfo());
With error output:
Array ( [0] => 42000 [1] => 1064 [2] => You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'ID, Name, VideoDescription,VideoLocation) VALUES ('1', 'Testing Video', 'This is' at line 1 )
I pre-checked the variables (types match database, and they exist and with validation on previous page). The connection works fine. So SQL is the only error I can find.
I understand having no space in names - that one slipped my mind (I am usually on top of that, even when saving files). Somehow removing the space and removing the ' quotes made it work. (I originally used ' quotes because I saw some people use them, so I thought it would fix the problem).
Thank You Ryan Vincent.
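The two questions above are the same mistake in opposite directions: the first statement leaves its string values unquoted, the second wraps column names in single quotes, which MySQL reads as string literals rather than identifiers (hence the 1064 error pointing at the column list). The following is an added Python example, not code from either question, of a small builder that backtick-quotes identifiers and passes values as bound parameters; `quote_ident`, `build_insert`, `sql_literal` and `render` are names chosen here, and the `%s` placeholder style is an assumption that a MySQLdb/PyMySQL-style driver would execute the result.

```python
# Added example, not code from either question above. Targets MySQL syntax:
# identifiers in backticks, values bound as parameters ("%s" paramstyle of
# MySQLdb / PyMySQL is assumed).

def quote_ident(name: str) -> str:
    """Quote a MySQL identifier with backticks. Single quotes would turn a
    column name into a string literal, which is what caused the 1064 error."""
    if not name or "\x00" in name:
        raise ValueError(f"invalid identifier: {name!r}")
    return "`" + name.replace("`", "``") + "`"


def build_insert(table: str, row: dict) -> tuple:
    """Return (sql, params). Column names must come from an application
    allow list, never from request data; values are bound, never spliced."""
    if not row:
        raise ValueError("no columns to insert")
    cols = list(row)
    sql = "INSERT INTO {} ({}) VALUES ({})".format(
        quote_ident(table),
        ", ".join(quote_ident(c) for c in cols),
        ", ".join(["%s"] * len(cols)),
    )
    return sql, tuple(row[c] for c in cols)


# Characters mysql_real_escape_string() rewrites inside a quoted literal.
_ESCAPES = {
    "\\": "\\\\", "'": "\\'", '"': '\\"',
    "\n": "\\n", "\r": "\\r", "\0": "\\0", "\x1a": "\\Z",
}


def sql_literal(value) -> str:
    """Render one value as a MySQL literal (for logs, or the rare case where
    a statement really must be inlined). Strings get single quotes plus
    escaping; NULL, numbers and booleans stay bare."""
    if value is None:
        return "NULL"
    if isinstance(value, bool):
        return "1" if value else "0"
    if isinstance(value, (int, float)):
        return repr(value)
    return "'" + "".join(_ESCAPES.get(ch, ch) for ch in str(value)) + "'"


def render(sql: str, params: tuple) -> str:
    """Display only: substitute literals into a %s-placeholder statement so a
    reader can see what a correctly quoted statement looks like."""
    return sql % tuple(sql_literal(p) for p in params)


if __name__ == "__main__":
    sql, params = build_insert(
        "Video", {"Channel ID": 1, "Name": "Testing Video",
                  "VideoDescription": "What is your first pet's name?"})
    print(sql)                  # what actually goes to the server
    print(render(sql, params))  # the same statement with literals, for reading
```

Escaping in `sql_literal` is connection-charset-agnostic, which is one reason to keep it for display and let the driver bind `params` for execution.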
I just bought a Kobo eReader which forces me to register at their website before the eReader functions. Seeing that I'm quite a privacy fundamentalist I refuse to register to read a couple of books, so I went searching for an alternative. This brought me to this blogpost, which suggests opening the SQLite DB on the eReader and manually inserting a user with the following insert (formatted for readability):
INSERT INTO user (
UserID
,UserKey
,UserDisplayName
,UserEmail
,___DeviceID
,HasMadePurchase
)
VALUES (
‘5b8b0d65-b50f-4460-b6df-aca5e64f4882’
,’626d73ed-8382-4c1d-9750-cfe741c6e773’
,’a_name’
,’an_email_address’
,’01:23:45:67:89:ab’
,’TRUE’
);
So I found the sqlite database and ran the query, but I got the following error message:
SQLiteManager: Likely SQL syntax error: INSERT INTO user(UserID,UserKey,UserDisplayName,UserEmail,___DeviceID,HasMadePurchase) VALUES(‘5b8b0d65-b50f-4460-b6df-aca5e64f4882’,’626d73ed-8382-4c1d-9750-cfe741c6e773’,’a_name’,’an_email_address’,’01:23:45:67:89:ab’,’TRUE’);
[ unrecognized token: "4c1d" ]
Exception Name: NS_ERROR_FAILURE
Exception Message: Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [mozIStorageConnection.createStatement]
I looked at the structure of the user table, which is (as you can see below) slightly different from the query.
CREATE TABLE user (
UserID TEXT NOT NULL
,UserKey TEXT NOT NULL
,UserDisplayName TEXT
,UserEmail TEXT
,___DeviceID TEXT
,FacebookAuthToken TEXT <= missing from query
,HasMadePurchase BIT DEFAULT FALSE
,IsOneStoreAccount BIT DEFAULT FALSE <= missing from query
,IsChildAccount BIT DEFAULT FALSE <= missing from query
,PRIMARY KEY (UserID)
)
As you can see there are three columns in the db which are not in the query. I don't think that this is the source of the error though.
Does anybody know what the error means and how I can solve the error? All tips are welcome!
Change the single quotes on the VALUES section to double quotes - the error references the middle portion of your string.
In addition to that, surround the column values in backticks and then everything works.
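What the error actually means: the blog post's copy of the statement uses typographic quotes (‘ ’), and SQLite has no idea those are quotes. Bytes above 0x7F are treated as identifier characters, so each value splits into a run of names and numbers, and `4c1d` (a digit followed by letters) is the first token the tokenizer cannot classify, which is exactly the "unrecognized token" reported. The following is an added Python example, not code from the question or the blog post; it uses the table definition printed above, reproduces the failure in an in-memory database, then runs the statement with ASCII quotes and, better still, with bound parameters. `fix_quotes`, `try_insert`, `insert_user_param` and the second user's values are names and data chosen for the example.

```python
import sqlite3

# Added example, not the blog post's or the question's code. USER_TABLE is the
# definition the question printed from the Kobo database.
USER_TABLE = """
CREATE TABLE user (
    UserID TEXT NOT NULL,
    UserKey TEXT NOT NULL,
    UserDisplayName TEXT,
    UserEmail TEXT,
    ___DeviceID TEXT,
    FacebookAuthToken TEXT,
    HasMadePurchase BIT DEFAULT FALSE,
    IsOneStoreAccount BIT DEFAULT FALSE,
    IsChildAccount BIT DEFAULT FALSE,
    PRIMARY KEY (UserID)
)
"""

# The statement as the blog post renders it: U+2018/U+2019 instead of ASCII '.
CURLY_INSERT = (
    "INSERT INTO user (UserID, UserKey, UserDisplayName, UserEmail, "
    "___DeviceID, HasMadePurchase) "
    "VALUES (\u20185b8b0d65-b50f-4460-b6df-aca5e64f4882\u2019, "
    "\u2019626d73ed-8382-4c1d-9750-cfe741c6e773\u2019, \u2019a_name\u2019, "
    "\u2019an_email_address\u2019, \u201901:23:45:67:89:ab\u2019, \u2019TRUE\u2019)"
)


def fix_quotes(sql: str) -> str:
    """Replace the four common typographic quotes with their ASCII forms."""
    return sql.translate(str.maketrans({"\u2018": "'", "\u2019": "'",
                                        "\u201c": '"', "\u201d": '"'}))


def try_insert(con, sql: str):
    """Run one statement; return None on success or the SQLite error text."""
    try:
        con.execute(sql)
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)


def insert_user_param(con, user_id, user_key, name, email, device_id, purchased):
    """The robust form: bound parameters, so no quoting of values at all."""
    con.execute(
        "INSERT INTO user (UserID, UserKey, UserDisplayName, UserEmail, "
        "___DeviceID, HasMadePurchase) VALUES (?, ?, ?, ?, ?, ?)",
        (user_id, user_key, name, email, device_id, purchased),
    )


def demo():
    con = sqlite3.connect(":memory:")
    con.execute(USER_TABLE)
    curly_error = try_insert(con, CURLY_INSERT)              # unrecognized token
    ascii_error = try_insert(con, fix_quotes(CURLY_INSERT))  # succeeds
    # A second, constructed user inserted with parameters.
    insert_user_param(con, "example-user-2", "example-key-2", "b_name",
                      "b_email_address", "01:23:45:67:89:ac", "TRUE")
    rows = con.execute(
        "SELECT UserID, HasMadePurchase FROM user ORDER BY UserID").fetchall()
    return curly_error, ascii_error, rows


if __name__ == "__main__":
    curly_error, ascii_error, rows = demo()
    print("curly quotes:", curly_error)
    print("ascii quotes:", ascii_error)
    print(rows)
```

The three columns absent from the INSERT are not a problem, as the question suspected: they are nullable or carry defaults, so SQLite fills them in.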
I use db.insert() to insert data into the database; the code is something like this:
db.insert('categories', name=cate_name, description=desc, _test=True)
but it doesn't work: the data can't be found in table 'categories' after the code is executed, and there are no exceptions, by the way.
Anybody know why this happened?
The _test variable is for debugging purposes.
It lets you get the SQL statement instead of executing it.
It means that your command
result = db.insert('categories', name=cate_name, description=desc, _test=True)
will not execute anything on your DB. It will only return a string:
"INSERT INTO categories (name, description) VALUES ('cate_name value', 'desc value')"
If you want to make a real query, you need to remove it:
db.insert('categories', name=cate_name, description=desc)
It should work.
remove _test=True or set _test=False
Here's a very easy question for someone :)
Trying to update an SQL column with the following:
UPDATE [NameOfTable]
SET [HtmlContent] = 'a href="/sell-your-boat/"'
WHERE HtmlID = 123456
But am getting the following error message: Incorrect syntax near '/'.
I know it's because I need to escape the / character, but I'm hitting my head against the wall trying to find the answer because I am aware it's probably very simple!
Thank you
You don't need to escape slashes in a string in SQL. The only character that you need to escape is the apostrophe (').
There is nothing wrong with the query that you are showing, so the only explanation is that the code that you are actually running does not look like that.
It doesn't make sense to have HTML-encoded quotation marks around a href attribute, so my guess is that the HTML code actually looks something like this:
<a href='/sell-your-boat/'>
Any apostrophes in the text would have to be encoded as double apostrophes when you put it in a string literal in the SQL code.
I don't know where the query is executed from, but a parameterised query would be preferable if possible, as then you don't have to escape the text yourself; you just assign the text to the parameter value.
Like all the comments above, you don't need to escape the /
I just did a quick sql test in sql server 2005 and didn't get an error message (see below)
We'll probably need more information than what you provided. Are you running this in Management studio, or is this sql being called in a .NET application, etc...
create table test (htmlid int, htmlcontent varchar(516))
insert into test select 123456 as htmlid, 'test' as htmlcontent
update test
set htmlcontent = 'a href="/sell-your-boat/"'
where htmlid = 123456
select * from test where htmlid = 123456
drop table test
my output
123456 a href="/sell-your-boat/"
I'm getting the following error whenever I try to post something with an apostrophe in it:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near...
For example, when I'm trying to post/INSERT something like "I'm working hard", it gives me an error. If I write "I am working hard" everything is fine.
The code is:
$sql="INSERT INTO tb_table (`postcontent`, `userid`, `posttime`) VALUES ('".$_POST[content]."', '".$user_id."', '".time()."')";
Any ideas how to fix it?
That's because you are using apostrophes to show MySQL where each value for the field starts and ends. If you put an apostrophe in the middle of the string, suddenly the database thinks that you're trying to put in four values in three table fields, or some such thing.
It looks like you're using PHP to insert data in the database so I'll give you a couple of examples of dealing with this with the means that PHP provides.
A quick way to fix it is to use mysql_real_escape_string():
$sql="INSERT INTO tb_table (`postcontent`, `userid`, `posttime`)
VALUES ('" . mysql_real_escape_string($_POST['content']) . "',
'" . mysql_real_escape_string($user_id) . "',
".time().")";
A better approach would be to use prepared statements:
$db = // your mysqli() connection
$sql="INSERT INTO tb_table (`postcontent`, `userid`, `posttime`)
VALUES (?, ?, ?)";
if ($stmt = $db->prepare($sql))
{
$stmt->bind_param("ssi", $_POST['content'], $user_id, time());
$stmt->execute();
$stmt->close();
}
P.S. You don't need single quotes around time() - this is a number, it's safe to insert as is.
The quotes in the value being inserted are closing the quotes that surround the value in the INSERT statement because you're using dynamically generated SQL.
Best solution is to use parameterised SQL which will prevent this problem and be safer (guard against SQL injection). Otherwise, you need to parse/make safe the supplied values - e.g. escape all single quotes so they don't break the statement.
If this is in any way accessible to the public, take it down NOW, then go and read up on SQL injection attacks. The best fix is to use parameterised queries, but you must use some kind of escaping mechanism, because the quotes in your text are being interpreted as part of the SQL command, not as part of the text.
Consider what would happen if you submitted the comment:
', 'No-one', time()); DROP TABLE tb_table; //
Your SQL:
$sql="INSERT INTO tb_table (`postcontent`, `userid`, `posttime`) VALUES ('".$_POST[content]."', '".$user_id."', '".time()."')"
Then expands to the string:
INSERT INTO tb_table (`postcontent`, `userid`, `posttime`) VALUES ('', 'No-one', now()); DROP TABLE tb_table; //', 'user', 'time')"
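The slash thread and this last thread end in the same advice: double the apostrophes if you must build the statement by hand, and prefer parameters so the value never becomes part of the SQL text. The following is an added Python example, not code from any of the answers, that runs the three variants of the INSERT from the last question against an in-memory SQLite database: string concatenation (which fails on "I'm working hard" and, with a driver that accepts stacked statements, lets the constructed payload drop the table), apostrophe doubling, and bound parameters. SQLite's `execute()` refuses more than one statement per call, so `executescript()` stands in for a driver that allows stacking; the `tb_table` schema, the timestamps and the payload's `--` comment terminator are constructed for the example. The escaped variant also stores `a href="/sell-your-boat/"` untouched, which is the slash question's point: neither `/` nor `"` needs escaping inside a single-quoted literal.

```python
import sqlite3

# Added example. Schema, timestamps and payload are constructed for the demo,
# not taken from the applications in the questions above.
SCHEMA = "CREATE TABLE tb_table (postcontent TEXT, userid TEXT, posttime INTEGER)"

# Mirrors the answer's idea; "--" is the comment marker SQLite and MySQL share.
PAYLOAD = "', 'No-one', 0); DROP TABLE tb_table; --"


def fresh_db():
    con = sqlite3.connect(":memory:")
    con.execute(SCHEMA)
    return con


def insert_concat(con, content, user_id, ts):
    """The pattern from the question: values spliced into the SQL text.
    executescript() runs stacked statements, imitating a driver/API that
    allows them (an assumption made for the demonstration)."""
    sql = ("INSERT INTO tb_table (postcontent, userid, posttime) "
           f"VALUES ('{content}', '{user_id}', {ts})")
    con.executescript(sql)


def insert_escaped(con, content, user_id, ts):
    """Manual escaping: double each apostrophe and cast the number. Safe only
    because every string sits inside single quotes; nothing else, including
    / and double quotes, needs escaping."""
    esc = lambda s: str(s).replace("'", "''")
    sql = ("INSERT INTO tb_table (postcontent, userid, posttime) "
           f"VALUES ('{esc(content)}', '{esc(user_id)}', {int(ts)})")
    con.execute(sql)


def insert_param(con, content, user_id, ts):
    """Bound parameters: the value never touches the SQL text, so quotes,
    semicolons and comment markers inside it are plain data."""
    con.execute(
        "INSERT INTO tb_table (postcontent, userid, posttime) VALUES (?, ?, ?)",
        (content, user_id, ts))


def table_exists(con):
    row = con.execute("SELECT 1 FROM sqlite_master "
                      "WHERE type='table' AND name='tb_table'").fetchone()
    return row is not None


def posts(con):
    return [r[0] for r in
            con.execute("SELECT postcontent FROM tb_table ORDER BY rowid")]


def demo():
    out = {}
    con = fresh_db()                    # 1. an apostrophe breaks the statement
    try:
        insert_concat(con, "I'm working hard", "42", 1700000000)
        out["concat_apostrophe"] = "inserted"
    except sqlite3.OperationalError:
        out["concat_apostrophe"] = "syntax error"

    con = fresh_db()                    # 2. a stacked statement drops the table
    insert_concat(con, PAYLOAD, "42", 1700000000)
    out["table_after_injection"] = table_exists(con)

    con = fresh_db()                    # 3. escaped and bound values stay data
    insert_escaped(con, "I'm working hard", "42", 1700000000)
    insert_escaped(con, 'a href="/sell-your-boat/"', "42", 1700000000)
    insert_param(con, PAYLOAD, "42", 1700000000)
    out["stored"] = posts(con)
    out["table_after_safe_inserts"] = table_exists(con)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=>", value)
```

Note that the escaping in `insert_escaped` is SQL-standard apostrophe doubling, which is what SQL Server expects; for MySQL the driver's escape function or, better, `bind_param` as in the accepted answer does the equivalent job.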