INSERT INTO `liceo1`(`rut`, `admin`, `lname`, `fname`, `password`, `email`, `work`, `profesion`, `ciudad`, `phone`, `yearin`, `cursoin`, `profein`, `yearout`, `cursoout`, `profeout`, `comments`, `created`) VALUES (208090801,0,Sepda,Lautaro,Qwert123,ivan.sepdagmail.com,estudent, chief,nunoa,940429390,1950,4toB,ssss, 1960,6F,zaqw,ivanismeagain, 23/01/18 )
#1054 - Unknown column 'Sepda' in 'field list' using PHPADMIN

I fixed the email with no @ and eliminated all spaces and then it didn't like my lname...
Executing my PHP I get
Fatal error: Uncaught mysqli_sql_exception: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '@gmail.com,estudent, chief,nunoa,940429390...' at line 4 in C:\xampp\htdocs\liceo1\include\liceoFuncs.php:118 Stack trace: #0 C:\xampp\htdocs\liceo1\include\liceoFuncs.php(118): mysqli_query(Object(mysqli), 'INSERT INTO `li...') #1 C:\xampp\htdocs\liceo1\reglogcontact.php(21): register_exalumno(Object(mysqli)) #2 {main} thrown in C:\xampp\htdocs\liceo1\include\liceoFuncs.php on line 118


What I have tried:

I fixed the email with no @ and eliminated all spaces in between column variables, and then it didn't like my lname..
Updated 18-Jan-23 3:12am
Comments
Member 15627495 18-Jan-23 9:11am    
You have to surround all the string-type values with escaped double quotes:
... values (\"" .$string_1. "\" , \"" .$string_2. "\",\"" .$string_3. "\" , ". $integer_1 .",.... ) ; 

1 solution

It's saying that "Sepda" is a column name - which it is, because it's not delimited by the quotes that indicate it's a string value.

But your problem is worse than that: Never concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Always use Parameterized queries instead.

When you concatenate strings, you cause problems because SQL receives commands like:
SQL
SELECT * FROM MyTable WHERE StreetAddress = 'Baker's Wood'
The quote the user added terminates the string as far as SQL is concerned and you get problems. But it could be worse. If I come along and type this instead: "x';DROP TABLE MyTable;--" Then SQL receives a very different command:
SQL
SELECT * FROM MyTable WHERE StreetAddress = 'x';DROP TABLE MyTable;--'
Which SQL sees as three separate commands:
SQL
SELECT * FROM MyTable WHERE StreetAddress = 'x';
A perfectly valid SELECT
SQL
DROP TABLE MyTable;
A perfectly valid "delete the table" command
SQL
--'
And everything else is a comment.
So it does: selects any matching rows, deletes the table from the DB, and ignores anything else.

So ALWAYS use parameterized queries! Or be prepared to restore your DB from backup frequently. You do take backups regularly, don't you?

Change the whole query in your PHP to use parameters (and do every other query in your app at the same time) and the problem will disappear.
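What the solution recommends, as an added example that is not the asker's or the answerer's code: the asker's INSERT rewritten as a mysqli prepared statement with bound parameters. It assumes rut, admin, yearin and yearout are INT columns and the rest string or DATETIME columns, that $f holds the already-validated form fields under the asker's own variable names, and (unlike the original) hashes the password and uses a 'Y-m-d H:i:s' date literal.

```php
<?php
// Added example, not code from the question or the answer: the asker's INSERT
// rewritten as a mysqli prepared statement. Assumed: rut, admin, yearin and
// yearout are INT columns and the rest are VARCHAR/TEXT/DATETIME, and $f holds
// the already-validated form fields under the asker's variable names.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // SQL errors become exceptions

function register_exalumno(mysqli $db, array $f): int
{
    // Only '?' placeholders appear in the SQL text. A quote, an '@', a space
    // or a ';DROP TABLE' inside any field is sent as data, never parsed as SQL.
    $sql = 'INSERT INTO `liceo1` (`rut`, `admin`, `lname`, `fname`, `password`, `email`,
                `work`, `profesion`, `ciudad`, `phone`, `yearin`, `cursoin`, `profein`,
                `yearout`, `cursoout`, `profeout`, `comments`, `created`)
            VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)';
    $stmt = $db->prepare($sql);

    // Typed copies for the INT columns; bind_param takes its arguments by reference.
    $rut   = (int) $f['rutv'];
    $admin = (int) $f['admin'];
    $yin   = (int) $f['yin'];
    $yout  = (int) $f['yout'];
    // Store a password hash, never the plaintext the form submitted.
    $pwd   = password_hash($f['pwd'], PASSWORD_DEFAULT);
    // An unambiguous DATETIME literal instead of the 'y/m/d h:i:s' format.
    $date  = date('Y-m-d H:i:s');

    // One type letter per placeholder, in column order: i = integer, s = string.
    $stmt->bind_param(
        'iissssssssississss',
        $rut, $admin, $f['lname'], $f['fname'], $pwd, $f['email'], $f['work'],
        $f['grado'], $f['ciudad'], $f['phone'], $yin, $f['cursoin'], $f['profein'],
        $yout, $f['cursoout'], $f['profeout'], $f['story'], $date
    );
    $stmt->execute();

    return $stmt->affected_rows; // 1 when the row was inserted
}
```

Because the values never become part of the SQL text, the #1054 and #1064 errors above cannot occur no matter what the user types, and the same rewrite applies to every other query in the application.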
Comments
Ivan Sepulveda 18-Jan-23 10:44am    
I use variables for my Inserts/updates... I previously sent the contents of the variables: $sql="INSERT INTO `liceo1`(`rut`, `admin`, `lname`, `fname`, `password`, `email`, `work`,
`profesion`, `ciudad`, `phone`, `yearin`, `cursoin`, `profein`,
`yearout`, `cursoout`, `profeout`, `comments`, `created`)
VALUES ($rutv,$admin,$lname,$fname,$pwd,$email,$work,
$grado,$ciudad,$phone,$yin,$cursoin,$profein,
$yout,$cursoout,$profeout,$story, $date )";
$date=$date = date('y/m/d h:i:s');
echo INSERT INTO `liceo1`(`rut`, `admin`, `lname`, `fname`, `password`, `email`, `work`, `profesion`, `ciudad`, `phone`, `yearin`, `cursoin`, `profein`, `yearout`, `cursoout`, `profeout`, `comments`, `created`) VALUES (208090801,0,Sepulveda,Lautaro,Qwert1234,test@gmail.com,baby, chief,nunoa,940429390,2016,4toB,ssss, 2022,6 F,ssss,test, 23/01/18 04:39:35 )
Richard Deeming 19-Jan-23 6:28am    
Read the solution again. By inserting the variables directly into the query, your code is vulnerable to SQL Injection. NEVER use string concatenation/interpolation to build a SQL query. ALWAYS use a parameterized query.

PHP: SQL Injection - Manual
Ivan Sepulveda 18-Jan-23 10:46am    
PHPADMIN: MySQL said: Documentation

#1064 - You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '@gmail.com,baby, chief,nunoa,940429390,2016,4toB,ssss, 2022,6 F,ssss,test, 23...' at line 1
Ivan Sepulveda 18-Jan-23 10:50am    
I added double quotes for my date and now complains in #1064 - You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '@gmail.com,baby, chief,nunoa,940429390,2016,4toB,ssss, 2022,6 F,ssss,test, "2...' at line 1

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)