INSERT query has an infuriating error

I run a query on my mysql database and get,

image1920×1040 44.4 KB

image1920×1040 37.3 KB

Here is a query that woks

INSERT INTO devices ( rack_id, beginning_slot, ending_slot, device, width, beginning_x) VALUES ( 5, 16, 23, 'DELL OPTIPLEX 7010<br>Server 1', 15, 45);

difference?

Here is my query in PHP

print_r($_POST);

$width = isset($_POST['width']) ? $_POST['width'] : NULL;

$beginning_x = isset($_POST['beginning_x']) ? $_POST['beginning_x'] : NULL;
	  // Attempt insert query execution
$sql = "INSERT INTO devices (rack_id,back,beginning_slot,ending_slot,device,width,beginning_x) VALUES (
".$_POST[rack_id].",".$_POST[back].",".$_POST[beginning_slot].",".$_POST[ending_slot].",'".$_POST[device]."',".$width.",".$beginning_x.")";

Are the 2 variables even being set to NULL since they aren’t being set also?

oh, think I see (I added back)

that isn’t right, cause

image1920×1040 91.6 KB

image1920×1040 46.4 KB

$width = isset($_POST['width']) ? $_POST['width'] : NULL;

$beginning_x = isset($_POST['beginning_x']) ? $_POST['beginning_x'] : NULL;
	  // Attempt insert query execution
$sql = "INSERT INTO devices (rack_id,back,beginning_slot,ending_slot,device,width,beginning_x) VALUES (
".$_POST[rack_id].",".$_POST[back].",".$_POST[beginning_slot].",".$_POST[ending_slot].",'".$_POST[device]."',".$width.",".$beginning_x.")";

You realize you’re going to get a deluge of people hammering you about NEVER inserting unsanitized data into your query, right? PDO and parameterized queries are much safer and you should REALLY look into getting into the habit of using those methods all the time.

That being said, the quick and dirty answer would be to not reference those fields if they’re null

$fieldSQL = " rack_id,back,beginning_slot,ending_slot,device";
$valueSQL = $_POST[rack_id].",".$_POST[back].",".$_POST[beginning_slot].",".$_POST[ending_slot].",'".$_POST[device]."'";
if (isset($_POST['width'])) {
    $fieldSQL = $fieldSQL . ", width"
    $valueSQL = $valueSQL . "," . $_POST['width'];
}
if (isset($_POST['beginning_c'])) {
    $fieldSQL = $fieldSQL . ", beginning_x"
    $valueSQL = $valueSQL . "," . $_POST['beginning_x'];
}
$sql = "INSERT INTO devices (" . $fieldSQL . ") VALUES (" . $valueSQL . ")";

dude… look at where the error message tells you to look

you have two successive commas before the closing parenthesis

also, in future, PLEASE don’t post screenshots – just text, okay?

oh, I thought a , would just mean that value is nothing.

will do

when I run he query, I use

if(mysqli_query($conn, $sql)){

Does that help?

use NULL

maybe in the php forum, yeah, but not for me here

oh, ok thanks

I just did the quick & dirty way and got

Array
(
    [beginning_slot] => 0
    [ending_slot] => 6
    [beginning_x] => 
    [width] => 
    [orientation] => 1
    [device] => 4u
    [rack_id] => 43
)
ERROR: Could not execute INSERT INTO devices ( rack_id,orientation,beginning_slot,ending_slot,device, width, beginning_x) VALUES (43,1,0,6,'4u',,). You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ')' at line 1

using

echo "<pre>";print_r($_POST);echo "</pre>";
$fieldSQL = " rack_id,orientation,beginning_slot,ending_slot,device";
$valueSQL = $_POST[rack_id].",".$_POST[orientation].",".$_POST[beginning_slot].",".$_POST[ending_slot].",'".$_POST[device]."'";
if (isset($_POST['width'])) {
    $fieldSQL = $fieldSQL . ", width";
    $valueSQL = $valueSQL . "," . $_POST['width'];
}
if (isset($_POST['beginning_x'])) {
    $fieldSQL = $fieldSQL . ", beginning_x";
    $valueSQL = $valueSQL . "," . $_POST['beginning_x'];
}
$sql = "INSERT INTO devices (" . $fieldSQL . ") VALUES (" . $valueSQL . ")";

I thought those if statements would get rid of the last 2 fields and values since they are no set so I wouldn’t have them in the query?
If I need to put a value in there, how do I put in NULL instead of nothing?

as far as security goes, I’ve been using

which I thought was as secure as PDO, is it not

Then the values ARE set. You’ll need to check for a value in the field…

VALUES (43,1,0,6,'4u',,).

there’s your error right there

It’s not the extension that you use that determines if something is secure or not, it’s how you use that extension. It’s just as wasy to make code this vulnerable in PDO as well.
Prepared statements may be used in either mysqli or PDO. Using placeholders may even fix the issue with blank values (*though I’m not certain of that).

I’m sorry, but this concept is a little hard for me to wrap my head around,
When I do

echo "<pre>";print_r($_POST);echo "</pre>";
$fieldSQL = " rack_id,orientation,beginning_slot,ending_slot,device";
$valueSQL = $_POST[rack_id].",".$_POST[orientation].",".$_POST[beginning_slot].",".$_POST[ending_slot].",'".$_POST[device]."'";
if (empty($_POST['width'])) {
    $fieldSQL = $fieldSQL . ", width";
    $valueSQL = $valueSQL . "," . $_POST['width'];
}
if (empty($_POST['beginning_x'])) {
    $fieldSQL = $fieldSQL . ", beginning_x";
    $valueSQL = $valueSQL . "," . $_POST['beginning_x'];
}
$sql = "INSERT INTO devices (" . $fieldSQL . ") VALUES (" . $valueSQL . ")";

it results in

Array
(
    [beginning_slot] => 4
    [ending_slot] => 7
    [beginning_x] => 
    [width] => 
    [orientation] => 1
    [device] => D Panel
    [rack_id] => 44
)
ERROR: Could not execute INSERT INTO devices ( rack_id,orientation,beginning_slot,ending_slot,device, width, beginning_x) VALUES (44,1,4,7,'D Panel',,). You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ')' at line 1

since both the width and beginning_x values have nothing in them, shouldn’t both if statements change both variables in the INSERT to get rid of , width, beginning_x in he field part and those two ,s in the values part? Isn’t that what empty() tests for?

Your code adds those if the field is empty rather than if they are not empty or should I say !empty()

oh duh, thanks.

This topic was automatically closed 91 days after the last reply. New replies are no longer allowed.