I want to insert Arabic values, so I used this syntax:

$sql = "
    insert into sdka_creation (creation_time, sdka_for, creator_ip)
    values ('$creation_time',N\'$name\', '$creator_ip')
";

// or N"$name"

This gives me this error:

Fatal error: Uncaught TypeError: sqlsrv_rows_affected(): Argument #1 ($stmt) must be of type resource, bool given in C:\xampp\htdocs\quran\go.php:443 Stack trace: #0 C:\xampp\htdocs\quran\go.php(443): sqlsrv_rows_affected(false) #1 {main} thrown in C:\xampp\htdocs\quran\go.php on line 443

And another time:

$fnmae = N'$name';
$sql = "
    insert into sdka_creation (creation_time, sdka_for, creator_ip)
    values ('$creation_time','$fname', '$creator_ip')
";

This gives me a syntax error:

Syntax error: unexpected token ''$name''

How could this be solved?

Note: the DB column type is nvarchar.

Summary (all of these errors):

 $sql = "
     insert into sdka_creation (creation_time, sdka_for, creator_ip)
     values ('$creation_time',N\'$name\', '$creator_ip')
 ";

and:

$fnmae = N'$name';
  • Why are you injecting and not parametrising? That is the *real* problem. – Thom A Feb 09 '23 at 10:29
  • Not that it's the solution, because the solution is to parametrise, but this is great proof of why spelling your object/variable names correctly is important. It's *name* not *nmae*, and therefore `$fnmae` <> `$fname`. – Thom A Feb 09 '23 at 10:31
  • I corrected it .. same error appears – Ahmed Khaled El-Dakhly Feb 09 '23 at 10:32
  • Again, *parametrise*. [Why do we always prefer using parameters in SQL statements?](//stackoverflow.com/q/7505808) – Thom A Feb 09 '23 at 10:34
  • What exactly should be parametrized .. my code works successfully when I delete N' ' .. POV is this .. every parameter and spelling is ok – Ahmed Khaled El-Dakhly Feb 09 '23 at 10:35
  • *"what exactly should be parametrized"* Your variables. `values ('$creation_time','$fname'`, for example, is **injecting** the values from your PHP variables `$creation_time` and `$fname`; this is a **dangerous** and *fatal* security flaw. – Thom A Feb 09 '23 at 10:37
  • It's solved by **using parameters**. See https://stackoverflow.com/questions/57313946/how-to-add-parameters-to-my-query-using-sqlsrv-in-php as well as the PHP manual https://www.php.net/manual/en/function.sqlsrv-query.php . This can help with syntax problems, encoding problems, and also means you are not vulnerable to [SQL Injection](http://bobby-tables.com) attacks – ADyson Feb 09 '23 at 13:02
  • Does this answer your question? [Why do we always prefer using parameters in SQL statements?](https://stackoverflow.com/questions/7505808/why-do-we-always-prefer-using-parameters-in-sql-statements) – Nico Haase Jun 23 '23 at 12:34
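A parametrised version of the insert the comments recommend, added here as an example and not taken from the question or from any answer. It assumes the `sdka_creation` table from the question; the server name, database and credentials are placeholders, and the Arabic sample value is constructed.

```php
<?php
// Added example: parametrised INSERT with the sqlsrv extension.
// Connection details below are placeholders, not real credentials.
$conn = sqlsrv_connect('localhost', [
    'Database'     => 'quran',        // placeholder
    'UID'          => 'db_user',      // placeholder
    'PWD'          => 'db_password',  // placeholder
    'CharacterSet' => 'UTF-8',        // exchange PHP strings as UTF-8
]);
if ($conn === false) {
    error_log(print_r(sqlsrv_errors(), true));
    exit('connection failed');
}

// Placeholders instead of interpolated variables: the values never become
// part of the SQL text, so quoting, the N prefix and injection are no longer
// a concern. N'...' is literal syntax for constants inside the SQL itself,
// which is why N\'$name\' and $fnmae = N'$name' both produced errors.
$sql = "INSERT INTO sdka_creation (creation_time, sdka_for, creator_ip)
        VALUES (?, ?, ?)";

$creation_time = date('Y-m-d H:i:s');
$name          = 'عبد الرحمن';                       // constructed sample value
$creator_ip    = $_SERVER['REMOTE_ADDR'] ?? '127.0.0.1';

$params = [
    $creation_time,
    // Bind explicitly as NVARCHAR so the Unicode text reaches the nvarchar
    // column intact instead of passing through the varchar code page.
    [$name, SQLSRV_PARAM_IN, SQLSRV_PHPTYPE_STRING('UTF-8'), SQLSRV_SQLTYPE_NVARCHAR(200)],
    $creator_ip,
];

$stmt = sqlsrv_query($conn, $sql, $params);

// sqlsrv_query() returns false on failure. Checking it here is what prevents
// the "must be of type resource, bool given" TypeError from sqlsrv_rows_affected().
if ($stmt === false) {
    error_log(print_r(sqlsrv_errors(), true));
    exit('insert failed');
}
echo sqlsrv_rows_affected($stmt), " row(s) inserted\n";

sqlsrv_free_stmt($stmt);
sqlsrv_close($conn);
```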
