When I run this code:
string MySQL = "Select * From RegisterDatabase Where uName = '" + Request.Form["username"] +"'";
It didn't work for me, so I tried to see what the problem was and it turns out there's a comma in MySQL.
Select * From RegisterDatabase Where uName = 'Test,'
How do I fix this?
Your code is prone to SQL Injection attack.
You want to parameterized query like this -
string query = "Select * From RegisterDatabase Where uName = #username";
// Remove "," from username
string username = Request.Form["username"].ToString().Replace(",", "");
MySqlCommand command = new MySqlCommand(query);
command.Parameters.AddWithValue("#username", username);
Or some use ?username instead of #username.
Use following
Request.Form["username"].ToString().Replace(',',' ').Trim();
Related
I got this message, and I couldn't find any error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'where id ='null'' at line 1
I assumed this code was wrong, but it turned out it isn't.
ResultSet rs = stmt.executeQuery("select password" +
"from userinfo where id = '" + id + "';");
This is full code of error file.
private boolean checkLoginInfo(String id, String password) throws ServletException
{
Connection conn = null;
Statement stmt = null;
try
{
Class.forName("com.mysql.jdbc.Driver");
conn = DriverManager.getConnection(
"jdbc:mysql://localhost:3306/webdb", "root", "1234");
if (conn == null)
throw new Exception("can't connect to database.<BR>");
stmt = conn.createStatement();
ResultSet rs = stmt.executeQuery("select password" +
" from userinfo where id = '" + id + "';");
if (!rs.next())
return false;
String correctPassword = rs.getString("password");
if (password.equals(correctPassword))
return true;
else
return false;
}
There is a missing space between password and from:
select password" + "from userinfo where id = '" + id + "';"
Try this:
"SELECT password FROM `userinfo` WHERE id = '"+id+"'"
You should furthermore read about:
Escaping SQL queries
Authentication/Authorization (why do you select the password only?)
Code formatting
Edit 1:
The error messages tells us, you are setting the id to 'null' (String, because of ''), not NULL. If your id is expecting an Integer, but you are providing a String, it will break.
MySqlCommand command = new MySqlCommand(selectCmd, myConnection);
command.CommandText = "SELECT idtolistsubsoorten FROM `vogelsoort` WHERE id= MAX (id)and vogelsoort.naam =#vogelsoortnam";
command.Parameters.Add("#vogelsoortnaam", MySqlDbType.VarChar).Value = vogel.Soortnaam;
reader = command.ExecuteReader();
reader.Read();
while (reader.Read())
{
string idpape = reader.;
subid = Convert.ToInt64(idpape);
}
the reader keeps returning an null value
Your SQL query has a mistake: There are two FROM commands:
SELECT idtolistsubsoorten
FROM `vogelsoort`
WHERE id= MAX (id)
FROM `vogelsoort`
and vogelsoort.naam = #vogelsoortnam
Try using this one instead:
SELECT idtolistsubsoorten
FROM `vogelsoort`
WHERE id= MAX (id)
and vogelsoort.naam = #vogelsoortnam
Also, you can try executing the query in your dbms before running it in PHP, this way you will have an error message with more verbose.
are you mistaking in query you should write single or double quotas when you use string
command.CommandText = "SELECT idtolistsubsoorten FROM `vogelsoort` WHERE id= MAX (id) and vogelsoort.naam =#vogelsoortnam";
I created a 8 column table in SQL Server 2008. I entered data into 1st 2 column of the table and remaining columns I left allow nulls.
I am trying to add data to remaining 6 columns based on the data entered in 1st 2 columns, but I'm not able to add the data. Was leaving another 6 columns into "Allow nulls" caused this problem.
If yes, is there any solution for this?
Thanks.
string str = (#"Data Source=.\;AttachDbFilename=|DataDirectory|\Database.mdf;Integrated Security=True;User Instance=True;");
try
{
String sql = "(insert into usn (firstname, lastname, password, address, bloodgrp, contactnum, email) values (#st1, #st2, #st3, #st4, #st5, #st6, #st7) WHERE usn = '" + omd + "' )";
SqlConnection conn = new SqlConnection(str);
conn.Open();
SqlCommand cmd = new SqlCommand(sql, conn);
{
cmd.Parameters.AddWithValue("#st1", TextBox1.Text);
cmd.Parameters.AddWithValue("#st2", TextBox2.Text);
cmd.Parameters.AddWithValue("#st3", TextBox3.Text);
cmd.Parameters.AddWithValue("#st4", TextBox10.Text);
cmd.Parameters.AddWithValue("#st5", TextBox6.Text);
cmd.Parameters.AddWithValue("#st6", TextBox7.Text);
cmd.Parameters.AddWithValue("#st7", TextBox8.Text);
cmd.ExecuteNonQuery();
Response.Redirect("accountcreated.aspx");
conn.Close();
}
If you already have records in your table, you need to use UPDATE, not INSERT.
So, your query should be something like
UPDATE usn
SET firstname = #st1,
lastname = #st2,
password = #st3,
address = #st4,
bloodgrp = #st5,
contactnum = #st6,
email = #st7
WHERE usn = ...
You can't INSERT into a column, you use INSERT only to put data into a table (creating a record).
So, your sql String should look something like this.
String sql = "(UPDATE usn SET firstname = #st1, lastname = #st2, password = #st3, address = #st4, bloodgrp = #st5, contactnum = #st6, email = #st7 WHERE usn = '" + omd + "' )";
$query = "SELECT username, email, password, salt
FROM tbl_memembers
WHERE (username = $resetuser) OR (email = $resetuser)";
This keeps returning that there is nothing in the database, when I know for a fact that there is matching those details entered ($resetuser = $_POST from previous page)
Try with this query
$query = "SELECT username, email, password, salt
FROM tbl_memembers
WHERE username = '$resetuser' email = '$resetuser' ";
Is there a table namned 'tbl_memembers' or should it be 'tbl_members'? As #Abhik Chakraborty points out - the parameters should be surrounded by ''. Then again - shouldn't '' just declare $resetuser as a string, not the parameter name? I'm a .NET-developer and have no experience of PHP but in .NET any parameter must be surrounded by username = '" & parametername & "'.
I have an error updating my database because of variables. This is my code:
UPDATE `payment` SET `paid`=1 AND `amoun`=$amountpaid WHERE `paid`=0 AND `userid`=$uid
$amountpaid is the amount of the bill that the user paid and $uid is user id. It seems like using $ in front of variable names is forbidden. How can I use variables in SQL?
Where are your variables coming from? You probably want something like this if you're using JDBC:
int setPaid = 1;
int amountPaid = x; // put $amountpaid here
int wherePaid = 0;
int userId = y; // put $uid here
String updateQuery = "UPDATE payment SET paid = ?, amoun = ?"
+ " WHERE paid = ? AND userid = ?";
PreparedStatement ps = con.prepareStatement(updateQuery);
ps.setInt(1, setPaid);
ps.setInt(2, amountPaid);
ps.setInt(3, wherePaid);
ps.setInt(4, userId);
ps.executeUpdate();
I got the solution by using String.
I converted the ArrayList to a String and then sent the data as string. The data got updated but I don't know what will happen next if I want to view the data in the client tier...