I have a very simple MySQL query
$name = 'Long's Jewelers';
The query is,
$query = "SELECT callDetails.* , clients.* FROM callDetails JOIN clients ON clients.id = callDetails.userId WHERE storeName LIKE '%".$name."%'";
When i run this query i get error at
Long's JewelersYou have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's Jewelers%'' at line 1
What is wrong with this query? How can I fix the problem?
Solution using PDO
$query = $con->prepare("SELECT callDetails.* , clients.* FROM callDetails JOIN clients ON clients.id = callDetails.userId WHERE storeName LIKE :name");
$query->bindValue(':name',"%$name%",PDO::PARAM_STR);
$query>execute();
where $con is your connection
Solution using mysqli
mysqli_real_escape_string($con,$name);
Mysql is deprecated (if you are still using it)
mysql_real_escape_string($name);
In case of mysql/mysqli escape the string before $query. It will help you avoid sql injection
Write your variable like
$name = 'Long''s Jewelers';
and it'll work.
Try :
$name = 'Long''s Jewelers';
you can also use :
'Long\'s Jewelers';
you could use php function mysql_real_escape_string :
then try :
$name = "Long's Jewelers";
$name = mysql_real_escape_string($name);
see this document.
Related
I can't tell what is wrong here, i have tried replacing WHERE Id = '$id' and still not working. removing WHERE CLAUSE makes it works fine. Id variable does not have any problem it has it's value. can someone help me figure this out? thanks
$id = $_GET['id'];
$status = $con->exec("UPDATE wine SET ConfirmStatus = 'confirmed' WHERE Id = '".$id."' ");
Try it without enclosing the $id- value within ' ':
$status = $con->exec("UPDATE wine SET ConfirmStatus = 'confirmed' WHERE Id = ".$id);
If it then works, please still consider Gordon's comment regarding using parameters...
I have tried a million different solutions and cannot seem to figure this one out. I am (right now) just trying to pull all instances from the DB that the email and key match and display them but I keep getting
"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Key = abaa937f092451741dfe172e51f68f69 AND Email= test#test.com'"
Not sure where I am going wrong but it is likely a simple solution.
//check if the key is in the database
$check_key = mysqli_query($con, "SELECT * FROM confirm WHERE Key = '$key' AND Email= '$email'")
or die(mysqli_error($con));
while($row = mysqli_fetch_array($check_key)) {
echo $row['Email'] . " " . $row['Key'];
echo "<br>";
}
key is a reserved word in MySQL. Either use backticks to escape it or use another name.
SELECT * FROM confirm
WHERE `Key` = '$key' ...
This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
Best way to prevent SQL Injection in PHP
What is the best way to escape strings when making a query?
mysql_real_escape_string() seems good but I do not exactly know how to use it in properly.
Does this code do the job properly?
<?php
/* Let's say that the user types "'#""#''"\{(})#&/\€ in a textfield */
$newStr = mysql_real_escape_string($str);
$query = "INSERT INTO table username VALUES ($str)";
mysql_query($query);
?>
EDIT:
Now I have this code:
$email = $_POST['email'];
$displayName = $_POST['displayName'];
$pass = $_POST['pass1'];
$email = mysqli_real_escape_string($link, $email);
$displayName = mysqli_real_escape_string($link, $displayName);
$pass = mysqli_real_escape_string($link, $pass);
$insert = "INSERT INTO profiles (email, displayName, password)
VALUES ('$email', '$displayName', md5('$pass'))";
mysqli_query($link, $insert)
or die(mysqli_error($link));
But I get this error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '!"#!#^!"#!"#!"#^'''''' at line 1
If the user enters:
'**!"#!#^!"#!"*#!"#^''''
The best way is not to escape the string at all, but instead use a parameterized query, which does it for you behind the scenes.
Using mysql_real_escape_string like that will work, but you need to:
Add quotes around the value.
Use the result $newStr, not the original value $str.
Change the tablename to a name that isn't a reserved keyword.
Add parentheses around the column list.
Try this:
$query = "INSERT INTO yourtable (username) VALUES ('$newStr')";
I also suggest that you check the result of mysql_query($query) and if there is an error, you can examine the error message:
if (!mysql_query($query))
{
trigger_error(mysql_error());
}
You should also consider using one of the newer interfaces to MySQL. The old mysql_* functions are deprecated and should not be used in new code.
I am trying to query some tables in my database using a simple dropdown in which the name of the tables are listed. the query has only one record result showing the name and age of the youngest institute registered in the database!
$table = $_GET['table'];
$query = "select max('$table'.est_year) as 'establish_year' from '$table' ";
I need to send the name of the table as variable to the querier php file. no matter the method is GET or POST in both ways when I put the variable name in the query statement, it gives the error:
"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '.order) as 'last' from 'customers'' "
You are wrapping the table name in single quotes, which is not valid SQL (that's the syntax for strings, not table names). You should either not wrap the name at all or else wrap it in backticks (on the american keyboard layout, that's the key above TAB).
You should also not quote the alias established_year:
select max(`$table`.est_year) as establish_year from `$table`
Also, your code is vulnerable to SQL injection. Fix this immediately!
Update (sql injection defense):
In this case the most appropriate action would likely be to validate the table name against a whitelist:
if (!in_array($table, array('allowed_table_1', '...'))) {
die("Invalid table name");
}
single quote ('), in mysql, it represents string value.
SELECT *, 'table' FROM `table`;
Demo
So your query should be
$table = $_GET['table'];
$query = "select max($table.est_year) as 'establish_year' from $table ";
Also read old post, phpmyadmin sql apostrophe not working.
Also your code is vulnerable to SQL Injection. You can use something like this
//Function to sanitize values received from the form. Prevents SQL injection
function clean($str) {
$str = #trim($str);
if(get_magic_quotes_gpc()) {
$str = stripslashes($str);
}
return mysql_real_escape_string($str);
}
$firstName = clean($_POST['firstName']);
$lastName = clean($_POST['lastName']);
.
.
.
I'm new to CodeIgniter and I get an error I cannot understand.
This is the code that give the error:
$data = array('adr' => $address);
$this->db->where('id', $id);
$this->db->update('domains', $data);
The error is:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '://www.example.com WHERE id = '10'' at line 1
This is the query:
UPDATE `domains` SET `adr` = http://www.example.com WHERE `id` = '10'
If I change this to
UPDATE `domains` SET `adr` = 'http://www.example.com' WHERE `id` = '10'
it works. Why is CodeIgniter creating this erroneous query?
Try escaping the single quotes in the $address variable before you call the update method.
Generally the CodeIgniter will automatically surround the value of $address with a single quote. I do not know why did you get this error message?
Curious, see if it works when you escape the string use $this->db->escape()
$data = array('adr' => $this->db->escape($address));
$this->db->where('id', $id);
$this->db->update('domains', $data);
I have the same problem and codeigniter do not add single qoutes to where clause.
When you enter integer value, sql do not give error but when you put string value (as a variable) to where clause, it gives error. But when you add single quotes to query and run it on phpmyadmin, it works.
So the solution is adding (string) statement to your variable: as in this (string)$id
I wrote before to add single quotes to variable as '$id', but this will not going to work (I'm new to codeigniter&php, thanks to commenter Mitchell McKenna, I checked out what I wrote before)