I have a search function on my site which uses GET. I have been trying to code something that would take words out of the GET request and then search using SQL. This is what I've been able to do:
$id = $_GET["search"];
$searchTerms = explode(' ', $id);
$searchTermBits = array();
foreach ($searchTerms as $term) {
$term = trim($term);
if (!empty($term)) {
$searchTermBits[] = "Name LIKE '%$term%'";
}
}
$lol = mysql_query("SELECT * FROM database WHERE .implode(' AND ', $searchTermBits).")
I don't know what I'm doing wrong. I get the following error:
You have an error in your SQL syntax;
check the manual that corresponds to your MySQL server
version for the right syntax to use near '(' AND ', Array).' at line 1
$lol = mysql_query("SELECT * FROM database WHERE .implode(' AND ', $searchTermBits).")
should be
$lol = mysql_query("SELECT * FROM database WHERE ". implode(' AND ', $searchTermBits). "")
implode is just a part of the string in your case, you need to take it out from quotes:
mysql_query("SELECT * FROM database WHERE ".implode(' AND ', $searchTermBits))
You are using the PHP implode function inside the double quotes. Place it outside the double quotes like this:
mysql_query("SELECT * FROM database WHERE ".implode(' AND ', $searchTermBits))
I have a very simple MySQL query
$name = 'Long's Jewelers';
The query is,
$query = "SELECT callDetails.* , clients.* FROM callDetails JOIN clients ON clients.id = callDetails.userId WHERE storeName LIKE '%".$name."%'";
When I run this query I get this error:
Long's JewelersYou have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's Jewelers%'' at line 1
What is wrong with this query? How can I fix the problem?
Solution using PDO
$query = $con->prepare("SELECT callDetails.* , clients.* FROM callDetails JOIN clients ON clients.id = callDetails.userId WHERE storeName LIKE :name");
$query->bindValue(':name',"%$name%",PDO::PARAM_STR);
$query->execute();
where $con is your connection
Solution using mysqli
$name = mysqli_real_escape_string($con, $name);
Mysql is deprecated (if you are still using it)
$name = mysql_real_escape_string($name);
In the case of mysql/mysqli, escape the string before building $query. It will help you avoid SQL injection.
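The two questions above (the multi-term Name LIKE search built with implode, and the storeName LIKE lookup that breaks on the apostrophe in "Long's Jewelers") have the same fix: keep user text out of the SQL string and bind it as a parameter. The following is an added example, not code from either post; the table name products, the column name Name, and the DSN in the usage comment are assumptions. It also escapes the LIKE wildcards % and _ so that a user typing them searches for them literally.

```php
<?php
// Added example: multi-term LIKE search with PDO prepared statements.
// Table/column names and the DSN are assumptions, not from the original posts.

// Escape LIKE metacharacters in user input so "%" and "_" match literally;
// the generated SQL uses ESCAPE '!' to match this choice.
function escapeLikeTerm(string $term): string
{
    return str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $term);
}

// Returns [$sql, $params] for a whitespace-separated search string.
// Each term becomes its own placeholder; nothing the user typed enters the SQL text.
// $column is a code constant, never user input, because identifiers cannot be bound.
function buildNameSearch(string $raw, string $column = 'Name'): array
{
    $terms = array_values(array_filter(array_map('trim', explode(' ', $raw)), 'strlen'));
    if ($terms === []) {
        return ['SELECT * FROM products WHERE 1 = 0', []];   // empty search: no rows
    }
    $clauses = [];
    $params = [];
    foreach ($terms as $i => $term) {
        $clauses[] = "$column LIKE :t$i ESCAPE '!'";
        $params[":t$i"] = '%' . escapeLikeTerm($term) . '%';
    }
    return ['SELECT * FROM products WHERE ' . implode(' AND ', $clauses), $params];
}

function runSearch(PDO $pdo, string $raw): array
{
    [$sql, $params] = buildNameSearch($raw);
    $stmt = $pdo->prepare($sql);
    foreach ($params as $name => $value) {
        $stmt->bindValue($name, $value, PDO::PARAM_STR);
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage (assumed DSN and credentials):
// $pdo = new PDO('mysql:host=localhost;dbname=shop;charset=utf8mb4', 'user', 'pass', [
//     PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
//     PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
// ]);
// $rows = runSearch($pdo, $_GET['search'] ?? '');
// $rows = runSearch($pdo, "Long's Jewelers");   // the apostrophe is just data here
```

With native prepares the apostrophe in "Long's" never reaches the MySQL parser as syntax, so neither manual quoting nor mysql_real_escape_string is needed; the ESCAPE clause is what makes a searched-for "%" literal.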
Write your variable like
$name = 'Long''s Jewelers';
and it'll work.
Try:
$name = 'Long''s Jewelers';
You can also use:
'Long\'s Jewelers';
You could also use the PHP function mysql_real_escape_string; then try:
$name = "Long's Jewelers";
$name = mysql_real_escape_string($name);
See this document.
I have tried a million different solutions and cannot seem to figure this one out. I am (right now) just trying to pull all instances from the DB that the email and key match and display them but I keep getting
"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Key = abaa937f092451741dfe172e51f68f69 AND Email= test#test.com'"
Not sure where I am going wrong but it is likely a simple solution.
//check if the key is in the database
$check_key = mysqli_query($con, "SELECT * FROM confirm WHERE Key = '$key' AND Email= '$email'")
or die(mysqli_error($con));
while($row = mysqli_fetch_array($check_key)) {
echo $row['Email'] . " " . $row['Key'];
echo "<br>";
}
key is a reserved word in MySQL. Either use backticks to escape it or use another name.
SELECT * FROM confirm
WHERE `Key` = '$key' ...
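The same lookup written so that the reserved-word column is backtick-quoted and both values are bound as parameters, as an added example rather than the asker's code. It assumes $con is an open mysqli connection and that the mysqlnd driver is available (needed for get_result()).

```php
<?php
// Added example: confirm lookup with a quoted reserved-word identifier and
// bound parameters. $con (mysqli) and mysqlnd availability are assumptions.

// Raise exceptions on MySQL errors instead of "or die(mysqli_error($con))",
// which prints the server's error text to the visitor.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function findConfirmation(mysqli $con, string $key, string $email): array
{
    // `Key` must be backtick-quoted because KEY is a reserved word. Identifiers
    // cannot be bound, but the two values can, so a quote inside $key or $email
    // is data rather than SQL syntax.
    $stmt = $con->prepare(
        'SELECT `Key`, `Email` FROM `confirm` WHERE `Key` = ? AND `Email` = ?'
    );
    $stmt->bind_param('ss', $key, $email);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Usage: escape the values on the way out to HTML as well.
// foreach (findConfirmation($con, $_GET['key'] ?? '', $_GET['email'] ?? '') as $row) {
//     echo htmlspecialchars($row['Email']) . ' ' . htmlspecialchars($row['Key']) . '<br>';
// }
```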
I am currently attempting to update a specific record in my database; however, although I have checked the syntax thoroughly, Chrome is telling me that I have it wrong somewhere.
Any advice would be greatly appreciated.
$title = $_POST["title"];
$alttext = $_POST["alttext"];
$description = $_POST["description"];
$price = $_POST["price"];
$id = $_POST["ID"];
$insertQuery = "UPDATE cmsproducts SET Title = '$title', Alt_Text = '$alttext', Source = '$target_path', Description = '$description', Price = $price WHERE ID = $id";
// Save the form data into the database
if ($result = $connector->query($insertQuery)){
// It worked, give confirmation
echo '<center><b><span style="color: #FF0000;">Product added to the database</span></b></center><br /><br />';
}else{
// It hasn't worked so stop. Better error handling code would be good here!
echo('<center>Sorry, there was an error saving to the database</center>');
echo "<center><b>File Name:</b> ".$target_path."<br/>";
die(mysql_error());
}
I have tried the query without the variables to check if it was a problem there but it still screamed error at me:
Sorry, there was an error saving to the database
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'of test, Source=../images/Pictures/, Description=This is a test image of test ' at line 1
Always escape user input (mysql_real_escape_string) or use PDO and bind parameters. It seems that the $alttext variable has a quote or another special character in it. For example:
$title = mysql_real_escape_string($_POST["title"]);
$alttext = mysql_real_escape_string($_POST["alttext"]);
$description = mysql_real_escape_string($_POST["description"]);
$price = mysql_real_escape_string($_POST["price"]);
$id = mysql_real_escape_string($_POST["ID"]);
$insertQuery = "UPDATE cmsproducts SET Title = '$title',
Alt_Text = '$alttext', Source = '$target_path',
Description = '$description', Price = '$price' WHERE ID = '$id'";
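The UPDATE as a mysqli prepared statement with typed parameters, added here as an example and not taken from the post or the answer. Quoting '$price' and '$id' after escaping them works only because MySQL silently converts the strings; validating them as numbers and binding them with the right type avoids both the conversion and the injection risk of an unquoted number. It assumes $connector is a mysqli object and $target_path the upload path computed earlier in the script.

```php
<?php
// Added example: typed prepared UPDATE. $connector (mysqli) and $target_path
// are assumptions about the surrounding script.

function updateProduct(mysqli $db, array $post, string $target_path): int
{
    // Numeric fields are validated rather than escaped: escaping does nothing
    // for a value that sits unquoted in the SQL text.
    $id = filter_var($post['ID'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    $price = filter_var($post['price'] ?? null, FILTER_VALIDATE_FLOAT);
    if ($id === false || $price === false || $price < 0) {
        throw new InvalidArgumentException('ID must be a positive integer and price a non-negative number');
    }

    $title = (string) ($post['title'] ?? '');
    $alttext = (string) ($post['alttext'] ?? '');
    $description = (string) ($post['description'] ?? '');

    $stmt = $db->prepare(
        'UPDATE cmsproducts SET Title = ?, Alt_Text = ?, Source = ?, Description = ?, Price = ? WHERE ID = ?'
    );
    // Type string: s = string, d = double, i = integer, one letter per placeholder.
    $stmt->bind_param('ssssdi', $title, $alttext, $target_path, $description, $price, $id);
    $stmt->execute();
    $affected = $stmt->affected_rows;   // 0 when no row has that ID (or nothing changed)
    $stmt->close();
    return $affected;
}

// Usage:
// mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
// try {
//     $n = updateProduct($connector, $_POST, $target_path);
//     echo $n ? 'Product updated' : 'No product with that ID';
// } catch (mysqli_sql_exception $e) {
//     error_log($e->getMessage());   // keep server error text in the log, not on the page
//     echo 'Sorry, there was an error saving to the database';
// }
```

The original page mixed $connector->query() with die(mysql_error()), which reports on a different (mysql_*) connection and prints server errors to the browser; logging the exception and showing a generic message keeps the detail out of the response.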
It seems you're not escaping quotes, as your Description value must have a single quote inside. Use mysql_real_escape_string to escape quotes.
I'm working on a training course for PHP and I think the mysql syntax is outdated. This is the function
function get_subject_by_id($subject_id) {
global $connection;
$query = "SELECT * ";
$query .= "FROM subjects ";
$query .= "WHERE id=" . $subject_id ." ";
$query .= "LIMIT 1";
$result_set = mysql_query($query, $connection);
confirm_query($result_set);
if ($subject = mysql_fetch_array($result_set)) {
return $subject;
} else {
return NULL;
}
}
and I'm getting back this error:
Database query failed: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'LIMIT 1' at line 1
I'm not sure what I'm doing wrong here. Any help from someone who knows what might have changed in the syntax would be greatly appreciated.
$query = "SELECT *
FROM subjects
WHERE id = $subject_id
LIMIT 1";
Query fails because $subject_id is empty.
SELECT * FROM subjects WHERE id= LIMIT 1
Apparently $subject_id is causing the trouble; check whether the value is passed correctly.
Two wild guesses:
You did not quote / escape $subject_id which contains a string or something non-integer (such as FALSE, NULL or the empty string).
Even if this is not the cause, it makes your script vulnerable to SQL injection.
You are using a Mac for coding and have erroneously inserted a non-breaking space.
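get_subject_by_id() rewritten so that an empty or non-integer $subject_id is rejected before any SQL is built, which is the failure the answers above describe, and so that the id is bound rather than concatenated. This is an added example, not the course's code; it assumes $connection is a mysqli object (the mysql_* functions the course used were removed in PHP 7) and that mysqlnd is available for get_result().

```php
<?php
// Added example: integer-validated, parameterised lookup. $connection (mysqli)
// and mysqlnd availability are assumptions.

function get_subject_by_id(mysqli $connection, $subject_id): ?array
{
    // "", null, false, "abc" and "1 OR 1=1" all fail here, so the query can
    // neither become "WHERE id= LIMIT 1" nor carry an injected condition.
    $id = filter_var($subject_id, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null;
    }
    $stmt = $connection->prepare('SELECT * FROM subjects WHERE id = ? LIMIT 1');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $subject = $stmt->get_result()->fetch_assoc();   // null when no row matched
    $stmt->close();
    return $subject ?: null;
}

// Usage:
// mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
// $subject = get_subject_by_id($connection, $_GET['subj'] ?? '');
// if ($subject === null) { /* not found or bad id */ }
```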
If I type
'
into my search bar I get a MySQL error, as the "string" has not been escaped, I think.
But the reason why I can't escape it is because I don't think it currently is a string.
The search box generates search results dynamically with AJAX as I type, and it is when it finds the results that I get the error:
You have an error in your SQL syntax; check the manual that corresponds to
your MySQL server version for the right syntax to use near '%' OR Location
LIKE '%'%' OR Map LIKE '%'%' LIMIT 0, 16' at line 2
This is the mysql query:
<?php
if($_POST['q']!=""){
include $_SERVER['DOCUMENT_ROOT'] . "/include/datebasecon.php";
$result = mysql_query("
SELECT id, Name, Location, Map
FROM Accommodation WHERE Name LIKE '%".$_POST['q']."%' OR Location LIKE '%".$_POST['q']."%' OR Map LIKE '%".$_POST['q']."%' LIMIT 0, 16")
or die(mysql_error());
$output = "";
while($row = mysql_fetch_array($result)){
$N = preg_replace("/(".$_POST['q'].")/i","<span>$1</span>",$row['Name']);
$L = preg_replace("/(".$_POST['q'].")/i","<span>$1</span>",$row['Location']);
$M = preg_replace("/(".$_POST['q'].")/i","<span>$1</span>",$row['Map']);
$output .= "<p>".$N." - ".$L."</p>";
}
print $output;
}
?>
Is there any way I can fix this after it posts the query, maybe?
When magic_quotes_gpc is off (as it should be!), $_POST['q'] is simply the string ', as just one character. That's why it's appearing in your SQL code like this:
%' OR Location LIKE '%'%' OR Map LIKE '%'%' LIMIT 0, 16
The error takes place at '%'%' because the LIKE string is being prematurely terminated.
You can just use mysql_real_escape_string() on $_POST['q'] and it'll be escaped:
$q = mysql_real_escape_string($_POST['q']);
$result = mysql_query("
SELECT id, Name, Location, Map
FROM Accommodation WHERE Name LIKE '%".$q."%' OR Location LIKE '%".$q."%' OR Map LIKE '%".$q."%' LIMIT 0, 16")
or die(mysql_error());
You wrote "I don't think it currently is a string"... it is a string. You can pass it to mysql_real_escape_string() and use the result to make your query secure and reliable. Everything your script receives via the $_POST, $_GET, $_REQUEST and $_COOKIE parameters can be used as a string, unless it is an array.
To make you understand, look at your query:
LIKE '%search string%'
Note the apostrophes you have used to delimit the search string.
These apostrophes do mean that the data inside IS a string.
Everything you put in quotes into a query is a string.
Everything you put in quotes into a query must be escaped.
No need to think, consider or estimate. The rule is simple and unambiguous: quoted text should be always escaped.
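The AJAX search from the question above, rewritten as an added example (not the asker's or either answerer's code) with the term bound as a parameter instead of escaped. The original script also put the raw $_POST['q'] into preg_replace() as a pattern and into the HTML it prints, so the highlighting below uses preg_quote() and htmlspecialchars() for the same value. It assumes $con is a mysqli connection produced by the datebasecon.php include and that mysqlnd is available.

```php
<?php
// Added example: parameterised three-column LIKE search plus safe highlighting.
// $con (mysqli) and mysqlnd availability are assumptions.

// Escape LIKE metacharacters so a typed "%" or "_" is searched for literally.
function escapeLike(string $s): string
{
    return str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $s);
}

function searchAccommodation(mysqli $con, string $q, int $limit = 16): array
{
    $pattern = '%' . escapeLike($q) . '%';
    $stmt = $con->prepare(
        "SELECT id, Name, Location, Map FROM Accommodation
         WHERE Name LIKE ? ESCAPE '!' OR Location LIKE ? ESCAPE '!' OR Map LIKE ? ESCAPE '!'
         LIMIT ?"
    );
    // A lone apostrophe in $q is bound as data; it can no longer end the LIKE string.
    $stmt->bind_param('sssi', $pattern, $pattern, $pattern, $limit);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Wrap case-insensitive occurrences of $q in <span>. The text is HTML-escaped
// first and $q is treated as literal text (preg_quote), not as a regex.
function highlight(string $text, string $q): string
{
    $safe = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    if ($q === '') {
        return $safe;
    }
    $safeQ = htmlspecialchars($q, ENT_QUOTES, 'UTF-8');   // match against the escaped form
    return preg_replace('/(' . preg_quote($safeQ, '/') . ')/i', '<span>$1</span>', $safe);
}

function renderResults(mysqli $con, string $q): string
{
    $output = '';
    foreach (searchAccommodation($con, $q) as $row) {
        $output .= '<p>' . highlight($row['Name'], $q) . ' - ' . highlight($row['Location'], $q) . '</p>';
    }
    return $output;
}

// Usage:
// mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
// $q = $_POST['q'] ?? '';
// if ($q !== '') {
//     print renderResults($con, $q);
// }
```

Binding the pattern three times is deliberate: mysqli positional placeholders cannot be reused by name, and the LIMIT value is bound as an integer so it is never interpolated either.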