can anyone tell me the correct query to delete values from mysql db table,in my case the table name and id are accepted from the user and the row is deleted based on id.This is my query
sprintf(Query,"DELETE FROM ('%s') where id = (%d)",tb1,idt1) ;
/*table name is in form of string and id is int */
mysql_query(conn,Query);
You should remove parentheses around the table name:
sprintf(Query,"DELETE FROM '%s' where id = (%d)",tb1,idt1) ;
MySQL considers queries like this syntax errors:
delete from (mytable) where id=2;
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '(mytable) where id=2' at line 1
(I'll assume that you know everything about SQL injection attacks, and that neither tb1 nor idt1 are constructed from user input in any shape or form).
Related
Im trying to update a longtext type field called 'comment' using a simple sql query in mysql client like this :
Update mytable set comment='Test' where id = 1;
But i'm getting this error
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'comment='Test' where id = 1' at line 1
Am i missing something ?, thanks in advance.
comment is a reserved word, if you want to have a table/field with that name, you have to quote it (or use the table.fieldname syntax, in case of a field). default in mysql is the backtick for that, so:
update mytable set `comment`='Test' where id = 1;
Found it, it gets solved with this:
update mytable as a set a.comment='Test' where id = 1;
How can I select a MySQL table when the table name is in the URL format?
SELECT hash FROM 'http://www.mittelbayerische.de' WHERE time = '1465132682'
This will output following error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''http://www.mittelbayerische.de' WHERE time = '1465132682'' at line 1
Are you sure that's a table name?
Anyway assuming it is, you should be able to use backticks to quote the table name.
SELECT hash FROM `http://www.mittelbayerische.de` WHERE time = '1465132682'
I have a Chef recipe for creating Unix user IDs and deploying them across multiple nodes, to guarantee uniqueness and prevent devs from having to track them themselves. They merely name the application and it is granted a unique ID if an ID for that application doesn't already exist. If one does, it is simply returned to the script and user accounts are created on the webservers with the appropriate value.
I have a mysql database with a single table, called application_id_table which has two columns, id and application_name. id is autoincrementing and application name cannot be null (and must be unique).
Removing the Ruby from my script and making a couple of substitutions, my sql looks like this:
INSERT INTO application_id_table(application_name) VALUES('andy_test')
WHERE NOT EXISTS (select 1 from application_id_table WHERE
application_name = 'andy_test');
when run, I receive the syntax parsing error:
ERROR 1064 (42000): You have an error in your SQL syntax; check the
manual that corresponds to your MySQL server version for the right
syntax to use near 'WHERE NOT EXISTS (select 1 from
application_id_table WHERE application_name = 'a'
I recall seeing that the values statement does not allow a where clause but I don't wish to use a select statement to populate the values as I'm populating them from variables supplied from within Ruby/Chef. Anyone have an idea how to accomplish this?
You want to use insert . . . select:
INSERT INTO application_id_table(application_name)
SELECT aname
FROM (SELECT 'andy_test' as aname) t
WHERE NOT EXISTS (select 1 from application_id_table ait WHERE ait.application_name = t.aname);
You should be able to plug your variable directly into the select statement, the same you would would with the VALUES statement.
Try this:
INSERT INTO application_id_table(application_name)
select 'andy_test'
WHERE NOT EXISTS (select 1 from application_id_table WHERE application_name = 'andy_test');
The following select query works fine:
SELECT * FROM JBPM_JOB job WHERE job.ACTION_ IN (SELECT ID_ from JBPM_ACTION WHERE ACTIONEXPRESSION_ LIKE '%#{reminderAction.addAsyncProcessReminder%warning%');
However, when I try to delete the rows retrieved here, it fails
DELETE FROM JBPM_JOB job WHERE job.ACTION_ IN (SELECT ID_ from JBPM_ACTION WHERE ACTIONEXPRESSION_ LIKE '%#{reminderAction.addAsyncProcessReminder%warning%');
What is wrong here?
The error message is:
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'job WHERE job.ACTION_ IN (SELECT ID_ from JBPM_ACTION WHERE ACTIONEXPRESSION_ LI' at line 1
You need to specify you are deleting from the alias table, so use:
DELETE job FROM JBPM_JOB job WHERE job.ACTION_ IN (SELECT ID_ from JBPM_ACTION WHERE ACTIONEXPRESSION_ LIKE '%#{reminderAction.addAsyncProcessReminder%warning%');
i have tested the query in sql server. works fine but there is possible that the values you are deleting have some relationship with other table like PK and FK.
if they have then you have to delete the records from those tables too..........
Let's take the following vulnerable query ($id not being escaped):
SELECT * FROM table WHERE id = $id
Would it be possible in MySQL 5.x to modify some data through an UPDATE statement which would appear inside the hacked SELECT statement?
I thought about something using benchmark() function:
SELECT * FROM table WHERE id = id OR benchmark(1, (UPDATE ...))
But it doesn't seem to work:
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'UPDATE ...
Any other possibilities not using stored procedure?
Edit: and nor using multiple queries of course...
Depending on the driver this may pass:
SELECT * FROM table WHERE id = id; UPDATE table ...
Multiple queries.