error in update database - sql-server-2008

error ::
System.Data.SqlClient.SqlException:
Incorrect syntax near '='.
source code :
cn.Open();
Line 27: cmd = new SqlCommand("updat product set status ='" + s + "'", cn);
Line 28: cmd.ExecuteNonQuery();
Line 29: cn.Close();
Line 30: }

You realize you spelled update wrong?
Does s possibly have any apostrophe's in it's value? If so, you need to escape them, i.e., s.Replace("'", "''") (or better yet, use parameterized queries)
You have a possible SQL Injection vulnerability.
Are you sure you intend to update all of the products in the entire table?

Related

Python MySQL INSERT unicode

I'm trying to insert JSON data into an MySQL database:
def mapClients():
for d in devices:
clientMap = d['dot11.device']['dot11.device.associated_client_map'].keys()
for item in clientMap:
clientList = kr.device_by_mac(item)
times = kr.device_summary_since()
for c in clientList:
sqlMac = c['kismet.device.base.macaddr'],
sqlType = c['kismet.device.base.type'],
sqlManuf = c['kismet.device.base.manuf'],
ktime = c['kismet.device.base.last_time'],
for t in ktime:
sqlTime = time.strftime('%Y-%m-%d %H:%M:%S', time.localtime(t))
cur.execute("INSERT INTO devices(apID,mac,type,manuf,last_seen) VALUES(1,'" + str(sqlMac) + "','" + str(sqlType) + "','" + str(sqlManuf) + "','" + sqlTime + "');")
conn.commit()
mapClients()
This returns the following error:
pymysql.err.ProgrammingError: (1064, u"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'VALUES(1,'(u'58:E2:8F:CF:20:B3',)','(u'Wi-Fi Client',)','(u'Apple',)','20-10-201' at line 1")
I can see from the error that the various values are being suffixed with a 'u'. I understand through a lot of searching and learning that (I think) this means the data is unicode.
What I want to do is find a way of converting/decoding the data so the INSERT statements work. Some of the variables are tuples, some strings. Any help much appreciated.
You are inserting tuples, not strings; remove the trailing commas:
sqlMac = c['kismet.device.base.macaddr']
sqlType = c['kismet.device.base.type']
sqlManuf = c['kismet.device.base.manuf']
ktime = c['kismet.device.base.last_time']
sqlTime = time.strftime('%Y-%m-%d %H:%M:%S', time.localtime(ktime))
It’s the trailing comma that turns those expressions into tuples, and str() on a tuple gives you the container Unicode string as the u'....' representation that then clashes with the ' quoting you are adding.
Note that removes the need to loop over ktime!
Next, you really want to use SQL parameters, not string concatenation. Use placeholders instead of '" + str(...) + "', and leave handling of quoting to the database adapter:
cur.execute("""
INSERT INTO devices (apID, mac, type, manuf, last_seen)
VALUES (1, %s, %s, %s, %s)
""", (sqlMac, sqlType, sqlManuf, sqlTime))
The %s are the placeholders; depending on your exact MySQL Python library, you may need to use ? questionmarks instead.
Not only would this let you avoid having to think about quoting, it also removes a serious security issue: the JSON you load could contain a SQL injection attack and SQL parameters are the best way to neutralise that attack vector.
For the error message you posted, you have forgotten to place the closing parentheses before the VALUES in your SQL Query. The query should be like:
cur.execute("INSERT INTO devices(apID,mac,type,manuf,last_seen) VALUES(1,'" + str(sqlMac) + "','" + str(sqlType) + "','" + str(sqlManuf) + "','" + str(sqlTime) + "');")

Mysql error Invalid parameter number: parameter was not defined

This is my code. I'm unable to execute it.
This is the error message I get on the $db->execute(); line:
SQLSTATE[HY093]: Invalid parameter number: parameter was not defined'
$query = "UPDATE gateway_devices "
."SET coin_lat=:coin_lat, coin_lng=:coin_lng"
."WHERE nick_name=:nick_name AND gateway_id=:g_id AND device_id=:d_id";
$db->query($query);
$db->bind(':coin_lat', $coin_lat);
$db->bind(':coin_lng', $coin_lng);
$db->bind(':nick_name', $nick_name);
$db->bind(':g_id', $g_id);
$db->bind(':d_id', $d_id);
$db->execute();
all i had to do was add a space on line 2 before closing the double quote.
this is how the query looks like before and after adding the whitespace.
before - "UPDATE gateway_devices SET coin_lat=:coin_lat, coin_lng=:coin_lngWHERE nick_name=:nick_name AND gateway_id=:g_id AND device_id=:d_id"
after - "UPDATE gateway_devices SET coin_lat=:coin_lat, coin_lng=:coin_lng WHERE nick_name=:nick_name AND gateway_id=:g_id AND device_id=:d_id"

Syntax error in sql statement?

I am getting a syntax error in the following lines. I am not familiar with mysql so any pointers will be helpfull
ps = con.prepareStatement("INSERT INTO order(status,ordered_on,total_price,user_id) "
+ " VALUES(?,?,?,?)");
ps.setString(1,"pending");
ps.setTimestamp(2,date);
ps.setDouble(3,total_price);
ps.setInt(4,ID);
The error was
MySQL server version for the right syntax to use near 'order(status,ordered_on,total_price,user_id) VALUES('pending','2017-03-22 04:08' at line 1
The problemis that order is a reserved keyword for mysql ; so you have two solutions at your disposal
1 : if you are required some raison to use that work in case you case use backtick escapes `order`
2 : you can use plural for the tables name like orders
ps = con.prepareStatement("INSERT INTO `order`(status,ordered_on,total_price,user_id) "
+ " VALUES(?,?,?,?)");
ps.setString(1,"pending");
ps.setTimestamp(2,date);
ps.setDouble(3,total_price);
ps.setInt(4,ID);
This is q link to the mysal reserved keywords

Load Data Infile errors

In the syntax of load infile data i saw that the fields and line clauses are optional. So I used only character set clause for utf8
Here my sql:
cmd = new MySqlCommand("LOAD DATA INFILE " + filename + " INTO TABLE " + tblname + " CHARACTER SET 'UTF8'", conn);
filename is the addresse it's format is: "E:\Macdata\20131228\atelier.sql"
table name is directly taken from database is as : "atelier"
But I get the error : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'E:\Macdata\20131228\atelier.sql INTO TABLE atelier CHARACTER SET 'UTF8'' at line 1
What is the mistake in my query command ?
MYSQLversion is 5.0.10 with XAMPP
After changing the query I begin to receive fatal error number 0 (enclosed filename with ')
cmd = new MySqlCommand("LOAD DATA LOCAL INFILE '" + filename + "' IGNORE INTO TABLE " + tblname + " CHARACTER SET UTF8", conn);
My data file has this form which works on phpmyadmin
INSERT INTO `atelier` VALUES(1, 'Chateau Carbonnieux -1', '2013-12-26', 23, 10, 0, '4 macarons differents', 'mamie', '2013-12-15 11:09:14', 'sabrina', '2013-12-18 05:29:26');
As the error says, your statements is wrong. Quotes are missing in your first statement (see second statement). Check the syntax here:
http://dev.mysql.com/doc/refman/5.6/en/load-data.html
Some sparse notes:
0 is not a fatal error, it's the code for success.
IGNORE handles duplicate rows, not syntax errors.

mysql.connector.ProgrammingError in Python when insert data to table

I am writing a script to read data from a file by lines and insert each line into MySQL database. I use mysql.connector to do this. Here is a piece of script.
def insert_query(data):
return ("INSERT INTO " + tblname + " (`log`) " + "VALUES " + "(" + "'" + data + "'" + ")")
with open('data.txt', 'r') as f:
lines = f.readlines()
for line in lines:
add_line = insert_query(line)
cursor.execute(add_line)
cursor.commit()
File data.txt has size is 5Mbyte, but it has about 10000 lines.
tblname has 2 field: ID - INT (11) (auto-increment) , log - TEXT
When i run this script, it add to database about 100 lines and crashed. It report a error:
mysql.connector.errors.ProgrammingError: 1064 (42000): You have an
error in your SQL syntax; check the manual that corresponds to your
MySQL server version for ')'
MySQL version : 5.5.27
How to solve this problem ? Thanks.
Your insert statement is incorrect: 'tblname' is undefined in your function, hence the syntax error. However, there are bigger issues with how you solve it: what if a line in the log has quotes and brackets?
The following code show how to read data from a file and insert it line by line:
stmt = "INSERT INTO {table} (c1) VALUES (%s)".format(table=table_name)
with open('data.txt', 'r') as fp:
for line in fp:
data = (line.strip(),)
cur.execute(stmt, (line.strip(),))
cnx.commit()
Or using executemany(), which would be faster:
with open('data.txt', 'r') as fp:
cur.executemany(stmt, [(line.strip(),) for line in fp])
cnx.commit()