MYSQL Update Query syntax issues - mysql

I am currently attempting to update a specific record in my database; however, although I have checked the syntax thoroughly, Chrome is telling me that I have it wrong somewhere.
Any advice would be greatly appreciated.
$title = $_POST["title"];
$alttext = $_POST["alttext"];
$description = $_POST["description"];
$price = $_POST["price"];
$id = $_POST["ID"];
$insertQuery = "UPDATE cmsproducts SET Title = '$title', Alt_Text = '$alttext', Source = '$target_path', Description = '$description', Price = $price WHERE ID = $id";
// Save the form data into the database
if ($result = $connector->query($insertQuery)) {
    // It worked, give confirmation
    echo '<center><b><span style="color: #FF0000;">Product added to the database</span></b></center><br /><br />';
} else {
    // It hasn't worked so stop. Better error handling code would be good here!
    echo('<center>Sorry, there was an error saving to the database</center>');
    echo "<center><b>File Name:</b> ".$target_path."<br/>";
    die(mysql_error());
}
I have tried the query without the variables to check if it was a problem there but it still screamed error at me:
Sorry, there was an error saving to the database
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'of test, Source=../images/Pictures/, Description=This is a test image of test ' at line 1

Always escape user input (mysql_real_escape_string) or use PDO and assign parameters. It seems that the $alttext variable has a quote or other special character in it. For example,
$title = mysql_real_escape_string($_POST["title"]);
$alttext = mysql_real_escape_string($_POST["alttext"]);
$description = mysql_real_escape_string($_POST["description"]);
$price = mysql_real_escape_string($_POST["price"]);
$id = mysql_real_escape_string($_POST["ID"]);
$insertQuery = "UPDATE cmsproducts SET Title = '$title',
Alt_Text = '$alttext', Source = '$target_path',
Description = '$description', Price = '$price' WHERE ID = '$id'";

It seems you're not escaping quotes, as your column Description must have a single quote inside. Use mysql_real_escape_string to escape quotes.
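Added illustration, not code from the question or either answer: the same breakage reproduced in Python against an in-memory SQLite table that uses the question's column names and a constructed row. An alt text containing an apostrophe cuts the interpolated statement short exactly as the answers describe, while binding the values as parameters (the PDO-style approach the first answer mentions; SQLite has no mysql_real_escape_string, and that function went away with the mysql extension in PHP 7) sends the same text to the server without it ever touching the SQL. The form values and the "source" key standing in for $target_path are assumptions made for the example.

```python
import sqlite3

# Constructed form submission; the apostrophe in alttext is what breaks the
# interpolated statement. "source" stands in for the question's $target_path.
SAMPLE_FORM = {
    "title": "Test image",
    "alttext": "Picture of test's product",
    "source": "../images/Pictures/test.jpg",
    "description": "This is a test image of test",
    "price": "9.99",
    "id": "1",
}

def make_db():
    """In-memory table with the question's column names and one constructed row."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE cmsproducts (ID INTEGER PRIMARY KEY, Title TEXT, "
                "Alt_Text TEXT, Source TEXT, Description TEXT, Price REAL)")
    con.execute("INSERT INTO cmsproducts VALUES (1, 'old', 'old', 'old', 'old', 1.0)")
    return con

def update_interpolated(con, form):
    """Builds the UPDATE the way the question does: values pasted into the SQL text."""
    sql = ("UPDATE cmsproducts SET Title = '{title}', Alt_Text = '{alttext}', "
           "Source = '{source}', Description = '{description}', Price = {price} "
           "WHERE ID = {id}").format(**form)
    try:
        con.execute(sql)
        con.commit()
        return "ok"
    except sqlite3.OperationalError as e:
        # The quote inside alttext ends the string literal early, so the parser
        # sees "s product', Source = ..." and reports a syntax error.
        return f"error: {e}"

def update_parameterized(con, form):
    """Same UPDATE with placeholders; the driver passes the values separately,
    so quotes inside them never reach the SQL parser."""
    sql = ("UPDATE cmsproducts SET Title = ?, Alt_Text = ?, Source = ?, "
           "Description = ?, Price = ? WHERE ID = ?")
    con.execute(sql, (form["title"], form["alttext"], form["source"],
                      form["description"], float(form["price"]), int(form["id"])))
    con.commit()
    return con.execute("SELECT Alt_Text, Price FROM cmsproducts WHERE ID = ?",
                       (int(form["id"]),)).fetchone()

if __name__ == "__main__":
    con = make_db()
    print(update_interpolated(con, SAMPLE_FORM))
    print(update_parameterized(con, SAMPLE_FORM))
```

The float() and int() conversions mirror the column types: price and ID are numbers, so a non-numeric form value fails in the application with a clear exception instead of producing a half-formed statement.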

Related

SQL syntax; check the manual that corresponds to your MariaDB server version - delete query

I can't tell what is wrong here. I have tried replacing WHERE Id = '$id' and it still does not work. Removing the WHERE clause makes it work fine. The Id variable does not have any problem; it has its value. Can someone help me figure this out? Thanks.
$id = $_GET['id'];
$status = $con->exec("UPDATE wine SET ConfirmStatus = 'confirmed' WHERE Id = '".$id."' ");
Try it without enclosing the $id value within ' ':
$status = $con->exec("UPDATE wine SET ConfirmStatus = 'confirmed' WHERE Id = ".$id);
If it then works, please still consider Gordon's comment regarding using parameters...

SQL statement fails under Perl but works from the command line

I am trying to execute a script to update a database:
my $sql_hash_update = 'UPDATE user SET hash = $hash , updated = 1 WHERE id = $row[0]';
my $sth_hash_update = $dbh->prepare($sql_hash_update);
$sth_hash_update->execute();
I get the error that this is not proper syntax, but this works within SQL itself.
DBD::mysql::st execute failed: You have an error in your SQL syntax;
check the manual that corresponds to your MariaDB server version for
the right syntax to use near '[0]' at line 1 at conexion.pl line 32.
Any ideas what I am doing wrong?
You are using single quotes, so this statement
my $sql_hash_update = 'UPDATE user SET hash = $hash , updated = 1 WHERE id = $row[0]'
will not interpolate the values of $hash and $row[0] into the SQL statement. Instead they will be left as they are, and so the statement isn't valid SQL.
You could simply switch to double quotes, which do interpolate, but it is best to use placeholders like this
my $sql_hash_update = 'UPDATE user SET hash = ?, updated = ? WHERE id = ?';
my $sth_hash_update = $dbh->prepare($sql_hash_update);
$sth_hash_update->execute( $hash, 1, $row[0] );
That way you avoid the risk of code injection, and you need to prepare only once for many different execute calls.
Placeholders are valid wherever an expression is allowed in the SQL syntax. That means, for instance, you cannot provide a placeholder for a table name, because you couldn't put an expression there in an ordinary SQL statement.
Perl does not interpolate single quotes so $row[0] is not being expanded.
You want double quotes.
However, you should also pass $row[0] as a bind parameter.
Something like:
my $sql_hash_update = 'UPDATE user SET hash = ? , updated = 1 WHERE id = ?';
my $sth_hash_update = $dbh->prepare($sql_hash_update);
$sth_hash_update->execute($hash, $row[0]);
Use double quotes instead of single quotes:
my $sql_hash_update = "UPDATE user SET hash = $hash , updated = 1 WHERE id = $row[0]";

Checking if variables match table row in SQL

I have tried a million different solutions and cannot seem to figure this one out. I am (right now) just trying to pull all instances from the DB that the email and key match and display them but I keep getting
"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Key = abaa937f092451741dfe172e51f68f69 AND Email= test#test.com'"
Not sure where I am going wrong but it is likely a simple solution.
//check if the key is in the database
$check_key = mysqli_query($con, "SELECT * FROM confirm WHERE Key = '$key' AND Email= '$email'")
or die(mysqli_error($con));
while ($row = mysqli_fetch_array($check_key)) {
    echo $row['Email'] . " " . $row['Key'];
    echo "<br>";
}
key is a reserved word in MySQL. Either use backticks to escape it or use another name.
SELECT * FROM confirm
WHERE `Key` = '$key' ...
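Added example covering this answer and the placeholder remark in the Perl thread above; it is not code from either question or answer. It runs in Python against an in-memory SQLite table with constructed rows and the question's column names. Values go through placeholders, but a placeholder cannot stand in for a column or table name: a placeholder is an expression, so WHERE ? = ? just compares two bound strings and matches nothing, and a bound table name is a syntax error. Identifiers such as the reserved word Key are instead checked against an allowlist and quoted. SQLite quotes identifiers with double quotes where MySQL uses the backticks shown in the answer (SQLite also happens to accept Key unquoted, which MySQL does not). The allowlist and the sample rows are assumptions made for the example.

```python
import sqlite3

# Constructed rows; the key is a made-up 32-hex-digit value like the question's.
ROWS = [
    ("abaa937f092451741dfe172e51f68f69", "test@example.com"),
    ("0123456789abcdef0123456789abcdef", "other@example.com"),
]

# Assumed allowlist of column names the application may put into a statement.
ALLOWED_COLUMNS = {"Key", "Email"}

def make_db():
    con = sqlite3.connect(":memory:")
    # Quoted in the DDL too, so the reserved word never reaches the parser bare.
    con.execute('CREATE TABLE confirm ("Key" TEXT, "Email" TEXT)')
    con.executemany("INSERT INTO confirm VALUES (?, ?)", ROWS)
    return con

def quote_identifier(name):
    """Identifiers cannot be bound as parameters, so validate against the
    allowlist and quote. Standard SQL and SQLite use double quotes (doubling
    any embedded quote); MySQL uses backticks with the same doubling rule."""
    if name not in ALLOWED_COLUMNS:
        raise ValueError(f"unexpected column name: {name!r}")
    return '"' + name.replace('"', '""') + '"'

def find_by_key_and_email(con, key, email):
    """The question's SELECT done properly: quoted identifiers, bound values."""
    sql = (f"SELECT * FROM confirm WHERE {quote_identifier('Key')} = ? "
           f"AND {quote_identifier('Email')} = ?")
    return con.execute(sql, (key, email)).fetchall()

def column_name_as_parameter(con, key):
    """Binding the column name like a value: the statement is valid, but
    '? = ?' compares the string 'Key' with the key text, so nothing matches."""
    return con.execute("SELECT * FROM confirm WHERE ? = ?", ("Key", key)).fetchall()

def table_name_as_parameter(con):
    """Binding the table name: the parser expects a name, not an expression."""
    try:
        con.execute("SELECT * FROM ? WHERE 1", ("confirm",))
        return "ok"
    except sqlite3.OperationalError as e:
        return f"error: {e}"

if __name__ == "__main__":
    con = make_db()
    print(find_by_key_and_email(con, ROWS[0][0], ROWS[0][1]))
    print(column_name_as_parameter(con, ROWS[0][0]))
    print(table_name_as_parameter(con))
```

The silent zero-row result from column_name_as_parameter is the case to watch for: it raises no error, so a confirmation flow built that way would simply reject every key.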

Unknown column in 'where clause

I've read almost every single thread around the net about the Unknown column 'dfsd' in 'where clause' error.
The dfsd is the string that I entered through an HTML form using the POST method.
The PHP file (where the form's data are being sent) just checks if the line above is an existing user name.
function authCheck($usr,$psw){
    print $usr;
    mysql_real_escape_string($usr);
    $sql = "select usrNameMarket from marketusr where usrNameMarket=$usr";
    $result = mysql_query($sql) or die(mysql_error());
    $records=mysql_num_rows($result); // check for records
    if($records){
        $queryData=mysql_fetch_array($result);
        if($queryData['usrNameMarket']==$usr){
            $usrNameChk="ok";
        }
        else{
            $usrNameChk=null;
        }
    }
    else{
        $usrNameChk=null;
    }
rest of the file ....
I get the error from MySQL telling me the column doesn't exist (although the value has been passed correctly; that's why I used the print function, just to double-check it)...
I add the single quotes:
$sql = "select usrNameMarket from marketusr where usrNameMarket='$usr'";
Then I get a syntax error when mysql_query executes...
Then I tried
$sql = "select usrNameMarket from marketusr where usrNameMarket='".$usr."'";
Still I get the same syntax error.
I don't know what is wrong; I've tried everything...
Is it possible that I get that error because of the database structure or schema, or the data type of that field (which is varchar)?
Use marketusr.usrNameMarket instead of just usrNameMarket.
Try with:
$sql = "select usrNameMarket from marketusr where usrNameMarket='$usr'";

Syntax Error for around LIMIT

I'm working on a training course for PHP and I think the MySQL syntax is outdated. This is the function:
function get_subject_by_id($subject_id) {
    global $connection;
    $query = "SELECT * ";
    $query .= "FROM subjects ";
    $query .= "WHERE id=" . $subject_id ." ";
    $query .= "LIMIT 1";
    $result_set = mysql_query($query, $connection);
    confirm_query($result_set);
    if ($subject = mysql_fetch_array($result_set)) {
        return $subject;
    } else {
        return NULL;
    }
}
and I'm getting back this error:
Database query failed: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'LIMIT 1' at line 1
I'm not sure what I'm doing wrong here. Any help from someone who knows what might have changed in the syntax would be greatly appreciated.
$query = "SELECT *
FROM subjects
WHERE id = $subject_id
LIMIT 1";
Query fails because $subject_id is empty:
SELECT * FROM subjects WHERE id= LIMIT 1
Apparently the $subject_id is causing the trouble; check if the value is passed correctly.
Two wild guesses:
You did not quote / escape $subject_id which contains a string or something non-integer (such as FALSE, NULL or the empty string).
Even if this is not the cause, it makes your script vulnerable to SQL injection.
You are using a Mac for coding and have erroneously inserted a non-breakable space
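Added example for the two failure modes in this thread and the "Unknown column" thread above; it is Python against an in-memory SQLite database with constructed rows, not code from either question or any answer. Pasting an unquoted string into the WHERE clause makes the parser read dfsd as a column reference (MySQL's "Unknown column", SQLite's "no such column"), and pasting an empty id leaves "WHERE id= LIMIT 1" behind, which is the syntax error near 'LIMIT 1' the question shows. The fixed versions bind the value as a parameter and, for the integer id, reject anything that is not an integer before the database ever sees it. Table contents are assumptions made for the example.

```python
import sqlite3

def make_db():
    """Constructed tables named after the two questions."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE marketusr (usrNameMarket TEXT)")
    con.execute("INSERT INTO marketusr VALUES ('dfsd')")
    con.execute("CREATE TABLE subjects (id INTEGER PRIMARY KEY, menu_name TEXT)")
    con.execute("INSERT INTO subjects VALUES (1, 'About')")
    return con

def run_interpolated(con, sql):
    """Run a statement built by string pasting and report how the parser reacts."""
    try:
        return ("ok", con.execute(sql).fetchall())
    except sqlite3.OperationalError as e:
        return ("error", str(e))

def auth_check_interpolated(con, usr):
    # Unquoted value: the parser treats dfsd as a column name, not as a string.
    return run_interpolated(
        con, f"select usrNameMarket from marketusr where usrNameMarket={usr}")

def get_subject_interpolated(con, subject_id):
    # Empty id: "WHERE id= LIMIT 1" remains, so the parser stops at LIMIT.
    return run_interpolated(
        con, f"SELECT * FROM subjects WHERE id={subject_id} LIMIT 1")

def auth_check(con, usr):
    """Bound parameter: the text is compared with the column, never parsed."""
    row = con.execute("select usrNameMarket from marketusr where usrNameMarket = ?",
                      (usr,)).fetchone()
    return row is not None

def get_subject_by_id(con, subject_id):
    """Reject non-integer ids (empty string, None, text) before querying,
    then bind the integer; the statement is complete whatever the input."""
    try:
        subject_id = int(subject_id)
    except (TypeError, ValueError):
        return None
    return con.execute("SELECT * FROM subjects WHERE id = ? LIMIT 1",
                       (subject_id,)).fetchone()

if __name__ == "__main__":
    con = make_db()
    print(auth_check_interpolated(con, "dfsd"))
    print(get_subject_interpolated(con, ""))
    print(auth_check(con, "dfsd"), get_subject_by_id(con, "1"), get_subject_by_id(con, ""))
```

The int() check is what turns the second answer's guess (an empty or non-integer $subject_id) into a deterministic outcome: the function returns None for bad input instead of handing the server a statement that may or may not parse.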