I'm working on a training course for PHP and I think the mysql syntax is outdated. This is the function
function get_subject_by_id($subject_id) {
global $connection;
$query = "SELECT * ";
$query .= "FROM subjects ";
$query .= "WHERE id=" . $subject_id ." ";
$query .= "LIMIT 1";
$result_set = mysql_query($query, $connection);
confirm_query($result_set);
if ($subject = mysql_fetch_array($result_set)) {
return $subject;
} else {
return NULL;
}
}
and I'm getting back this error:
Database query failed: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'LIMIT 1' at line 1
I'm not sure what I'm doing wrong here. Any help from someone who knows what might have changed in the syntax would be greatly appreciated.
$query = "SELECT *
FROM subjects
WHERE id = $subject_id
LIMIT 1";
Query fails because $subject_id is empty.
SELECT * FROM subjects WHERE id= LIMIT 1
apparently the $subject_id is causing the trouble, check if the value is passed correctly.
Two wild guesses:
You did not quote / escape $subject_id which contains a string or something non-integer (such as FALSE, NULL or the empty string).
Even if this is not the cause, it makes your script vulnerable to SQL injection.
You are using a Mac for coding and have erroneously inserted a non-breakable space
Related
I have tried a million different solutions and cannot seem to figure this one out. I am (right now) just trying to pull all instances from the DB that the email and key match and display them but I keep getting
"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Key = abaa937f092451741dfe172e51f68f69 AND Email= test#test.com'"
Not sure where I am going wrong but it is likely a simple solution.
//check if the key is in the database
$check_key = mysqli_query($con, "SELECT * FROM confirm WHERE Key = '$key' AND Email= '$email'")
or die(mysqli_error($con));
while($row = mysqli_fetch_array($check_key)) {
echo $row['Email'] . " " . $row['Key'];
echo "<br>";
}
key is a reserved word in MySQL. Either use backticks to escape it or use another name.
SELECT * FROM confirm
WHERE `Key` = '$key' ...
I have a search function on my site which uses GET. I have been trying to code something that would take words out of the GET post and then search in using SQL. This is what I been able to do:
$id = $_GET["search"];
$searchTerms = explode(' ', $id);
$searchTermBits = array();
foreach ($searchTerms as $term) {
$term = trim($term);
if (!empty($term)) {
$searchTermBits[] = "Name LIKE '%$term%'"
}
}
$lol = mysql_query("SELECT * FROM database WHERE .implode(' AND ', $searchTermBits).")
I don't know what I'm doing wrong. I get the following error:
You have an error in your SQL syntax;
check the manual that corresponds to your MySQL server
version for the right syntax to use near '(' AND ', Array).' at line 1
$lol = mysql_query("SELECT * FROM database WHERE .implode(' AND ', $searchTermBits).")
should be
$lol = mysql_query("SELECT * FROM database WHERE ". implode(' AND ', $searchTermBits). "")
implode is just a part of the string in your case, you need to take it out from quotes:
mysql_query("SELECT * FROM database WHERE ".implode(' AND ', $searchTermBits))
you are using php implode function inside the double quote.place it outside the double quotes like this.
mysql_query("SELECT * FROM database WHERE ".implode(' AND ', $searchTermBits))
I've read almost every single thread around the net about the Unknown column 'dfsd' in 'where clause
the dfsd is the string that I entered through a html form using the post method..
the php file(where the forms data are being sent) just checks if the line above is an existing user name.
function authCheck($usr,$psw){
print $usr;
mysql_real_escape_string($usr);
$sql = "select usrNameMarket from marketusr where usrNameMarket=$usr";
$result = mysql_query($sql) or die(mysql_error());
$records=mysql_num_rows($result); //elenxw gia eggrafes
if($records){
$queryData=mysql_fetch_array($result);
if($queryData['usrNameMarket']==$usr){
$usrNameChk="ok";
}
else{
$usrNameChk=null;
}
}
else{
$usrNameChk=null;
}
rest of the file ....
I get the error from MySQL telling me the column doesn't exist (although the value has been passed correctly, that's why I used the print function just to double check it)...
I add the single quotes:
$sql = "select usrNameMarket from marketusr where usrNameMarket='$usr'";
Then I get a syntax error when mysql_query executes...
Then I tried
$sql = "select usrNameMarket from marketusr where usrNameMarket='".$usr."'";
Still I get the same syntax error.
I don't know what is wrong I've tried everything...
Is it possible that I get that error because of the database structure or scheme or the data type of that field(which is varchar)?
Use marketusr.usrNameMarket instead of just usrNameMarket
try with:
$sql = "select usrNameMarket from marketusr where usrNameMarket='$usr'";
This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
Best way to prevent SQL Injection in PHP
What is the best way to escape strings when making a query?
mysql_real_escape_string() seems good but I do not exactly know how to use it in properly.
Does this code do the job properly?
<?php
/* Let's say that the user types "'#""#''"\{(})#&/\€ in a textfield */
$newStr = mysql_real_escape_string($str);
$query = "INSERT INTO table username VALUES ($str)";
mysql_query($query);
?>
EDIT:
Now I have this code:
$email = $_POST['email'];
$displayName = $_POST['displayName'];
$pass = $_POST['pass1'];
$email = mysqli_real_escape_string($link, $email);
$displayName = mysqli_real_escape_string($link, $displayName);
$pass = mysqli_real_escape_string($link, $pass);
$insert = "INSERT INTO profiles (email, displayName, password)
VALUES ('$email', '$displayName', md5('$pass'))";
mysqli_query($link, $insert)
or die(mysqli_error($link));
But I get this error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '!"#!#^!"#!"#!"#^'''''' at line 1
If the user enters:
'**!"#!#^!"#!"*#!"#^''''
The best way is not to escape the string at all, but instead use a parameterized query, which does it for you behind the scenes.
Using mysql_real_escape_string like that will work, but you need to:
Add quotes around the value.
Use the result $newStr, not the original value $str.
Change the tablename to a name that isn't a reserved keyword.
Add parentheses around the column list.
Try this:
$query = "INSERT INTO yourtable (username) VALUES ('$newStr')";
I also suggest that you check the result of mysql_query($query) and if there is an error, you can examine the error message:
if (!mysql_query($query))
{
trigger_error(mysql_error());
}
You should also consider using one of the newer interfaces to MySQL. The old mysql_* functions are deprecated and should not be used in new code.
I am currently attempting to update a specific record in my database however although I have checked the syntax thoroughly chrome is telling me that I have it wrong somewhere.
Any advise would be greatly appreciated
$title = $_POST["title"];
$alttext = $_POST["alttext"];
$description = $_POST["description"];
$price = $_POST["price"];
$id = $_POST["ID"];
$insertQuery = "UPDATE cmsproducts SET Title = '$title', Alt_Text = '$alttext', Source = '$target_path', Description = '$description', Price = $price WHERE ID = $id";
// Save the form data into the database
if ($result = $connector->query($insertQuery)){
// It worked, give confirmation
echo '<center><b><span style="color: #FF0000;">Product added to the database</span></b></center><br /><br />';
}else{
// It hasn't worked so stop. Better error handling code would be good here!
echo('<center>Sorry, there was an error saving to the database</center>');
echo "<center><b>File Name:</b> ".$target_path."<br/>";
die(mysql_error());
}
I have tried the query without the variables to check if it was a problem there but it still screamed error at me:
Sorry, there was an error saving to the database
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'of test, Source=../images/Pictures/, Description=This is a test image of test ' at line 1
Always escape user input (mysql_real_escape_string) or use PDO and assign parameters. It seems that $alttext variable has quote or other special character in it. For example,
$title = mysql_real_escape_string($_POST["title"]);
$alttext = mysql_real_escape_string($_POST["alttext"]);
$description = mysql_real_escape_string($_POST["description"]);
$price = mysql_real_escape_string($_POST["price"]);
$id = mysql_real_escape_string($_POST["ID"]);
$insertQuery = "UPDATE cmsproducts SET Title = '$title',
Alt_Text = '$alttext', Source = '$target_path',
Description = '$description', Price = '$price' WHERE ID = '$id'";
It seems you're not escaping quotes as your column Description must have a single quote inside. Use mysql_real_escape_string to escape quotes.