Been staring at this all day and can't seem to figure out why my update statement fails to update the field 'image_filename':
$fileName = $_FILES['image_filename'];
if($fileName["name"] <> ""){
$imageFile = $fileName['name'];
$destination = "../../../../assets/resources/images/".$fileName['name'];
move_uploaded_file($fileName['name'], $destination);
}
$updateSQL = sprintf("UPDATE content SET image_filename='$imageFile' WHERE id=%s",
GetSQLValueString($_POST['resource_id'], "int"));
mysql_select_db($database_conn_talent, $conn_talent);
$Result1 = mysql_query($updateSQL, $conn_talent) or die(mysql_error());
Can a SQL pro tell me what I"m missing? Much thanks in advance for your feedback!
You appear to be building a query, but never executing it. Also, Drupal'll handle all the sprintfing for you, if you let it.
$query = "UPDATE content SET image_filename='$imageFile' WHERE id=%i";
db_query($query, $_POST['resource_id']);
Related
I am kind of new one for mysql and php. a week ago this code worked perfectly and when now I am trying it shows this error message
Error : You have an error in your SQL syntax; check the manual that
corresponds to your MariaDB server version for the right syntax to use
near 's product portfolio has diversified to encompass a highly
successful multi-brand' at line 1
I search how to solve that after spending a whole day, but couldn't figure it out.
I have tried similar questions here in stackoverflow, Yet I am stucked here.
A help would be really admired
Given below is my code
<?php
if(isset($_POST['upload']))
{ $company_name =$_POST['company_name'];
$service =$_POST['service'];
$email =$_POST['email'];
$password =$_POST['password'];
$details =$_POST['details'];
$fileName = $_FILES['Filename']['name'];
$fileName1 = $_FILES['Filename1']['name'];
$fileName2 = $_FILES['Filename2']['name'];
$fileName3 = $_FILES['Filename3']['name'];
$fileName4 = $_FILES['Filename4']['name'];
$target = "company_images/";
$fileTarget = $target.$fileName;
$fileTarget1 = $target.$fileName1;
$fileTarget2 = $target.$fileName2;
$fileTarget3 = $target.$fileName3;
$fileTarget4 = $target.$fileName4;
$tempFileName = $_FILES["Filename"]["tmp_name"];
$tempFileName1 = $_FILES["Filename1"]["tmp_name"];
$tempFileName2 = $_FILES["Filename2"]["tmp_name"];
$tempFileName3 = $_FILES["Filename3"]["tmp_name"];
$tempFileName4 = $_FILES["Filename4"]["tmp_name"];
$result = move_uploaded_file($tempFileName,$fileTarget);
$result1 = move_uploaded_file($tempFileName1,$fileTarget1);
$result2 = move_uploaded_file($tempFileName2,$fileTarget2);
$result3 = move_uploaded_file($tempFileName3,$fileTarget3);
$result4 = move_uploaded_file($tempFileName4,$fileTarget4);
$file = rand(1000,100000)."-".$_FILES['file']['name'];
$file_loc = $_FILES['file']['tmp_name'];
$file_size = $_FILES['file']['size'];
$file_type = $_FILES['file']['type'];
$folder="pdf_uploads/";
// new file size in KB
$new_size = $file_size/1024;
// new file size in KB
// make file name in lower case
$new_file_name = strtolower($file);
// make file name in lower case
$final_file=str_replace(' ','-',$new_file_name);//anthima
if(move_uploaded_file($file_loc,$folder.$final_file))
{
$query = "INSERT INTO company_details( company_name,service, email, password, details,image_path,file_name,image_path1,file_name1,image_path2,file_name2,image_path3,file_name3,file,type,size,image_path4,file_name4) VALUES ('$company_name','$service','$email','$password','$details','$fileTarget','$fileName','$fileTarget1','$fileName1','$fileTarget2','$fileName2','$fileTarget3','$fileName3','$final_file','$file_type','$new_size','$fileTarget4','$fileName4')";
$con->query($query) or die("Error : ".mysqli_error($con));
mysqli_close($con);
}
}
?>
<?php
Given below is the test data error
VALUES ('singer','Hardware','singer#gmail.com','singer','Singer has been in Sr' at line 1
Because you never sanitize anything and put the data straight into your query,
$company_name =$_POST['company_name'];
$service =$_POST['service'];
$email =$_POST['email'];
$password =$_POST['password'];
$details =$_POST['details'];
...
$query = "INSERT INTO
company_details( company_name,service, email, password, details,image_path,file_name,image_path1,file_name1,image_path2,file_name2,image_path3,file_name3,file,type,size,image_path4,file_name4)
VALUES (
'$company_name','$service','$email','$password','$details','$fileTarget','$fileName','$fileTarget1','$fileName1','$fileTarget2','$fileName2','$fileTarget3','$fileName3','$final_file','$file_type','$new_size','$fileTarget4','$fileName4'
)";
your problem is most likely in the data
's product portfolio has diversified to encompass a highly successful multi-brand
Maybe you have unscaped apostrophes in your data, so you're kinda SQL-injecting yourself. The query ends before the string shown in the error.
The solution is to escape special chars before inserting like in this question: How do I escape only single quotes?
In your case, start with the details
$details = addcslashes($_POST['details'], "'");
or
$details = addslashes($_POST['details']);
But keep adding test scenarios for your code. E.g. what happens if company name gets something like Mc'Donaldson? What is the set of chars you want to accept for each field? Then you will know how to validate those fields and create your functions (or reuse something)
I'm trying to use a variable from a row that is being selected from one table in a SELECT function targetted towards a second table. I tried doing this:
while ($row = mysqli_fetch_assoc($result)) {
$sender = $row['sender_id'];
$sql = "SELECT * FROM users WHERE user_id='$sender'";
$result = mysqli_query($conn, $sql);
while ($row2 = mysqli_fetch_assoc($result)) {
echo $row2['user_uid'];
}
}
I understand that this is not how you set a variable for each row, but I have no clue how it should be done otherwise. At the moment it only displays the username of the sender of the first notification in my inbox database, not the rest.
If anyone knows how to set a variable per row, please let me know. Thank you in advance.
I am developing a php script within the Joomla environment which queries the same table / database twice. Each time I need to know whether any matches are found.
It seemed that the best way would be to use the getNumRows(). The Joomla documentation is very specific on its use:
Miscellaneous Result Set Methods getNumRows()
getNumRows() will return the number of result rows found by the last
query and waiting to be read. To get a result from getNumRows() you
have to run it after the query and before you have retrieved any
results.
I follow this in my script. At the first query there is no problem, but the second query always throws up a warning - most likely because the getNumRows() call for the second time is after the retrieving results from the first query - which does not comply with the Joomla requirement.
Any ideas how to solve? Many thanks!
The part of my script in question reads:
$db = JFactory::getDBO();
$query = "SELECT * FROM #__art_mobiles WHERE user_agent_header='$ua'";
$db->setQuery($query);
$rowsAG = $db->getNumRows();
$replyAG = $db->loadRow();
if ($rowsAG == 0) {
//if no match check www.handsetdetection.com
//see https://www.handsetdetection.com/properties/vendormodel for current list of models in database together with headers
echo "not in local database - try external<br/>";
$prod = '';
if ($hd3->siteDetect()) {
$replyHD = $hd3->getReply();
$man = $replyHD['hd_specs']['general_vendor'];
$dev = $replyHD['hd_specs']['general_model'];
$os = $replyHD['hd_specs']['general_platform'];
echo "found in handsetdetection.com database<br/>";
//check for provisional match in local database
$query = "SELECT * FROM #__art_mobiles WHERE manufacturer='$man' AND device='$dev'";
$db->setQuery($query);
$rowsAGprov = $db->getNumRows();
$replyAGprov = $db->loadRow();
if ($rowsAGprov == 0) { **[ETC]**
I think this could be an issue with using $db->loadRow(); as getNumRows relies on an executed query.
For example you could try:
$db = JFactory::getDBO();
$query = "SELECT * FROM #__art_mobiles WHERE user_agent_header='$ua'";
$db->setQuery($query);
$replyAG = $db->query();
$rowsAG = $db->getNumRows();
And:
$query = "SELECT * FROM #__art_mobiles WHERE manufacturer='$man' AND device='$dev'";
$db->setQuery($query);
$replyAGprov = $db->query();
$rowsAGprov = $db->getNumRows();
Though I am not sure what/if the difference will be between the results returned from query and loadRow. It would be worth experimenting and seeing if this works.
Alternately, if you are only using getNumRows to see if a record exists, you could do some kind of check on your $replyAG variable instead. It again might be worth experimenting to see what loadRow returns if there are no results.
You need to add the following code before you write the the query:
$query = $db->getQuery(true);
You need to use
$db = JFactory::getDbo();
$query = $db->getQuery(true)
->select($db->qn(array('id')))
->from($db->qn('#__social_notifications'))
->where($db->qn('status') . ' = ' . $db->q(0));
$db->setQuery($query);
$db->execute();
$resultData = $db->getNumRows();
Perhaps I am just being a complete idiot but I am trying to insert a record into a MySQL table but it doesn't seem to be working. When I test it (i.e. get the script to echo the values so I can check that they are being posted by the form), they are being sent but the query isn't posting to the database. Like I said, perhaps I am being a complete idiot but I felt that perhaps a fresh set of eyes might speed up my troubleshooting because I have been fighting with this issue for the past 2 hours!
Here is the code:
// Connects to your Database
mysql_connect("localhost", "dbuser", "dbpword") or die(mysql_error());
mysql_select_db("dbname") or die(mysql_error());
// Get Variables
$sectorid = $_POST['sectorid'];
$parentid = $_POST['parentid'];
$sectorname = $_POST['sectorname'];
$status = $_POST['status'];
$creon = $_POST['creon'];
$creby = $_POST['creby'];
$modon = $_POST['modon'];
$modby = $_POST['modby'];
//Insert Record
mysql_query("INSERT INTO cand_emp_sector (sectorid, parentid, sectorname, status, creon, creby, modon, modby)
VALUES ('$sectorid', '$parentid', '$sectorname', '$status', '$creon', '$creby', '$modon', '$modby)");
//On completion, redirect to next page
header("Location: canddb.new.7i.php");
Any assistance would be greatly appreciated.
Thanks
you are missing a quote at the end
, '$modby')");
^---------here
Check the result for errors:
$result = mysql_query("INSERT INTO cand_emp_sector (sectorid, parentid, sectorname, status, creon, creby, modon, modby)
VALUES ('$sectorid', '$parentid', '$sectorname', '$status', '$creon', '$creby', '$modon', '$modby)");
if($result === false) die('query failed..');
I know I am simply missing the simplest thing here but cant seem to figure it out.
so this works with this code but changes all rows of the database as opposed to just the one with the page id...
<? $pageid= $_GET["id"];
$sql = "SELECT id, first_name, last_name, email, bio, job, job2, job3 FROM `".weapons."` WHERE id = $pageid";
if(isset($_POST['Update']))
{
$first_name = $_POST['first_name'];
$last_name = $_POST['last_name'];
$job = $_POST['job'];
$job2 = $_POST['job2'];
$job3 = $_POST['job3'];
$bio = $_POST['bio'];
$email = $_POST['email'];
$sql = "UPDATE weapons SET first_name='$first_name', email='$email' , job='$job', job2='$job2', job3='$job3', bio='$bio', last_name='$last_name'";
if (#mysql_query($sql)) {
echo('<p>Update Complete</p>');
} else {
echo('<p>Error updating: ' . mysql_error() . '</p>');
}
}else{ ...
however when adding the WHERE clause, like as follows
$sql = "UPDATE weapons SET first_name='$first_name', email='$email' , job='$job', job2='$job2', job3='$job3', bio='$bio', last_name='$last_name' WHERE id = $pageid";
I get an error
Error updating: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
Any help would be great, thanks
EDIT
I actually missed a super easy thing, which is what I initially assumed, I had at first in my form had <form method='post' enctype='multipart/form-data' action='submit.php'> however that obviously messed up the get id because there isnt an idea, so even if that page was submit.php?id=4 when you hit submit it wouldnt run because the id would be gone.
Switching the code to <form method='post' enctype='multipart/form-data' action='#'> did just the trick.
Thanks for the help guys and I am looking into the sql injection now and working on how to better secure my site.
Please escape your strings before you create your SQL statement. Various characters in your input values will both break your query and open a HUGE security hole. That may very well be your problem. Look at this post for more info How can I prevent SQL injection in PHP?
In short, you assignments would look like this:
$first_name = mysql_real_escape_string($_POST['first_name']);
echo $sql; before you run it and post what that outputs.