I am trying to get the details of a person using their id, I have the following code and it's showing me an error.
$id = isset($_GET['id']) ? isset($_GET['id']) : "";
$sql = "SELECT * FROM `ArtListing` where `id` = $id";
$result = $conn->query($sql);
if (!$result) {
die("Query failed " . $conn->error);
}
if ($result->num_rows > 0) {
while ($row = $result->fetch_assoc()) {
echo $row["id"] . "." . $row["name"] ;
}
}
If I use where the id is some random number like it gives me back the details. The error it's showing me is as follows:
Query failed You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
It looks like the id you're grabbing is undefined.
You should assign the $id variable as:
$id = isset($_GET['id']) ? $_GET['id'] : "0";
You cannot simply put a variable inside a string.
You need to properly concatenate it to become a part of a string, as follows:
$sql = "SELECT * FROM `ArtListing` where `id` = '".$id."'";
You can test this code here
https://www.tehplayground.com/3HcoDppV0jAqdCYP
Take a look at combination of double quotes and single quotes.
Your SQL query string is created as follows
SELECT * FROM `ArtListing` where `id` = yourid; <-- incorrect
Whereas as per SQL syntax there should be single quotes
SELECT * FROM `ArtListing` where `id` = 'yourid'; <-- check single quotes around 'yourid'
I’m trying to use "group by" instead of "DISTINCT" in my PHP file to select some rows that all have a specific column value, and it’s "idchat".
And I want to get more than one column.
Please help me!
I’ve checked every page but I didn’t understand anything.
<?php
$connection = mysqli_connect("localhost","---","pass","---");
$id = $_GET["id"];
$mobile = $_GET["mobile"];
$idchat = $_GET["idchat"];
if (strpos($mobile, '9') !== false) {
$query = "SELECT DISTINCT a,b,c,d,idchat FROM database where mobile = '$mobile' ORDER BY id DESC";
$result = mysqli_query($connection,$query);
while ($row = mysqli_fetch_assoc($result)) {
$array[] = $row;
}
header('Content-Type:Application/json');
echo json_encode($array);
}
mysqli_close($connection);?>
and this code gives me this error:
Warning: mysqli_fetch_assoc() expects parameter 1 to be mysqli_result, boolean given in /home/---/test.php on line 12
See next output:
mysql> SELECT * FROM database;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'database' at line 1
mysql> SELECT * FROM mytable;;
ERROR 1146 (42S02): Table 'test.mytable' doesn't exist
ERROR:
No query specified
mysql>
The first query is not understood because database is a reserved word. You should not use that to name a table. A workaround is to add backquotes around the name:
mysql> SELECT * FROM `database`;
ERROR 1146 (42S02): Table 'test.database' doesn't exist
mysql>
"Could you correct my codes please?": Ok, but untested:
<?php
$connection = mysqli_connect("localhost","---","pass","---");
$id = $_GET["id"];
$mobile = $_GET["mobile"];
$idchat = $_GET["idchat"];
if (strpos($mobile, '9') !== false) {
$query = "SELECT DISTINCT a,b,c,d,idchat,id FROM `database` where mobile = '$mobile' ORDER BY id DESC";
$result = mysqli_query($connection,$query);
if ($result) {
while ($row = mysqli_fetch_assoc($result)) {
$array[] = $row;
}
header('Content-Type:Application/json');
echo json_encode($array);
}
else {
echo mysqli_error($connection);
}
}
mysqli_close($connection);?>
I also did add id to the query because of comment from #Raymond
I am making a public profile system, like Facebook, YouTube...
When a user registers, it creates his own profile with his info and gives it a URL like "www.mysite.com/userprofile.php?id=1" that can be seen by anyone without signing in. Anyone that visits that URL can see the profile; userprofile.php gets the data from the database.
Here is my code:
<?php
$id = $_GET["id"];
$query = ("SELECT username,email FROM table WHERE id=" . $id . " LIMIT 1");
$result = mysql_query($query) or die(mysql_error());
while($row = mysql_fetch_array($result)){
echo $row['username']. " - ". $row['email']; }
?>
It works: when visiting "www.mysite.com/userprofile.php?id=1" it gets the info of the user that has the id 1, then echoes it. But when I visit "www.mysite.com/userprofile.php" it gives this SQL error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'LIMIT 1' at line 1
Even when I delete the "LIMIT 1" it gives this error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
And one more thing: if anyone fixes the error, can you tell me how to make "www.mysite.com/userprofile.php?id=1" into "www.mysite.com/user1" and how to return a 404 error when the user profile doesn't exist?
And is there any way to secure it from SQL injection?
Thanks in advance :)
When you navigate to /userprofile.php instead of /userprofile.php?id=123 you're essentially running this query:
SELECT username,email FROM table WHERE id= LIMIT 1
Which is an invalid SQL statement. There's a number of ways to fix it, but the easiest would probably be something like this:
<?php
$id = $_GET["id"];
if(!empty($id)) {
// typecast it for at least a little security
$query = ("SELECT username,email FROM table WHERE id=" . (int) $id . " LIMIT 1");
$result = mysql_query($query) or die(mysql_error());
while($row = mysql_fetch_array($result)){
echo $row['username']. " - ". $row['email']; }
} else {
echo "Please provide a user ID.";
}
This checks if the user ID is set and that it's not empty, and typecasts it to an int before running the query.
With that said, you should really look into mysqli or PDO for this kind of thing.
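The answer's closing advice (mysqli or PDO), combined with the question's requests for a 404 and for SQL injection protection, as an added example that is not part of the original posts. It assumes PDO with an in-memory SQLite database standing in for the MySQL server; the users table, its rows and the function name profile_response are constructed for illustration.

```php
<?php
// Added example: constructed table and rows; in-memory SQLite so it runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)');
$pdo->exec("INSERT INTO users VALUES (1, 'alice', 'alice@example.test'), (2, 'bob', 'bob@example.test')");

/**
 * Hypothetical helper: returns [HTTP status, body] for a raw ?id= value
 * (null when the parameter is absent).
 */
function profile_response(PDO $pdo, ?string $rawId): array
{
    // Accept only a positive integer. null, "" and "1abc" all fail here,
    // so a missing id can never produce "WHERE id= LIMIT 1".
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return [400, 'Please provide a numeric user ID.'];
    }

    // The value is bound as data; it is never concatenated into the SQL text.
    $stmt = $pdo->prepare('SELECT username, email FROM users WHERE id = :id LIMIT 1');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return [404, 'Profile not found.'];
    }

    // Escape on output as well: stored profile data is untrusted too.
    $body = htmlspecialchars($row['username'] . ' - ' . $row['email'], ENT_QUOTES, 'UTF-8');
    return [200, $body];
}

// In userprofile.php this would be:
//   [$status, $body] = profile_response($pdo, $_GET['id'] ?? null);
//   http_response_code($status); echo $body;
foreach (['1', null, '', '1abc', '999'] as $raw) {
    [$status, $body] = profile_response($pdo, $raw);
    printf("%-6s => %d %s\n", var_export($raw, true), $status, $body);
}
```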
I am getting the below error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'testing order by id'
Here is the main page:
echo "<div ><a href='secondpage.php?title=".urlencode($row['title'])."'>".wordwrap($row['title'], 35, "<br />\n", true)."</a></div>";
And here is the second page the error is appearing on. The address bar reads http://localhost/secondpage.php?title=more+testing
<?php
$mydb = new mysqli('localhost', 'root', '', 'test');
$sql = "SELECT * FROM test where urlencode(title) =".$_GET['title']" order by id ";
$result = $mydb->query($sql);
if (!$result) {
echo $mydb->error;
}
?>
<div>
<?php
while( $row = $result->fetch_assoc() ){
echo $row['firstname'];
}
$mydb->close ();
?>
</div>
You want to use urldecode to decode the encoded string in your query:
$title = urldecode($_GET['title']);
$sql = "SELECT * FROM test where title = '$title' order by id";
I'm assuming you have a column named title in your test table. I don't think MySQL has urlencode function unless you have a procedure by that name which functions exactly like PHP's urlencode.
Update:
Thanks to #GeorgeLund, who pointed out the point of SQL Injection. Important topic which I missed earlier during answering your question. Please have a look at: https://www.owasp.org/index.php/SQL_Injection
At the very least, please update your code to the following:
$title = urldecode($_GET['title']);
$title = $mydb->real_escape_string($title); // Addition; escaping needs the open connection ($mydb from the question)
$sql = "SELECT * FROM test where title = '$title' order by id";
$sql = "SELECT * FROM test where urlencode(title) ='".$_GET['title']."' order by id ";
Try like
$sql = "SELECT * FROM test WHERE urlencode(title) = ".$_GET['title']." ORDER BY id ";
You missed . leads syntax go away.
As far as I know SQL does not have function urlencode and why would you even want to urlencode the column name?
Also to store the encoded title string which is received from the last page you should decode the encoded title
So here is what I think you meant to do.
$sql = "SELECT * FROM test WHERE title = '".urldecode($_GET['title'])."' order by id ";
Please try this code using urldecode
$sql = "SELECT * FROM test where title ='".urldecode($_GET['title'])."' order by id ";
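An added example, not taken from any of the posts above, that runs the quoted-concatenation query and a bound-parameter query side by side for the ?title= lookup. It assumes PDO with an in-memory SQLite database in place of MySQL; the rows and the function names are constructed for illustration.

```php
<?php
// Added example: constructed table and rows; in-memory SQLite so it runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE test (id INTEGER PRIMARY KEY, title TEXT, firstname TEXT)');
$pdo->exec("INSERT INTO test (title, firstname) VALUES ('more testing', 'Ann'), ('it''s a test', 'Raj')");

// parse_str() parses a query string the way PHP fills $_GET: "+" and %XX
// sequences are already decoded, so no urldecode() is applied afterwards.
function title_from_query(string $queryString): string
{
    parse_str($queryString, $params);
    return (string) ($params['title'] ?? '');
}

// Quoted concatenation: the title becomes part of the SQL text itself.
function find_concatenated(PDO $pdo, string $title): array
{
    $sql = "SELECT firstname FROM test WHERE title = '" . $title . "' ORDER BY id";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Bound parameter: the title travels as data and is never parsed as SQL.
function find_bound(PDO $pdo, string $title): array
{
    $stmt = $pdo->prepare('SELECT firstname FROM test WHERE title = ? ORDER BY id');
    $stmt->execute([$title]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed query strings: one plain title, one containing an apostrophe.
foreach (['title=more+testing', 'title=it%27s+a+test'] as $qs) {
    $title = title_from_query($qs);
    try {
        $concat = implode(',', find_concatenated($pdo, $title));
    } catch (PDOException $e) {
        // The apostrophe closes the string literal early and the statement no longer parses.
        $concat = 'query failed: ' . $e->getMessage();
    }
    $bound = implode(',', find_bound($pdo, $title));
    printf("[%s]\n  concatenated: %s\n  bound:        %s\n", $title, $concat, $bound);
}
```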
Please help me regarding the specified problem:
The code section:
$result = mysql_query("SELECT *, UNIX_TIMESTAMP(eventdate) AS eventdate,
UNIX_TIMESTAMP(throughdate) AS throughdate FROM events where
id='$_GET[id]' ORDER BY eventdate");
// the above query is not working
if (! $result) {
echo mysql_errno() . ": " . mysql_error(). "\n";
}
if ( mysql_num_rows($result) == 0 ) {
print "<p>No events right now.</p>\n";
}
else {
$lasteventmonth = '';
while ($row = mysql_fetch_array($result)) {
$eventmonth="";
$eventmonth = date("F Y",$row['eventdate']);
if ($lasteventmonth != $eventmonth) {
print "<p style='font-size: 18px;'><b>$eventmonth</b></p>";
}
$lasteventmonth = $eventmonth;
showEvent($row);
}
}
?>
........................
........................//other codes
when the code evaluates as follows:
No events right now.
But specific id is present in the database and if $_GET['id'] is echoed in the page the value is shown.
what is id in id='$_GET[id]' at the beginning?
If you have a query http:// ... ?id=123, I would put id in quotes. Having said that, better like this:
$id = mysql_real_escape_string($_GET['id']); // safe against SQL injection
$sql = "SELECT *, UNIX_TIMESTAMP(eventdate) AS eventdate, UNIX_TIMESTAMP(throughdate) AS throughdate FROM events where id='$id' ORDER BY eventdate";
$result = mysql_query($sql);
If you are still getting trouble, use echo to check the variables $id and $result before the query runs; then you will have a clearer idea why it is not running the query you expect.
I am sure id=$_GET[id] is checking an int versus an int where you have it checking an int vs a string. Remove the single quotes around $_GET['id'] and try again. The single quotes define it as a string rather than an int.
This code below gives me this error:
"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' where id = '000'' at line 1"
I don't understand the issue here
<?php
include(".conf.php");
$con = mysql_connect($conf['db_hostname'], $conf['db_username'], $conf['db_password']) or die (mysql_error());
$db = mysql_select_db("aTable", $con);
$pr = $_GET['aThing'];
$pr = addslashes(htmlentities($pr));
$info_array = mysql_query("SELECT * FROM '$db' where id = '$pr'", $con) or die(mysql_error());
while($row = mysql_fetch_array( $info_array )) {
echo $row['aThing'];
echo "</br>";
echo $row['aThing'];
echo "</br>";
echo $row['aThing'];
echo "</br>";
echo $row['aThing'];
};
?>
Thanks for your help.
You should put the table name into FROM: SELECT * FROM aTable WHERE ..... Also, you don't escape the variable that comes from the user.
You will need something like :
mysql_query("SELECT * FROM aTable where id = '".mysql_real_escape_string($pr)."'", $con) or die(mysql_error());
Function mysql_select_db returns either TRUE or FALSE
Instead, try:
$info_array = mysql_query("SELECT * FROM aTable where id = '$pr'", $con) or die(mysql_error());
Or perhaps:
$dbtable = "aTable";
$info_array = mysql_query("SELECT * FROM $dbtable where id = '$pr'", $con) or die(mysql_error());
I am pretty sure it doesn't have any errors with the exception of the
fatal error killing it.
I would say you'll get to a solution faster if you believe MySQL when it tells you there's a problem.
Re-reading the error message:
You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use
near ''' where id = '000'' at line 1
I would question the table name and the quotes around the id. If that's an integer column, I'd expect to see a number without quotes.
If I remember correctly, mysql_select_db returns true or false. It doesn't return database name.