I have a strange error:
I have this simple code:
$id = strip_tags($_SESSION["infos_profile_id"]);
$id_friend = strip_tags($_POST["update_user_chat_every_5_second"]);
$q = $bdd->query('SELECT * FROM message WHERE id_sender = '.$id_friend.' AND id_send_to = '.$id.' AND message_read = "0"');
It works fine on MySQL.
But after hosting my website on a MariaDB server, I see this error:
PHP Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'AND message_read = "0"' at line 1' in
I have done everything to solve it, but I can't find where the error really comes from.
Any help to solve this error?
Thanks.
I agree with the comment from #MaxT above -- you should echo your SQL query after interpolating all variables into it. It's too difficult to debug when you're looking at code that formats an SQL query, instead of the query itself.
Comments are also correct that strip_tags() is not useful for SQL injection protection.
Query parameters are the best protection against SQL injection, and they help you avoid syntax errors too.
Here's what it would look like for your code:
$id = $_SESSION["infos_profile_id"];
$id_friend = $_POST["update_user_chat_every_5_second"];
$sql = 'SELECT * FROM message WHERE id_sender = :id_friend AND id_send_to = :id AND message_read = 0';
$q = $bdd->prepare($sql);
$q->execute( ['id'=>$id, 'id_friend'=>$id_friend] );
It's really very easy!
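To make the answer above concrete, here is an added example (not code from the original question or answer) that runs the interpolated query and the prepared one side by side against an in-memory SQLite database through PDO, so it works without a MySQL/MariaDB server. The table, rows and the `0 OR 1=1 -- ` payload are constructed for the demo; the single-quoted `'0'` replaces the original `"0"` only because SQLite treats double quotes as identifiers.

```php
<?php
// Added example: reproduces the failure mode of string-built SQL and shows the
// prepared-statement form beside it. SQLite in-memory so it runs offline.
$bdd = new PDO('sqlite::memory:');
$bdd->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$bdd->exec('CREATE TABLE message (id INTEGER PRIMARY KEY, id_sender INTEGER, id_send_to INTEGER, message_read INTEGER, body TEXT)');
// Constructed sample rows: two from sender 7 to user 3 (one unread), one from sender 9.
$bdd->exec("INSERT INTO message (id_sender, id_send_to, message_read, body)
            VALUES (7, 3, 0, 'hi'), (7, 3, 1, 'old'), (9, 3, 0, 'not yours')");

// The original approach: strip_tags() plus string concatenation.
function unreadInterpolated(PDO $bdd, string $id, string $idFriend): array
{
    $id       = strip_tags($id);
    $idFriend = strip_tags($idFriend);
    $sql = 'SELECT * FROM message WHERE id_sender = '.$idFriend.' AND id_send_to = '.$id." AND message_read = '0'";
    echo "SQL sent: $sql\n";          // the debugging step the answer recommends
    return $bdd->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// The answer's approach: placeholders, values bound at execute().
function unreadPrepared(PDO $bdd, string $id, string $idFriend): array
{
    $q = $bdd->prepare('SELECT * FROM message WHERE id_sender = :id_friend AND id_send_to = :id AND message_read = 0');
    $q->execute(['id' => $id, 'id_friend' => $idFriend]);
    return $q->fetchAll(PDO::FETCH_ASSOC);
}

// 1. Normal input: both return the one unread message from 7 to 3.
echo count(unreadInterpolated($bdd, '3', '7')), " row(s)\n";
echo count(unreadPrepared($bdd, '3', '7')), " row(s)\n";

// 2. Empty session value (expired session, missing key): the concatenated SQL becomes
//    "... AND id_send_to =  AND message_read = '0'" and the server reports a syntax
//    error near "AND message_read", exactly the kind of 1064 seen in the question.
try {
    unreadInterpolated($bdd, '', '7');
} catch (PDOException $e) {
    echo "Interpolated: ", $e->getMessage(), "\n";
}
// The prepared statement is still valid SQL; it just matches nothing.
echo count(unreadPrepared($bdd, '', '7')), " row(s) for empty id\n";

// 3. Hostile input: strip_tags() only removes HTML tags, so SQL passes straight through.
$payload = '0 OR 1=1 -- ';
echo count(unreadInterpolated($bdd, '3', $payload)), " row(s): every message in the table\n";
echo count(unreadPrepared($bdd, '3', $payload)), " row(s): the payload is compared as a value\n";
```

The same empty-variable case explains why the question's query "works on MySQL" but not after the move: it is not the server, it is whatever the session holds on the new host. Echoing the final SQL string, as the answer suggests, shows that immediately.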
This is my full page code; note that I have written in a comment which line is causing the error.
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'id']; ?>'' at line 131)
When I write this $getpost = $db->select($query_edit); code, this type of error appears on my admin page. I do not understand what to do; I have tried many things, but the error is not resolved!
<?php
$query_edit = "SELECT * FROM tbl_post WHERE id='$editpost' ";
$getpost = $db->select($query_edit);// This is the line that caused this error to be written
My admin panel image:
It appears that you are using quotes improperly.
You can, but shouldn't, do this:
$query_edit = 'SELECT * FROM tbl_post WHERE id="' . $editpost . '"';
You leave yourself open to SQL injection. Look up PDO prepared statements.
I'm following a tutorial but it seems I'm either doing something wrong, or the tutorial is outdated.
The tutorial told me to run this query:
$recordsPerPage = 3;
$fromRecordNum = ($recordsPerPage * $page) - $recordsPerPage;
$query = $engine->runQuery("SELECT * FROM forum_posts ORDER BY id DESC LIMIT $fromRecordNum, $recordsPerPage WHERE topic_id=:topic");
$query->execute(array(':topic'=>$thread['id']));
But this appears to output this error:
Uncaught exception 'PDOException' with message 'SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '-3, 3 WHERE topic_id='20'' at line 1'
I've tried looking up different tutorials about pagination, but it seems they all use this technique.
I hope someone knows how to fix this! Thanks a lot!!
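An added example (not from the question or the tutorial it follows) of the pagination query with the clauses in the order SQL requires, WHERE before ORDER BY before LIMIT. The error message also shows a negative offset ("-3, 3"), which comes from $page being 0, so the page number is clamped here. The table and rows are constructed for the demo and it runs on in-memory SQLite through PDO; the note about emulated prepares applies to pdo_mysql.

```php
<?php
// Added example: correct clause order, integer-bound LIMIT values, page >= 1.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE forum_posts (id INTEGER PRIMARY KEY, topic_id INTEGER, body TEXT)');
// Constructed sample data: seven posts in topic 20.
$ins = $db->prepare('INSERT INTO forum_posts (topic_id, body) VALUES (:topic, :body)');
for ($i = 1; $i <= 7; $i++) {
    $ins->execute([':topic' => 20, ':body' => "post $i"]);
}

function pageOfTopic(PDO $db, int $topicId, int $page, int $recordsPerPage = 3): array
{
    // Page numbers start at 1. Page 0 in the original gives offset -3, which
    // MySQL/MariaDB reject as a syntax error just like the misplaced LIMIT.
    $page   = max(1, $page);
    $offset = ($page - 1) * $recordsPerPage;

    // WHERE filters, ORDER BY sorts, LIMIT/OFFSET comes last.
    $sql  = 'SELECT * FROM forum_posts WHERE topic_id = :topic ORDER BY id DESC LIMIT :limit OFFSET :offset';
    $stmt = $db->prepare($sql);
    $stmt->bindValue(':topic', $topicId, PDO::PARAM_INT);
    // With pdo_mysql's default emulated prepares, values passed through execute(array)
    // are quoted as strings, and LIMIT '3' OFFSET '0' is itself a 1064 syntax error.
    // Binding them explicitly as PDO::PARAM_INT avoids that.
    $stmt->bindValue(':limit', $recordsPerPage, PDO::PARAM_INT);
    $stmt->bindValue(':offset', $offset, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

foreach ([1, 2, 3, 0] as $page) {
    $ids = array_column(pageOfTopic($db, 20, $page), 'id');
    echo "page $page: ", implode(',', $ids), "\n";
}
// page 1: 7,6,5   page 2: 4,3,2   page 3: 1   page 0: 7,6,5 (clamped to page 1)
```

If you prefer the `LIMIT offset, count` form from the tutorial, it is also accepted by MySQL/MariaDB, but it still has to come after ORDER BY, and both numbers still need to be bound as integers.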
I am new to PHP and cannot get this! I'm attempting to edit data on an edit page, which will be stored through an update page into MySQL.
<?php
include("secure/connect.php");
$newtitle = mysqli_real_escape_string($conn, ($_POST['title']));
$newinfo = mysqli_real_escape_string($conn,($_POST['info']));
$newprice = mysqli_real_escape_string($conn,($_POST['price']));
$newmenu_img = mysqli_real_escape_string($conn,($_POST['menu_img']));
$id = mysqli_real_escape_string($conn, ($_POST['rowid']));
//setup a SQL query
$query= "UPDATE cocktails SET title='$newtitle', info='$newinfo', price='$newprice', menu_img='$newmenu_img', WHERE id='$id'";
$result = mysqli_query($conn, $query) or die(mysqli_error($conn));
mysqli_close($conn);
?>
I keep getting the error:
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'WHERE id='\r\nNotice: Undefined variable: iddata in /var/www/vh' at line 1
If your parameters are OK, removing the comma (,) in this line
UPDATE cocktails SET title='$newtitle', info='$newinfo', price='$newprice', menu_img='$newmenu_img', WHERE id='$id'
before WHERE will do the job. Note that MariaDB starts the code in the error message from exactly the part that gives the error; in your case it tries to parse the WHERE part as a continuation of the list of parameters.
Your code is also vulnerable to SQL code injection, so check out this answer before sending your code into production server.
I'm trying to execute a PDO update statement defined as follows:
$sql = "UPDATE users SET (email,name) VALUES (:email,:name) WHERE userId = :userId";
$result= $db->prepare($sql);
$result->execute(array(':userId'=>21,':email'=>'test',':name'=>'testname'));
But no matter what I try, it returns the following error:
Uncaught exception 'PDOException' with message 'SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '(email,name) VALUES ('test','testname') WHERE userId = '21'' at line 1' in /var/www/vhosts/tftest.co.uk/biggreensquare.co.uk/application/models/user_model.php:79
I can't see what is wrong with my syntax that is causing this; any feedback is much appreciated.
I would expect the syntax to look like:
UPDATE users
SET email = :email,
name = :name
WHERE userId = :userId;
I'm getting a weird error from PDO and it doesn't make sense. I am trying the following code, but even if I change the code I get the exact same error, which doesn't reflect any of the changes.
$stmt = $db->prepare("SELECT database, gpsthr from ccprefs where fleetnumber=?");
$stmt->bindValue(1, (int) $smpfleet, PDO::PARAM_INT);
$stmt->execute();
Here's the error message:
"SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' gpsthr from ccprefs where fleetnumber= ?' at line 1"
If I change the code to this I still get the same error.
$stmt = $db->prepare("SELECT database, gpsthr from ccprefs where fleetnumber= :fleet");
$stmt->bindValue(':fleet', (int) $smpfleet, PDO::PARAM_INT);
$stmt->execute();
DATABASE is a reserved keyword and as such you have to quote it.
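An added example (not from the answer above) of quoting a reserved-word column name the way MySQL/MariaDB expect: backticks, with any embedded backtick doubled. `quoteIdentifier()` is a helper written for this example, not a PDO function; the table and row are constructed and the code runs on in-memory SQLite, which accepts backtick-quoted identifiers, so the query below is exactly what you would send to MariaDB.

```php
<?php
// Added example: identifier quoting for a column called `database`.
function quoteIdentifier(string $name): string
{
    // MySQL/MariaDB identifier quoting: wrap in backticks and double any embedded
    // backtick. Unlike double quotes, this works regardless of sql_mode ANSI_QUOTES.
    if ($name === '' || strlen($name) > 64 || str_contains($name, "\0")) {
        throw new InvalidArgumentException('invalid identifier');
    }
    return '`' . str_replace('`', '``', $name) . '`';
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE ccprefs (fleetnumber INTEGER, `database` TEXT, gpsthr INTEGER)');
$db->exec("INSERT INTO ccprefs VALUES (42, 'fleet42_db', 15)");   // constructed sample row

// Unquoted, MySQL/MariaDB stop parsing at "database, gpsthr ...", which is the
// error in the question. Quoted, it is an ordinary column reference.
$columns = ['database', 'gpsthr'];
$sql = 'SELECT ' . implode(', ', array_map('quoteIdentifier', $columns))
     . ' FROM ccprefs WHERE fleetnumber = :fleet';

$smpfleet = '42';
$stmt = $db->prepare($sql);
$stmt->bindValue(':fleet', (int) $smpfleet, PDO::PARAM_INT);
$stmt->execute();
print_r($stmt->fetch(PDO::FETCH_ASSOC));   // Array ( [database] => fleet42_db [gpsthr] => 15 )
```

Placeholders only ever stand for values, never for table or column names, so quoting is the only option for identifiers. If a column name comes from the request (a sortable table header, for instance), check it against a fixed list of allowed names first and quote it afterwards; the quoting alone does not make an arbitrary string safe to use as an identifier.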