I am new to php and cannot get this! I'm attempting to edit data on an edit page which will be stored through an update page onto mySQL.
<?php
include("secure/connect.php");
$newtitle = mysqli_real_escape_string($conn, ($_POST['title']));
$newinfo = mysqli_real_escape_string($conn,($_POST['info']));
$newprice = mysqli_real_escape_string($conn,($_POST['price']));
$newmenu_img = mysqli_real_escape_string($conn,($_POST['menu_img']));
$id = mysqli_real_escape_string($conn, ($_POST['rowid']));
//setup a SQL query
$query= "UPDATE cocktails SET title='$newtitle', info='$newinfo', price='$newprice', menu_img='$newmenu_img', WHERE id='$id'";
$result = mysqli_query($conn, $query) or die(mysqli_error($conn));
mysqli_close($conn);
?>
I keep getting the error:
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'WHERE id='
\r\nNotice: Undefined variable: iddata in /var/www/vh' at line 1
If your parameters are OK, removing comma(,) in this line
UPDATE cocktails SET title='$newtitle', info='$newinfo', price='$newprice', menu_img='$newmenu_img', WHERE id='$id'
before WHERE will do the job. Note that MariaDB will start code in error message from exactly the part that gives error - in your case it tries to parse WHERE part as continuation of list of parameters.
Your code is also vulnerable to SQL code injection, so check out this answer before sending your code into production server.
I tried to use the following code to insert,
$op=$_POST["ans"];
$username=$_GET["username"];
mysql_query("insert into $username values('Q3','$op')")
or die(mysql_error());
But I got the following error:
You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use
near 'values('Q1','Wrong')' at line 1
Why am I getting this error? How can I fix it?
Your query structure is not making any sense. You're inserting into $username? That's not the name of the table, is it?
mysql_query("INSERT INTO `tablename` values('Q3','" . mysql_real_escape_string($op) . "')") or die(mysql_error());
Always be very careful to escape any and all user data being put into your queries, and please, please stop using mysql_query in new code.
I'm trying to insert some values into the database using information posted on a form through php
following is the code that i'm using for insertion
$query=mysql_query("select * from poll_question where question = '$question'") or die(mysql_error());
$numrows=mysql_num_rows($query);
if($numrows)
{
while($row=mysql_fetch_assoc($query))
{
$dbid=$row['id'];
}
}
$sql1 = "INSERT INTO poll_option(option , poll_id ,click)
VALUES('$_POST[optionone]',
'$dbid' , 0)";
$result1 = mysql_query($sql1);
echo "1 record added";
echo mysql_error();
$sql2 = "INSERT INTO poll_option(option , poll_id , click)
VALUES('$_POST[optiontwo])',
'$dbid', 0)";
$result2 = mysql_query($sql2);
echo mysql_error();
$sql3 = "INSERT INTO poll_option(option , poll_id, click)
VALUES('$_POST[optionthree])',
'$dbid ', 0)";
$result3 = mysql_query($sql3);
echo mysql_error();
now i'm getting the following output
You have an error in your SQL syntax;
check the manual that corresponds to your MySQL server version for the right syntax to use near 'option , poll_id ,click) VALUES('sj', '24' , 0)' at line 1
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'option , poll_id , click) VALUES('dsdg', '24', 0)' at line 1
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'option , poll_id, click) VALUES('xzf', '24 ', 0)' at line 1
The part under the "values" syntax is the one that i'm trying to insert. that information is correct.that is VALUES('xzf', '24 ', 0) is Correct and i want to insert this only , but their is some problem with the syntax.Any suggestions?
What echo_me said.
Additionally, in $sql2 and $sql3 you are closing the VALUES (...) parenthesis too soon:
VALUES('$_POST[optiontwo])',
^ remove this
Your $sql1 is correct.
OPTION is reserved keyword for mysql
try use backticks around it in all your queries
like that:
`option`
look reserved keywords here
In addition to what echo_me stated in removing the parentheses incorrectly added to $sql2 and $sql3, you really should migrate over to mysqli (since mysql is deprecated) and at least use the real escape string option on your post variable before automatically inserting whatever is posted to the script into your database. A good example for your code is:
$post_option1 = mysql_real_escape_string($_POST['optionone']);
$post_option2 = mysql_real_escape_string($_POST['optiontwo']);
$sql1 = "INSERT INTO poll_option (`option`, `poll_id`, `click`) VALUES('$post_option1', '$dbid', 0)";
$sql2 = "INSERT INTO poll_option (`option`, `poll_id`, `click`) VALUES('$post_option2', '$dbid', 0)";
My opinion is it would make things simpler for you as well. The info on the real escape string can be found here:
http://php.net/manual/en/function.mysql-real-escape-string.php
It's against best practice to insert a POST or GET directly into your database without any form of mitigation against SQL injection.
Try to avoid using mysql functions, but rather learn to use PDO functions. They have a number of advantages over mysql functions, although im really sorry, i dont remember them right now, and i dont want to say anything that's not true.
Also, i dont think that the mysql functions can prevent SQL injection, which can let any user alter your Database however they want.
Most importantly though, is that they're deprecated in PHP 5.5
Sorry if i didn't solve your question, just thought to let you know. Good luck, maybe you can get it to work with the new functions.
Update: Sorry, didn't see the comments and posts about switching to mysqli and such.
I have a following code:
<?php
include("config.php");
$key = 'blahblah';
$sql = "INSERT INTO softversions SET key='$key'";
$result = mysql_query($sql) or die ($mysql_error());
echo "dude";
?>
This gives me an error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'key='svksskjfvns'' at line 1
The thing is that I've used this script about a hundred times on other pages and it worked.
Table and field names are 100% correct.
I don't understand what is going on.
Do you see the syntax error there?
KEY is a reserved word in MySQL and you need to escape it using backticks to use it as a column name and also you should not use SET when inserting.
$sql = "INSERT INTO softversions (`key`) VALUES ('$key')";
key is a reserved word in MySQL. To use it as a column, you need to escape it every time you call it.
$sql = "INSERT INTO softversions SET `key`='$key'";
$sql = "INSERT INTO softversions(keyName) values('{$key}')";
I'm trying to update using mysql_query in php and it gives me this error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'read='1' WHERE id='14'' at line 1
I've been looking at my query for about 10 minutes now and I cant find whats wrong with it. Here it is:
if ($row['read'] == 0) {
mysql_query("UPDATE mail SET read='1' WHERE id='$mailid'") or die(mysql_error());
}
Do anyone see where the error is?
read is a reserved word.
Enclose it into the backticks:
UPDATE mail SET `read`='1' WHERE id='$mailid'
How about...
"UPDATE `mail` SET `read`='1' WHERE `id`='".$mailid."'"
read is a reserved word. You need to use backticks ` around read.