Here is the query string I am using; I have tried many different iterations...
if (!mysqli_query($db_connection,'UPDATE `questions` SET
`question`='.$question.', `answer1`='.$answer1.', `answer2`='.$answer2.',
`answer3`='.$answer3.', `answer4`='.$answer4.', `rationale`='.$rationale.',
`resources`='.$resources.' WHERE `question_id`='.$id))
{
echo("Error description: " . mysqli_error($db_connection));
}
this is the error I get:
Error description: You have an error in your SQL syntax; check the
manual that corresponds to your MySQL server version for the right
syntax.
I have tried using single quotes, double quotes without ` and with. Nothing seems to work.
It's not a case of using single or double quotes but of doing both correctly: you need to wrap your strings in double quotes and open and close your concatenation with singles, e.g. `answer` = " ' .$variable. ' ", ..... Then the quotes become part of your string.
Try this:
$query = mysqli_query($db_connection,"UPDATE `questions` SET `question`='{$question}',`answer1`='{$answer1}', `answer2`='{$answer2}', `answer3`='{$answer3}', `answer4`='{$answer4}', `rationale`='{$rationale}', `resources`='{$resources}' WHERE `question_id`=".$id);
if (!$query) // mysqli_query() returns false on failure
{
echo("Error description: " . mysqli_error($db_connection));
}
First of all, as the comments stated, prepared statements are the way to go. You are open to SQL injection.
Secondly, as for the MySQL error message, it looks like you are missing a single quote at the end of your query: WHERE question_id='.$id. Also, echo out the query string and you'll notice that your query does not have single quotes around your parameters. You are using single quotes to create the query string but not for the query parameters. Use double quotes for the query string, and single quotes for the parameters:
"UPDATE `questions` SET
`question`='".$question."', `answer1`='".$answer1."', `answer2`='".$answer2."',
`answer3`='".$answer3."', `answer4`='".$answer4."', `rationale`='".$rationale."',
`resources`='".$resources."' WHERE `question_id`='".$id."'"
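The answer above recommends prepared statements but does not show one. The following is an added example, not code from the question or from any answer: the same UPDATE written with mysqli placeholders, so that none of the values has to be quoted or concatenated at all. The connection parameters and the sample values are placeholders constructed for the example; the table and column names follow the question.

```php
<?php
// Added example: the question's UPDATE as a mysqli prepared statement.
// Connection details are placeholders; replace them with your own.
$db_connection = mysqli_connect('localhost', 'db_user', 'db_password', 'quiz_db');
if ($db_connection === false) {
    die('Connect error: ' . mysqli_connect_error());
}

// Sample values, constructed for this example. The embedded apostrophe and
// double quotes are exactly what breaks a concatenated query (or changes its
// meaning); with placeholders they are just data.
$question  = "What's the capital of France?";
$answer1   = 'Paris';
$answer2   = 'Lyon';
$answer3   = "Marseille (l'ancienne Massalia)";
$answer4   = 'Nice';
$rationale = 'Paris has been the capital since 987; "Lyon" is a distractor.';
$resources = 'https://example.com/resource?id=1&lang=fr';
$id        = 42;

// One ? per value. The SQL text contains no user data, so it never needs
// to be re-quoted no matter what the values contain.
$sql = 'UPDATE `questions` SET `question` = ?, `answer1` = ?, `answer2` = ?, '
     . '`answer3` = ?, `answer4` = ?, `rationale` = ?, `resources` = ? '
     . 'WHERE `question_id` = ?';

$stmt = mysqli_prepare($db_connection, $sql);
if ($stmt === false) {
    die('Prepare error: ' . mysqli_error($db_connection));
}

// Type string: one letter per placeholder, 's' = string, 'i' = integer.
// Binding $id as an integer means a non-numeric id is rejected by the
// driver instead of being spliced into the WHERE clause.
mysqli_stmt_bind_param(
    $stmt,
    'sssssssi',
    $question, $answer1, $answer2, $answer3, $answer4, $rationale, $resources, $id
);

if (!mysqli_stmt_execute($stmt)) {
    echo 'Error description: ' . mysqli_stmt_error($stmt);
} else {
    echo 'Rows updated: ' . mysqli_stmt_affected_rows($stmt);
}
mysqli_stmt_close($stmt);
mysqli_close($db_connection);
```

The quoting problem the question is about disappears because the SQL string is a constant: the values travel separately from the statement text, so an apostrophe in `$question` can neither cause a syntax error nor alter the query.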
Related
'...where T4."firstName"!=\'ERD\''
*I am sure you know but: ''\'ERD\'' means "ERD" inside single quotation marks.
This is a part of sql query but I want to use a variable instead of ERD. Having trouble with double and single quotation marks. How should I write the variable?
An option to prevent SQL injection is appreciated. I am using ODBC.
I would suggest concatenating it:
"SELECT * from table1 where firstName = '" . $ERD . "'";
In my PHP script, I need to update fields to remove the double quotes in a particular column. When I execute my query, the fields are not stripped of the double quotes. I suspect that it has something to do with escaping the characters in the query. The query below is what phpMyAdmin generated for me when I clicked "Create PHP" after successfully running the query in phpMyAdmin.
$sql = "UPDATE `TNDB_CSV2` \n"
. " SET `Event` = TRIM(BOTH \'\"\' FROM `Event`)";
How can I change this to run in my PHP script instead of running it manually in phpMyAdmin?
You are going to have to escape the slashes themselves so that they stick around when the SQL query is executed, so I am suggesting you do it like so:
$sql = "UPDATE `TNDB_CSV2` \n"
. " SET `Event` = TRIM(BOTH '\\\"' FROM `Event`)";
I also got rid of the backslashes around the quotes.
My code is
$user_query = '
UPDATE
users
SET
`password`="$password",
`email`="$email",
`position`="$position",
WHERE
`username`=".$uname."';
$user_result = mysql_query($user_query, $connection);
confirm_query($user_result);
When I run this query it gives me an error:
Database query failed: You have an error in your SQL syntax;
check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE username=".$uname."' at line 7
Can anybody help me resolve this error?
Your query is in single quotes, so the variables aren't parsed. As you can see in the error, the string is literally
`username`=".$uname."
You need to either use double quotes around the entire thing, so that the variables are parsed correctly:
$user_query = "
UPDATE
users
SET
`password`='$password',
`email`='$email',
`position`='$position'
WHERE
`username`='$uname'";
Or correctly use the string concatenation operator (the dot):
$user_query = '
UPDATE
users
SET
`password`="'.$password.'",
`email`="'.$email.'",
`position`="'.$position.'"
WHERE
`username`="'.$uname.'"';
As others have noted, there's also an extra , after position="$position".
Remove the comma , before the WHERE clause
Just change the quotes, and better yet escape the data with DB driver functions like mysql_real_escape_string().
Difference between quotes: https://stackoverflow.com/a/3446286/765634
Escaping: http://php.net/mysql_real_escape_string
Complete query:
$user_query = <<<SQL
UPDATE
users
SET
`password`="{$password}",
`email`="{$email}",
`position`="{$position}"
WHERE
`username`="{$uname}"
SQL;
There is a trailing comma between position="$position", and the where clause. Remove the comma just before the where clause.
UPDATE
users
SET
`password`="$password",
`email`="$email",
`position`="$position"
WHERE
`username`="$uname"
You had a trailing , after position.
You have an extra comma after position="$position". Remove that.
I'm seeing some weirdness when I try to run a query using PDO. The following code shouldn't return results, but it does:
$safe_path = $this->_databaseConnection->quote($unsafe_path);
$sql = "SELECT * FROM routes WHERE path=$safe_path LIMIT 1";
$statement_handle = $this->_databaseConnection->query($sql);
var_dump($statement_handle->fetchAll());
I'm confused because there aren't single quotes around the $safe_path variable as there would be if I were using the mysqli extension - but it's working. If I enclose $safe_path in quotes, no results are returned. This seems strange to me.
You are already quoting the $safe_path variable with your first line in the sample:
$safe_path = $this->_databaseConnection->quote($unsafe_path);
That is why it works as it stands. If you attempt to add quotes yourself in the:
$sql = "SELECT * FROM routes WHERE path='$safe_path' LIMIT 1";
line then you would be doubling up the quotes and therefore breaking the SQL query.
Please see the manual page for quote() for more information:
PDO::quote() places quotes around the input string (if required) and
escapes special characters within the input string, using a quoting
style appropriate to the underlying driver.
The PDO quote method just adds quotes in a string context.
http://php.net/manual/en/pdo.quote.php
PDO::quote() places quotes around the input string (if required)[...]
Aren't you adding quotes?
$safe_path = $this->_databaseConnection->quote($unsafe_path);
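To make the point of both answers concrete, here is an added example that is not code from the question or the answers. It reproduces the three variants against an in-memory SQLite database through PDO (assumes the pdo_sqlite extension), so it runs without a MySQL server; the table and column names follow the question, and the rows and the input value are constructed.

```php
<?php
// Added example: what PDO::quote() returns, why re-quoting it breaks the
// query, and the prepared-statement alternative. SQLite in memory, so the
// script is self-contained; the data below is constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE routes (id INTEGER PRIMARY KEY, path TEXT NOT NULL)');
$pdo->exec("INSERT INTO routes (path) VALUES ('/home'), ('/about'), ('/it''s-here')");

$unsafe_path = "/it's-here";   // constructed input; the apostrophe is the interesting part

// 1. PDO::quote() returns a complete SQL string literal: delimiters AND escaping.
$safe_path = $pdo->quote($unsafe_path);
echo "quote() returned: $safe_path\n";            // '/it''s-here'

// 2. Dropped into the SQL as-is, the literal is well formed and the row is found.
$sql = "SELECT * FROM routes WHERE path=$safe_path LIMIT 1";
echo "bare:   $sql\n";
$rows = $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
echo 'bare matched ' . count($rows) . " row(s)\n";  // 1

// 3. A second pair of quotes yields  path=''/it''s-here''  which is no longer
//    the intended comparison. The asker saw no rows on MySQL; SQLite rejects
//    the statement outright, which the try/catch makes visible.
$sql = "SELECT * FROM routes WHERE path='$safe_path' LIMIT 1";
echo "double: $sql\n";
try {
    $rows = $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
    echo 'double-quoted matched ' . count($rows) . " row(s)\n";
} catch (PDOException $e) {
    echo 'double-quoted failed: ' . $e->getMessage() . "\n";
}

// 4. The robust form: a prepared statement with a bound parameter. No quoting
//    decision is made by hand and the value is sent as data, not as SQL text.
$stmt = $pdo->prepare('SELECT * FROM routes WHERE path = :path LIMIT 1');
$stmt->execute([':path' => $unsafe_path]);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
echo 'prepared matched ' . count($rows) . " row(s)\n"; // 1
```

Printing the assembled SQL before running it (steps 2 and 3) is the quickest way to see what quote() has already done for you; the prepared statement in step 4 removes the need to reason about it at all.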
I have just read the following code but do not understand why both " and ' are used. Thank you!
$sql='SELECT uid,name FROM users WHERE user="'.mysql_real_escape_string($_POST['login_name']).'" AND ..
There shouldn't be.
The "correct" $sql might look like this:
$sql="SELECT uid,name FROM users WHERE user='".mysql_real_escape_string($_POST['login_name'])."'";
You use ' in SQL to say it's a string / literal.
I would suggest that you look into prepared statements; I don't trust mysql_real_escape_string nor mysql_very_real_seriously_this_is_the_real_escape_string; that php-syndrome is not to be trusted.
This is a PHP program to write an SQL query (and store it in a string).
The target SQL looks like this:
SELECT uid,name FROM users WHERE user="something" AND …
So in PHP terms:
$foo = 'SELECT uid,name FROM users WHERE user="something" AND …'
But you want to replace "something" with dynamic data. In this case the posted login_name — but made safe for MySQL.
$foo = 'SELECT uid,name FROM users WHERE user="' .
mysql_real_escape_string($_POST['login_name']) .
'" AND …'
A better approach is to use prepared statements.
The single quotes surround the SQL-statement ("SELECT..."), the double quote surround the data for the field "user" (though I'd use the quotes the other way around).
The query would look something like this (use single quotes):
SELECT uid FROM users WHERE user='snake'
To assign this query to the variable $sql, you'd have to enclose it in quotes, using double quotes this time, so PHP doesn't assume the string ends before 'snake':
$sql = "SELECT uid FROM users WHERE user='snake'";
And as you won't always be asking for 'snake' statically, you exchange 'snake' with a dynamic name, exiting/entering the $sql-string by using double quotes again:
$sql = "SELECT uid FROM users WHERE user='" . $dynamic . "'";
If you only wanted one type of quotes, you'd have to escape the quotes that enclose the user-string.
The " will be literally included in the final MySQL request, so the request sent to the MySQL database will be:
SELECT uid,name FROM users WHERE user="loginname" AND ..
The single quotes are used to define your string in PHP. The double ones delimit your text field (login_name) in your SQL query.
This is done to avoid escaping the quotes of the query, if the same were used.
You can use single or double quotes for wrapping strings in php. However, there are differences.
With single quote strings, you cannot inline variables (eg: $a = 'hi $name'), nor can you escape characters (eg: $a = 'hi!\n$name').
Here is a nice summary: http://www.jonlee.ca/php-tidbit-single-quotes-vs-double-quotes/
Also, on a side note: not sure if double quotes should be used for enclosing strings in SQL. I do believe you should use single quotes in most DBs.
Looks like the single quotes are used for the PHP code that forms the query and the double quotes are used for the query itself.
More on Single/Double quotes
You can always echo out the $sql value to see how the single/double quotes look before executing the SQL against a DB.
Something like:
$sql='SELECT uid,name FROM users WHERE
user="'.mysql_real_escape_string($_POST['login_name']).'"';
// Print the SQL
echo $sql."<br />";