We Keep Coding

how to search a name that include apostrophe in SQL [duplicate] - php

This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 4 years ago.
i want to search a title that include apostrophe in it.
i call the title from variable.
for example:
$mytitle = "Daddy's Home";
then i try to search it.
$apostrophe = $val;
$replacementsapostrophe = [
"'" => "''",
];
$newval = strtr($apostrophe, $replacementsapostrophe);
$query2 = $db->prepare ("SELECT category, id_master_post, master_post_name FROM `master_post` WHERE master_post_name = '$newval'");
$query2->execute();
$value2 = $query2->fetch();
Error given
Fatal error: Uncaught PDOException: SQLSTATE[42000]: Syntax error or
access violation: 1064 You have an error in your SQL syntax; check the
manual that corresponds to your MariaDB server version for the right
syntax to use near 's Home 2'' at line 1 in
C:\xampp\htdocs\piratefiles\list.php:31 Stack trace: #0
C:\xampp\htdocs\piratefiles\list.php(31): PDOStatement->execute() #1
{main} thrown in C:\xampp\htdocs\piratefiles\list.php on line 31
im already try '%''%' still not working.

You should use prepared statements to avoid sql injection but to answer your question . An example;
try{
$db=new PDO(DSN,USER,PASS);
}catch(PDOException $e){
echo "couldn't connect cos of $e";
}
$sqlQuery = "SELECT category, id_master_post, master_post_name FROM `master_post` WHERE master_post_name = ? "
$prepared= $db->prepare($sqlQuery);
$prepared->execute($myTitle);
$resultObject = $prepared->fetchObject() ;

Related

This question already has answers here:
How to include a PHP variable inside a MySQL statement
(5 answers)
Closed 3 years ago.
I get this error
(Uncaught PDOException: SQLSTATE[42000]: Syntax error or access
violation: 1064 You have an error in your SQL syntax;)
I know it's regarding the code below as I get this error code in my console
([Tue Jan 21 21:32:11.564497 2020] [proxy_fcgi:error] [pid 14681:tid
140542562248448] [client 81.226.126.93:39132] AH01071: Got error 'PHP
message: PHP Fatal error: Uncaught PDOException: SQLSTATE[42000]:
Syntax error or access violation: 1064 You have an error in your SQL
syntax; check the manual that corresponds to your MariaDB server
version for the right syntax to use near 'WHERE rakel IN ('3
31-1710')' at line 1 in
/var/www/vhosts/stockholmblaljusklan.se/httpdocs/cad/assets/includes/utl/larm.php:144\nStack
trace:\n#0
/var/www/vhosts/stockholmblaljusklan.se/httpdocs/cad/assets/includes/utl/larm.php(144):
PDOStatement->execute(Array)\n#1
/var/www/vhosts/stockholmblaljusklan.se/httpdocs/cad/sos/index.php(37):
include('/var/www/vhosts...')\n#2 {main}\n thrown in
/var/www/vhosts/stockholmblaljusklan.se/httpdocs/cad/assets/includes/utl/larm.php
on line 144', referer:
https://stockholmblaljusklan.se/cad/sos/index.php)
Someone that knows how to solve this problem? Much appreciated!
if(isset($_POST['submit_units'])){
$units = $_POST['enheter'];
$units_2 = implode(", ", $units);
$query_3 = "UPDATE larm SET enheter=:enheter WHERE id=:id";
$stmt = $db->prepare($query_3);
$stmt->bindparam(":enheter",$units_2);
$stmt->bindparam(":id",$id);
$stmt->execute();
$enheter_3 = explode(", ", $units_2);
$count_2 = str_repeat('?,', count($enheter_3) - 1) . '?';
$query_4 = "UPDATE fordon SET on_call=$id WHERE rakel IN ($count_2)";
$stmt = $db->prepare($query_4);
$stmt->execute($enheter_3);
}

I was not sure how to add all the below points in readable form in comments, so I am adding it here in the Answer section. Have a look at the below points:
$id not set
$stmt not closed after completing the query
You did not set $id for 2nd query
Comment out $enheter_3 = explode(", ", $units_2); $count_2 = str_repeat('?,', count($enheter_3) - 1) . '?';
and you can directly use $count_2 = str_repeat('?,', count($_POST['enheter']) - 1) . '?';
Your last query is susceptible to the SQL injection attack

This question already has answers here:
How to apply bindValue method in LIMIT clause?
(11 answers)
Closed 5 years ago.
I want to pass a GET var into the query to set the OFFSET.
try {
$sql_offset = isset($_GET['offset']) ? $_GET['offset'] : 0;
$main_query = "SELECT * FROM Orders
LIMIT 150 OFFSET :offset";
$result = $db->prepare($main_query);
$result->bindParam(':offset', $sql_offset, PDO::PARAM_INT);
$result->execute();
} catch (Exception $e) {
$error = $e->getMessage();
echo "<h2>".$error."</h2>";
die();
}
The query fails and the error message received is:
SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''450'' at line 2
Note: If I place 450 directly into the query it works fine.
It seems to me that the problem is that it is reading the param as a string '450' and not an int 450. I tried solving that with the PDO::PARAM_INT - didn't help. I parsed the value with (int)$sql_offset and int_val($sql_offset) and didn't help. Meaning, I was still receiving the same error message.
Question: am I right? Is the problem that it is seeing as a string? If so, how can I fix?
Or is there a different problem here?

Try to parse value in int then check:
$sql_offset = (int)(isset($_GET['offset']) ? $_GET['offset'] : 0);

This question already has an answer here:
Syntax error due to using a reserved word as a table or column name in MySQL
(1 answer)
Closed 7 years ago.
Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'keys) VALUES ('1','159')' at line 1' in C:\xampp\htdocs\***\index12.php:93 Stack trace: #0 C:\xampp\htdocs\***\index12.php(93): PDOStatement->execute(Array) #1 {main} thrown in C:\xampp\htdocs\***\index12.php on line 93
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
for($i = 1; $i < sizeof($counts_index);$i++){
//echo $i.": ".$counts_index[$i]."<br/>";
$index = $counts_index[$i];
$sql1 = "INSERT INTO asce (idn,keys) VALUES (:idn,:keys)";
$q1 = $dbh->prepare($sql1);
$params1 = array(
':idn'=>$i,
':keys'=> $index
);
$q1->execute($params1);
}

Keys is a reserved word in MySQL. Either change your column name (better solution) or update your query wrapping keys in backticks.
INSERT INTO asce (idn, `keys`...

I am inserting the values using PDO but i am getting error as:
Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'desc,price,nick_name,gender,size,color,birth_date,uname,uphone,ucountry,ustate,u' at line 1' in C:\wamp\www\aa\abc.php:58 Stack trace: #0 C:\wamp\www\www\aa\abc.phpphp(58): PDOStatement->execute(Array) #1 {main} thrown in C:\wamp\www\www\aa\abc.php.php on line 58
also getting Warning: implode() [function.implode]: Bad arguments for implode function
Code:
foreach ($_POST['pcheck'] as $p_check) ////storing checkbox values
{
$pcheckp[] = $p_check;
} $finalcheck = implode(',', $pcheck);
foreach ($_POST['pinc'] as $p_inc) ////storing inputfield values
{
$pinc[] = $p_inc;
} $finalpinc = implode(',', $pinc);
$sql = "INSERT INTO list (u_id,list_type,list_ff,breed,title,desc,price,nick_name,gender,size,color,birth_date,uname,uphone,ucountry,ustate,ucity,usite,pcheck,pinc,photo)
VALUES(:uid,:list_type,:list_ff,:breed,:title,:desc,:price,:nick_name,:gender,:size,:color,:date,:uname,:uphone,:ucountry,:ustate,:ucity,:usite,:pcheck,:pinc,:p_photo)";
$q = $db->prepare($sql);
$q->execute(array(':uid'=>dd,
':list_type'=>$list_type,
':breed'=>$breed,
':title'=>$title,
':desc'=>$desc,
':price'=>$price,
':list_ff'=>$list_ff,
':nick_name'=>$nick_name,
':gender'=>$gender,
':size'=>$size,
':color'=>$color,
':date'=>$date,
':uname'=>$uname,
':uphone'=>$uphone,
':ucountry'=>$ucountry,
':ustate'=>$ustate,
':ucity'=>$ucity,
':usite'=>$usite,
':pcheck'=>$finalcheck,
':pinc'=>$finalpinc,
':p_photo'=>$p_photo));
$_POST['pcheck'] and $_POST['pinc'] is used to get checkbox and input values which i am going to store in column in mysql.
I have checked many times to find the syntax error in insert query but nothing wrong is in it
Hoping to get help
Thanks!

for Warning: implode()
$finalcheck = implode(',', $pcheck);
should be
$finalcheck = implode(',', $pcheckp);
also desc is reserved for mysql you need to use it with `
$sql = "INSERT INTO list (`u_id`,`list_type`,`list_ff`,`breed`,`title`,`desc`,`price`,`nick_name`,`gender`,`size`,`color`,`birth_date`,`uname`,`uphone`,`ucountry`,`ustate`,`ucity`,`usite`,`pcheck`,`pinc`,`photo`)
VALUES(:uid,:list_type,:list_ff,:breed,:title,:desc,:price,:nick_name,:gender,:size,:color,:date,:uname,:uphone,:ucountry,:ustate,:ucity,:usite,:pcheck,:pinc,:p_photo)";

I have a php script to update details in a MySQL table. It all worked fine but now I have changed the db connection method to PDO:
$pdo = new PDO('mysql:host=localhost;dbname=****', '****', '*****');
I made various changes to the script to accommodate this so it continues to work, The only place that fails is right at the end after the mysql table has been updated. I get this error:
Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'and park_id=31' at line 1' in /home3/danville/public_html/test2/index.php:29 Stack trace: #0 /home3/danville/public_html/test2/index.php(29): PDO->query('update tpf_ride...') #1 {main} thrown in /home3/danville/public_html/test2/index.php on line 29
This is the piece of code causing the error:
$query = "update tpf_rides set name='$name',type='$type'";
if($topride!=""){$query .= ",top_ride=$topride";}
if($info!=""){$query .= ",info='$info'";}
if($height!=""){$query .= ",height=$height";}
if($length!=""){$query .= ",length=$length";}
if($speed!=""){$query .= ",speed=$speed";}
if($inversions!=""){$query .= ",inversions=$inversions";}
$query .= " where ride_id=".$ride_id." and park_id=".$park_id;
$pdo->query($query);
}
line 29 is this on Notepad++ $pdo->query($query); although the error message seems to reference the line above that $query .= " where ride_id=".$ride_id." and park_id=".$park_id;
Any ideas what I ned to change to stop the error? Additional details - I connect to the db with a require_once include. The updates do take effect despite the error.

If you're going to switch to PDO, you might as well take advantage of prepared statements and parameter binding. It actually makes your queries much safer from SQL injection and also makes your code more readable. Your query builder approach does complicate things a little but it's still possible. I'd also highly recommend enabling error reporting during development. For example
error_reporting(E_ALL);
ini_set('display_errors', 'On');
$upd = array('name = :name', 'type = :type');
$values = array(
'name' => $name,
'type' => $type,
'ride_id' => $ride_id,
'park_id' => $park_id
);
if (!empty($topride)) {
$upd[] = 'top_ride = :topride'; // :topride is the named parameter placeholder
$values['topride'] = $topride; // the array key matches the named placeholder above
}
if (!empty($info)) {
$upd[] = 'info = :info';
$values['info'] = $info;
}
// and so on
$query = sprintf('UPDATE tpf_rides SET %s WHERE ride_id = :ride_id AND park_id = :park_id',
implode(', ', $upd));
$stmt = $pdo->prepare($query);
$stmt->execute($values);