I have this code
$ntimes = $wpdb->get_var("SELECT Count(*) FROM wp_comp_review_list where email = $key->email");
What I was trying to do is count the number of emails where email = "sample#gmail.com". Wherein the email to compare is generated from another foreach loop.
I am having the following error:
"WordPress database error: [You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '#gmail.com' at line 1]"
I tried this by comparing names that have spaces. I got the same error because of the space.
Any tips on how to use WHERE with special characters?
An email is a string so you should use quotes, where email = '$key->email', though you're also open to SQL injection; if not, it's better safe than hacked.
So you should use prepared statements instead using prepare().
<?php
$results = $wpdb->get_results(
$wpdb->prepare('
SELECT Count(*)
FROM wp_comp_review_list
WHERE email = %s',
[
$key->email
]
)
);
This should also work using esc_sql(), though avoid when you can:
<?php
$email = esc_sql($key->email);
$wpdb->get_var("
SELECT Count(*)
FROM wp_comp_review_list
WHERE email = '{$email}'"
);
?>
Use this :
$ntimes = $wpdb->get_var("SELECT Count(*) FROM wp_comp_review_list where email = '$key->email'");
Since your $key->email has a space, it is no longer a single word, and the next thing after the space is considered an SQL command (which it is not).
You are missing the quotes '' in the condition:
$ntimes = $wpdb->get_var("SELECT Count(*) FROM wp_comp_review_list where email = '$key->email'");
I have code like this
<?php
$mdb_file = realpath('../PEB_MDB/dbPEB.mdb');
$dsn='Driver={MSAccess};DBQ='.$mdb_file.';';
//$mdb_file = $_SERVER['DOCUMENT_ROOT']."/sapfiles/web_supp/PEB_MDB/dbPEB.mdb";
$user = "";
$password = "MumtazFarisHana";
$conn = odbc_connect($dsn,$user,$password);
var_dump($conn);
$sql = "SELECT a.NAMABELI,s.URBRG1,a.NAMABELI,a.NEGBELI,a.NEGTUJU,a.CAR,a.KDKTR,a.PELMUAT,
a.NODAFT,a.TGDAFT,a.FOB,d.NoDok,d.TgDok FROM (tblpebhdr AS a INNER JOIN tblpebdok AS d
ON a.CAR = d.CAR) INNER JOIN tblpebdtl AS s ON a.CAR = s.CAR
WHERE d.KdDok='380' and a.TGDAFT>=#01/jan/2018# AND a.TGDAFT<=#01/Apr/2018#";
$rs = odbc_exec($conn, $sql) or die(odbc_errormsg());
var_dump($rs);
?>
When I try running this code, it says Couldn't parse SQL. If I change my query to SELECT * FROM tblpebhdr it works perfectly. But why didn't my first query work at all? Is it because of the hashtag (#), or something else?
Your syntax is correct Access SQL syntax, so try to remove one field at a time and you should find the offending field name.
Also, never use text months in filters as the names are expected to be localised, and - while the "reverse" US format is accepted, thus can't be the source of your error, if TGDAFT is of data type DateTime - make it a habit to use the ISO sequence yyyy-mm-dd:
a.TGDAFT>=#2018/01/01# AND a.TGDAFT<=#2018/04/01#";
if (isset($_POST['update'])) {
$column=(isset( $_POST['column']));
$type= (isset($_POST['type']));
$value= (isset($_POST['value']));
mysql_query("UPDATE `combo1` SET column = '$column', type = '$type' ,value ='$value' WHERE id = '$id'");
}
The update query is not working. I am not getting what the solution is. Please help me to overcome this problem.
You have an error in your SQL syntax; check the manual that
corresponds to your MariaDB server version for the right syntax to use
near 'column = '', type = '' ,value ='' WHERE id = '20'' at line 1
The isset() method returns a boolean value; change it like this:
$column = isset( $_POST['column']) ? $_POST['column']:"";
Same for others
Modify your code as follows:
if (isset($_POST['update'])) {
$column = $_POST['column'];
$type = $_POST['type'];
$value = $_POST['value'];
mysql_query("UPDATE `combo1` SET column = '$column', type = '$type' ,value ='$value' WHERE id = '$id'");
}
If you remove the isset() method (refer to this link if you want more about the isset() method) as I have given above, the texts inside $column, $type and $value are substituted directly into the update string.
Update string does not contain any syntax errors in this case. Refer to this link if you want more information.
I also recommend you read up on SQL injection, as this sort of parameter passing is prone to hacking attempts if you do not sanitize the data being used:
MySQL - SQL Injection Prevention
The error message has virtually nothing to do with the 'version'. It is a syntax error complaining about "column". That word is a reserved word. Since you seem to have called the column column, put backticks around it, just as you did for the tablename.
mysqli_query($link,"UPDATE `combo1` SET `column`='$column',type = '$type',value='$value' WHERE id ='$id'")
or die(mysqli_error($link));
I want to insert a record with an apostrophe into a MySQL database using PHP. Following is my code:
$importer_name =mysql_escape_string ($objWorksheet->getCellByColumnAndRow(1,3)->getValue());
$exporter_name = $objWorksheet->getCellByColumnAndRow(1, 3)->getValue();
$prod_quantity_unit = $objWorksheet->getCellByColumnAndRow(1,6)->getValue();
$prod_fob_value = $objWorksheet->getCellByColumnAndRow(5,6)->getValue();
$prod_quantity = $objWorksheet->getCellByColumnAndRow(1,8)->getValue();
$prod_fob_unit= $objWorksheet->getCellByColumnAndRow(5,8)->getValue();
$prod_gross_waight= $objWorksheet->getCellByColumnAndRow(1,10)->getValue();
$prod_cif_value= $objWorksheet->getCellByColumnAndRow(5,10)->getValue();
$prod_net_weight= $objWorksheet->getCellByColumnAndRow(1,12)->getValue();
$prod_cif_unit_price= $objWorksheet->getCellByColumnAndRow(5,12)->getValue();
$prod_brand= $objWorksheet->getCellByColumnAndRow(5,14)->getValue();
$hs_code = $objWorksheet->getCellByColumnAndRow(1,17)->getValue();
$shipping_date = $objWorksheet->getCellByColumnAndRow(5,17)->getValue();
$customs = $objWorksheet->getCellByColumnAndRow(1,19)->getValue();
$transport_company = $objWorksheet->getCellByColumnAndRow(5,19)->getValue();
$country_of_origin = $objWorksheet->getCellByColumnAndRow(1,21)->getValue();
$transport_mode = $objWorksheet->getCellByColumnAndRow(5,21)->getValue();
$country_of_trade = $objWorksheet->getCellByColumnAndRow(1,23)->getValue();
$hs_code_description = $objWorksheet->getCellByColumnAndRow(1,26)->getValue();
$product_description = $objWorksheet->getCellByColumnAndRow(1,28)->getValue();
$insertquery="INSERT INTO tb_peru_data
(importer_name,exporter_name,product_quantity_unit,
product_fob_unit,product_quantity,product_fob_value,
product_gross_weight,product_cif_value,
product_net_weight,product_cif_unit_price,
product_brand,shipping_hs_code,shipping_date,
shipping_customs,shipping_transport_company,
shipping_country_of_origin,shipping_transport_mode,
shipping_country_of_trade,hs_code_description,
product_description)
VALUES
('$importer_name','$exporter_name','$prod_quantity_unit',
'$prod_fob_unit','$prod_quantity','$prod_fob_value',
'$prod_gross_waight','$prod_cif_value','$prod_net_weight',
'$prod_cif_unit_price','$prod_brand','$hs_code','$shipping_date',
'$customs','$transport_company','$country_of_origin',
'$transport_mode','$country_of_trade',
'$hs_code_description','$product_description')";
mysql_query($insertquery)or die('ErrorrPERU: '.mysql_error());
/*$del="DELETE * FROM tb_excel_file";
mysql_query($del);*/
?>
This does not work, and gives the following error:
you have an error in your SQL syntax; check the manual that corresponds
to your MySQL server version for the right syntax to use near
's','12U','6','9','54',
'34.83','55.5','31.83','6.17','','7323931000','2008/04/1' at line 3
Use mysqli_real_escape_string instead of deprecated mysql_real_escape_string
This function will force you to input mysql table / database.
This way your collation will be considered while escaping
You can use real_escape_string() in PHP. You need to escape the apostrophe (that is, tell SQL that the apostrophe is to be taken literally and not as the beginning or end of a string). To add more, I'd say that you can also use PDO, but consider using addslashes($string) and stripslashes($string).
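The difference between quoting a value into the SQL string and binding it as a parameter, for the e-mail count in the first question and the apostrophe insert above, as an added example that is not code from any of the posts. It assumes PHP with the pdo_sqlite extension; an in-memory SQLite database stands in for MySQL, and the table name and sample rows are constructed.

```php
<?php
// Added example, not from the posts. SQLite in memory stands in for MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE review_list (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');

// Constructed sample rows: values with '#', a space and an apostrophe.
$rows = [
    ['Jane Doe',   'sample#gmail.com'],
    ["Pat O'Neil", 'pat@example.com'],
];

// Bound parameters travel separately from the SQL text, so the statement
// has the same shape whatever characters the values contain.
$insert = $pdo->prepare('INSERT INTO review_list (name, email) VALUES (?, ?)');
foreach ($rows as $row) {
    $insert->execute($row);
}

function countByName(PDO $pdo, string $name): int
{
    $stmt = $pdo->prepare('SELECT COUNT(*) FROM review_list WHERE name = ?');
    $stmt->execute([$name]);
    return (int) $stmt->fetchColumn();
}

// The quoted-interpolation form from the answers, kept for comparison:
// the value becomes part of the SQL text, so a quote inside it ends the literal.
function countByNameInterpolated(PDO $pdo, string $name): string
{
    try {
        $sql = "SELECT COUNT(*) FROM review_list WHERE name = '$name'";
        return (string) $pdo->query($sql)->fetchColumn();
    } catch (PDOException $e) {
        return 'rejected: ' . $e->getMessage();
    }
}

foreach (['Jane Doe', "Pat O'Neil"] as $name) {
    printf("%-12s bound=%d interpolated=%s\n",
        $name, countByName($pdo, $name), countByNameInterpolated($pdo, $name));
}

$byEmail = $pdo->prepare('SELECT COUNT(*) FROM review_list WHERE email = ?');
$byEmail->execute(['sample#gmail.com']);
printf("email count=%d\n", $byEmail->fetchColumn());
```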
I'm inserting value to my MySQL table from php as:
$journey = $_POST['way'];
$from = $_POST['from'];
$to = $_POST['to'];
$dpdt = $_POST['dp_date'];
$rtdt = $_POST['rt_date'];
$fare = $_POST['fare'];
$sql = "insert into tours set " .
"journey='$journey', from='$from', to='$to', dp_date=CAST('$dpdt' AS DATE), " .
"rt_date=CAST('$rtdt' AS DATE), fare='$fare'";
on trying echo for $sql I'm getting output as:
insert into tours set journey='round', from='Aurangabad', to='Kashmir', dp_date=CAST('27-08-2013' AS DATE), rt_date=CAST('21-08-2013' AS DATE), fare='2500'
but I'm continuously getting the same error message:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'from=Aurangabad, to='Kashmir', dp_date=CAST('27-08-2013' AS DATE), rt_date=CAST(' at line 1
even if I try to remove ' around the values of column names.
I'm using the same syntax for inserting data and that's working fine.
What's wrong with this?
Why does MySQL not give a proper error for such a terrible mistake?
`from`='$from', `to`='$to'
FROM is a reserved word; use backticks around it.
FROM is a reserved keyword and you should not use it. Refer Here
'from' and 'to' are reserved words
Try to do like this
[from] = 'Aurangabad', [to] ='Kashmir'
FROM is a SQL-Keyword. You must not use that without delimiters as a column name.
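Reserved words such as `from`, `to` and `column` are identifiers, which placeholders cannot bind, so they need backtick quoting while the values are still bound. The following is an added example, not code from any of the posts; it assumes PHP with pdo_sqlite (SQLite accepts MySQL-style backtick identifiers), and `quoteIdent` and `updateRow` are hypothetical helper names.

```php
<?php
// Added example, not from the posts. SQLite in memory stands in for MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE `tours` (id INTEGER PRIMARY KEY, `journey` TEXT, `from` TEXT, `to` TEXT, `fare` TEXT)');
$pdo->exec('INSERT INTO `tours` (id) VALUES (1)');

// Hypothetical helper: MySQL-style identifier quoting
// (wrap in backticks, double any backtick inside the name).
function quoteIdent(string $name): string
{
    return '`' . str_replace('`', '``', $name) . '`';
}

// Hypothetical helper: column names must be on a fixed allow-list and are
// quoted as identifiers; values are bound as parameters.
function updateRow(PDO $pdo, string $table, array $allowed, array $data, int $id): int
{
    $set = [];
    $params = [];
    foreach ($data as $column => $value) {
        if (!in_array($column, $allowed, true)) {
            throw new InvalidArgumentException("column not allowed: $column");
        }
        $set[] = quoteIdent($column) . ' = ?';
        $params[] = $value;
    }
    $params[] = $id;
    $sql = 'UPDATE ' . quoteIdent($table) . ' SET ' . implode(', ', $set) . ' WHERE id = ?';
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt->rowCount();
}

// The unquoted form from the question is rejected by the parser.
try {
    $pdo->prepare('UPDATE tours SET from = ? WHERE id = ?');
    echo "unquoted from: accepted\n";
} catch (PDOException $e) {
    echo "unquoted from: rejected\n";
}

// Constructed sample values, taken from the echoed query in the question.
$allowed = ['journey', 'from', 'to', 'fare'];
$changed = updateRow($pdo, 'tours', $allowed,
    ['journey' => 'round', 'from' => 'Aurangabad', 'to' => 'Kashmir', 'fare' => '2500'], 1);
printf("rows updated: %d\n", $changed);
print_r($pdo->query('SELECT `from`, `to` FROM `tours` WHERE id = 1')->fetch(PDO::FETCH_ASSOC));
```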
If I use a variable in a PHP SQL statement that also has COUNT, I get an error. If I use a literal number instead of the variable, it works fine. In the code below, you can see where I set my variable. It's set to "test2", first line of code below.
What am I doing wrong?
//$tag_text_ipb hardcoded here for testing
$tag_text_ipb="test2";
//when I replace $tag_text_ipb with the literal 'test2' in SQL below, it works fine.
$query_total_tags = "SELECT COUNT(1) FROM core_tags WHERE tag_meta_app = 'downloads' AND tag_text = $tag_text_ipb";
$dlresult_total_tags = mysql_query( $query_total_tags );
//Mysql reports an error here (see below for the error text) ONLY when I use the $tag_text_ipb variable in the SQL statement.
$tag_count= mysql_result($dlresult_total_tags,$k[COUNT(1)]);
The error is:
Warning: mysql_result(): supplied argument is not a valid MySQL result resource in /home/ipboard/admin/... : eval()'d code on line 3884
This error disappears and everything works properly if I use a literal in the SQL statement instead of $tag_text_ipb.
You're missing quotes around the tag text var in your SQL. Should be like this:
$query_total_tags = "SELECT COUNT(1) FROM core_tags WHERE tag_meta_app = 'downloads' AND tag_text = '".$tag_text_ipb."'";
$query_total_tags = "SELECT COUNT(1) ... AND tag_text = '$tag_text_ipb'";
                                                        ^             ^
You need to quote the text values, otherwise your query will be malformed. Please do read about SQL injection, and see if you can use bind parameters rather than raw queries.
try this
$query_total_tags = "SELECT COUNT(1) FROM core_tags WHERE tag_meta_app = 'downloads' AND tag_text = '$tag_text_ipb'";
(single quotes around $tag_text_ipb)