This question already has answers here:
Are you allowed to use numbers as table names in MySQL?
(5 answers)
Closed 5 years ago.
I am trying to use a dynamic column name in a PHP MySQL update, but I am getting an error.
Here is the code:
$time=date("H");
$video_view = 234;
$update_query = "UPDATE videos SET ". $time . "= {$video_view} WHERE id={$id}";
Here is the error:
UPDATE videos SET 14= 200079 WHERE id=1Query failedYou have an error in
your SQL syntax; check the manual that corresponds to your MariaDB
server version for the right syntax to use near '14= 200079 WHERE id=1' at line 1
First of all you should really use prepared statements and bound parameters.
If your column really has the name '14', as in the variable $time, then you can try this:
$update_query = "UPDATE videos SET `". $time . "` = {$video_view} WHERE id={$id}";
As far as I know, column names should stand between `` because of reserved names like numbers or function names.
I would avoid it because it will cause those errors, and I don't know if the query makes sense.
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 7 years ago.
I have an application which takes the information of a MySQL database (a music DB) and shows it via echos in a div. Everything works fine.
Now I wanted to add a search bar so you can search the database for a specific song.
The search bar just loads a PHP file with a MySQL query. The word or the letters you want to search for are passed via a variable in the link (for example test.php?searchvalue=it).
Now my problem: I get the following MySQL error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
The quotes in the error are single quotes!
The query is:
$searchvalue = $_GET["searchvalue"];
$query = mysql_query("select SongID, Songtitel, artwork, duration, SCID from tMusic where Songtitel LIKE '%$searchvalue%'") or die(mysql_error());
Why is this wrong?
Thanks for help.
$searchvalue = $_GET["searchvalue"];
$query = mysql_query("select SongID, Songtitel, artwork, duration, SCID from tMusic where Songtitel LIKE '%".mysql_real_escape_string($searchvalue)."%'") or die(mysql_error());
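An added example, not part of the original answer: the same search written with a PDO prepared statement, so the search term is bound as data and any % or _ typed by the user is matched literally. The in-memory SQLite database, the sample rows and the searchSongs() helper are assumptions made so that the script runs on its own.

```php
<?php
// Added example. In-memory SQLite stands in for the MySQL music table so the
// script runs offline; the PDO calls are the same with a mysql: DSN.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tMusic (SongID INTEGER PRIMARY KEY, Songtitel TEXT)');

// Constructed sample rows.
$ins = $db->prepare('INSERT INTO tMusic (Songtitel) VALUES (?)');
foreach (["It's My Life", '100% Pure', 'Hit the Road', 'Unrelated'] as $title) {
    $ins->execute([$title]);
}

// Search song titles for a literal substring (hypothetical helper).
function searchSongs(PDO $db, string $searchvalue): array
{
    // Escape the LIKE metacharacters, using '!' as an explicit escape
    // character so the behaviour does not depend on server defaults.
    $literal = strtr($searchvalue, ['!' => '!!', '%' => '!%', '_' => '!_']);

    $stmt = $db->prepare(
        "SELECT SongID, Songtitel FROM tMusic
         WHERE Songtitel LIKE :pattern ESCAPE '!'"
    );
    // The wildcards are added in PHP; the whole pattern is one bound value.
    $stmt->execute([':pattern' => '%' . $literal . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN, 1);
}

print_r(searchSongs($db, 'it'));    // plain substring search
print_r(searchSongs($db, "It's"));  // a quote in the input is just data
print_r(searchSongs($db, '%'));     // a typed % is matched literally
```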
This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
Closed 8 years ago.
I'm trying to update a value in my table, but I have a syntax error and I can't find the error.
This is my PHP code:
$data = new MysqlClass();
$data->connect();
$result_sql = $data->query("UPDATE iscrizioni SET '".$matricola."' = 'si' WHERE 'COD'=".$cod);
It returns:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''805710' = 'si' WHERE 'COD'=1' at line 1
Have you any idea where the error is?
Thank you very much!
You are using column names as strings; use ` instead of '. Or don't use it at all.
$result_sql = $data->query("UPDATE `iscrizioni` SET `".$matricola."` = 'si' WHERE `COD` = ".$cod);
This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
Closed 9 years ago.
This is where I think the problem is...
$sql1 = "SELECT `puntos_globales`, '$juego'
FROM `lista_jugadores` WHERE `id_jugador`='$noTop'";
This is the error message:
Error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near "blackOps2'='1' WHERE `id_jugador` = '10" at line 1
$juego is a PHP variable that holds the column name; in this case blackOps2. I don't know why the error says blackOps2'='1'?
From the error it seems you didn't provide the true query, and it looks like you have two WHERE clauses:
blackOps2='1' WHERE `id_jugador` = '10"
Try doing it like this:
WHERE `id_jugador` = '10' AND blackOps2='1'
This question already has answers here:
Can PHP PDO Statements accept the table or column name as parameter?
(8 answers)
Closed 9 years ago.
I need to know whether I can use question marks (?) in PDO prepared statements as the table name or not.
$table = $_POST['table'];
$id = $_POST['id'];
$sql = "UPDATE ? SET priority = priority + 1 WHERE id = ?";
$q = $db->prepare($sql);
$q->execute(array($table,$id));
I'm getting this error:
Warning: PDO::prepare() [pdo.prepare]: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '? SET priority = priority + 1 WHERE id = ?'
Aside from that simple problem, there is another one - your code smells of bad database design. In a properly planned database you would never need to receive a table name via POST request.
Most likely you are using multiple tables where you have to use only one.
You need to bind the parameters like this:
$q->bindParam(1, $table);
$q->bindParam(2, $id);
Source (see Example #2)
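An added example, not code from any of the posts above: placeholders in a prepared statement stand for values only, never for table or column names, so a dynamic identifier is checked against a fixed list and only the values are bound. It covers both the hourly column from the first question and the table name from this one; the in-memory SQLite database, the tasks/tickets tables and the function names are assumptions.

```php
<?php
// Added example. In-memory SQLite stands in for MySQL so this runs offline;
// the schema, rows and the tasks/tickets table names are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$hours = array_map(fn($h) => sprintf('%02d', $h), range(0, 23)); // "00".."23"
$cols = implode(', ', array_map(fn($h) => "`$h` INTEGER DEFAULT 0", $hours));
$db->exec("CREATE TABLE videos (id INTEGER PRIMARY KEY, $cols)");
$db->exec('INSERT INTO videos (id) VALUES (1)');
$tables = ['tasks', 'tickets'];
foreach ($tables as $t) {
    $db->exec("CREATE TABLE `$t` (id INTEGER PRIMARY KEY, priority INTEGER DEFAULT 0)");
    $db->exec("INSERT INTO `$t` (id) VALUES (1)");
}

// Return a backtick-quoted identifier only if it is on the developer's list.
function ident(string $name, array $allowed): string
{
    if (!in_array($name, $allowed, true)) {
        throw new InvalidArgumentException('identifier not on allow-list');
    }
    return '`' . $name . '`';
}

function setHourViews(PDO $db, array $hours, string $hour, int $views, int $id): int
{
    $stmt = $db->prepare('UPDATE videos SET ' . ident($hour, $hours) . ' = ? WHERE id = ?');
    $stmt->execute([$views, $id]); // values travel as bound parameters
    return $stmt->rowCount();
}

function bumpPriority(PDO $db, array $tables, string $table, int $id): int
{
    $stmt = $db->prepare('UPDATE ' . ident($table, $tables) . ' SET priority = priority + 1 WHERE id = ?');
    $stmt->execute([$id]);
    return $stmt->rowCount();
}

echo setHourViews($db, $hours, date('H'), 234, 1), " video row updated\n";
echo bumpPriority($db, $tables, 'tasks', 1), " task row updated\n";
try {
    // Constructed input that is not on the list: rejected before any SQL is built.
    bumpPriority($db, $tables, 'tasks`; --', 1);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Backtick quoting alone only fixes the syntax error; the allow-list check is what keeps request data out of the SQL text.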
This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
Closed 9 years ago.
I have a MySQL query I'm running. I want to add 1 to a field called articleswritten.
I get this error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''users' SET articleswritten = articleswritten + 1 WHERE id = '1'' at line 1
Code:
$sql = "UPDATE 'users' SET articleswritten = articleswritten + 1 WHERE `id` = '$userid'";
$result = mysql_query($sql) or die(mysql_error());
I can't find an issue. Am I blind?
Any help would be appreciated.
This should either be
UPDATE `users`
Or just
UPDATE users
The single quotes make the table name invalid. Everything else in the query is okay.
However, your query is vulnerable to injection. Instead of using ext/mysql, you should use properly parameterized queries with PDO or mysqli.
You don't need to single quote the table name here. This should do
$sql = "UPDATE users SET articleswritten = articleswritten + 1 WHERE id = '$userid'";