I have a Mysql Database named user. Here is a picture:
I want to change the Username of the user "dodlo.rg" programmatically.
Actually, I have the PHP-Version 7.1. And this is a part of my PHPCode:
EDITED CODE:
$newName= $_POST["changeT"];
$userId = $_POST["userId"];
$db = mysqli_connect("trolö", "trolö", "trolö123", "trolö")
$sql = "UPDATE user SET username = '$newName' WHERE user_id = '$userId'";
$query = mysqli_query($db, $sql);
$response["successU"] = true;
But I get the Error: "You gave an Error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'SELECT * FROM user' at line 1"
Thanks in advance.
The problem lies in 2 parts.
Firstly, since this column is a varchar field it needs to be inside quotes else it produces an sql error.
Secondly the SELECT statement just after is not valid, but i guess it was a copy/paste error.
Therefore your working code should be:
$newName= $_POST["changeT"];
$db = mysqli_connect("trolö", "trolö", "trolö123", "trolö")
$sql = "UPDATE user SET username = '".addslashes($newName)."' WHERE username = 'dodlo.rg'";
$query = mysqli_query($db, $sql);
$response["successU"] = true;
Also, please consider using your primary keys on your where statement rather a varchar field, as it'll improve speed when more complex queries. (eg. where user_id = 35 instead of where username = 'dodlo.rg' ).
Lastly, but quite important this code might be vulnerable to sql injections. You need to use prepared statements.
You have to convert this query into two parts
$sql1 = "UPDATE user SET username = $newName WHERE username = 'dodlo.rg'";
$sql2 = "SELECT * FROM user";
Related
I am trying to update varchar cell in SQL users table. Now the value of groups_id is 3. $last_id = 4. I want to change it to 3, 4. Could you please tell me what I am doing wrong?
With this code the value remains the same
$sql = "UPDATE registration.users SET groups_id = groups_id+', $last_id' WHERE username = '$user_name'";
$update_groups_id = $db->query($sql);
$val = $groups_id . ", ".$last_id;
$sql = "UPDATE registration.users SET `groups_id` = '$val' WHERE username = '$user_name'";
$update_groups_id = $db->query($sql);
your SQL query is wrong, you are not concatenating variables properly, try doing this way, I think it should help you
There is a syntax fault in your $sql object as you use +', $last_id'. If you want to append in PHP you can use . in string context
Also I'm pretty sure you can leave the '' from the variables so '$last_id' will become $last_id
But more important is that you do not check for any security issues. I hope $user_name and $last_id are not just taken from the input as SQL injections are possible.
I recommend you to look at mysqli_prepare and mysqli_bind
I have php script like this
$query = "select * where userid = 'agusza' ";
$result = mysql_query($query) or die(mysql_error());
while($row=mysql_fetch_array($result)) {
echo $result;
}
when I execute, the result like this
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'where userid = 'agusza'' at line 1
But when I run that sql in sqlserver, it running well
Anybody has solution ?
$query = "select * from table_name where userid = 'agusza' ";
See the corrections I have made. You haven't used the right syntax for SELECT query
You didn't select a table using FROM. Without that, it does not know which table you are selecting data from.
You should also stop using mysql as it is deprecated. Use mysqli or PDO as they are safer.
You are also echoing the wrong variable in your while loop, try this:
while ($row = mysql_fetch_array($result) {
echo $row['column_name'];
}
$query = "select * from table where userid = 'agusza'";
Right now, you're not telling which table SQL should look in.
You should format your query like so:
select * from `TableName` where userid='agusza'
In your query below you doesnt state the database table where you should get that data using FROM
$query = "select * where userid = 'agusza' "; // instead of this
$query = "select * FROM declaredtable where userid = 'agusza' "; used this
I'm trying to create a function for my forum that will increment my user's "Posts" attribute by 1. For whatever reason, the following PHP does not work.
function postCountIncrease($username) {
//get the connection variable
global $con;
//change to the users database (this function works correctly)
sqlconnect_users();
//get current post number (this is also working)
$getCurrentPosts = "SELECT Posts\n"
. "FROM users\n"
. "WHERE Username='".$username."'";
$query1 = mysqli_query($con, $getCurrentPosts) or die(mysqli_error($con));
$currentPosts = mysqli_fetch_array($query1);
//here is the problematic post. Assume that $username is a valid value, and that I've already done mysqli_real_escape_string() on it
$incrementPostsQuery = "UPDATE users.users SET Posts=". $currentPosts[0]+1 ." WHERE Username='". $username ."'";
$query2 = mysqli_query($con, $incrementPostsQuery) or die(mysqli_error($con));
//return the result
$result = mysqli_fetch_array($query2);
return $result;
}
I honestly don't see what I'm doing wrong, because the SQL works fine. If I use UPDATE users.users SET Posts=1 WHERE Username='Lampitosgames' in the console, it works with no errors. Help is much appriciated. Also, here is the error it is throwing at me:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1 WHERE Username='Lampitosgames''
You can not concatenate that way "toto ".$var+1, you have to surround with brackets "toto ".($var+1)
In your case, this is declaration of var $incrementPostsQuery which fails
Look at your errors, your syntax is off
$getCurrentPosts = "SELECT Posts
FROM users
WHERE Username='$username'";
The error is in the building of your query.
$incrementPostsQuery = "UPDATE users.users SET Posts=". $currentPosts[0]+1 ." WHERE Username='". $username ."'";
I'll suggest you some tips to create query like this:
"update table set field = value"; // you can write the value directly
"update table set field = ". $value; // easy
"update table set field = ". ($a+$b); // ...
"update table set field = {$value}"; // you can add a variable with curly braces
"update table set field = {$va[3]}"; // more compless way
"update table set field = {$a->b}"; // an object field
I'm having trouble getting this to update when needed. This is an optout script intended to updated the selected email row with the value of 1 in the removed column. I can't seem to get it to update and I'm thinking its an issue with my sql. Any help in understanding this is much appreciated.
As a note:
I'm making it to Sorry there seems to be an issue with.........
Here is the script.
<?php
if (isset($_GET['e'])) {
include_once "../storescripts/connect_to_mysql.php";
$email = $_GET['e'];
$sql_delete = mysql_query("UPDATE test WHERE email='$email' SET removed = '1'");
if (!$sql_delete) {
echo "Sorry there seems to be and issue when trying to remove your listing. Please email Admin directly using this email address: chris#.com";
} else {
echo "Sorry to see you go! You will not receive our newsletter ever again unless you relist. To gain access to our newsletter again simply let us know by email at chris#.com";
}
}
?>
Try:
$sql_delete = mysql_query("UPDATE test SET removed = '1' WHERE email='$email'");
The problem is your syntax, have a look at the mysql update syntax, where the where clause should go and where set should go http://dev.mysql.com/doc/refman/5.0/en/update.html.
You would have seen this problem had you used proper error handling, like follows:
$sql_delete = mysql_query("UPDATE test SET removed = '1' WHERE email='$email'") or die(mysql_error());
Have a look at mysql_real_escape_string http://www.php.net/manual/en/function.mysql-real-escape-string.php, to prevent SQL injection. Example:
$email = mysql_real_escape_string($email);
$sql_delete = mysql_query("UPDATE test SET removed = '1' WHERE email='$email'") or die(mysql_error());
Also note that mysql_ extension are deprecated, you want to start using mysqli or PDO.
Use SET before your WHERE clause.
UPDATE test
SET removed = '1'
WHERE email = '$email'
The update syntax is
UPDATE
table
SET
column = value
WHERE
condition = met
On another note, I see you're using a very unsafe method of dynamic entries ($_GET) and Mysql_* function are deprecated in new version of php >= 5.5. I'd highly recommend researching PDO for the use of bind variables otherwise you can easily get "hacked" if
$_GET['e'] = "fake' OR '1'='1" // known as sql injection
Good Read
How to prevent SQL injection in PHP?
Why shouldn't I use mysql_* functions in PHP?
You are right, your UPDATE syntax is incorrect. This is the correct form:
UPDATE test
SET removed = '1'
WHERE email = '$email'
Your query should be
mysql_query("UPDATE test SET removed = '1' WHERE email='$email'");
But please notice that this extension is deprecated.
Use MySQLi or PDO_MySQ instead.
the solution in both extensions are as follows.
MySQLi:
$mysqli = new mysqli(GDB_HOST, GDB_USERNAME, GDB_PASSWORD, GDB_NAME);
$cmd = $mysqli->prepare("UPDATE test SET removed = '1' WHERE email= ? ");
$cmd->bind_param('s', $email);
$cmd->execute();
PDO
$dbh = Database::connect();
$query = "UPDATE test SET removed = '1' WHERE email= ? ";
$sth = $dbh->prepare($query);
$sth->execute(array($email));
One of the big importances of using one of these 2 extensions is the fact that you avoid any attempt of SQL injection
I believe I have a simple syntax problem in my SQL statement. If I run this code, I get an error in the database query.
$user = $_GET['linevar'];
echo $user; // testing - url variable echos correctly
$sql = "SELECT * FROM `userAccounts` WHERE `name` = $user";
$result = mysql_query($sql) or die("Error in db query");
If I replace $user in the $sql string with 'actualName' or a known record in my table, the code works fine. Am I using the $ variable incorrectly in the SQL string?
You need to surround the value that you're getting from $user with quotes, since it's probably not a number:
$sql = "SELECT * FROM `userAccounts` WHERE `name` = '$user'";
Just as a note, you should also read up on SQL injection, since this code is susceptible to it. A fix would be to pass it through mysql_real_escape_string():
$user = mysql_real_escape_string( $_GET['linevar']);
You can also replace your or die(); logic with something a bit more informative to get an error message when something bad happens, like:
or die("Error in db query" . mysql_error());
You need escape the get input, then quote it.
// this is important to prevent sql injection.
$user = mysql_real_escape_string($_GET['linevar']);
$sql = "SELECT * FROM `userAccounts` WHERE `name` = '$user'";
This should work:
$sql = "SELECT * FROM `userAccounts` WHERE `name` = '" . $user . "'";