I am trying to update my table row but can't get it to work.
Here is the error that is coming:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Current_date = '2017-03-30', Content = 'This is first notification te' at line 2
Here is my code:
if(!empty($_FILES) || isset($_FILES['Details_file'])){
    $filetmp = $_FILES["Details_file"]["tmp_name"];
    $filename = $_FILES["Details_file"]["name"];
    $filetype = $_FILES["Details_file"]["type"];
    $filepath = "notification/".$filename;
    move_uploaded_file($filetmp, $filepath);
    echo $_POST['post_date'];
    // the values are concatenated into the SQL text, so nothing is actually bound
    $stmt = $con1->prepare("UPDATE notification SET
        Current_date = '".$_POST['post_date']."',
        Content = '".$_POST['Content']."',
        File_name= '".$filename."',
        File_path ='".$filepath."',
        Apply_link = '".$_POST['apply_now']."',
        Last_date = '".$_POST['Last_date']."'
        WHERE id = '".$_POST['fetch_id']."'") or die(mysqli_error($con1));
    $stmt->execute();
    $stmt->close();
}
Can anyone tell me what the problem with my code is?
There is no point in prepare() and execute() if you aren't using them properly. Try this instead:
$query = "UPDATE notification SET `Current_date`=?, `Content`=?, `File_name`=?, `File_path`=?, `Apply_link`=?, `Last_date`=? WHERE `id`=?";
$stmt = $con1->prepare($query);
$stmt->bind_param("ssssssi", $_POST['post_date'], $_POST['Content'], $filename, $filepath, $_POST['apply_now'], $_POST['Last_date'], $_POST['fetch_id']);
$stmt->execute();
$stmt->close();
You'll want to check the return values of each step (prepare, bind, execute) to ensure there are no errors being returned.
Current_date is a reserved keyword in MySQL, so in order to use it as the name of a column, you would need to enclose it in backticks.
I have made an update page which fetches a record from a table and shows all the details on an HTML form where the user can change/edit the values and submit. The next page fetches those values using $_POST and updates the table.
$new_id = $_POST['c_id'];
$new_name = $_POST['c_name'];
$table_name = "tcompany";
$sqlStatement = "UPDATE $table_name SET 'name'=$new_name WHERE 'id'= $new_id";
if($result_1 = mysql_query($sqlStatement))
{
header('Location: edit_company.php');
}
else {
echo "". mysql_error();
}
I am getting this error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''name'=HARDWARE Exporters WHERE 'id'= 69' at line 1
I am not considering security issues related to injection. I am using this code for personal use.
Don't use apostrophes (') around column names; use them around your variables instead.
$sqlStatement = "UPDATE ".$table_name." SET name='$new_name' WHERE id='$new_id'";
You should also sanitize the values you are binding to your query. Use *_real_escape_string.
$new_id = mysql_real_escape_string($_POST["c_id"]);
And the mysql_* API is already deprecated; you should consider using mysqli prepared statements instead.
If you want an example of a prepared statement using the code you have given, you can refer to the code below. There is no need to sanitize each value before using it in your query.
/* ESTABLISH FIRST YOUR CONNECTION */
$con = new mysqli("YourHost","Username","Password","Database"); /* REPLACE NECESSARY DATA */
/* Only values can be bound with a placeholder; a table or column name cannot,
   so the table name stays in the SQL text (it is a fixed string in your code). */
$table_name = "tcompany";
if($stmt = $con->prepare("UPDATE `".$table_name."` SET name = ? WHERE id = ?")){ /* CHECK IF STATEMENT IS TRUE */
    $stmt->bind_param("si",$_POST["c_name"],$_POST["c_id"]); /* BIND VALUES TO YOUR QUERY */
    $stmt->execute(); /* EXECUTE THE QUERY */
    $stmt->close();
} /* END OF PREPARED STATEMENT */
The problem is that the variable $new_name contains spaces. So you should quote the variables in the statement, like this:
// column names are unquoted (or backticked); the quotes go around the values
$sqlStatement = "UPDATE $table_name SET name='$new_name' WHERE id='$new_id'";
I am new to MySQL and I would really appreciate any help. What I want to do is upload an image to a specific row in a database and then display the image on the user's page. The error I get is:
Error in Query:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = 1' at line 4.
This is the piece of code referenced:
$sql = "INSERT INTO users5 (image, imageName)
VALUES ('{$imgData}', '{$_FILES['userfile']['name']}')WHERE id = $id;";
What I want to do is to upload an image to a specific row in a database
You have to use an UPDATE command if the row already exists.
$sql = "UPDATE users5 SET image = ?, imageName = ? WHERE id = ?";
$stmt = $mysqli->prepare( $sql );
$stmt->bind_param( 'ssi', $imgData, $_FILES['userfile']['name'], $id );
$stmt->execute();
$stmt->close();
As suggested, you had better use a prepared statement to bind parameter values to placeholders safely, avoiding SQL injection.
I'm trying to do something like this using PHP and MySQL PDO:
//PHP Variables
$msg_a = 'Too Little';
$msg_b = 'Score OK';
$sql = "select if(stdScore >= stdRequired, $msg_a, $msg_b) from scores;"
$results = $conn->prepare($Sql);
$results->execute();
AFAIK this should have worked, but I keep getting the following error message:
Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '
How can something like this be done?
$results = $conn->prepare($Sql);
                               ^ (capital S)
It should be with a lowercase s:
$results = $conn->prepare($sql);
because you have:
$sql = "select if(stdScore >= stdRequired, $msg_a, $msg_b) from scores"; // the semicolon goes after the closing double quote
 ^ lowercase s ($sql)
Can you try this:
$sql = "select if(stdScore >= stdRequired, $msg_a, $msg_b) from scores";
$results = $conn->prepare($sql);
Have you tried it this way?
// the single quotes are part of the SQL; the double quotes close and reopen the PHP string
$sql = "select if(stdScore >= stdRequired, '".$msg_a."', '".$msg_b."') from scores";
Since you're already using PDO, don't do query-string interpolation, which leaves your code vulnerable to SQL injection and value-escaping problems. Instead, use prepared statements properly.
Your code could have looked something like this:
$msg_a = 'Too Little';
$msg_b = 'Score OK';
// use placeholders in a query string
$sql = "SELECT IF(stdScore >= stdRequired, :msg_a, :msg_b) msg FROM scores";
// prepare the statement
$query = $conn->prepare($sql);
// bind parameters and execute the query
$query->execute(array(':msg_a' => $msg_a, ':msg_b' => $msg_b));
// fetch the resultset
$rows = $query->fetchAll(PDO::FETCH_ASSOC);
I just learned I had magic_quotes_gpc on (much to my chagrin). I turned that off.
My database connection is made prior to this query. I have the following:
$subject = mysqli_real_escape_string($link, $_POST["subject"]);
$body = mysqli_real_escape_string($link, $_POST["body"]);
$id = mysqli_real_escape_string($link, $_POST["id"]);
mysqli_query($link, "UPDATE press SET press_title = '$subject', press_release = '$body' WHERE press_id = '$id'") or die( mysqli_error($link) );
With magic quotes on, this works fine. Once I turn it off, single quotes jam up the works (with a MySQL syntax error at the quote). I thought I understood the concept, but I must be missing something. Can someone explain what I'm doing wrong?
UPDATE
Error spat out by MySQL:
you have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's what she said' at line 1
UPDATE #2
Here's the echoed query:
UPDATE press SET press_title = \'That\'s what she said\', press_release = \'That\'s what she said again!\' WHERE press_id = \'513\'
Use a parametrized query:
$stmt = mysqli_prepare($link, "UPDATE press SET press_title = ?, press_release = ? WHERE press_id = ?") or die (mysqli_error($link));
mysqli_stmt_bind_param($stmt, "ssi", $_POST['subject'], $_POST['body'], $_POST['id']);
mysqli_stmt_execute($stmt);
Manual
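The point the answers in these threads keep coming back to (the concatenated UPDATE in the first question, and the apostrophe in "That's what she said" that breaks this one once magic quotes are off) is easiest to see by running it. The following is an added example and not code from any of the posts: Python with an in-memory sqlite3 database stands in for PHP/MySQL, using a constructed press table with the column names from this thread so it runs offline. The quote-breaking and the injected OR '1'='1' behave the same way in MySQL; the int() check on the id is this example's own addition, not something the original answer does.

```python
import sqlite3

# Constructed in-memory stand-in for the MySQL "press" table from the thread.
# sqlite3 is used so the example runs offline; an apostrophe breaking an
# interpolated statement, and a bound parameter not breaking it, behave the
# same way in MySQL.

def fresh_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE press (press_id INTEGER PRIMARY KEY, "
                "press_title TEXT, press_release TEXT)")
    con.executemany("INSERT INTO press VALUES (?, ?, ?)",
                    [(513, "old title", "old body"), (514, "other", "untouched")])
    con.commit()
    return con

def update_interpolated(con, subject, body, press_id):
    """The pattern from the question: values pasted into the SQL text."""
    sql = (f"UPDATE press SET press_title = '{subject}', press_release = '{body}' "
           f"WHERE press_id = '{press_id}'")
    con.execute(sql)
    con.commit()

def update_bound(con, subject, body, press_id):
    """The pattern from the answer: placeholders, values sent separately.
    The int() cast is an extra check added here so a non-numeric id is rejected."""
    con.execute("UPDATE press SET press_title = ?, press_release = ? WHERE press_id = ?",
                (subject, body, int(press_id)))
    con.commit()

def titles(con):
    return {pid: title for pid, title in
            con.execute("SELECT press_id, press_title FROM press ORDER BY press_id")}

def demo():
    results = {}
    # 1. The apostrophe from the thread ends the string literal early -> syntax error.
    con = fresh_db()
    try:
        update_interpolated(con, "That's what she said", "again!", 513)
        results["interpolated_apostrophe"] = "ok"
    except sqlite3.OperationalError:
        results["interpolated_apostrophe"] = "syntax error"
    # 2. Constructed injection: the id closes the quote and widens the WHERE clause,
    #    so every row in the table is rewritten, not just 513.
    con = fresh_db()
    update_interpolated(con, "pwned", "x", "513' OR '1'='1")
    results["interpolated_injection_rows_changed"] = sum(
        1 for t in titles(con).values() if t == "pwned")
    # 3. The same inputs through bound parameters: the apostrophe is just data.
    con = fresh_db()
    update_bound(con, "That's what she said", "again!", 513)
    results["bound_apostrophe"] = titles(con)[513]
    # 4. The injected id never reaches SQL; it is rejected as a non-integer.
    con = fresh_db()
    try:
        update_bound(con, "pwned", "x", "513' OR '1'='1")
        results["bound_injection"] = "executed"
    except ValueError:
        results["bound_injection"] = "rejected: id is not an integer"
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it with no arguments; demo() returns a small dict you can inspect. Note that escaping details differ between engines (MySQL accepts backslash escapes in string literals, SQLite only the doubled quote), which is one more reason to let the driver bind values rather than building the quoting yourself.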
My code:
$fileid = $_GET['imgid'];
$fileid = (int)$fileid; //id is int type in photos table
require 'database.php';
//get the image source name
$q = "SELECT src form photos WHERE id='$fileid'";
$result = $mysqli->query($q) or die(mysqli_error($mysqli));
if ($result)
{
    $row = $result->fetch_object();
    $filename = $row->src;
}
ERROR: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'photos WHERE id='12'' at line 1
You have FROM misspelled. Try:
$q = "SELECT src FROM photos WHERE id='$fileid'";
In addition, while not related to this syntax error, note that your code appears to be vulnerable to SQL Injection.