Update query gives Mariadb version error - php

if (isset($_POST['update'])) {
$column=(isset( $_POST['column']));
$type= (isset($_POST['type']));
$value= (isset($_POST['value']));
mysql_query("UPDATE `combo1` SET column = '$column', type = '$type' ,value ='$value' WHERE id = '$id'");
}
The update query is not working I am not getting what is the solution please help me to overcome this problem
You have an error in your SQL syntax; check the manual that
corresponds to your MariaDB server version for the right syntax to use
near 'column = '', type = '' ,value ='' WHERE id = '20'' at line 1


isset() method returns boolean value change like this
$column = isset( $_POST['column']) ? $_POST['column']:"";
Same for others


Modify your code as follows:
if (isset($_POST['update'])) {
$column = $_POST['column'];
$type = $_POST['type'];
$value = $_POST['value'];
mysql_query("UPDATE `combo1` SET column = '$column', type = '$type' ,value ='$value' WHERE id = '$id'");
}
If you remove the isset() method (refer to this link if you want more about the isset() method) as I have given above, the texts inside $column, $type and $value are substituted directly into the update string.
Update string does not contain any syntax errors in this case. Refer to this link if you want more information.
I also recommend you read up on SQL injection, as this sort of parameter passing is prone to hacking attempts if you do not sanitize the data being used:
MySQL - SQL Injection Prevention


The error message has virtually nothing to do with the 'version'. It is a syntax error complaining about "column". That word is a reserved word. Since you seem to have called the column column, put backtics around it, just as you did for the tablename.


mysqli_query($link,"UPDATE combo1 SET column='$column',type = '$type',value='$value' WHERE id ='$id'")
or die(mysqli_error($link));

Related

MySQL UPDATE Query PHP doesn't work

I'm trying to update a column, I got no modification in the column value can you please help me with that?
Code i am trying:-
global $wpdb;
$param1 = $_GET['projectID'];
$sql1 = "UPDATE wp_projects SET nbrDonation = nbrDonation+1 WHERE projectID = $param1";
$wpdb->query($sql1);
echo $param1;
echo $sql1;
this is what i got as error :
Erreur de la base de données WordPress : [You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1] UPDATE wp_projects SET nbrDonation=nbrDonation+1 WHERE projectID=
UPDATE wp_projects SET nbrDonation=nbrDonation+1 WHERE projectID=

It seems like your $param1 value may be empty, or otherwise invalid.
[You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1]
The '' implies that the value is empty; so the SQL is doing:
UPDATE wp_projects SET nbrDonation=(nbrDonation+1) WHERE projectID=''
Which is invalid as nothing ('') is not an integer value as expected.
Solution:
You need to force the $param1 value to be interger. You can do this by typecasting in PHP.
so:
$param1 = (int)$_GET['projectID']; // forces it to a numeric value, 1 or 0
This will then mean the SQL will work correctly:
$sql1 = "UPDATE wp_projects SET nbrDonation = nbrDonation+1 WHERE projectID = $param1";
You do not need the brackets around the nbrDonation+1 and you do not need quotes around the ID number, because it's numeric.
Please also note:
How to Prevent SQL Injection compromise in MySQL with PHP

Remove the single quote your projectID
$sql1="UPDATE wp_projects SET nbrDonation=(nbrDonation+1) WHERE projectID=$param1";
Try now.

PHP posting a variable in a variable using mysql

I need to use the number of the district to be the tail end of my variable. Example $publish_page_ADD THE DISTRICT NUMBER
I am grabbing the $district_num from my url which I've verified with echo
Here is what I've tried
$district_num = $_REQUEST['district_num']; // from url and works
$publish_page_.''.$district_num = $district_var['publish_page_'.$district_num.'']; //this does not work
$publish_page_.''.$district_num = addslashes($_POST['publish_page_'.$district_num.'']); //this does not work
$sql = "UPDATE districts SET
publish_page_$district_num = '$publish_page_$district_num' //this does not work and throws error "can not find publish_page_ in field list
WHERE district_num ='$district_num'"; //this works when the above code is removed
Follow up on corrected code... Thank You #cale_b and #Bill Karwin
$district_num = (int) $_REQUEST['district_num'];
$$publish_page = "publish_page_{$district_num}";
$$publish_page = $district_var[ "publish_page_{$district_num}"];
if (isset($_POST['submitok'])):
$$publish_page = addslashes($_POST[$publish_page]);
$sql = "UPDATE districts SET
publish_page_{$district_num} = '$publish_page'
WHERE district_num ='$district_num'";

If you want to learn about PHP's variable variables, it's in the manual (I linked to it). But you actually don't need it in your case.
Be careful about SQL injection. Your code is vulnerable to it.
Since you're using input to form a SQL column name, you can't use SQL query parameters to solve it. But you can cast the input to an integer, which will protect against SQL injection in this case.
$district_num = (int) $_REQUEST['district_num'];
$publish_page_col = "publish_page_{$district_num}";
The above is safe because the (int) casting makes sure the num variable is only numeric. It isn't possible for it to contain any characters like ' or \ that could cause an SQL injection vulnerability.
For the other dynamic values, use query parameters.
$publish_page_value = $_REQUEST["publish_page_4{$district_num}"];
$sql = "UPDATE districts SET
`$publish_page_col` = ?
WHERE district_num = ?";
$stmt = $pdo->prepare($sql);
$stmt->execute([ $publish_page_value, $district_num ]);
As #cale_b comments below, you should understand that in PHP, variables can be expanded inside double-quoted strings. See http://php.net/manual/en/language.types.string.php#language.types.string.parsing for details on that.

Delete from table where id in (*php variable*) returns error

I working in a php application where I must delete the selected items from a list where each item haves their own ID from mysql database, everything goes ok until execute the query in php.
This is the error message:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 5
this is the String that I execute in the query:
$queryDE = "delete from md5_agenda
where id_empresa = $empi
and id_unidade = $unii
and id_usuario = $usrr
and id_item_agenda in ($deletar);"
The variable $deletar receives their value from post method and their value is like: 35,36,47,... and can be one ore many different values
But my problem is if I change $deletar for the exactly values everything goes fine, but if I use the php variable with THE EXACTLY SAME VALUE it doesn't work and returns the previous error message, I have no more ideas about what to do... I wanna keep in this way where I can choose all IDs that I want delete, without repeat the query.
Thanks.
edit:

foreach($deletar as $val)
{
$queryDE = "delete from md5_agenda
where id_empresa = $empi
and id_unidade = $unii
and id_usuario = $usrr
and id_item_agenda = $val;"
}
your code is not working because $deleter is return multiple value.
check code it's working.

Why don't you use a safe parametrized query?
$db =new PDO('... your connection string ... ');
$stmt = $db->prepare("delete from md5_agenda
where id_empresa = :empi
and id_unidade = :unii
and id_usuario = :usrr
and id_item_agenda in (:deletar);");
$stmt->execute(array(
':empi' => $empi,
':unii' => $unii,
':usrr' => $usrr,
':deletar' => $deletar
)
);

Insert a record with an apostrophe mysql php

I want to insert a record with an apostrophe into a MySQL database using PHP. Following is my code:
$importer_name =mysql_escape_string ($objWorksheet->getCellByColumnAndRow(1,3)->getValue());
$exporter_name = $objWorksheet->getCellByColumnAndRow(1, 3)->getValue();
$prod_quantity_unit = $objWorksheet->getCellByColumnAndRow(1,6)->getValue();
$prod_fob_value = $objWorksheet->getCellByColumnAndRow(5,6)->getValue();
$prod_quantity = $objWorksheet->getCellByColumnAndRow(1,8)->getValue();
$prod_fob_unit= $objWorksheet->getCellByColumnAndRow(5,8)->getValue();
$prod_gross_waight= $objWorksheet->getCellByColumnAndRow(1,10)->getValue();
$prod_cif_value= $objWorksheet->getCellByColumnAndRow(5,10)->getValue();
$prod_net_weight= $objWorksheet->getCellByColumnAndRow(1,12)->getValue();
$prod_cif_unit_price= $objWorksheet->getCellByColumnAndRow(5,12)->getValue();
$prod_brand= $objWorksheet->getCellByColumnAndRow(5,14)->getValue();
$hs_code = $objWorksheet->getCellByColumnAndRow(1,17)->getValue();
$shipping_date = $objWorksheet->getCellByColumnAndRow(5,17)->getValue();
$customs = $objWorksheet->getCellByColumnAndRow(1,19)->getValue();
$transport_company = $objWorksheet->getCellByColumnAndRow(5,19)->getValue();
$country_of_origin = $objWorksheet->getCellByColumnAndRow(1,21)->getValue();
$transport_mode = $objWorksheet->getCellByColumnAndRow(5,21)->getValue();
$country_of_trade = $objWorksheet->getCellByColumnAndRow(1,23)->getValue();
$hs_code_description = $objWorksheet->getCellByColumnAndRow(1,26)->getValue();
$product_description = $objWorksheet->getCellByColumnAndRow(1,28)->getValue();
$insertquery="INSERT INTO tb_peru_data
(importer_name,exporter_name,product_quantity_unit,
product_fob_unit,product_quantity,product_fob_value,
product_gross_weight,product_cif_value,
product_net_weight,product_cif_unit_price,
product_brand,shipping_hs_code,shipping_date,
shipping_customs,shipping_transport_company,
shipping_country_of_origin,shipping_transport_mode,
shipping_country_of_trade,hs_code_description,
product_description)
VALUES
('$importer_name','$exporter_name','$prod_quantity_unit',
'$prod_fob_unit','$prod_quantity','$prod_fob_value',
'$prod_gross_waight','$prod_cif_value','$prod_net_weight',
'$prod_cif_unit_price','$prod_brand','$hs_code','$shipping_date',
'$customs','$transport_company','$country_of_origin',
'$transport_mode','$country_of_trade',
'$hs_code_description','$product_description')";
mysql_query($insertquery)or die('ErrorrPERU: '.mysql_error());
/*$del="DELETE * FROM tb_excel_file";
mysql_query($del);*/
?>
This does not work, and gives the following error:
you have an error in your SQL syntax; check the manual that corresponds
to your MySQL server version for the right syntax to use near
's','12U','6','9','54',
'34.83','55.5','31.83','6.17','','7323931000','2008/04/1' at line 3

Use mysqli_real_escape_string instead of deprecated mysql_real_escape_string
This function will force you to input mysql table / database.
This way your collation will be considered while escaping

You can use real_escape_string() in PHP. You need to escape the apostrophe (that is, tell SQL that the apostrophe is to be taken literally and not as the beginning or end of a string). To add more, I'd say that you can also use PDO, but consider using addslashes($string) and stripslashes($string).

multiple update using ajax with php

hey guys im trying to update my database using php ang ajax, but assuming that the textbox are dynamic thats why im trying to update the database using multiple updates with one click of a button but my fire bug says that "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '= '100' WHERE student_id = '33' AND subject_id = '2' AND school_id = '1' AND adv' at line 1 " im not pretty sure with my code because im just experimenting on how to do it in ajax with php.
PHP:
session_start();
$school_id = $_SESSION['school_id'];
$faculty_id = $_SESSION['user_id_fac'];
$subject_id = $_POST['subject_id'];
$year_grade_level = $_POST['year_level'];
$subject_handeler_id = $_POST['subject_handler_id'];
$student_grades_boy = $_POST['student_grades_boy'];
$student_grades_girl = $_POST['student_grades_girl'];
$update_grades_boys = "UPDATE registrar_grade_archive SET";
//SET status = '0' WHERE subject_id = '$subject_id'"
$vaues_girl = array();
$values_boy = array();
foreach ($student_grades_boy as $key=>$data) {
$student_id_B= $data['studnt_B_id'];
$grade_B = $data['studnt_grade_B'];
$values_boy[$key] = 'grade = \''.$grade_B.'\' WHERE student_id = \''.$student_id_B.'\' AND subject_id = \''.$subject_id.'\' AND school_id = \''.$school_id.'\' AND advisor_faculty_id = \''.$faculty_id.'\' AND subject_handler_id = \''.$subject_handeler_id.'\' ' ;
}
$values_boy = implode(', ', $values_boy);
$ready_edit_grades_boy = $update_grades_boys . $values_boy;
$save_grades_boy = mysql_query($ready_edit_grades_boy) or die(mysql_error());
please help guys. thanks in advance

Some problems here:
if $student_grades_boy contains more than 1 item, your sql will have multiple WHERE statements (you can only have 1);
you need a space between SET and the column name;
you have a serious sql injection problem;
you should switch to PDO or mysqli as the mysql_ functions are deprecated.

It appears you have no space between SET and grade.
Adding a space here should do the trick:
$update_grades_boys = "UPDATE registrar_grade_archive SET ";
If this doesn't do it, it would help tremendously if you could post the result of echo $ready_edit_grades_boy; and update your question.

try
$update_grades_boys = "UPDATE registrar_grade_archive SET ";
One space is needed after SET..

You are not escaping vars, so it could be some ' or " in your values.
http://php.net/manual/en/mysqli.real-escape-string.php

Categories