$sql = "UPDATE debtorsmaster SET name='" . $_POST['CustName'] . "',
address1='" . $_POST['Address1'] . "',
address2='" . $_POST['Address2'] . "',
address3='" . $_POST['Address3'] . "',
How do I change this to update all rows?
Because you're not adding a WHERE clause, all the rows will be updated. As noted in the above comments, you have a trailing comma, which makes the query invalid.
It's also advised to use prepared statements to prevent SQL injection.
// Read the values first, then bind them to the placeholders and run the query.
// There is no WHERE clause, so every row in debtorsmaster is updated.
$customerName = $_POST['CustName'];
$address1 = $_POST['Address1'];
$address2 = $_POST['Address2'];
$address3 = $_POST['Address3'];
$statement = $db->prepare("UPDATE `debtorsmaster` SET `name`=?, `address1`=?, `address2`=?, `address3`=?");
$statement->bind_param("ssss", $customerName, $address1, $address2, $address3);
$statement->execute();
EDIT: The above example is based on mysqli.
I'm trying to run a PHP script, but I keep getting this error whenever I run it.
Error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''id', 'firstname', 'lastname', 'email', 'username', 'password', 'hash', 'active'' at line 1
PHP:
<?php
require('includes/connect.php');
if($_POST['submit'] == true) {
$firstname = mysql_real_escape_string($_POST['firstname']);
$lastname = mysql_real_escape_string($_POST['lastname']);
$email = mysql_real_escape_string($_POST['email']);
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
$hash = mysql_real_escape_string(md5(uniqid(rand(), true)));
$active = mysql_real_escape_string(0);
$query = mysql_query(" INSERT INTO users_main ( 'id', 'firstname', 'lastname', 'email', 'username', 'password', 'hash', 'active' ) VALUES ( '', '" . $firstname . "', '" . $lastname . "', '" . $email . "', '" . $username . "', '" . $password . "', '" . $hash . "', '" . $active . "' ) ") or die(mysql_error());
} else {
}
?>
Don't quote column names with single quotes. MySQL uses backticks for quoting column and table identifiers.
Some special keywords need to be quoted with backticks if used as an identifier, but you have not used any of those. None of your columns require quoting.
$query = mysql_query(" INSERT INTO users_main ( id, firstname, lastname, email, username, password, hash, active ) VALUES ( '', '" . $firstname . "', '" . $lastname . "', '" . $email . "', '" . $username . "', '" . $password . "', '" . $hash . "', '" . $active . "' ) ") or die(mysql_error());
I have created a web app that uses PHP to insert a row into an Oracle database. I am using Zend Framework to connect to the database. When I test it I don't get any errors, but I don't see the added row in the table.
Here is my code:
$remote = $_SERVER['REMOTE_ADDR'];
// Connect with PDO
$db = Zend_Db::factory('PDO_OCI',
array(
'dbname' => $dbname,
'username' => $dbuser,
'password' => $dbpass
)
);
$req = "INSERT INTO " . $dbtable . " (id, url, adddate, addip) VALUES ('', '" . $safeurl . "', SYSDATE, '" . $remote . "')";
$res = $db->prepare($req);
$res->execute();
$safeurl is generated by user input, and it is sanitized.
id is autogenerated when you insert the row.
Please help me solve this. Thanks!
You have to commit. Each update/insert/delete begins a new transaction if it's not started. So issue another COMMIT statement after inserting a record (or a bunch of records). Oracle doesn't have autocommit mode.
After
$res = $db->prepare($req);
add echo $req; to print the generated query, then copy it and execute it in SQL*Plus.
If it works, then your only issue is that you need to commit:
$db->beginTransaction();
$req = "INSERT INTO " . $dbtable . " (id, url, adddate, addip) VALUES ('', '" . $safeurl . "', SYSDATE, '" . $remote . "')";
$res = $db->prepare($req);
$res->execute();
$db->commit();
I was troubleshooting some code and ended up with this:
$url=$this->_protected_arr['f3b'];
$title=$this->_protected_arr['f3a'];
$email=$_SESSION['email'];
database::query("INSERT INTO bo VALUES ('$title','$url','','$email')");
I think that it should be able to get rid of $url, $title, and $email and just insert their values directly into the query. How do I write this in a single statement?
Like this:
database::query("INSERT INTO bo VALUES ('{$this->_protected_arr['f3a']}', '{$this->_protected_arr['f3b']}', '', '{$_SESSION['email']}')");
Be sure that everything is properly escaped for the SQL query.
database::query("INSERT INTO bo VALUES ('"
. $this->_protected_arr['f3a'] . "', '"
. $this->_protected_arr['f3b'] . "', '', '"
. $_SESSION['email'] . "')");
My SQL query works fine when I check it manually in phpMyAdmin, but when I run it through PHP, mysql_query throws a syntax error. How do I solve this issue?
Error message:
Invalid query:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'INSERT INTO scores( user_id ) VALUES (LAST_INSERT_ID( ))' at line 1
Whole query:
INSERT INTO users (id_fb, name, first_name, last_name, email, link, first_login)
VALUES ('1000001010101010', 'Bart Roza', 'Bart', 'Roza', 'lalalala#gmail.com','http://www.facebook.com/profile.php?id=1000001010101010','2011-05-07 11:15:24');
INSERT INTO scores( user_id ) VALUES (LAST_INSERT_ID( ));
My php function:
public function createUser()
{
$time = date("Y-m-d H:i:s");
$insert = "INSERT INTO users (id_fb, name, first_name, last_name, email, link, first_login) VALUES (" .
"'" . $this->me['id'] . "', " .
"'" . $this->me['name'] . "', " .
"'" . $this->me['first_name'] . "', " .
"'" . $this->me['last_name'] . "', " .
"'" . $this->me['email'] . "'," .
"'" . $this->me['link'] . "'," .
"'" . $time . "'); " .
"INSERT INTO scores( user_id ) VALUES (LAST_INSERT_ID( ));";
$result = mysql_query($insert);
if (!$result) {
$message = 'Invalid query: ' . mysql_error() . "\n";
$message .= 'Whole query: ' . $insert;
die($message);
}
}
EDIT:
Thanks for the solution!
Since mysql_query accepts only one query, you need to split your query string into two separate queries and run them with two mysql_query calls.
You cannot run multiple queries at once using the mysql_query function. You have to run these two queries with separate mysql_query calls.
mysql_query() sends a single query
(multiple queries are not supported)
As @zerkms and @Shakti said, mysql_query does not support multiple queries. If you want such functionality, consider migrating to mysqli. It supports multiple queries in a single packet via mysqli_multi_query.
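The following is an added example, not code from any answer above. It covers both the Oracle answer (an INSERT is not permanent until you commit) and this one (two statements mean two calls): the user and score rows are inserted with two separate prepared statements inside one explicit transaction, and the new user id is read with PDO::lastInsertId() instead of a second statement that relies on LAST_INSERT_ID(). The in-memory SQLite database, the table definitions and the $me array are constructed so the script runs offline; with MySQL or Oracle only the DSN and the DDL would change.

```php
<?php
// Added example: two prepared INSERTs in one transaction (not the code from the answers above).
$db = new PDO('sqlite::memory:');                       // assumption: SQLite so this runs offline
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed schema standing in for the users and scores tables from the question.
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY AUTOINCREMENT, id_fb TEXT, name TEXT, first_login TEXT)');
$db->exec('CREATE TABLE scores (user_id INTEGER NOT NULL, score INTEGER NOT NULL DEFAULT 0)');

/**
 * Insert a user and its score row atomically and return the new user id.
 * If either statement fails the transaction is rolled back, so a user row
 * never exists without its score row.
 */
function createUser(PDO $db, array $me): int
{
    $db->beginTransaction();                             // nothing is visible to others until commit()
    try {
        $ins = $db->prepare('INSERT INTO users (id_fb, name, first_login) VALUES (:id_fb, :name, :first_login)');
        $ins->execute([
            ':id_fb'       => $me['id'],
            ':name'        => $me['name'],
            ':first_login' => date('Y-m-d H:i:s'),
        ]);
        $userId = (int) $db->lastInsertId();             // id generated by the first statement

        $score = $db->prepare('INSERT INTO scores (user_id) VALUES (:user_id)');
        $score->execute([':user_id' => $userId]);        // second statement, second call

        $db->commit();                                   // both rows become permanent together
        return $userId;
    } catch (Throwable $e) {
        $db->rollBack();                                 // undo the user INSERT if anything failed
        throw $e;
    }
}

// Constructed input in the shape of $this->me from the question; the quote in the
// name would have broken the concatenated query but is harmless as a bound value.
$me = ['id' => '1000001010101010', 'name' => "Bart O'Roza"];
$id = createUser($db, $me);

$q = $db->prepare('SELECT COUNT(*) FROM scores WHERE user_id = ?');
$q->execute([$id]);
printf("user %d created, %d score row(s)\n", $id, $q->fetchColumn());
```

Because each INSERT is its own prepared statement, no multi-statement support is needed from the driver, and the explicit beginTransaction()/commit() pair is exactly what the Oracle answer asks for: without the commit() the rows would stay invisible to other sessions.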
I have this PHP SQL statement:
$updateCategory = "UPDATE category
SET name=".$name.", description=".$description.",
parent=".$parent.", active=".$active."
WHERE id=".$catID."";
What is the best way to write this?
Thanks,
Chris.
I suggest you use prepared statements instead of concatenating the query string together:
$sql = 'UPDATE
category
SET
name=:name,
description=:description,
parent=:parent,
active=:active
WHERE
id=:catID';
if you are using PDO, which I strongly suggest, you would then call it like this:
$params = array(
':name' => $name,
':description' => $description,
':parent' => $parent,
':active' => $active,
':catID' => $catID
);
$stmt = $pdo->prepare($sql);
$stmt->execute($params);
You might ask, "why all this hassle?" The advantages of this approach are quite overwhelming:
You don't have to care about SQL injection, since the database driver now handles the correct transformation of the input parameters
You don't have to care about escaping special characters, but you can concentrate on what you want to achieve rather than on how to achieve it :-)
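The following is an added example, not code from this answer or from the first question's answer above, though it illustrates both: the category UPDATE is run as a PDO prepared statement with a WHERE clause, and the same statement is run once more without WHERE to show that every row is then changed (the point made in the first answer on this page). The in-memory SQLite database, the category table and its three rows are constructed so the script runs offline.

```php
<?php
// Added example: prepared UPDATE with and without WHERE (not code from the answers above).
$pdo = new PDO('sqlite::memory:');                        // assumption: SQLite so this runs offline
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);    // let the driver bind the parameters

// Constructed table standing in for the category table from the question.
$pdo->exec('CREATE TABLE category (id INTEGER PRIMARY KEY, name TEXT, description TEXT, parent INTEGER, active INTEGER)');
$pdo->exec("INSERT INTO category VALUES (1, 'Books', 'Printed', 0, 1), (2, 'Music', 'Audio', 0, 1), (3, 'Video', 'Moving pictures', 0, 0)");

/** Update one category by id; returns the number of rows changed. */
function updateCategory(PDO $pdo, int $catID, string $name, string $description, int $parent, int $active): int
{
    $sql = 'UPDATE category
            SET name = :name, description = :description, parent = :parent, active = :active
            WHERE id = :catID';
    $stmt = $pdo->prepare($sql);
    $stmt->execute([
        ':name'        => $name,
        ':description' => $description,
        ':parent'      => $parent,
        ':active'      => $active,
        ':catID'       => $catID,
    ]);
    return $stmt->rowCount();
}

/** The same kind of statement without WHERE: every row receives the new value. */
function deactivateAllCategories(PDO $pdo): int
{
    $stmt = $pdo->prepare('UPDATE category SET active = :active');
    $stmt->execute([':active' => 0]);
    return $stmt->rowCount();
}

// Constructed input containing a quote and SQL text. Concatenated into the query
// string it would change the statement; as a bound parameter it is stored verbatim.
$awkwardName = "Books' , active = 0 WHERE '1' = '1";
$changed = updateCategory($pdo, 1, $awkwardName, "O'Reilly and others", 0, 1);
printf("rows changed by targeted update: %d\n", $changed);                 // 1

$row = $pdo->query('SELECT name, active FROM category WHERE id = 1')->fetch(PDO::FETCH_ASSOC);
printf("stored name: %s (active=%d)\n", $row['name'], $row['active']);    // literal string, active still 1

printf("rows changed without WHERE: %d\n", deactivateAllCategories($pdo)); // 3
```

The named placeholders keep the SQL text fixed at prepare time, so the values can contain quotes or keywords without affecting the statement; the only way to limit which rows change is the WHERE clause, which is why omitting it (as in the first question on this page) updates the whole table.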
You could format it like this to make it more readable.
$updateCategory = "
UPDATE
category
SET
`name` = '" . $name . "',
`description` = '" . $description . "',
`parent` = '" . $parent . "',
`active` = '" . $active . "'
WHERE
`id` = '" . $catID . "'";
I find that concatenating queries causes me major headaches with syntax errors: all those quotes and dots sprinkled around like pepper. Here's how I would write the query:
$updateCategory = "
UPDATE category
SET catname = '$name', description = '$description',
parent = '$parent', active = '$active'
WHERE id = '$catID'";
Note that "name" is a reserved word and should not be used as a column name. Also if id is an integer, $catID doesn't need to be quoted.
You can try:
$update = "update table_name SET name = '$name', email = '$email', password = '$password', phoneno = '$phoneno' WHERE id = '$id'";