I have this code that does not work, and im not sure why...
if(isset($_GET['id'], $_SESSION['username'])){
$id = $_GET['id'];
$user = $_SESSION['username'];
$query = $handler->query("INSERT INTO photolikes('User', 'Photo')
SELECT '$user', '$id'
WHERE NOT EXISTS (SELECT Id FROM photolikes WHERE User='$user' AND Photo=$id)");
}else{
}
Is just supposed to insert user and photo into a table if there is no such in there before... thanks for any help!
The SELECT is missing the FROM clause which is required when a WHERE clause is used.
That's the problem.
There's a couple of ways to fix it.
For a quick fix, you can add FROM DUAL before the WHERE.
If you don't like your MySQL queries looking like they are Oracle queries, you can use an inline view as a rowsource.
In place of FROM DUAL you could use FROM (SELECT 1) i.
That's the less-Oracle-more-MySQL-like way of fixing it. That's how I would do it.
You could also reference any table or view that you are guaranteed returns exactly one row. (It can't be zero rows, and it can't be two rows.
A couple other notes:
In MySQL, identifiers (for example column names) can be escaped with backtick characters, but not single quotes. Identifiers only need to be escaped if they contain characters that aren't allowed (in unescaped identifiers) or if the identifier conflicts with a reserved word.
INSERT INTO photolikes(`User`, `Photo`)
^ ^ ^ ^
Also, the code appears to be vulnerable to SQL Injection. Potentially unsafe values that are incorporated into the text of a SQL statement should be properly escaped. But an even better pattern is to use prepared statements with bind placeholders.
INSERT INTO photolikes(`User`, `Photo`)
SELECT '$user', '$id'
FROM <someTable>
^^^^ you miss the FROM
WHERE NOT EXISTS (SELECT Id
FROM photolikes -- Here you didnt forget.
WHERE User='$user' AND Photo=$id)")
Related
We need to update various columns on 3 different tables via an input form. most of this is functional however when we try to update the other 2 tables that have been joined (publisher and category), it updates that record and every other record with the same input.
(for example if we change the genre from metal to jazz then all of the metal CD's will change to Jazz as well)
Below is the code we have so far for the update.
$sql = "UPDATE nmc_cd, nmc_category, nmc_publisher
SET CDTitle ='$title', CDYear = '$year', nmc_publisher.pubID = '$publisherID', nmc_category.catID = '$categoryID', CDPrice = '$price', pubName ='$pubName', catDesc='$catDesc'
WHERE CDID = $id
AND nmc_category.catID = nmc_cd.catID
AND nmc_publisher.pubID = nmc_cd.pubID";
I am relatively new to this site so please if anything such as code, names of variables/functions etc. is needed please say and I will edit my post or reply.
Thanks in advance!
A couple of recommendations.
1) qualify all column references in SQL statement that references more than one table, even when the column references aren't ambiguous to MySQL. (Also consider assigning a short alias to each table.) Several reasons for this, but one big one is that it lets a human reader know which table each referenced column is in.
2) ditch the old school comma operator for join operations, and use the JOIN keyword. Also move the join predicates from the WHERE clause to the appropriate ON clause.
3) for a multitable update, first write a SELECT statement, get that working and tested, and then convert that to an UPDATE statement
4) avoid SQL Injection vulnerabilities. The preferred pattern is to use prepared statements with bind placeholders. Or (less optimal) at a minimum, all potentially unsafe values that are included in the SQL text must be properly escaped.
Ignoring SQL Injection vulnerabilities (assuming that the contents of the variables have already been properly escaped)...
I would first write a SELECT statement that returns the current values of the columns we're planning to update, along with the new values we're planning to assign to those columns. For example:
SELECT cd.cdtitle AS old_cd_cdtitle
, '$title' AS new_cd_cdtitle
, cd.cdyear AS old_cdyear
, '$year' AS new_cdyear
, pub.pubid AS old_pub_pubid
, '$publisherID' AS new_pub_pubid
, cat.catid AS old_cat_catid
, '$categoryID' AS new_cat_catid
, cd.cdprice AS old_cd_cdprice
, '$price' AS new_cd_cdprice
, pub.pubName AS old_pub_pubname
, '$pubName' AS new_pub_pubname
, cat.catDesc AS old_cat_catdesc
, '$catDesc' AS new_cat_catdesc
FROM nmc_cd cd
JOIN nmc_category cat
ON cat.catID = cd.catid
JOIN nmc_publisher pub
ON pub.pubID = cd.pubid
WHERE cd.cdid = $id
(That is really just a guess, I'm not sure what you are actually trying to achieve.)
It seems really odd to assign a new value to the catid column, when that's referenced in a join predicate. To maintain the relationship between the rows in cd and cat, the catid in column in both tables would need to be updated, unless we're depending on an ON UPDATE CASCADE rule to propagate the change.
Without understanding what this statement is attempting to achieve, it's not possible to recommend any particular statement.
In terms of converting the SELECT into an UPDATE statement, replace the SELECT ... FROM with the keyword UPDATE.
And before the WHERE clause, add a SET statement. Taking the expresssions for old_cd_cdyear and new_cd_cdyear from the SELECT list, convert that into a SET clause like this:
SET cd.cdyear = '$year'
Subsequent assignments, use a comma in place of the SET keyword, e.g.
, cd.cdprice = '$price'
I have a line of code in PHP as follows...
mysql_query("INSERT INTO `updates` (project_id, date, update) VALUES ('{$project}', '{$date}', '{$update}')") or die(mysql_error());
However I'm getting the following SQL syntax error...
You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use
near 'update) VALUES ('14', '2012-05-06', 'Test update')' at line 1
If anyone could help me with this that would be great, perhaps it's obvious but I just can't see what's wrong here!
Change the query as below:
mysql_query("INSERT INTO `updates` (`project_id`, `date`, `update`) VALUES ('{$project}', '{$date}', '{$update}')") or die(mysql_error());
This is because date and update are registered keywords in MySQL. We cannot use it directly in the query. We need to escape it.
date and update are reserved words in MySQL.
You can use:
"INSERT INTO `updates` (project_id, `date`, `update`) VALUES ('{$project}', '{$date}', '{$update}')"
Though ideally you should never use a reserved word as an entity name. It offers no advantages, yet has a few minor disadvantages (for example, makes the SQL less portable).
Also, a fairly minor point, if project_id is an integer typed field, pass it an integer, not a string. Like:
INSERT INTO `updates` (project_id, `date`, `update`) VALUES ({$project}, '{$date}', '{$update}')
update is a keyword in SQL, encapsulate your mysql fields in backticks.
First and foremost Thing: you can not user mysql preserver word. When you use it, be ready to waste your hours in finding out error.
Here is the list of reserve words: DO NOT USE ANY AMONG IT
http://dev.mysql.com/doc/refman/5.5/en/reserved-words.html
Second: Even if you want to dare to use preserved keyword. User table prefix or column prefix along with reserved keyword.
Third:
When ever you perform the database operations along php either quote each and every parameter where required or just user simple one.
i.e if you wish to quote db table columns than surround each column by quote
"INSERT INTO `updates` (`project_id`, `date`, `update`) VALUES ('{$project}', '{$date}', '{$update}')"
and if you don't quote then quote none of them
"INSERT INTO updates (project_id, date, update) VALUES ('{$project}', '{$date}', '{$update}')"
Hope this would help you
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 2 years ago.
The sql injection will work only when my query looks like below sample
SELECT * FROM login WHERE id = $my_id_va;
Assume if my query is
SELECT * FROM login WHERE id = $my_id_va ORDER BY id DESC
Than I will get following error
#1064 - You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use
near 'order by id desc' at line 1
So, this 1 or 1=1; SHOW TABLES will not work, correct?
My site was hacked successively many times.
I want one quick answer: When my query looks like the following one, what ways or which types of query can they use to hack my site?
SELECT * FROM login WHERE id = $my_id_va ORDER BY id DESC
What are the ways to execute the show table in the following query
SELECT * FROM login WHERE id = $my_id_va ORDER BY id DESC
I am also using escaping function to handle the query string values, like mysql_real_escape_string($my_id_va). Yes, obviously this for single related hack, but not sure.
Added some more
SELECT EventActuallyCharged, EventDate FROM tblevent WHERE EventDate between '2011-07-21 or 1=1; SHOW TABLES --' and '2011-07-31' ORDER BY EventDate DESC
but show table not worked
If you are using PHP5, use parametarized query, use PDO.
Int cast
If id is a number, you can int-cast your variable as well. Integers are safe to use:
$x = (int)$yourInputVar;
$s = "select * from Table where id = $x";
mysql_real_escape_string
If you want to pass a string, you can, and should, use mysql_real_escape_string, but this function escapes only those characters that are inside the string. You will still need to add quotes around the string, so:
$x = mysql_real_escape_string('hello');
$s = "select * from Table where id = $x";
.. will result in the query: select * from Table where id = hello. This is obiously not a valid query, since hello should be in quotes.
Change the query to:
$x = mysql_real_escape_string('hello');
$s = "select * from Table where id = '$x'";
.. and everything works fine. You add the quotes around, and mysql_real_escape_string takes care of special characters inside the string, if any.
Parameters
Another solution is to use parameterized queries. This can by done using MySQLi or PDO. The advantage is that you only tell your database where a variable should be inserted, and the database takes care of the escaping yourself.
It also may add a performance benefit, because these queries could be cached without their parameters, make a more efficient use of the query cache. This doesn't really work yet in current versions of MySQL, though.
You are right that 1 or 1=1; SHOW TABLES will give a syntax error but this will work:
1 or 1=1 --
The -- comments out the rest of the query.
In your case the value is an integer so instead of using mysql_real_escape_string you can use intval.
If you set $my_id_va to:
1 or 1=1; SHOW TABLES --
The -- will comment out the rest of the command, effectively terminating it.
I'm not sure what effect mysql_real_escape_string will have on the query. What you should be doing is parameterized queries.
1. First query somehow secured
$sql = sprintf('SELECT * FROM login WHERE id = %d ORDER BY id DESC', mysql_real_escape_string($my_id_va));
2. Second query somehow secured
$sql = sprintf("SELECT EventActuallyCharged, EventDate FROM tblevent WHERE EventDate BETWEEN '%s' AND '%s' ORDER BY EventDate DESC",
mysql_real_escape_string($start_date),
mysql_real_escape_string($end_date));
Read the docs about sprintf if you don't understand it.
However, as others have said, it would be very very secure if you would use parameterized queries with a class such as PDO or MySQLi.
I am using a particular query for inserting records. It is going well. I am even fetching records with a select query. But my problem is that, if the record contains single quotes ' ', then it gives me this error:
> NOTE:You have an error in your SQL syntax;
> check the manual that corresponds to your MySQL server
> version for the right syntax to use near 'B''' at line 1
The SELECT query is:
$result= mysql_query("SELECT s.name,
s.sid as sid,
s.category,
p.name as pname
FROM poet p
INNER JOIN song s
ON p.pid = s.pid
WHERE s.name= '$sid'") or die(mysql_error());
What should I do to skip quotes problem in this. When I want quotes to insert in my records.
Your problem is much worse than this -- what if someone enters the value '; DROP TABLE poet; --? You need to use either mysql_real_escape_string() to escape the value, or use parametrized queries (with PDO, for example).
It's 2011, for crying out loud. Why is SQL injection still a widespread problem?
You have to escape the data
$sid = mysql_real_escape_string($sid);
use http://www.php.net/manual/en/function.mysql-real-escape-string.php function on your string to quote "'" and other special symbols
Other way to prevent injection - use different connections (login-passwords) with different rights for inserting and selecting. In this case mysql_real_escape_string wi9ll work good
INSERT INTO `test` (`x`, `y`) WHERE `id` = `$id`
VALUES (`$x`, `$y`)
Whats wrong with this query? I run this in a mysql_query() function in a php file.
You can't use a Where clause with an insert. You are either inserting a row or you're not.
If you're trying to update information from the database, use UPDATE instead of INSERT INTO in the query you're running.
You can't use a where clause on an insert. I think you might be wanting an update statement:
update test set
x = $x,
y = $y
where id = $id
When you're inserting a new value in the database, you usually don't have an ID value until after the insert (assuming you're using auto-generated IDs).
You need to remove the "WHERE id=$id" - it has no meaning in an INSERT statement.
So, either
UPDATE test SET x='x', y='$y' WHERE id ='$id';
OR
INSERT INTO test ('x', 'y') VALUES ('$x', '$y');
as stated in other posts - you cannot do an INSERT with a WHERE.
Also note that you must use single quotes (') rather than backticks (`) for values. Backticks are used when referencing column names / field names.
This:
`field` = '$value'
rather than this:
`field` = `$value`
unless you really do want to reference another field. This is sometimes what you want when copying values or matching JOINs and such. But because you have a variable there, I'm assuming you want to use single quotes rather than backticks.