1064 error, Not sure what the issue is - php

I keep getting this error when submitting. I have checked my form 10x and I cannot figure out what is wrong with it.
Here is the error
SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE order_num = '5293528'' at line 1
Here is the form code
public function next()
{
try
{
if(isset($_POST['giventoatpdate']))
{
$update = trim($_POST['update']);
$orders = $_SESSION['order_nums'];
$st=$this->db->prepare("INSERT INTO `orders` (giventoatpdate) VALUES (:upd) WHERE order_num = :orderr");
$st->bindparam(":upd", $update);
$st->bindparam(":orderr", $orders);
$st->execute();
return $st;
}
$order = $_GET['uid'];
$stmt=$this->db->prepare("SELECT * FROM orders WHERE order_num = :order");
$stmt->execute(array(":order"=>$order));
$row=$stmt->fetch(PDO::FETCH_ASSOC);
if($row['giventoatpdate'] = ' ')
{
echo
"
<form name='atpdate' method='POST'>
Date Sent to clown?
<br>
<input type='text' name='update'>
<br>
<input type='submit' name='giventoatpdate'>
</form>
";
}
Everything else is working fine. It gives me this error when I hit submit.


Seeing somebody popped in an answer...
It's because INSERT doesn't have a WHERE clause.
Now read the manual http://dev.mysql.com/doc/en/insert.html
INSERT ... ON DUPLICATE KEY UPDATE does.
http://dev.mysql.com/doc/refman/5.7/en/insert-on-duplicate.html
Or, you may have intended to do an UPDATE. http://dev.mysql.com/doc/en/update.html
Seeing $update = trim($_POST['update']); the operative word being "update" in the POST array, I'm thinking you want to do an UPDATE here rather than an INSERT, since you are dealing with orders taken from your site.
So, you have a few choices here.
If it's an UPDATE, your query would read as:
UPDATE `orders`
SET giventoatpdate = :upd
WHERE order_num = :orderr
Check for errors:
http://php.net/manual/en/pdo.error-handling.php
Add error reporting to the top of your file(s) which will help find errors.
<?php
error_reporting(E_ALL);
ini_set('display_errors', 1);
// Then the rest of your code
Sidenote: Displaying errors should only be done in staging, and never production.
Footnotes:
Seeing if($row['giventoatpdate'] = ' ') you do realize that this checks for a "space" rather than if($row['giventoatpdate'] = '') to check if it's "empty".
You're also "assigning" rather than doing a "comparison" here which should read as:
if($row['giventoatpdate'] == '')
If you're checking for empty'ness, then remove the space in there, or you can do
if(empty($row['giventoatpdate']))
References:
http://php.net/manual/en/language.operators.assignment.php
http://php.net/manual/en/language.operators.comparison.php
http://php.net/manual/en/function.empty.php


INSERT doesn't have WHERE operator.
You need to change query to something like this:
UPDATE myTable SET my_field = :new_value WHERE my_another_filed = :another_value_or_row_id

Related

Update query gives Mariadb version error

if (isset($_POST['update'])) {
$column=(isset( $_POST['column']));
$type= (isset($_POST['type']));
$value= (isset($_POST['value']));
mysql_query("UPDATE `combo1` SET column = '$column', type = '$type' ,value ='$value' WHERE id = '$id'");
}
The update query is not working I am not getting what is the solution please help me to overcome this problem
You have an error in your SQL syntax; check the manual that
corresponds to your MariaDB server version for the right syntax to use
near 'column = '', type = '' ,value ='' WHERE id = '20'' at line 1

isset() method returns boolean value change like this
$column = isset( $_POST['column']) ? $_POST['column']:"";
Same for others

Modify your code as follows:
if (isset($_POST['update'])) {
$column = $_POST['column'];
$type = $_POST['type'];
$value = $_POST['value'];
mysql_query("UPDATE `combo1` SET column = '$column', type = '$type' ,value ='$value' WHERE id = '$id'");
}
If you remove the isset() method (refer to this link if you want more about the isset() method) as I have given above, the texts inside $column, $type and $value are substituted directly into the update string.
Update string does not contain any syntax errors in this case. Refer to this link if you want more information.
I also recommend you read up on SQL injection, as this sort of parameter passing is prone to hacking attempts if you do not sanitize the data being used:
MySQL - SQL Injection Prevention

The error message has virtually nothing to do with the 'version'. It is a syntax error complaining about "column". That word is a reserved word. Since you seem to have called the column column, put backtics around it, just as you did for the tablename.

mysqli_query($link,"UPDATE combo1 SET column='$column',type = '$type',value='$value' WHERE id ='$id'")
or die(mysqli_error($link));

SQL Update Query Error in PHP Function

I'm currently trying to use the following PHP function/SQL query with a page that edits medications on a project I'm building for school. I'm getting the following error and having trouble to finding where the error is :
Syntax error or access violation: 1064 You have an error in your SQL syntax;
function edit_medicine($medicine_name, $medicine_dose, $medicine_date, $medicine_current, $medicine_id) {
global $db;
$query = "UPDATE Medicine
SET MedicineName = :medicine_name,
Medicine Dose = :medicine_dose,
MedicineDatePrescribed = :medicine_date,
MedicineCurrent = :medicine_current
WHERE MedicineKey = :medicine_id";
$statement = $db->prepare($query);
$statement->bindValue(':medicine_name', $medicine_name);
$statement->bindValue(':medicine_dose', $medicine_dose);
$statement->bindValue(':medicine_date', $medicine_date);
$statement->bindValue(':medicine_current', $medicine_current);
$statement->bindValue(':medicine_id', $medicine_id);
$statement->execute();
$statement->closeCursor();
}
I'd appreciate any help anyone can offer- it's the end of finals week and I'm totally burnt out. Thanks!

Use quote to your column names, especially your Medicine Dose column because of its space (). Next time, don't use space to name your columns:
$query = "UPDATE `Medicine`
SET `MedicineName` = :medicine_name,
`Medicine Dose` = :medicine_dose,
`MedicineDatePrescribed` = :medicine_date,
`MedicineCurrent` = :medicine_current
WHERE `MedicineKey` = :medicine_id";

If double quotes or backtick does not work , try including the string within square brackets.
For example
SELECT [Business Name],[Other Name] FROM your_Table

Update and Insert into three tables simultaneously

I have a record that needs to be updated. If the update is successful, then it should insert record into three different tables. I did it with the code below,but one of the table(tab_loan_targetsave)is not inserting.I need a third eye to looked into this, as I have had a lot of pain in fathoming where the problem lies.
Pls i need assistance.Also, I welcome better approach if possible.
<?php
if(isset($_POST["savebtn"])){
$custNo = $_POST["custid"];
$transDate = $_POST["transDate"];
$grpid = $_POST["custgrp"];
$contAmount =$_POST["amtCont"];
$amount = $_POST["amount"];
$disAmount =$_POST["disbAmt"];
$savAmount =$_POST["savAmt"];
$intAmount =$_POST["intAmt"];
$postedBy = $_SESSION["staffid"];
//$preApproved =$_POST["preAmount"];
$loanRef = $_POST["refid"];
$st = "Approved";
$appDate = date("Y-m-d H:i:s");
$appBy = $_SESSION['staffid'];
$counter = 1;
$locate = $_SESSION['location'];
$insure = $_POST["insuAmt"];
$dis = $_POST["DisAmt"];
$update = mysqli_query($connection,"UPDATE tab_loan_request SET approval_status='$st',approvalDate='$appDate',approvedBy='$appBy',loanRef='$loanRef' WHERE custid='$custNo' AND RepayStatus='1'");
if($update && mysqli_affected_rows($connection)>0){
$insertTar = mysqli_query($connection,"INSERT INTO tab_loan_targetsave(custid,grpid,transactionDate,loanRef,savingAmt,status,postedBy,location,appStatus)
VALUES('$custNo','$grpid','$transDate','$loanRef,'$savAmount','Cr','$postedBy','$locate','1')");
$insertInt = mysqli_query($connection,"INSERT INTO tab_loan_interest(custid,requestAmt,transactionDate,interestFees,postedBy,loanRef,InsuranceFees,DisasterFees)VALUES(
'$custNo','$amount','$transDate','$intAmount','$postedBy','$loanRef','$insure','$dis')");
//if($insertInt){
//}if($insertTar){
$insertSav = mysqli_query($connection,"INSERT INTO tab_loan_saving(custid,grpid,transactionDate,loanRef,loanAmount,savingAmt,status,postedBy,location,appStatus)
VALUES('$custNo','$grpid','$transDate','$loanRef','$amount','0','Cr','$postedBy','$locate','1')");
}//first if
if($insertSav){
echo "<span style='font-weight:bold;color:red;'>"." Application Approval is successful!"."</span>";
}else{
//Unable to save
echo "<span style='font-weight:bold;color:black;>"."Error! Application Approval not Successful!"."</span>";
}
}else{
$custid = "";$saving=0.00;$st="";
$transDate = "";
$grpid = "";
$amount = "";
$postedBy = "";$loanRef="";
}
?>

"#Fred: See the error generated when i used mysqli_error($connection). Could you please interprete this: ErrorMessage: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1000.00','Cr','SPL002','Ojo','1')' at line 2 – Dave"
Seeing the error generated by the suggestion I've given you to check for errors.
You're missing a quote here '$loanRef
in your query:
VALUES('$custNo','$grpid','$transDate','$loanRef , '$savAmount'...
^ right there
I suggest to escape all of your incoming data.
I.e.:
$var = mysqli_real_escape_string($connection, $_POST['var']);
and apply that same logic to all your POST arrays.
Plus, as I stated; make sure you started the session, since there is no mention of that in your question and session_start(); wasn't included in your posted code.
The session needs to be started inside all pages using sessions.
Using a prepared statement will is better.
http://php.net/manual/en/mysqli.prepare.php
http://php.net/manual/en/pdo.prepared-statements.php
which is what you really should be using.
Additional references:
http://php.net/manual/en/mysqli.error.php
http://php.net/manual/en/function.error-reporting
Also make sure there aren't any constraints in your table(s).

Dude make sure you properly escape your variables http://php.net/manual/en/mysqli.prepare.php
i would check the Table Name! make sure it is case sesntive, also just wondering if you could do something to your database design? It seems a lot of duplicate data is going into your tables. Think about a better way to organise and store that data

I got where the error is emanting from . Just because I forgot to add a single quote to one of the values. ie missing the quote- near $loanRef. No closing string. Anyway, I was able to detect that through the error message stated parameter as adviced by Fred nad Mark. Correct
$insertTar = mysqli_query($connection,"INSERT INTO tab_loan_targetsave(custid,grpid,transactionDate,loanRef,savingAmt,status,postedBy,location,appStatus)
VALUES('$custNo','$grpid','$transDate','$loanRef','$savAmount','Cr','$postedBy','$locate','1')");
Thank you all.

mysql UPDATE code dont work :((

I have a like button on my site http://zabavajsa.eu/new/ .
When you click on the button, it shoud add +1 like to the database and it doesn't work.
Here is my code:
<form method='post'>
<li>
<button class='like' name='like' value='48'>Like</button>
</li>
</form>
<?php
if(isset($_POST['like'])) {
$id = $_POST['like'];
require('db.php');
$resultiiik = $mysql->query("SELECT * FROM fotka WHERE id='{$id}'");
$p = $resultiiik->fetch_assoc();
$pocet = $p[like];
$pocet = $pocet +1;
$mysql->query("UPDATE fotka SET like='{$pocet}' WHERE id='{$id}'") or die ('This always write to me -.-');
}
?>

Firstly, this
<button class='like' name='like' value='48'>Like</button>
it needs a "type", let's use a "submit" type
<button class='like' name='like' value='48' type='submit'>Like</button>
then the word like is a MySQL reserved word which needs to be wrapped in ticks
SET `like`
http://dev.mysql.com/doc/refman/5.5/en/reserved-words.html
LIKE is used in string comparisons and pattern matching
http://dev.mysql.com/doc/refman/5.0/en/pattern-matching.html
http://dev.mysql.com/doc/refman/5.0/en/string-comparison-functions.html
Therefore it's best to stay away from using reserved words. You could use the word "likes" instead and won't require the column to be escaped, or do as above and wrap it in backticks.
You're also not getting MySQL to signal the proper errors with
or die ('This always write to me -.-')
use
or die(mysqli_error($mysql))
or
die('There was an error running the query [' . $mysql->error . ']')
Which would have triggered something like:
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'like
Edit:
As stated in comments, your code is vulnerable to SQL injection.
Use prepared statements, or PDO with prepared statements, they're much safer.

Additionally to #Fred -ii- 2 more bugs:
$pocet = $p[like];
like is a constant, but since you never define a constant named 'like' php will just treat it as string and print a notice if they are enabled. You should use $pocet = $p['like']; instead of $pocet = $p[like];
And: You don't need to fetch the value just to increment and update it. Your Database can do the work for you:
UPDATE fotka SET `like`=`like`+1 WHERE id='{$id}'

mysql syntax error

<?php
ob_start();
$id=$_REQUEST['req-id'];
// #header("location:feed.php?tumblr_id=$id");
echo "aaaa";
include_once('../config/config.php');
echo $name=$_REQUEST['req-name'];
echo $id=$_REQUEST['req-id'];
echo $mobile=$_REQUEST['req-mobile'];
echo $Email=$_REQUEST['req-email'];
echo $select=$_REQUEST['image'];
echo $img=$_REQUEST['img'];
echo $audio=$_REQUEST['audio'];
echo $ado=$_REQUEST['ado'];
echo $regular=$_REQUEST['regular'];
echo $reg=$_REQUEST['reg'];
echo $video=$_REQUEST['video'];
echo $vdo=$_REQUEST['vdo'];
echo $link=$_REQUEST['link'];
echo $lnk=$_REQUEST['lnk'];
echo $quote=$_REQUEST['quote'];
echo $qte=$_REQUEST['qte'];
echo $fbPid=$_REQUEST['fbPid'];
$sql="update tumblr set (tumblr_name,tumblr_id,mobile_no,Email,img_post,link_post,ado_post,vdo_post,reg_post,qte_post) values('$name','$id','$mobile','$Email','$img','$lnk','$ado','$vdo','$reg','$qte')";
$res=mysql_query($sql) or die(mysql_error());
?>
I am getting error: - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '(tumblr_name,tumblr_id,mobile_no,Email,img_post,link_post,ado_post,vdo_post,reg_' at line 1

UPDATE tumblr
SET tumblr_name = '$name',
tumblr_id = '$id',
mobile_no = '$mobile',
Email = '$Email',
img_post = '$img',
link_post = '$lnk',
ado_post = '$ado',
vdo_post = '$vdo',
reg_post = '$reg',
qte_post = '$qte'
You are trying to execute an update query based on an insert's format. Check the update query format.
In addition, your code is HIGHLY insecure. At least use mysql_real_escape_string(), e.g. $name=mysql_real_escape_string($_REQUEST['req-name']); to protect against SQL injection.

You are confusing the insert syntax with the update syntax. The update syntax is detailed here: http://dev.mysql.com/doc/refman/5.0/en/update.html
Example:
UPDATE table
SET
col1 = value1,
col2 = value2
WHERE
...

You are using INSERT syntax in an UPDATE statement.
Update looks like this:
UPDATE tableone SET fieldone='one' WHERE id=2;
For example.

UPDATE syntax is
UPDATE `tablename` SET `column`=value, `column`=value, ... WHERE conditions
u use INSERT syntax.

And what have you done to diagnose the problem?
Showing us all those echo statements doesn't really help - it might have done if you'd told us what the values were. You're not escaping any of the values you are putting in your SQL statement. You seem to be quoting values which may be numeric. You've included an ob_start() statement which is also entirely irrelevant but there's no mysql_connect here.
But the reason your code is failing is because there is no 'UPDATE....VALUES...' statement in SQL. Use 'INSERT INTO...VALUES....ON DUPLICATE KEY UPDATE'.

Categories