This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
Closed 7 years ago.
Here is the query:
$table = $_GET['type'];
$q="DELETE FROM '$table' WHERE cont_id='".$_GET['where']."'";
I also tried removing the single/double quotes on the $_GET part, but it didn't work. I'm printing the values of my variables before executing the query and they are right, so I don't think that's the problem.
Any ideas?
Database table names should not be enclosed in single quotes.
Corrected SQL:
$q="DELETE FROM $table WHERE cont_id='".$_GET['where']."'";
Tables and field names can be enclosed with backticks (`) to avoid clashes with MySQL reserved keywords.
In that case, corrected SQL should be:
$q="DELETE FROM `$table` WHERE `cont_id` = '".$_GET['where']."'";
Also, do not trust input from the user.
This can cause a security vulnerability.
Use mysqli_real_escape_string() for $_GET['where'].
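A worked example added here (not code from the question or the answers) of building the same DELETE with mysqli so that the table name from $_GET['type'] is checked against an allowlist and wrapped in backticks, while the cont_id value is bound through a prepared statement instead of being escaped and concatenated. The connection details and the allowlisted table names are assumptions.

```php
<?php
// Added example: a safe form of the DELETE from the question above.
// Connection details and the allowlisted table names are assumptions.
$conn = mysqli_connect("localhost", "app_user", "app_password", "app_db");
if (!$conn) {
    die("Connection failed: " . mysqli_connect_error());
}

// Identifiers (table and column names) cannot be bound as parameters,
// so a table name taken from $_GET['type'] is checked against a fixed
// allowlist before it is placed in the SQL text.
$allowedTables = ['contacts', 'contacts_archive'];

function quoteIdentifier(string $name, array $allowed): string
{
    if (!in_array($name, $allowed, true)) {
        throw new InvalidArgumentException("Table not permitted: " . $name);
    }
    // Backticks delimit identifiers in MySQL; a backtick inside one is doubled.
    return '`' . str_replace('`', '``', $name) . '`';
}

$table  = $_GET['type'] ?? '';
$contId = $_GET['where'] ?? '';

try {
    $sql = "DELETE FROM " . quoteIdentifier($table, $allowedTables)
         . " WHERE `cont_id` = ?";
    $stmt = mysqli_prepare($conn, $sql);
    if (!$stmt) {
        die("Prepare failed: " . mysqli_error($conn));
    }
    // The value travels separately from the SQL text, so quotes in it
    // can never change the statement's structure.
    mysqli_stmt_bind_param($stmt, "s", $contId);
    mysqli_stmt_execute($stmt);
    echo "Rows deleted: " . mysqli_stmt_affected_rows($stmt), PHP_EOL;
    mysqli_stmt_close($stmt);
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo "Rejected: " . $e->getMessage(), PHP_EOL;
}
mysqli_close($conn);
```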
If you want to quote the table name, you have to use the backtick symbol (`):
$table = $_GET['type'];
$q="DELETE FROM `$table` WHERE cont_id='".$_GET['where']."'";
$table = $_GET['type'];
$q="DELETE FROM $table WHERE cont_id='".$_GET['where']."'";
OR
$table = $_GET['type'];
$q="DELETE FROM `$table` WHERE cont_id='".$_GET['where']."'";
This is my code and I can't figure out how to update the product_info:
include_once "dbconnect.php";
session_start();
$p_id = $_SESSION['rbtn'];
$p_name=securethis( $_POST['p_name']);
$p_unit=securethis( $_POST['p_unit']);
$p_price=securethis( $_POST['p_price']);
$p_details=securethis($_POST['p_details']);
$query= "UPDATE product_info SET p_name=$p_name,p_unit=$p_unit,p_price=$p_price,p_details=$p_details,p_directory=hi WHERE p_id=$p_id";
mysql_query($query) or die(mysql_error());
$_SESSION['rbtn'] = "";
header("Location: admin.php");
The query you use must be in a valid format for MySQL to execute. Maybe some columns in the product_info table are of VARCHAR type, like p_name. So use single quotes (') to create a valid query. You can also check it by echoing your query and executing it at the MySQL prompt. It will tell you the exact problem.
echo $query= "UPDATE product_info SET p_name=$p_name,p_unit=$p_unit,p_price=$p_price,p_details=$p_details,p_directory=hi WHERE p_id=$p_id";
and execute the printed query directly in the MySQL shell.
Write the query like this:
$query= "UPDATE product_info SET p_name='$p_name',p_unit='$p_unit',p_price='$p_price',p_details='$p_details',p_directory='hi' WHERE p_id='$p_id'";
include("db_connector.php");
$soru = "asdasds";
$tip = 1;
$soruId = 0;
$sql = "insert into sor (anketId,soruMetni,tip) values (".$_SESSION['anket'].",".$soru.",".$tip.")";
$islem = mysql_query($sql) or die(mysql_error());
if(isset($islem))
{
    $soruId = mysql_insert_id();
}else
{
    header("refresh:2;sorular.php");
}
This code gives an error like this: Unknown column 'asdasds' in 'field list'
You need to change the SQL statement in this:
$sql = "INSERT INTO `sor` (anketId,soruMetni,tip)
VALUES ('".$_SESSION['anket']."','".$soru."',".$tip.")";
Strings need to be encapsulated in single quotes. :)
I just added ' before and after every variable in the query. You cannot pass a string to a query without adding single quotes (').
Change From:
$sql = "insert into sor (anketId,soruMetni,tip) values (".$_SESSION['anket'].",".$soru.",".$tip.")";
to:
$sql = "INSERT INTO `sor` (anketId,soruMetni,tip)
VALUES ('".$_SESSION['anket']."', '".$soru."', '".$tip."')";
I'm using SQL2000.
How can I escape single quotes and double quotes in a query without getting SQLi?
PHP:
$Username = "s'ql'fp".'"ffo"t';
SQL:
$Query = "INSERT INTO Users (Username, Password) VALUES (".$Username.", '432432')";
mssql_query($Query);
Sorry for my bad English :S
You must enclose string constants in single quotes and double all single quotes within them in SQL:
PHP:
$Username = "s'ql'fp".'"ffo"t';
SQL:
$Query = "INSERT INTO Users (Username, Password) VALUES ('"
. str_replace("'", "''", $Username)
. "', '432432')";
mssql_query($Query);
str_replace("'", "''", $Username) will be "s''ql''fp".''"ffo"t''", i.e., all single quotes doubled. This does not change your $Username variable, just the string used as the SQL statement.
Probably, you would do that for the password as well (if it is not a string you know does not contain quotes, as is the case for the literal password you use here).
mysqli_real_escape_string() on the inserted data should do the trick.
You should also put your varchar()s in brackets; escaping won't help if you insert VALUES (SOME STRING), as this works mainly with integers.
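A worked example added here (not code from the question or the answers above) that quotes a value for a SQL Server (T-SQL) string literal by doubling single quotes, and checks why MySQL-style backslash escaping does not yield a well-formed T-SQL literal. The function names are my own.

```php
<?php
// Added example: quoting a string for a SQL Server (T-SQL) literal.
// Function names here are assumptions, not part of the question or answers.

// In T-SQL the only escape inside a '...' literal is '' for a single quote.
// Double quotes are ordinary characters, and backslash is NOT an escape
// character (unlike MySQL), so MySQL-style escaping does not apply.
function quoteTsqlString(string $value): string
{
    return "'" . str_replace("'", "''", $value) . "'";
}

// Walks a '...' literal and checks that every inner quote is doubled;
// a lone quote would terminate the literal early (the injection point).
function isWellFormedTsqlLiteral(string $literal): bool
{
    if (strlen($literal) < 2 || $literal[0] !== "'" || substr($literal, -1) !== "'") {
        return false;
    }
    $inner = substr($literal, 1, -1);
    $n = strlen($inner);
    for ($i = 0; $i < $n; $i++) {
        if ($inner[$i] !== "'") {
            continue;
        }
        if ($i + 1 < $n && $inner[$i + 1] === "'") {
            $i++;            // skip the second half of the doubled quote
            continue;
        }
        return false;        // lone quote: the literal ends here
    }
    return true;
}

// The username from the question: s'ql'fp"ffo"t
$Username = "s'ql'fp" . '"ffo"t';

$good = quoteTsqlString($Username);          // doubled quotes, T-SQL style
$bad  = "'" . addslashes($Username) . "'";   // backslash escaping, MySQL style
assert(isWellFormedTsqlLiteral($good) === true);
assert(isWellFormedTsqlLiteral($bad) === false);

$Query = "INSERT INTO Users (Username, Password) VALUES ("
       . $good . ", " . quoteTsqlString('432432') . ")";
echo $Query, PHP_EOL;
```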
Ignoring the fact that concatenating user input into SQL strings is possibly the worst thing you can do in terms of avoiding SQL injection (this is not for a production site), what is wrong with the following SQL?
"SELECT '_id', 'email', 'password', 'salt', 'banned', 'ban_reason' FROM 'tbl_users' WHERE 'email'='" . $email . "' LIMIT 1";
I'm getting the error message:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'_id\', \'email\', \'password\', \'salt\', \'banned\', \'ban_reason\' FROM \'tb' at line 1
I'm using mysqli_real_escape_string() on it right before running the query, hence the backslashes.
I also tried enclosing everything in backticks, but the error changed then to unknown column.
Exactly where it says: "near '\'_id\'"
You use `backticks` to surround column and table names. Not 'single quotes'.
You should be escaping the variables you're inserting, not your query, and using backticks around field names:
// $conn is the open mysqli connection; the procedural mysqli_real_escape_string() needs it as its first argument
$sql = "SELECT `_id`, `email`, `password`, `salt`, `banned`, `ban_reason` FROM `tbl_users` WHERE `email`='" . mysqli_real_escape_string($conn, $email) . "' LIMIT 1";
"SELECT `_id`, `email`, `password`, `salt`, `banned`, `ban_reason` FROM tbl_users WHERE `email`='" . $email . "' LIMIT 1"
You should use ` instead of ' when selecting fields.
I am trying to make a form which can insert data into a database. After I insert dummy data, this comes out:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax
This error is giving me trouble. No record is inserted into my database.
<?php
$db = "assignment";
$table = "column";
$conn = mysqli_connect("localhost","root","");
mysqli_select_db($conn,$db);
$Title = $_POST['title'];
$Author = $_POST['author'];
$Country = $_POST['country'];
$Date = $_POST['date'];
$Abstract = $_POST['abstract'];
$Problem = $_POST['rproblem'];
$Aim = $_POST['raim'];
$Objectives = $_POST['robjective'];
$Type = $_POST['rstudies'];
if(isset($_POST['rmethod'])){
    $method = implode(",",$_POST['rmethod']);
}else{
    $method = "";
}
$sql = "INSERT INTO '$table' (title,author,country,date,abstract,rproblem,raim,robjective,rstudies,rmethod)
VALUES ('$Title','$Author,'$Country','$Date','$Abstract','$Problem','$Aim','$Objectives','$Type','$method')";
mysqli_query($conn,$sql);
if (!mysqli_query($conn,$sql)){
    die('Error: ' . mysqli_error($conn));
}else{
    echo "Data Added";
}
mysqli_close($conn);
?>
You've set your $table variable inside single quotes while using a reserved word, column, for your table name: $table = "column";
Use backticks around it, like so:
INSERT INTO `$table`
Either do that or give your table another name.
Read the manual about table and column identifiers.
You also have a quote missing here: '$Author, so do '$Author',
Also, you can remove mysqli_query($conn,$sql); since you're already using
if (!mysqli_query($conn,$sql))
Footnotes:
Your present code is open to SQL injection. I strongly suggest that you use prepared statements, or PDO with prepared statements.
Try this:
$sql = "INSERT INTO $table (title,author,country,date,abstract,rproblem,raim,robjective,rstudies,rmethod)
VALUES ('$Title','$Author','$Country','$Date','$Abstract','$Problem','$Aim','$Objectives','$Type','$method')";
The table name or column name must be enclosed in back-ticks (`) and not in single quotes or double quotes. Otherwise don't wrap them. Simply try like above. And if you are using reserved keywords as table name or column name then you must enclose them in back-ticks. And it's better not to use any reserved keyword. So if you can change the name then it will be the best choice. You are using two reserved keywords in your query: your table name and date column. Both are keywords.
You can check my answer here for more.
Following the other answer, you are also missing ' on $author:
$sql = "INSERT INTO `$table` (title,author,country,date,abstract,rproblem,raim,robjective,rstudies,rmethod)
VALUES ('$Title','$Author','$Country','$Date','$Abstract','$Problem','$Aim','$Objectives','$Type','$method')";
Also, it is better to replace
mysqli_query($conn,$sql);
if (!mysqli_query($conn,$sql)){
to
$result = mysqli_query($conn,$sql);
if (!$result){
otherwise your query will execute two times.