This question already has an answer here:
Syntax error due to using a reserved word as a table or column name in MySQL
(1 answer)
Closed 2 years ago.
I have encountered an issue with updated my MySQL data which includes HTML data, I continuously fixed errors; however, once one error is fixed it gives another. The current error is as follows:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'desc='Live updates to certain games will also be posted on this website througho' at line 1
I have been scavenging on Stack Overflow for nearly 3 days without any definitive answers. So I am hoping someone can find this!
Here is my PHP form code:
if (isset($_POST['submit'])) {
$WName = mysql_prep($_POST['wname']);
$SName = mysql_prep($_POST['sname']);
$Desc = mysql_prep($_POST['desc']);
$LogoURL = mysql_prep($_POST['logourl']);
$aboutPage = mysql_prep($_POST['aboutpage']);
$query = "UPDATE settings SET name='$WName',subName='$SName',desc='$Desc',logoUrl='$LogoURL',about='$aboutPage'";
// $query = mysql_prep($query);
mysql_query($query) or die(mysql_error());
header("Location: settings.php?=success");
}
The function mysql_prep() can be found on the internet, namely here: https://gist.github.com/ZachMoreno/1504031
Here is the HTML form:
<form role="form" action="" method="post">
<!-- text input -->
<div class="form-group">
<label>Website Name</label>
<input type="text" name="wname" class="form-control" placeholder="
<?php echo $row['name']; ?>" value="
<?php echo $row['name']; ?>" />
</div>
<div class="form-group">
<label>Sub Name</label>
<input type="text" name="sname" class="form-control" placeholder="
<?php echo $row['subName']; ?>" value="
<?php echo $row['subName']; ?>" />
</div>
<div class="form-group">
<label>Description</label>
<textarea name="desc" class="form-control" rows="3" placeholder="
<?php echo $row['desc']; ?>" >
<?php echo $row['desc']; ?>
</textarea>
</div>
<div class="form-group">
<label>Logo URL</label>
<input type="text" name="logourl" class="form-control" placeholder="
<?php echo $row['logoUrl']; ?>" value="
<?php echo $row['logoUrl']; ?>" />
</div>
<div class="form-group">
<label>About Page</label>
<textarea class="form-control" name="aboutpage" rows="6" placeholder="
<?php echo $row['about']; ?>">
<?php echo $row['about']; ?>
</textarea>
</div>
<div class="box-footer">
<input type="submit" name="submit" class="btn btn-primary" value="Submit" style="margin-left:-10px;" />
</div>
</form>
Thanks very much for any assistance that you can provide, I hope this can be figured out and I aim to use this to assist future visitors who encounter the same/similar issues.
Can't believe I didn't see this earlier; the issue I had with MySQL was that the database had the column name 'desc' which I originally had the idea that it meant 'description' but in fact it was conflicting with the keyword 'descending'. This gave the syntax error.
Here is what I found on the MySQL documentation; 9.3 Keywords and Reserved Words
:
Keywords are words that have significance in SQL. Certain keywords, such as SELECT, DELETE, or BIGINT, are reserved and require special treatment for use as identifiers such as table and column names. This may also be true for the names of built-in functions.
On that web link above you can see a list of keywords/reserved words that shouldn't be used or should include back slashes (which I won't go into).
My solution? Don't use reserved words as identifiers!
The easiest solution that you can do is to simply avoid using these words. I prevented using the reserved word 'desc' by changing the identifier to 'description'.
Thanks for all your help! Hope this assists people in the future.
The string returned from your mysql_prep() function has escaped single quotes.
So.. ..you can't use these as delimiters in your query string. Change them to double quotes.
$query = "UPDATE settings SET name = \"$WName\",
subName = \"$SName\",
desc = \"$Desc\",
logoUrl = \"$LogoURL\",
about = \"$aboutPage\" ";
Can you try a $testQuery with just text..
$testQuery = "UPDATE settings SET name = \"ABC\",
subName = \"DEF\",
desc = \"GHI\",
logoUrl = \"JKL\",
about = \"MNO\" ";
Also, you are missing a WHERE clause, or is there only 1 row?
Related
I am new to PHP, and have a web form, that I am using PHP to get data from the database. What I have currently done, as I havent been able to find out another solution to do so (despite my searching - probably dont know the correct terms to look for), is individually executing a SQL Query for each input field on my form.
As below:
<div class="search-line">
<div class="search-option">
<label>Asset Tag:<i title=""></i></label>
<?php
$asset_tag_sql = "SELECT HardwareAsset.HardwareAssetAssetTag FROM HardwareAsset WHERE HardwareAssetID = '".$_SESSION["HardwareAssetID"]."'";
$asset_tag = sqlsrv_query($database_connection, $asset_tag_sql);
?>
<input type="text" id="AssetTag" disabled value="<?php while ($asset_tag_option = sqlsrv_fetch_object($asset_tag)){echo $asset_tag_option->HardwareAssetAssetTag;} ?>" />
</div>
<div class="search-option">
<label>Serial Number:<i title=""></i></label>
<?php
$serial_number_sql = "SELECT HardwareAsset.HardwareAssetSerialNumber FROM HardwareAsset WHERE HardwareAssetID = '".$_SESSION["HardwareAssetID"]."'";
$serial_number = sqlsrv_query($database_connection, $serial_number_sql);
?>
<input type="text" id="SerialNumber" disabled value="<?php while ($serial_number_option = sqlsrv_fetch_object($serial_number)){echo $serial_number_option->HardwareAssetSerialNumber;} ?>" />
</div>
</div>
Is there anyway to have one PHP piece of code to do one SQL query and then use that to fetch and echo the value for both input fields, as opposed to the two above?
Try it like this?
<?php
$asset_sql = "SELECT HardwareAsset.HardwareAssetAssetTag,HardwareAsset.HardwareAssetSerialNumber FROM HardwareAsset WHERE HardwareAssetID = '".$_SESSION["HardwareAssetID"]."'"
$asset_result = sqlsrv_query($database_connection, $asset_sql);
$asset_data = sqlsrv_fetch_object($asset_result);
?>
<div class="search-line">
<div class="search-option">
<label>Asset Tag:<i title=""></i></label>
<input type="text" id="AssetTag" disabled value="<?php echo $asset_data->HardwareAssetAssetTag; ?>" />
</div>
<div class="search-option">
<label>Serial Number:<i title=""></i></label>
<input type="text" id="SerialNumber" disabled value="<?php echo $asset_data->HardwareAssetSerialNumber; ?>" />
</div>
</div>
Why not just select two fields from the initial query like this:
$serial_number_sql = "SELECT HardwareAsset.HardwareAssetSerialNumber,
HardwareAsset.HardwareAssetAssetTag FROM HardwareAsset WHERE
HardwareAssetID = '".$_SESSION["HardwareAssetID"]."'";
I'm creating a CRUD system and on my edit page, its retrieving the data but the records are cut off after the first space.
For example, if the database record says Stack Overflow within the company column and i use the code below, i only get the word Stack instead of Stack Overflow.
<?php
include_once("connection.php");
$id = $_GET['id'];
$result = mysqli_query($mysqli, "SELECT * FROM leads WHERE id=$id");
while ($res = mysqli_fetch_array($result)) {
$company = $res['company'];
}
?>
<input type="text" class="form-control" id="company" name="company" placeholder="Company" required value=<?php echo $company;?>>
Why is it just pulling the first word?
You are missing the quotes in your html code:
Wrong
value=<?php echo $company;?>>
Correct
value="<?php echo $company;?>">
Also, if you want to avoid any issues with company names that contain " you should probably escape double quotes using htmlentities.
<input type="text" class="form-control" id="company" name="company" placeholder="Company" required value="<?php echo htmlentities($company, ENT_COMPAT); ?>">
I'm trying to make a user search with the following code:
<?php
session_start();
include("../BD/bd.php");
$searched_for = $_POST['searched_for'];
$query = #mysql_query("SELECT * FROM user_media WHERE nombre LIKE '%$searched_for%'") or die(mysql_error());
while($got_users = #mysql_fetch_array($query)){
echo '<div class="searched-content-info">'.
'<div class="searched-photo"><img src="'.$got_users['foto'].'"></div>
<div class="searched-names"><h3>'.$got_users['nombre'].'</h3></div>
<div class="searched-dates"><h3>'.'Miembro desde: '.$got_users['created_on'].'</h3></div>
</div>
<div class="divisor-search-user"></div>';
}
?>
But I'm getting all the rows, I just want to display the searched users info, seems like the $query is receiving a clean $searched_for
Any help here? Btw, I'm a little newbie here, please don't bully :)
EDIT: I tried changing $got_users['nombre']; with $searched_for to see if $searched_for is empty and yes it doesn't return any string that's why I am getting all the rows. $query is getting an empty variable but Why?
Here's my HTML:
<form target="u-n" id="search_input" action="search_user.php" method="post">
<input id="search-input" name="searched_for" type="search" placeholder="Search">
</form>
You used <input type="search" /> which is a HTML5 feature. Older browsers may not support this. Replace this input with type="text".
Then, your $_POST['searched_for'] should populate properly, that is:
<input name="searched_for" type="text" placeholder="Search" />
Also, you used the same id multiple times, which is an invalid HTML syntax.
Reference: HTML input tag at MDN
I have a scenario. Let's say someone is on my website and there is a form which adds an event for example and there is a field as follows:
<input type="text" name="title" id="title">
Let's say that person used F12 developer tools and changes the id="title" to id="whatever", or even remove the id attribute, then how would I make my PHP script stop running so that nothing is posted to MySQL?
Here's an example for a Bookmarks feature I have: (front-end form)
<form action="bookmarks.php" method="post" enctype="multipart/form-data">
<div class="control-group">
<label class="control-label" for="input-mini">Title*</label>
<div class="controls">
<input class="span12" id="title" name="title" type="text" placeholder="e.g. Oliver's pet cat...">
</div>
</div><!-- /control-group -->
<div class="control-group">
<label class="control-label" for="input-mini">Link*</label>
<div class="controls">
<input class="span12" id="link" name="link" type="text" placeholder="e.g. http://boopeo.com">
<input type="hidden" name="parse_var" id="parse_var" value="addbookmark" />
<br /><input name="submit" type="submit" class="btn btn-success span12" value="Bookmark" /></form>
Back-end PHP:
if (isset($_POST['parse_var'])){
$parser = $_POST['parse_var'];
$parser = htmlspecialchars($parser);
if ($parser == "addbookmark"){
$title = $_POST['title'];
$title = htmlspecialchars($title);
$linkurl = $_POST['link'];
$linkurl = htmlspecialchars($linkurl);
$sqlrecentmark = $db->query("SELECT link_url FROM tablenamehere WHERE mem_id='$id' ORDER BY id DESC LIMIT 20");
while($row = $sqlrecentmark->fetch(PDO::FETCH_ASSOC)) {
$recent_link = $row["link_url"];
}
if ( $linkurl != $recent_link ){
$dataact = array( 'mem_id' => $id, 'title' => $title, 'link_url' => $linkurl );
$sqlactivity = $db->prepare("INSERT INTO tablenamehere (mem_id, title, link_url) value (:mem_id, :title, :link_url)");
$sqlactivity->execute($dataact);
} else {
$not_msg = '<br /><br /><div class="alert alert-error">Oops! You have added that bookmark before. Just look and you shall find!</div>';
}
}
}
Never trust data from the user. Always sanitize and validate. You are using prepared statements which is good, so you'll be mostly protected from injection. The other thing you'll want to do is determine if the data the user has sent you matches up with what you were expecting, if it does then proceed to use it with the database. (Which you are for the most part doing, so in all honesty there should be no bad effects from a malicious user)
The id of input field doesn't get passed as posted data, so there's no way to tell in the back-end php code. Maybe you're talking about the name attribute.
<input type="text" name="theTitle" id="aTitle">
In my above example, the input field will be posted as $_POST["theTitle"]
You could use javascript to check these elements before the form is submitted, but if you're worried about the user manipulating the DOM, that probably won't help much.
After reading your concern about the Undefined index error, you simply need to check if the variable is set before you use it:
if(isset($_POST["title"])) {
$title = $_POST['title'];
} else {
//output error
}
This question already has an answer here:
Syntax error due to using a reserved word as a table or column name in MySQL
(1 answer)
Closed 6 years ago.
I'm trying to update my database entries with this form:
<form method="post" action="inc/update.php">
<?php foreach ($links as $row) {
?>
<div class="btn_admin">
<p>
<label>Titulo</label>
<input type="text" name="title[]" value="<?php echo $row["desc"] ?>">
</p>
<p>
<label>Url</label>
<input type="text" name="url[]" value="<?php echo $row["url"] ?>">
<input type="hidden" name="id[]" value="<?php echo $row["id"] ?>" />
</p>
</div>
<?php }
?>
<input type="submit" name="submit" value="Update Links" />
</form>
On my update.php file:
if ($_SERVER["REQUEST_METHOD"] == "POST"
&& $_POST["submit"] == "Update Links") {
include_once 'db.php';
$db = new PDO(DB_INFO, DB_USER, DB_PASS);
foreach($_POST['id'] as $id ) {
$title=$_POST["title"][$id-1];
$url=$_POST["url"][$id-1];
$sql = "UPATE index_links
SET desc=?, url=?
WHERE id=?";
$stmt = $db->prepare($sql);
$stmt->execute(array($title, $url, $id-1));
$stmt->closeCursor();
}
}
I've looped through $title and $url and everything is being 'grabbed' correctly, but the query is failing somehow with no errors.
I have even tried messing with erroneous query syntax (like in the query in the example above - "UPATE"), no errors whatsoever... and yes, the foreach loop is being accessed.
This seems like such intro level stuff, but I'm looking at this for an hour or so no and mind=blown... there are other queries (not UPDATE ones) on my project which are working fine.
In your case, the query probably fails because desc is a reserved word in mySQL.
PDO can be very secretive about its error messages by default. See this question on how to change that.