I have made a PHP file from which parameters are passed through the GET method.
The problem is that when I am passing parameters it is saying:
Parameters using the following URL:
http://www.akshay.site90.net/sendlats.php?username=rakesh&lat=30.13348419&longitude=77.28685067
MySQL query failedYou have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' longitude=77.28685067 WHERE `username`=rakesh' at line 1
The code of my PHP file is given below, please have a look:
<?php
$username = $_GET['username'];
$latitude = $_GET['latitude'];
$longitude = $_GET['longitude'];
$con = mysql_connect("mysql3.000webhost.com","a2418693_GCM","[passwordhere");
if(!$con){
die('MySQL connection failed'.mysql_error());
}
$db = mysql_select_db("a2418693_GCM",$con);
if(!$db){
die('Database selection failed'.mysql_error());
}
$sql = "UPDATE driver SET lat=$latitude, longitude=$longitude WHERE `username`=$username";
if(!mysql_query($sql, $con)){
die('MySQL query failed'.mysql_error());
}
mysql_close($con);
IMPORTANT!
Try to avoid an SQL injection situation.
Before using these values:
$username = $_GET['username'];
$latitude = $_GET['latitude'];
$longitude = $_GET['longitude'];
...
filter, escape, prepare them in order to have a safe query to your database.
The best way is to use PDO
use this:
$sql = "UPDATE driver SET lat='$latitude', longitude='$longitude' WHERE `username`='$username'";
instead of this:
$sql = "UPDATE driver SET lat=$latitude, longitude=$longitude WHERE `username`=$username";
your variables must be quoted.
Try as below, you have missed quotes for variable $username:
$sql = "UPDATE driver SET lat=$latitude, longitude=$longitude WHERE `username`='".$username."'";
You are missing quotes for both field names and variable names:
$sql = "UPDATE driver
SET `lat` = '".$latitude."',
`longitude` = '".$longitude."'
WHERE `username` = '".$username."'";
PS: Don't forget the "." concat operator for PHP!
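The advice above to filter the input and use PDO, worked through for the question's UPDATE (an added example, not code from the original posts): it reads `lat`, the parameter name the question's URL actually sends, checks both coordinates as floats in range, and binds all three values as placeholders. The in-memory SQLite database, the sample rows, the helper names `readCoordinate` and `updateDriverPosition`, and the coordinate ranges are assumptions made so the script runs offline.

```php
<?php
// Added example, not the poster's code. In-memory SQLite stands in for MySQL so it
// runs offline (use a mysql: DSN in practice); the rows and requests are constructed.

function readCoordinate(array $in, string $key, float $min, float $max): ?float
{
    // Missing, non-numeric, array-valued or out-of-range input becomes null.
    $v = filter_var($in[$key] ?? null, FILTER_VALIDATE_FLOAT);
    return ($v === false || $v < $min || $v > $max) ? null : $v;
}

function updateDriverPosition(PDO $pdo, array $in): int
{
    $username = $in['username'] ?? '';
    $lat = readCoordinate($in, 'lat', -90.0, 90.0); // the question's URL sends "lat"
    $lng = readCoordinate($in, 'longitude', -180.0, 180.0);
    if (!is_string($username) || $username === '' || $lat === null || $lng === null) {
        throw new InvalidArgumentException('username, lat and longitude are required');
    }
    // Placeholders keep values out of the SQL text: no manual quoting or escaping.
    $stmt = $pdo->prepare(
        'UPDATE driver SET lat = :lat, longitude = :lng WHERE username = :username'
    );
    $stmt->execute([':lat' => $lat, ':lng' => $lng, ':username' => $username]);
    return $stmt->rowCount(); // rows changed (0 when no driver matches)
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE driver (username TEXT PRIMARY KEY, lat REAL, longitude REAL)');
$pdo->exec("INSERT INTO driver VALUES ('rakesh', 0, 0), ('o''brien', 0, 0)");

$requests = [
    'username=rakesh&lat=30.13348419&longitude=77.28685067', // values from the question
    "username=o'brien&lat=12.5&longitude=-45.25",            // apostrophe is plain data
    'username=nobody&lat=1&longitude=1',                     // valid input, no matching row
    'username=rakesh&lat=&longitude=77.28685067',            // empty lat: rejected
    'username=rakesh&lat=30.1&longitude=not-a-number',       // rejected before any SQL
];
foreach ($requests as $qs) {
    parse_str($qs, $in); // builds the same array shape PHP puts in $_GET
    try {
        $n = updateDriverPosition($pdo, $in);
        echo "{$in['username']}: $n row(s) updated\n";
    } catch (InvalidArgumentException $e) {
        echo "{$in['username']}: rejected ({$e->getMessage()})\n";
    }
}
```

Against a MySQL server only the arguments to the `PDO` constructor change; the two functions stay the same.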
Related
I have a Mysql Database named user. Here is a picture:
I want to change the Username of the user "dodlo.rg" programmatically.
Actually, I have PHP version 7.1. And this is a part of my PHP code:
EDITED CODE:
$newName= $_POST["changeT"];
$userId = $_POST["userId"];
$db = mysqli_connect("trolö", "trolö", "trolö123", "trolö");
$sql = "UPDATE user SET username = '$newName' WHERE user_id = '$userId'";
$query = mysqli_query($db, $sql);
$response["successU"] = true;
But I get the Error: "You gave an Error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'SELECT * FROM user' at line 1"
Thanks in advance.
The problem lies in 2 parts.
Firstly, since this column is a varchar field, it needs to be inside quotes, else it produces an SQL error.
Secondly, the SELECT statement just after is not valid, but I guess it was a copy/paste error.
Therefore your working code should be:
$newName= $_POST["changeT"];
$db = mysqli_connect("trolö", "trolö", "trolö123", "trolö");
$sql = "UPDATE user SET username = '".addslashes($newName)."' WHERE username = 'dodlo.rg'";
$query = mysqli_query($db, $sql);
$response["successU"] = true;
Also, please consider using your primary keys in your WHERE clause rather than a varchar field, as it'll improve speed with more complex queries (e.g. where user_id = 35 instead of where username = 'dodlo.rg').
Lastly, but quite important: this code might be vulnerable to SQL injections. You need to use prepared statements.
You have to convert this query into two parts
$sql1 = "UPDATE user SET username = $newName WHERE username = 'dodlo.rg'";
$sql2 = "SELECT * FROM user";
I'm trying to get data from a database that I have created in phpMyAdmin. My problem is that however I change my query, I'm getting the same type of error message using the mysql_error() function:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''foods'' at line 1
PHP code index file:
<?php
require 'connect.inc.php';
$query = "SELECT 'food_type', 'calories' FROM 'foods'";
if($query_run = mysql_query($query)){
while ($query_row = mysql_fetch_assoc($query_run)){
$food = $query_row['food_type'];
$calories = $query_row['calories'];
echo $food.' has '.$calories.' calories ';
}
}else{
echo mysql_error();
}
?>
PHP code database connection file:
<?php
$connectionError = 'Can\'t connect.';
$mySqlHost = 'localhost';
$mySqlUser = 'root';
$mySqlPassword = 'Bhu8Nji9';
$mySqlDataBase = 'my_first_database';
if(!@mysql_connect($mySqlHost, $mySqlUser, $mySqlPassword) || !@mysql_select_db($mySqlDataBase)){
die($connectionError);
}else{
//echo 'Connected';
}
?>
Rewrite your query [Use Backticks instead of Single quotes]
$query = "SELECT 'food_type', 'calories' FROM 'foods'";
to
$query = "SELECT `food_type`, `calories` FROM foods";
use this..
$result = mysql_query("SELECT food_type,calories FROM foods");
while($row = mysql_fetch_array($result))
{...}
Do not use single quotes around table name and field names.
$query = "SELECT food_type, calories FROM foods";
Also avoid mysql_* functions.
Why shouldn't I use mysql_* functions in PHP?
Read following to know when or why to use backticks
Using backticks around field names
Can you try this, added backticks in table foods
$query = "SELECT food_type, calories FROM `foods`";
It is a problem of an unknown column name.
You should use backticks, as in:
$query = "SELECT `food_type`, `calories` FROM foods";
There is a syntax error in your query. It should be as below,
$query = "SELECT food_type, calories FROM `foods`";
I just learned I had magic_quotes_gpc on (much to my chagrin). I turned that off.
My database connection is made prior to this query. I have the following:
$subject = mysqli_real_escape_string($link, $_POST["subject"]);
$body = mysqli_real_escape_string($link, $_POST["body"]);
$id = mysqli_real_escape_string($link, $_POST["id"]);
mysqli_query($link, "UPDATE press SET press_title = '$subject', press_release = '$body' WHERE press_id = '$id'") or die( mysqli_error($link) );
With magic quotes on, this works fine. Once I turn it off, single quotes jam up the works (with a MySQL syntax error at the quote). I thought I understood the concept but I must be missing something. Can someone explain what I'm doing wrong?
UPDATE
Error spit out by MySQL:
you have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's what she said' at line 1
UPDATE #2
Here's the echo'd query:
UPDATE press SET press_title = \'That\'s what she said\', press_release = \'That\'s what she said again!\' WHERE press_id = \'513\'
Use a parametrized query:
$stmt = mysqli_prepare($link, "UPDATE press SET press_title = ?, press_release = ? WHERE press_id = ?") or die (mysqli_error($link));
mysqli_stmt_bind_param($stmt, "ssi", $_POST['subject'], $_POST['body'], $_POST['id']);
mysqli_stmt_execute($stmt);
Manual
I'm getting this error:
Invalid query: You have an error in your SQL syntax; check the manual
that corresponds to your MySQL server version for the right syntax to
use near 'INET_ATON('188.92.x.x')' at line 1
While trying to insert IP Address in database. The column type is:
'LastIP int(10) unsigned NOT NULL,'.
The function to execute the query is:
function onNewUser($ip, $hostname, $con)
{
$query = "INSERT INTO tableMachine (LastIP, LastHostName) VALUES ".
"INET_ATON('".mysql_real_escape_string($ip, $con)."'), ".
"'".mysql_real_escape_string($hostname, $con)."'";
$result= mysql_query($query, $con);
if (!$result) {
die('Invalid query: ' . mysql_error());
}
}
I call this function with the parameters:
$ip = $_SERVER['REMOTE_ADDR'];
$hostname = @gethostbyaddr($ip);
onNewUser($ip, $hostname, $con);
What's wrong with it guys?
Your values list should be encapsulated inside parentheses, if I am not mistaken.
You should try this:
$query = "INSERT INTO tableMachine (LastIP, LastHostName) VALUES (".
"INET_ATON('".mysql_real_escape_string($ip, $con)."'), ".
"'".mysql_real_escape_string($hostname, $con)."')";
I just added parentheses for VALUES(...)
Also, as @Shamil said, the mysql_* functions are deprecated. You should use mysqli_*. This link should help you with the mysqli_* functions.
I believe I have a simple syntax problem in my SQL statement. If I run this code, I get an error in the database query.
$user = $_GET['linevar'];
echo $user; // testing - url variable echos correctly
$sql = "SELECT * FROM `userAccounts` WHERE `name` = $user";
$result = mysql_query($sql) or die("Error in db query");
If I replace $user in the $sql string with 'actualName' or a known record in my table, the code works fine. Am I using the $ variable incorrectly in the SQL string?
You need to surround the value that you're getting from $user with quotes, since it's probably not a number:
$sql = "SELECT * FROM `userAccounts` WHERE `name` = '$user'";
Just as a note, you should also read up on SQL injection, since this code is susceptible to it. A fix would be to pass it through mysql_real_escape_string():
$user = mysql_real_escape_string( $_GET['linevar']);
You can also replace your or die(); logic with something a bit more informative to get an error message when something bad happens, like:
or die("Error in db query" . mysql_error());
You need to escape the GET input, then quote it.
// this is important to prevent sql injection.
$user = mysql_real_escape_string($_GET['linevar']);
$sql = "SELECT * FROM `userAccounts` WHERE `name` = '$user'";
This should work:
$sql = "SELECT * FROM `userAccounts` WHERE `name` = '" . $user . "'";