I want to perform this mysql search :
SELECT ida, MotsClef FROM Actes WHERE MATCH (MotsClef )
AGAINST ('+"dette" +"plège"' IN BOOLEAN MODE);
Using php, I use regular expressions to add the +" and " to the expressions received via $_POST so a var_dump gives :
'motcle' => string '+"dette" +"plège"'
So that's fine too. However, I use prepared statements using PDO class and I have this piece of code for that:
if($r['motcle']!=''){
$motclef = $r['motcle'];
$demMotsClef = " AND WHERE MATCH (MotsClef ) AGAINST (:motsclef IN BOOLEAN MODE) ";
}
else{
$demMotsClef='';
}
than:
$f = "SELECT COUNT(*) FROM Actes, Bibliographie WHERE id = idBiblio".$demMotsClef;
$demande = $this->prepare($f);
if($r['motcle']!=''){$demande->bindValue(':motsclef',stripslashes($motclef));}
$demande->execute(); //the error is on this line//
I get a MySQL error message saying I have an error in your SQL syntax:
Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[42000]:
Syntax error or access violation: 1064 You have an error in your SQL syntax;
check the manual that corresponds to your MySQL server version for the
right syntax to use near 'WHERE MATCH (MotsClef ) AGAINST
('+\"dette\" +\"plège\"' IN BOOLEAN MODE) AND a' at line 1' in
/Library/WebServer/Documents/messources/actions.class.php on line 547.
The error in mysql syntax is that the slashes are added, hence the use of stripslashes (doesn't work).
Any idea on how to solve that - I would rather not change ini settings either in php.ini or in a .php function since that would mess up all my other mysql requests.
Thanks!
Ohh, well took me a while to find the error but this is definetly wrong:
$demMotsClef = " AND WHERE MATCH (MotsClef ) AGAINST (:motsclef IN BOOLEAN MODE) ";
$f = "SELECT COUNT(*) FROM Actes, Bibliographie WHERE id = idBiblio".$demMotsClef;
If you look at this, you'll have double WHERE, which is not allowed, you should make this change:
$demMotsClef = " AND MATCH (MotsClef ) AGAINST (:motsclef IN BOOLEAN MODE) ";
Related
I have the following db query that is looking up rows in a MySql table that end in a certain pattern.
$res = db_query('SELECT identifier FROM {rules_scheduler} WHERE identifier LIKE %:schid', array(':schid' => '_' . $sch_id));
foreach ($res as $rec) {
scheduler_delete_schedule($component, $rec->identifier);
}
But this results in the following error...
PDOException: SQLSTATE[42000]: Syntax error or access violation: 1064
You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use
near '%'_591'' at line 1: SELECT identifier FROM {rules_scheduler}
WHERE identifier LIKE %:schid; Array ( [:schid] => _591 ) in
_callback_delete_scheduled_notifications()
So it looks like my :schid token is correctly being replaced with _591 , but there seems to be a single inverted comma between the % and the under score. I cant for the life of me figure out why!
I don't know what {rules_scheduler} is supposed to be, so I'll provide you with a query string that works with the wildcard:
$query = "SELECT identifier FROM rules_scheduler WHERE identifier LIKE CONCAT('%', :schid)";
$res = db_query($query, [':schid' => '_' . $sch_id]);
i did follow the solution here : Warning: pg_query(): Query failed: ERROR: syntax error at or near but i still got the following error :
Warning: pg_query(): Query failed: ERROR: column "rosmoffi" does not exist LINE 1: ... FROM public."espece" where "espece"."Code_Espece" =Rosmoffi ^
this is my code :
$conn = pg_connect($conn_string);
$query = 'SELECT * FROM public."espece" where "espece"."Code_Espece" ='.$idd ;
if (!$result = pg_query($conn, $query)){
echo pg_result_error ($conn);
return false;
}
$result = db($result);
return $result;
$query = 'SELECT * FROM public."espece" where "espece"."Code_Espece" ='.$idd ;
Do not do this. If you were to output what you get here you'd see the error, as you should from the error message. Whatever is in the variable $idd will be put into the query as is and it will not be considered a string. It's just a part of the query. So since there are no quotes it will in this case be understood as a column name.
The worst part of this is that if $idd is coming from the user think what will happen when someone sets it to 1; truncate table espece. Or something worse. Learn how to use parameters immediately.
Using parameters your code would be:
$query = 'SELECT * FROM public."espece" where "espece"."Code_Espece" =$1';
if (!$result = pg_query_params($conn, $query, array($idd))){
This way the variable is given properly to the database and there is no injection vulnerability.
NB! For those who keep saying the double quotes should be removed, no. They should not. If the column name is capitalized as Code_Espece then PostgreSQL will not recognize it without the quotes. Capitalization is usually not recommended.
i am having a problem with my script in php/mysql. here is the error displayed by the server:
Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'if exists (select * from notificacoes where uid in () order by id desc' at line 1' in C:\wamp\www\bigui\classes\Notificacoes.class.php on line 57
and here is my php code:
static function listar(){
$strIdAmigos = Amizade::$strIdAmigos;
$query = self::getConn()->query('select * from notificacoes where uid in ('.$strIdAmigos.') order by id desc');
return $query->fetchAll(PDO::FETCH_ASSOC);
}
my table in the mysql is empty, with no values. when i insert a value in it, the error goes away and everything is fine. any help?
If $strIdAmigos is empty, it causes syntax errors.
Before you execute this query, you should check the $strIdAmigos value whether it's empty or not to avoid this issue. Not to forget to escape the values if needed.
When you run your query with nothing in the variable $strIdAmigos, it will error out.
Try initializing and/or checking your variable, $strIdAmigos, before running your query:
$strIdAmigos = "";
if (empty($strIdAmigos)) {
/* Uh oh, throw an error */
} else {
$query = self::getConn()->query('select * from notificacoes where uid in ('.$strIdAmigos.') order by id desc');
}
Note that if $strIdAmigos = "0" , the empty($strIdAmigos) will still evaluate to true and, hence, will NOT run the query.
Because putting NULLs inside the variables gives headache here in PHP, I resorted to explicitly putting NULL on the prepared statement
The script is a csvupload script originally came from here Import CSV into MySQL
$linemysql = implode("','",$linearray);
$linemysql = "'".$linemysql."'";
$sql="SELECT * FROM `".$tblmei."` WHERE `".$shuHint."` = ".$linearray[0];
$stmt = $setsu->query($sql);
$rwCnt=$stmt->rowCount();
if ($rwCnt==0){
$fumeiKazu=substr_count($linemysql,"'Unknown'");
echo "<br>fumeiKazu=".$fumeiKazu;
if ($fumeiKazu==1)
{
$fumeiPos=mb_strpos($linemysql,"'Unknown'");
$l1=mb_substr($linemysql,0, $fumeiPos);
echo "<br>l1=".$l1;
$sfumeiPos=$fumeiPos+9;
echo "<br>sfumeiPos=".$sfumeiPos;
$l2=mb_substr($linemysql,$sfumeiPos);
echo "<br>l2=".$l2;
echo "<br>".$l1.NULL.$l2;
$tsuika = $setsu->prepare("INSERT INTO ".$tblmei." VALUES (".$l1.NULL.$l2.")");
$tsuika->execute();
$dataHaitaKazu++;
}
}
The idea of this php script block is when it finds Unknown, post it as NULL as the row's Risk during query
I made sure the the Risk column in the table structure phpmyadmin accepts null and default is null.
This is what I came up
$tsuika = $setsu->prepare("INSERT INTO ".$tblmei." VALUES (".$l1.NULL.$l2.")");
And it yiedls this error:
SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ',,'testArea','0')' at line 1' in
when i try to execute an update statement i got the following error :
Erreur : SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Issy-les-Moulineaux ' where ssiphone_idstation=46' at line 1
my update statement is :
$bdd->exec("update ssiphone_stationdeservice set $cle='$element' where ssiphone_idstation=$id");
this is in a php code, THX in advance for your help :)
$cle and $element are in array, my code is :
foreach($table1 as $cle => $element)
{
$bdd->exec("update ssiphone_stationdeservice set $cle='$element' where ssiphone_idstation=$id");
}
now table1 is an array which contain the columns name of my table and its values :
$table1=array();
$table1['ssiphone_etatstation']=$etat;
$table1['ssiphone_commerce']=$commerce;
$table1['ssiphone_stationdelavage']=$lavage;
$table1['ssiphone_typescarburants']=$lescarburants;
$table1['ssiphone_joursdelasemaine']=$jourssemaines;
$table1['ssiphone_horaires ']=$this->horaires;
$table1['ssiphone_telephone ']=$telephone;
$table1['ssiphone_sensdecirculation ']=$this->sensDeCirculation;
$table1['ssiphone_adresse ']=$this->adresse;
$table1['ssiphone_ville']=$this->ville;
$table1['ssiphone_departement']=$this->departement;
$table1['ssiphone_nomstation ']=$this->nomStation;
Most likely your $cle variable isn't set, making the query look like:
... set ='Issy-les-moulineaux ' where ...
comment followup:
Change your code to look like this, then:
$query = "update ssiphone_stationdeservice set $cle='$element' where ssiphone_idstation=$id";
$result = $bdd->exec($query);
if ($result === FALSE) {
print_r($bdd->errorInfo());
die("Query: " . $query);
}
This way you have the complete query string in a variable you can inspect (e.g. by echoing out). Obviously there's something wrong with the query - but the mysql error string doesn't show the entire query, so you have to take measures to capture it.