I am creating a property profile page for a real estate site. For some reason it wont check the index in the database to see if it is the same value as the ?id= in the address bar. When I use the code select * from properties it doesn't show any error but when I add WHERE index='$prop_id' it kills the page and echo's query error. The database connection file is included at the top off the index.php page. Can anyone help?
<?php
if(isset($_GET['id'])){
$prop_id = mysql_real_escape_string($_GET['id'])or die("get error");
$check = mysql_query("SELECT * FROM properties WHERE index='$prop_id'") or die("query error");
}
?>
index is a reserved keyword. Fix the errors in the query. Missing ' -
"SELECT * FROM properties WHERE `index` = '$prop_id'"
Try as below :
"SELECT * FROM properties WHERE `index` = ".$prop_id;
You forgot one single quote in the query. Please replace your query with the following:
$check = mysql_query("SELECT * FROM properties WHERE index='".$prop_id."'") or die("query error");
Related
The variable I use for the query prints properly, so it is there.
<?php
print $product_main["ean"];
//The variable is there, since it prints
?>
If I execute this query, it works
$query = ("SELECT * FROM graph ;") or die(mysql_error());
But not with the one where I use a variable
$query = ("SELECT * FROM graph WHERE ean IN ".$product_main["ean"]." group by DAY(created_at);") or die(mysql_error());
Does not work.
I belibe the problem is in how I include the array variable into the query
".$product_main["ean"]."
How has this to be done?
Ajith got it right. I was missing (' ')
$query = ("SELECT * FROM graph WHERE ean IN ('".$product_main["ean"]."') group by DAY(created_at);");
Thanks
I want to update remote database from local database, I have written php script to do that but it is showing me fatal error.
Remote database and local database has same name, same table, same fields.
I have tried this way but its not working.
$tablename="pc_games";
$database = 'games';
$local_query = "SELECT * FROM $tablename LIMIT 100 OFFSET $remoterows";
$local_result = mysql_query($local_query, $connection) or trigger_error("SQL", E_USER_ERROR);
while($list=mysql_fetch_array($local_result))
{
$remote_update=mysql_query("INSERT INTO $tablename SETLECT * from $tablename");
$remote_update_result = mysql_query($remote_update, $remote_connection) or trigger_error("SQL", E_USER_ERROR);
}
Please see and suggest any possible approach to do this.
"INSERT INTO $tablename SETLECT * from $tablename"
This is an invalid SQL statement. SETLECT have to be SELECT
Your remote query has a syntax error: "INSERT INTO $tablename SETLECT * from $tablename". You mean SELECT instead of SETLECT.
Replacement code:
$tablename="pc_games";
$database = 'games';
$local_query = "SELECT * FROM $tablename LIMIT 100 OFFSET $remoterows";
$local_result = mysql_query($local_query, $connection) or die(mysql_error());
while($list=mysql_fetch_array($local_result))
{
$remote_update=mysql_query("INSERT INTO $tablename SELECT * from $tablename");
$remote_update_result = mysql_query($remote_update, $remote_connection) or die (mysql_error());
}
What you did wrong, was you mistyped this line:
$remote_update=mysql_query("INSERT INTO $tablename SETLECT * from $tablename");
Notice that you used SETLECT, instead of what you meant to use (perhaps): SELECT.
I also marvel at how long it takes to detect a typing error.
I changed all your error handlers to the ones I mentioned in the comments. Use them in the future. They're better.
UPDATE: What did you do with your code? I just realised something drastic:
$remote_update=mysql_query("INSERT INTO $tablename SELECT * from $tablename");
$remote_update_result = mysql_query($remote_update, $remote_connection) or die (mysql_error());
First of all, you're running mysql_query on a result. Second, you aren't inserting anything INSERT INTO $tablename. Is it my fault, or are you doing something dreadfully wrong?
Why are you looping through the results(with while($list=mysql_fetch_array($local_result))
) when you absolutely don't need it?
Why have you set the error function everywhere as: trigger_error("SQL", E_USER_ERROR);.
Why are you still using mysql_* method for databases?
If you just need to insert data from another table, just put:
mysql_query("INSERT INTO $tablename SELECT * FROM $tablename LIMIT 100 OFFSET $remoterows") or die(mysql_error());
and be done with it.
I have a query on my page that uses a GET variable to pull data from my table...
If I echo my GET var the data is there so im doing something wrong with my query, instead of or die can I show an error in the browser?
// Get USER ID of person
$userID = $_GET['userID'];
// Get persons
$sql = 'SELECT * FROM persons WHERE id = $userID';
$q = $conn->query($sql) or die('failed!');
$sql = "SELECT * FROM persons WHERE id = $userID";
You must use double quotes to use variables inside the query string.
You can also do this:
$sql = "SELECT * FROM persons WHERE id = ".$userID;
What you should do is this (to protect yourself from sql injection):
$safeuid = $conn->prepare($userID);
$sql = "SELECT * FROM persons WHERE id = ".$safeuid;
You can always debug using this at the top of your php page:
ini_set('display_errors',1);
error_reporting(E_ALL);
Have you tried $q = $conn->query($sql) or die($conn->error()); ?
Yes you can, but you should only do it for debugging. Crackers can gain a lot of insight by purposefully feeding bad input and reading the error.
I'm assuming you're using MySQLi; the command is $conn->error(). So your line would be:
$q = $conn->query($sql) or die($conn->error());
Also, what you're doing wrong is you're using single quotes to define $sql. You need to use double quotes to write $userID into the string. So what you want is:
$sql = "SELECT * FROM persons WHERE id = $userID";
or
$sql = 'SELECT * FROM persons WHERE id = ' . $userID;
You need to use double quotes to evaluate variables within the string. That is,
$sql = 'SELECT * FROM persons WHERE id = $userID';
should be
$sql = "SELECT * FROM persons WHERE id = $userID";
Rather than removing the die you should make sure the query is always valid. In other words: validate the userID parameter. $_GET can contain anything the user wants to provide - it could be an array, it could be a string, it could be a string with a malicious payload that can drop your tables. So check it is an integer. If not, return a relevant message to the user.
Not a php expert but you might try:
// Get USER ID of person
$userID = $_GET['userID'];
// Get persons
$sql = 'SELECT * FROM persons WHERE id = $userID';
$q = $conn->query($sql) or die('failed!' . mysql_error());
The error should append to the end of your die message.
I have the code below which links to a page called deletepage.php which is in my FTP in the right directory. It adds the variable on the end from a database query, that bit works and it opens the page correctly:
X
But now I have this code to run a query on that in the MySQL database but it doesn't actually delete it when it should be deleting it:
$con = mysql_connect("localhost", "will", "blahblah");
if (!$con) {
die('Could not connect: '.mysql_error()); //check for database errors
}
$username = $_GET['user'];
mysql_select_db("themacsp_clipboy", $con);
$sql = ("DELETE * FROM links WHERE link = ".(int)$_GET['plink'] AND username='$username');
mysql_query($sql);
header("location: http://themacsplash.com/userfiles/$username");
?>
I get an error:
Parse error: syntax error, unexpected '=' in >/data/www/vhosts/themacsplash.com/httpdocs/ClipBoy/deletepage.php on line 10
Line 10 is the $sql line ($sql = ("DELETE * FROM links WHERE link = ".(int)$_GET['plink'] AND username='$username');)
How would I fix this?
You were missing some quotes again.
You should probably be doing it step by step, since it's less confusing:
$plink = (int)$_GET['plink'];
$sql = "DELETE FROM links WHERE link=$plink AND username='$username'";
Line should be
$sql = ("DELETE * FROM links WHERE link = ".(int)$_GET['plink'] . "AND username='$username'");
Also you should sanitize those $_GET strings with mysql_real_escape_string() to help avoid SQL injection hacks.
$sql = "DELETE * FROM links WHERE link = ".(int)$_GET['plink']." AND username='".$username."';";
You concatenated the strings and the variables in a wrong way. This'll do.
i think it is in this line
<?php
//replace
//$sql = ("DELETE * FROM links WHERE link = ".(int)$_GET['plink'] AND username='$username');
//with
$sql = "DELETE * FROM links WHERE link = ".(int)$_GET['plink']. "AND username='".$username."'";
?>
After I upload a photo to a server, I want to save it in the user's database in MySQL, but for some reason, it is not working. Below is the code for uploader.php:
session_start();
if(!$_SESSION['userid']) {
header("Location: index.php");
exit;
}
$con = mysql_connect("host","db","pw");
if (!$con)
{
die('Could not connect: ' .mysql_error());
}
mysql_select_db("db", $con);
$sess_userid = mysql_real_escape_string($_SESSION['userid']);
$query = "SELECT * FROM Members WHERE fldID='$sess_userid' UPDATE Members SET PortraitPath = 'profileportraits/' . '$_FILES[file][name]'");
$result = mysql_query($query) or trigger_error(mysql_error().$query);
$row = mysql_fetch_assoc($result);
I'm sure there is something very wrong with my query, but I can't figure out what it is. The photo is definitely being saved into the folder. But I simply want to update its path in the user database for later use. Thank you!
as it was mentioned already, you cannot use these two queries at once.
but there is also weird syntax: you're trying to use PHP's concatenation operator inside of mysql query.
And you did not escape a string parameter - very bad!
So, looks like you need something like
$sess_userid = mysql_real_escape_string($_SESSION['userid']);
$PortraitPath = mysql_real_escape_string('profileportraits/' . $_FILES['file']['name']);
$query = "UPDATE Members SET PortraitPath = '$PortraitPath' WHERE fldID='$sess_userid'";
You can do two separate queries:
UPDATE Members SET PortraitPath = 'profileportraits/' . '$_FILES[file][name]'
WHERE fldID='$sess_userid';
And:
SELECT * FROM Members WHERE fldID='$sess_userid'
It seems you tried to put two queries(SELECT and UPDATE) into one query which will result in invalid query error.
Just wondering why you need two queries since you already know the userid and all you want is to update. All you need is to update the file path
UPDATE Members SET PortraitPath = 'profileportraits/' . '$_FILES[file][name]' WHERE fldID='$sess_userid';