This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
Closed 7 years ago.
I need to select a user with a particular name:
mysql_query('select * from user where screen_name='.$userName.'');
Can anyone help me see where I'm wrong?
Yes, wrong SQL:
mysql_query('select * from user where screen_name="'.$userName.'"');
mysql_query("select * from user where screen_name = '".$userName."';");
Better (in my mind)
$sql = "SELECT * FROM `user` WHERE `screen_name` = '".$userName."';";
mysql_query($sql);
Even better: use mysqli.
mysql_query("select * from user where screen_name='$userName'");
Try that.
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 3 years ago.
This part needs to be replaced:
$sql = "SELECT * FROM wallets WHERE id = '$user' LIMIT 1";
It requires this: use the mysql_real_escape_string() function for the $user parameter.
How to implement it?
$sql = "SELECT * FROM wallets WHERE id = '$user' LIMIT 1";
Eliminate vulnerability!
You really should upgrade the code from the mysql extension to mysqli or PDO, and then use parametrized queries. The mysql extension was deprecated years ago, and has been removed entirely from PHP 7.
But if you're still using this extension, you can do:
$user_esc = mysql_real_escape_string($user);
$sql = "SELECT * FROM wallets WHERE id = '$user_esc' LIMIT 1";
This question already has answers here:
PHP parse/syntax errors; and how to solve them
(20 answers)
Closed 6 years ago.
How can I select the 'description' row from my 'users' table? I want to just grab the description row depending on what user is logged in.
So far I have this code
$sql = "SELECT description FROM users WHERE uid="$_SESSION['uid']";
but I get this error:
Parse error: syntax error, unexpected '$_SESSION' (T_VARIABLE) in /Applications/XAMPP/xamppfiles/htdocs/login_sys/includes/profile.inc.php on line 19
That's because your code is syntactically wrong.
The correct code would be this:
$uid = $_SESSION['uid'];
$sql = "SELECT description FROM users WHERE uid='$uid'";
(I put the $_SESSION['uid'] in a variable to avoid the problem with lots of quotes in the query).
However, this solution is also wrong, in that you should never use a variable directly in the database like this, even when it's a session. You should read up on prepared queries, and make sure you use either mysqli_ or PDO as a database-handler in PHP.
You are getting this error because you are missing one " at the end of the query.
$sql = "SELECT description FROM users WHERE uid='{$_SESSION['uid']}'";
But always use prepared queries or PDO, as your query is vulnerable to SQL injection.
This should work:
$sql = "SELECT description FROM users WHERE uid='$_SESSION[uid]'";
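The fix both answers point at, as an added example that is not code from any of the posts: a mysqli prepared statement for the first question (look a user up by screen name) and for this one (read the logged-in user's description by the uid stored in the session). The database name, credentials and table columns are assumptions; the table and column names come from the questions.

```php
<?php
// Added example (not from the original posts): mysqli prepared statements
// that look a user up by screen name and by session uid without splicing
// either value into the SQL text.
// Assumed: a database "app" with the "user" and "users" tables from the
// questions; host and credentials are placeholders.

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on any MySQL error

$db = new mysqli('localhost', 'app_user', 'secret', 'app'); // placeholder credentials
$db->set_charset('utf8mb4');

/** Return the user row for a screen name, or null if no user matches. */
function findUserByScreenName(mysqli $db, string $userName): ?array
{
    // The ? placeholder is sent to the server separately from the SQL text,
    // so quotes or keywords inside $userName are data, never syntax.
    $stmt = $db->prepare('SELECT * FROM `user` WHERE `screen_name` = ?');
    $stmt->bind_param('s', $userName);   // 's' = bind as string
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();  // get_result() needs mysqlnd
    $stmt->close();
    return $row ?: null;
}

/** Return the description for the logged-in user, or null if the uid is unknown. */
function descriptionForUid(mysqli $db, int $uid): ?string
{
    $stmt = $db->prepare('SELECT `description` FROM `users` WHERE `uid` = ?');
    $stmt->bind_param('i', $uid);        // 'i' = bind as integer
    $stmt->execute();
    $stmt->bind_result($description);    // works without mysqlnd
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? $description : null;
}

// Usage, e.g. in profile.inc.php after session_start():
$user = findUserByScreenName($db, $_GET['name'] ?? '');
$desc = descriptionForUid($db, (int) ($_SESSION['uid'] ?? 0));
```

Binding the uid as an integer also removes the quoting question entirely: there is no string literal in the SQL to close or escape, and a non-numeric session value simply fails the cast instead of reaching the server.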
This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
Using LIKE in bindParam for a MySQL PDO Query [duplicate]
(2 answers)
Closed 7 years ago.
I'm trying to get PDO to return the results of a wildcard search. My code is:
$search = "%Notes%";
$result = $db->prepare("SELECT * FROM books WHERE 'name' LIKE :search");
$result->bindParam(':search', $search);
$result->execute();
while($arr = $result->fetch(PDO::FETCH_ASSOC)){
echo $arr['name'];
}
At the moment, I get a blank screen. If I run the SQL through phpMyAdmin:
SELECT * FROM books WHERE name LIKE '%Notes%'
I get the appropriate result.
I assume it's something to do with the way I am formatting my PDO statement. I know you can't have a dynamic column name, but I don't see what is going wrong.
In your query you have 'name'; change that to backticks instead of quotes,
i.e.:
$result = $db->prepare("SELECT * FROM `books` WHERE `name` LIKE :search");
You can also just remove the backticks.
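As an added example that is not code from the question or the answer, here is the same wildcard search with the column name fixed and the LIKE pattern built on the PHP side, so the wildcards live in the bound value rather than in the SQL text. Any % or _ that arrive in the user's search term are escaped so they match literally (MySQL's default LIKE escape character is the backslash). The DSN and credentials are placeholders; the books table and name column are from the question.

```php
<?php
// Added example (not from the original posts): binding a LIKE pattern with PDO.
// Assumed: a "books" table with a "name" column; DSN and credentials are placeholders.

$db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // fail loudly instead of a blank page
    PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares
]);

/** Escape the LIKE metacharacters in a user-supplied fragment (backslash is MySQL's default escape). */
function escapeLike(string $fragment): string
{
    return strtr($fragment, ['\\' => '\\\\', '%' => '\\%', '_' => '\\_']);
}

/** Return the names of books whose name contains $term. */
function searchBooks(PDO $db, string $term): array
{
    // Column name in backticks (or bare), never in single quotes: 'name' is the
    // string literal "name", and "'name' LIKE '%Notes%'" is false for every row,
    // which is why the original query returned nothing.
    $stmt = $db->prepare('SELECT `name` FROM `books` WHERE `name` LIKE :search');
    // The wildcards are part of the value; the SQL text never changes.
    $stmt->bindValue(':search', '%' . escapeLike($term) . '%', PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Usage: the term comes from the request, the wildcards are added here.
foreach (searchBooks($db, $_GET['q'] ?? 'Notes') as $name) {
    echo $name, "\n";
}
```

Setting the error mode to exceptions is what turns the "blank screen" in the question into a readable error; with the default silent mode, a failed prepare or execute returns false and the loop simply never runs.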
This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
Closed 8 years ago.
I have MySQL tables, namely q1, q2, q3 and so on.
Now the following code is in a loop, with $n increasing with every step of the loop.
$table = "q".$n;
$query="SELECT MAX(QNO) AS max2 FROM '$table'";
$q=mysqli_query($db,$query) or die("Error: ".mysqli_error($db));
$max2 = mysqli_fetch_array($q);
This gives me an error
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"q1"' at line 1
How do I solve this problem and put the new table name in the query every time?
$query="SELECT MAX(QNO) AS max2 FROM $table"; is enough.
Please change
'$table'
into
`$table`
in the query:
"SELECT MAX(QNO) AS max2 FROM '$table'";
so it looks like:
"SELECT MAX(QNO) AS max2 FROM `$table`";
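Table and column names cannot be bound as parameters, so the backtick fix above is the right syntax but still splices a string into the SQL. The following added example (not code from the question or the answers) builds the q<n> name only from an integer, quotes it as an identifier, and then runs the MAX query; everything about the connection is a placeholder, while the q1, q2, ... tables and the QNO column are from the question.

```php
<?php
// Added example (not from the original posts): identifiers cannot be bound as
// parameters, so the table name derived from $n is validated against the
// expected shape and quoted with backticks before it enters the SQL text.
// Assumed: tables q1, q2, ... each with a QNO column; credentials are placeholders.

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // query errors become exceptions
$db = new mysqli('localhost', 'app_user', 'secret', 'app'); // placeholder credentials

/** Quote an identifier for MySQL; inside backticks only a backtick itself needs escaping (doubled). */
function quoteIdentifier(string $name): string
{
    return '`' . str_replace('`', '``', $name) . '`';
}

/** Build the q<n> table name, rejecting anything that is not a non-negative integer. */
function questionTableName($n): string
{
    if (!is_int($n) && !ctype_digit((string) $n)) {
        throw new InvalidArgumentException('table index must be a non-negative integer');
    }
    return 'q' . (int) $n;
}

/** Return MAX(QNO) from table q<n>, or null when the table has no rows. */
function maxQno(mysqli $db, $n): ?int
{
    $table = quoteIdentifier(questionTableName($n));
    // Only the validated, quoted identifier is interpolated; there is no user-controlled text here.
    $result = $db->query("SELECT MAX(QNO) AS max2 FROM $table");
    $row = $result->fetch_assoc();
    return $row['max2'] === null ? null : (int) $row['max2'];
}

// The loop from the question, with the table name rebuilt safely each step.
for ($n = 1; $n <= 3; $n++) {
    echo "q$n: ", maxQno($db, $n) ?? 'empty', "\n";
}
```

The check in questionTableName() is the important part: because $n is forced to an integer, the only identifiers this code can ever produce are of the form q0, q1, q2, ..., regardless of where $n originally came from.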
This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
Closed 9 years ago.
I have a MySQL query I'm running. I want to add 1 to a field called articleswritten.
I get this error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''users' SET articleswritten = articleswritten + 1 WHERE id = '1'' at line 1
Code:
$sql = "UPDATE 'users' SET articleswritten = articleswritten + 1 WHERE `id` = '$userid'";
$result = mysql_query($sql) or die(mysql_error());
I can't find an issue. Am I blind?
Any help would be appreciated.
This should either be
UPDATE `users`
Or just
UPDATE users
The single quotes make the table name invalid. Everything else in the query is okay.
However, your query is vulnerable to injection. Instead of using ext/mysql, you should use properly parameterized queries with PDO or mysqli.
You don't need to single quote the table name here. This should do
$sql = "UPDATE users SET articleswritten = articleswritten + 1 WHERE id = '$userid'";
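Both this question and the earlier wallets question (the one told to use mysql_real_escape_string()) end with the same advice: move to PDO and bind the id. As an added example that is not code from any of the posts, here are the wallet lookup and the articleswritten increment as PDO prepared statements. The DSN and credentials are placeholders; the wallets and users tables, the id column and the articleswritten column are from the questions.

```php
<?php
// Added example (not from the original posts): the wallet lookup and the
// articleswritten increment as PDO prepared statements, the upgrade path the
// answers recommend instead of escaping values into the SQL string.
// Assumed: tables "wallets" (id, ...) and "users" (id, articleswritten);
// DSN and credentials are placeholders.

$pdo = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4',   // placeholder DSN
    'app_user',
    'secret',
    [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // fail loudly, not silently
        PDO::ATTR_EMULATE_PREPARES   => false,                  // real server-side prepares
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]
);

/** Fetch one wallet by id, or null; the id is bound as an integer, so no string can widen the WHERE clause. */
function findWallet(PDO $pdo, $userId): ?array
{
    if (!ctype_digit((string) $userId)) {   // reject anything that is not a plain non-negative integer
        return null;
    }
    $stmt = $pdo->prepare('SELECT * FROM wallets WHERE id = :id LIMIT 1');
    $stmt->bindValue(':id', (int) $userId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

/** Add 1 to articleswritten for one user; returns the number of rows updated (0 or 1). */
function incrementArticlesWritten(PDO $pdo, int $userId): int
{
    // No quotes around the table name (or backticks if you prefer); 'users' in
    // single quotes was the syntax error in the question.
    $stmt = $pdo->prepare('UPDATE users SET articleswritten = articleswritten + 1 WHERE id = :id');
    $stmt->execute([':id' => $userId]);   // array form binds as strings, which MySQL compares fine to an INT column
    return $stmt->rowCount();
}

// Usage: request and session values never touch the SQL text.
$wallet  = findWallet($pdo, $_GET['user'] ?? '');
$updated = incrementArticlesWritten($pdo, (int) ($_SESSION['uid'] ?? 0));
```

The difference from the mysql_real_escape_string() version is not just the API: with a bound parameter there is no literal in the SQL whose quoting or character set could be mis-escaped, and the return value of rowCount() tells you whether the update actually hit a row instead of silently updating nothing.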