Closed. This question is not reproducible or was caused by typos. It is not currently accepting answers.
This question was caused by a typo or a problem that can no longer be reproduced. While similar questions may be on-topic here, this one was resolved in a way less likely to help future readers.
Closed 7 years ago.
Improve this question
hi i am getting this error though i tried to change the new to i am stil getting this problem can anyone tell me what should i do. I have completely changed the page also database but still same error.
error>
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''calendar_admin' WHERE teacher_id='ipcst123' and password='a141c47927929bc2d1fb6'
at line 1
my code >
<?php
$username=$_POST['teacherId'];
$password=$_POST['password'];
$password=md5($password);
try {
$bdd = new PDO('mysql:host=localhost;dbname=XXX', 'XXX', 'XXX');
} catch(Exception $e) {
exit('Unable to connect to database.');
}
$query ="SELECT * FROM 'calendar_admin' WHERE teacher_id="."'".$username."' and password="."'".$password."' ";
$resultat = $bdd->query($query) or die(print_r($bdd->errorInfo()));
$res = $resultat->fetchAll(PDO::FETCH_ASSOC);
foreach($res as $result){
$pass=md5($password);
$user=$result["teacher_id"];
if ($pass==$result["password"]&& $username == $user ){
echo "login Success";
session_start();
$_SESSION['teacher_id'] = $username;
header('Location:/addEvents.php');
}else{
header('Location:/login.php');
//echo "Incorrect Password";
}
}
You should use backticks instead of single quotes :
$query ="SELECT * FROM `calendar_admin` WHERE teacher_id='".$username."' and `password`='".$password."' ";
or just remove them
$query ="SELECT * FROM calendar_admin WHERE teacher_id='".$username."' and `password`='".$password."' ";
And since you use PDO, you should bind parameters, but not concatenate them into the query:
$query ="SELECT * FROM calendar_admin WHERE teacher_id= :teacher and `password`= :password ";
$sth = $bdd->prepare($query);
$sth->bindParam(':teacher',$username);
$sth->bindParam(':password',$password);
$sth->execute();
$res = $sth->fetchAll(PDO::FETCH_ASSOC);
Around column and table names has to be backticks, not single quotes. O rnothing if the names aren't from reserved words (or spaces, or hyphens, or anything else that MySQL will scream about, #Fred -ii- in comments below):
`calendar_admin`
The full query:
$query ="SELECT *
FROM `calendar_admin`
WHERE teacher_id = '" . $username . "' AND
password = '" . $password . "'";
Don't forget to escape data from user inputs.
$query = "
SELECT *
FROM calendar_admin
WHERE teacher_id = '$username'
AND password = '$password';
";
Next, take a look at prepared statements
Related
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 3 months ago.
Improve this question
This query works fine:
$query = "SELECT * from hired WHERE username = 'kaas' and dvd = 'dvd 2'";
But then I change it to this query:
$query = "SELECT * from hired WHERE username = " . $_SESSION['name'] . " AND dvd = " . $_POST['dvd'];
and it doesn't work, even though the values should be the same as the top query. It goes straight to my error message, You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '2' at line 1
The dvd's are having names like 'dvd 1' 'dvd 2' 'dvd 3'. Why is it not working? Is there anything wrong in my query?
I tried to use the query with the data written down instead of using the session and post. It worked as I expected, and showed me an echo.
You are not wrapping your string values in quotes
You must use prepared statements for security reasons (SQL Injection and escaping invalid values
$query = "SELECT * from hired WHERE username = :name AND dvd = :dvd";
$statement = $pdo->prepare($query);
$statement->execute([':name' => $_SESSION['name'], ':dvd' => $_POST['dvd']]);
$result = $statement->fetchAll();
It needs to be
$query = "SELECT * from hired WHERE username = '" . $_SESSION['name'] . "'" . "AND dvd = '" . $_POST['dvd'] . "'";
I forgot to put a ' around them, so it would see it (for example) as 'username = Fal' instead of 'username = 'Fal'
You have to concatenate variables inside query properly. Try this it will work.
$query = "SELECT * from hired WHERE username = '" . $_SESSION['name'] . "' AND dvd = '".$_POST['dvd']."'";
Closed. This question is not reproducible or was caused by typos. It is not currently accepting answers.
This question was caused by a typo or a problem that can no longer be reproduced. While similar questions may be on-topic here, this one was resolved in a way less likely to help future readers.
Closed 2 years ago.
Improve this question
this is the code that i used:
<?php
$username = filter_input(INPUT_POST, 'username');
$password = filter_input(INPUT_POST, 'password');
if (!empty($username)){
if (!empty($password)){
$host = "localhost";
$dbusername = "root";
$dbpassword = "1234";
$dbname = "admin";
// Create connection
$conn = new mysqli ($host, $dbusername, $dbpassword, $dbname);
$dbunames = mysqli_query("SELECT * FROM entity WHERE username='$username'");
if (mysqli_num_rows($dbunames) > 0 ) { //check if there is already an entry
for that username
echo "Already taken";
}
else{
$sql = "INSERT INTO entity (username, password)
values ('$username','$password')";
if ($conn->query($sql)){
echo "New record is inserted sucessfully";
}
else{
echo "Error: ". $sql ."
". $conn->error;
}
$conn->close();
}
}
else{
echo "Password should not be empty";
die();
}
}
else{
echo "Username should not be empty";
die();
}
?>
and this is the error(in the web):
Warning: mysqli_query() expects at least 2 parameters, 1 given in
C:\xampp\htdocs\form\connect.php on line 15
Warning: mysqli_num_rows() expects parameter 1 to be mysqli_result, null
given in C:\xampp\htdocs\form\connect.php on line 19
New record is inserted sucessfully
i know "the record is inserted sucessfully" but the username is already taken validation is not working.
i'm not good at php so i would be pleased if you tell me how to fix this code simply.
please help me!!!
$dbunames = mysqli_query("SELECT * FROM entity WHERE username='$username'");
needs to use the $conn variable like so:
$dbunames = mysqli_query($conn, "SELECT * FROM entity WHERE username='$username'");
You need to add the $conn as the first parameter in your query. Because your query is not being executed correctly the mysql_num_rows() is not working either.
Change
$dbunames = mysqli_query("SELECT * FROM entity WHERE username='$username'");
To
$dbunames = mysqli_query($conn, "SELECT * FROM entity WHERE username='$username'");
Additionally, your query as it is written now is not safe against sql injection. You should take 30 mins to read up on how to use parameterized queries. It's not bad at all, learn it now so you can make sure all your queries going forward are coded correctly. It's just the right thing to do.
Here is a good link to read that will explain parameterized queries using mysqli. Good SQL Practices
Here is an example of how to properly code your query that you have above.
$stmt = $conn->prepare("SELECT * FROM entity WHERE username = ?");
$stmt->bind_param("s", $username);
$stmt->execute();
$result = $stmt->get_result();
if($result->num_rows > 0){
echo "That username is already taken.";
}
$stmt->close();
You forgot to add $conn variable at the // Create connection section so it should be:
$dbunames = mysqli_query($conn, "SELECT * FROM entity WHERE username='$username'");
Also Always store your passwords as Hash!!
As i said in my comment:
mysqli_query function needs two parameters to be passed.
Change this:
$dbunames = mysqli_query("SELECT * FROM entity WHERE username='$username'");
to this one:
$dbunames = mysqli_query($conn, "SELECT * FROM entity WHERE username='$username'");
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 6 years ago.
Edit the question to include desired behavior, a specific problem or error, and the shortest code necessary to reproduce the problem. This will help others answer the question.
This question was caused by a typo or a problem that can no longer be reproduced. While similar questions may be on-topic here, this one was resolved in a way less likely to help future readers.
Improve this question
I have a query that im certain is correct but alas it is not. and that being said i am at a loss as to what could be causing the issue. here is my php script.
$con = mysqli_connect($DB_HOST,$DB_USER,$DB_PASSWORD,$DB_DATABASE);
if(!$con){
echo "Connection Error...".mysqli_connect_error();
}
else
{
echo "Database connection Success...";
}
$user_name = $_POST["login_name"];
$user_pass = $_POST["login_pass"];
$sql_query = "SELECT name from user_info where user_name like '$user_name'
and user_pass like '$user_pass'";
$result = mysqli_query($con,$sql_query);
if(mysqli_num_rows($result)>0)
{
$row = mysqli_fetch_assoc($result);
$name = $row ["name"];
echo "Hello welcome".$name;
}
else {
echo "No user found";
}
?>
You haven't hadded quotes! Remember $query is a string!
$con = mysqli_connect($DB_HOST,$DB_USER,$DB_PASSWORD,$DB_DATABASE);
if(!$con) {
echo "Connection Error...".mysqli_connect_error();
} else {
echo "Database connection Success...";
}
$user_name = $_POST["login_name"];
$user_pass = $_POST["login_pass"];
$sql_query = "SELECT name from user_info WHERE user_name like '$user_name'
and user_pass like '$user_pass'";
$result = mysqli_query($con,$sql_query);
if(mysqli_num_rows($result)>0) {
$row = mysqli_fetch_assoc($result);
$name = $row ["name"];
echo "Hello welcome".$name;
} else {
echo "No user found";
}
You forgot to wrap your query string in quotes.
You are writing query in your PHP variable so it must be wrapped in quotes.
$sql_query = "SELECT name from user_info where user_name like '{$user_name}' and user_pass like '{$user_pass'}";
What kind of error are you experiencing?
Your query should be a string, which means you'll need to surround it with quotes when assigning it:
$sql_query = "SELECT name from user_info where user_name like '" . $user_name
. "' and user_pass like '" . $user_pass . "'";
you can also use this syntax:
$sql_query = "SELECT name from user_info where user_name like '{$user_name}' and user_pass like '{$user_pass}'";
This will, however leave you open to SQL Injection Attacks.
See this part of the PHP documentation for more.
Closed. This question is not reproducible or was caused by typos. It is not currently accepting answers.
This question was caused by a typo or a problem that can no longer be reproduced. While similar questions may be on-topic here, this one was resolved in a way less likely to help future readers.
Closed 8 years ago.
Improve this question
$username = stripslashes($username);
// check if usernames exists
$sql = "SELECT Login_Name FROM memberdirectory WHERE Login_Name = $username";
if ($result = mysqli_query($pdo,$sql)) {
$row = mysqli_num_rows($result);
// if yes, fetch the encrypted password
You are missing quotes around the string value:
$sql = "SELECT Login_Name FROM memberdirectory WHERE Login_Name = '$username'";
If you are using mysqli, why limit yourself to manually sanitizing your inputs? MysqlI has prepared statements to handle and format your query correctly.
$Conn = new mysqli("host","user","pass","database");
$Query = $Conn->prepare("SELECT Login_Name FROM memberdirectory WHERE Login_name=?");
$Query->bind_param('s',$username);
$Query->execute();
$Query->fetch();
$Row_Number = $Query->num_rows;
$Query->close(); // close the connection. Always a benefit and can save you complications later down the line
Then validate:
if ($Row_Number > 0){
} // Example only.
$username = stripslashes($username);
$sql = "SELECT Login_Name FROM memberdirectory WHERE Login_Name =".$username;
if ($result = mysqli_query($pdo,$sql)) {
$row = mysqli_num_rows($result);
Closed. This question is not reproducible or was caused by typos. It is not currently accepting answers.
This question was caused by a typo or a problem that can no longer be reproduced. While similar questions may be on-topic here, this one was resolved in a way less likely to help future readers.
Closed 9 years ago.
Improve this question
I am novice to php-mysql ...please help me to rectify the syntax error
the error is:
Parse error: syntax error, unexpected T_VARIABLE in /home/u831097172/public_html/php/update.php on line 13
line 13:
UPDATE $tbl_name SET password= '$password' WHERE email='$email';
maybe you mean something like
$query = "UPDATE $tbl_name SET password = '$password' WHERE email='$email'";
remeber to add slashes to your $password and $email variable to avoid sql-injection
I think you should learn directly with statements:
$mysqliConnection = new mysqli($SERVER, $USER, $PW, $TABLE);
$stmt = mysqliConnection->prepare("UPDATE ? SET password = ? WHERE email = ?");
$stmt->bind_param("sss", $tbl_name, $password, $email);
$stmt->execute();
Here's the doc :) http://es1.php.net/manual/en/mysqli.prepare.php
Are the variables filled?
Maybe its better you make
$query = "UPDATE " . $tbl_name . " SET password='" . $password . "'
WHERE email='" . $email . "'";
And then you can check simple if you print the String out. There you can see if your variables are filled:
print_r($query);
You have your variable $tbl_name not in quotes $tbl_name has to be '$tbl_name'