Stored Procedure multi-issue - php

I have the following tables:
image_sources
character_trait_annotations
character_traits
characters
(and tables that are not pertinent to this problem). I am trying to use a stored procedure that looks for an ImageURL in image_sources where AnnotationID is equal to the one fetched from the code at random. That AnnotationID belongs to character_trait_annotations table, which also has a CharacterID and a CharacterTraitID. The CharacterID is in characters table, which has CharacterName, and the CharacterTraitID is in character_traits, which has CharacterTraitName.
The code is to call the stored procedure with $character, $trait (which are CharacterName, CharacterTraitName, respectively), and attempt to fetch the ImageURL for it.
The stored procedure
The SQL code for the procedure is as follows:
CREATE PROCEDURE getImageURL(IN charName VARCHAR(35), IN traitName VARCHAR(100))
BEGIN
SELECT ImageSourceURL FROM image_sources WHERE
AnnotationID = (SELECT AnnotationID FROM character_trait_annotations WHERE CharacterID =
(SELECT CharacterID FROM characters WHERE CharacterName = charName) AND CharacterTraitName =
(SELECT CharacterTraitID FROM character_traits WHERE CharacterTraitName = traitName)
);
END;
However, when I call the procedure from PHP, I get this error: Unable to call stored procedure: Unknown column 'CharacterTraitName' in 'where clause'. I was able to create the stored procedure without complaint on the active server.
I check this procedure locally, on my own machine('s version of the database, in phpMyAdmin), by trying to create the stored procedure there to see what is going on, and I get this error: #1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 7
I even tried to enclose the column names and the table names with backticks, and it is telling me the same thing. What is wrong with this?

I figured it out; /* by "I", I mean a friend of mine */
OK, so what did you do?
I didn't have access to phpMyAdmin, MySQLConnect, or any other of those database editors, so I had to attempt making one of my own: http://dinotator.biokdd.org/ResearchProject/tableViewer.php . Right now, the only thing that works is the dropdown menu to select the tables.
I didn't have access to this up until today, and when I asked my friend, and he asked for a way to see the database, I gave him that. The problem he pointed out (and I should have seen) was the second condition in the subquery: CharacterTraitName =
(SELECT CharacterTraitID FROM character_traits WHERE CharacterTraitName = traitName) The stupid mistake that was made was trying to check for equality between CharacterTraitName and CharacterTraitID. Furthermore, CharacterTraitName column didn't exist in character_trait_annotations.
echo 'I feel dumb.';

Related

CodeIgniter adds new line characters in my query

I wanted to update a column in my database table, the update should just add a numeric value to the existing one.
But this time around, I'm writing the query with CodeIgniter Query builder, the issue is that when I run the script, CodeIgniter throws an Sql Exception below:
"message": "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '11:01:37\nWHERE `user_id` = '26'' at line 1"
As you can see, it added a new line character to the query string.
The PHP code below is the query in CodeIgniter
$userModel->set('reputations', 'reputations+10', false)
->where('user_id', $user_id)
->update();
One thing I noticed is that if I removed the false (the third parameter) which tells CodeIgniter not to escape the column name, there won't be any error, instead '0' will be updated at reputation column.
I don't know what the problem might be, I could have moved on by writing a custom query, but, I wanted to be sure that I'm not doing something wrong.
P.S: custom one will look like this:
UPDATE users
SET reputations = reputations + 10 WHERE user_id = $user_id
Note: in the above error message you might be wondering where the digits in the error came from i.e
'11:01:37 in '11:01:37\nWHERE user_id
It is the value of a column in my table which is also updating along side reputation column.
Thanks amigos.
Could it be your code editor generating the newline?
Anyways, one fast way to avoid the problem is to use codeigniter query method:
$userModel->query("UPDATE `users` SET `reputations` = reputations + 10 WHERE `user_id` = $user_id");
Not the cleanest solution but it makes sure it works! :)
Mattia

Unable to execute 2 MySQL queries separated by semicolon

I am trying a simple SQL Injection example which is already working correctly. The goal is to add SQL code to a login page that asks for EmployeeID and Password. In this example I am supposed to know the following information:
* There is a user called Admin
* There is a table field called Name
With this data at hand, the code below did the trick. A space is included after the second dash in order to be interpreted as a comment so the rest of the query is ignored. Basically, the password information is not necessary.
' or Name = 'Admin'; --
So far, so good. Now, I have to include a second SQL statement and I am told that I can use a semicolon as a separator for multiple SQL statements. So I did the following:
' or Name = 'Admin'; SELECT id FROM credential; --
But it does not work. I get a message saying that there is an error in the SQL syntax. I thought that maybe there is no support for multiple queries in one line but I tested using MySQL console and I could successfully issue 2 select statements separated by a semicolon. Below, I show the query (displayed intentionally by an echo statement) and the error that appears on screen.
I will very much appreciate your feedback to help me discover and fix my issue.
SELECT id, name, eid, salary, birth, ssn, phoneNumber, address, email,nickname,Password FROM credential WHERE eid= '' or Name = 'Admin'; SELECT id FROM credential; -- ' and Password='da39a3ee5e6b4b0d3255bfef95601890afd80709'
There was an error running the query [You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'SELECT id FROM credential; -- ' and Password='da39a3ee5e6b4b0d3255bfef95601890af' at line 3]\n
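
The login query from the question in its concatenated form beside a parameterized form, as an added example that is not part of the original post. It assumes an in-memory SQLite database through PDO as a stand-in for MySQL, a constructed credential table, and hypothetical function names.

```php
<?php
// Constructed sample data; in-memory SQLite stands in for MySQL (assumption).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE credential (id INTEGER PRIMARY KEY, name TEXT, eid TEXT, Password TEXT)');
$ins = $pdo->prepare('INSERT INTO credential (name, eid, Password) VALUES (?, ?, ?)');
$ins->execute(['Admin', '99999', sha1('constructed-admin-password')]);
$ins->execute(['Alice', '10000', sha1('constructed-alice-password')]);

// Concatenated form: same shape as the query echoed in the question.
// SHA-1 only mirrors that query; new code should use password_hash().
function loginConcatenated(PDO $pdo, string $eid, string $password): array
{
    $hash = sha1($password);
    $sql = "SELECT id, name FROM credential WHERE eid= '$eid' and Password='$hash'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Parameterized form: both inputs travel as data and are never parsed as SQL,
// so quotes, semicolons and comment markers in them have no effect.
function loginPrepared(PDO $pdo, string $eid, string $password): array
{
    $stmt = $pdo->prepare(
        'SELECT id, name FROM credential WHERE eid = :eid AND Password = :hash'
    );
    $stmt->execute([':eid' => $eid, ':hash' => sha1($password)]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The EmployeeID value quoted in the question, with an empty password.
$input = "' or Name = 'Admin'; -- ";

$rows = loginConcatenated($pdo, $input, '');
echo 'concatenated: ', count($rows), " row(s) returned\n";

$rows = loginPrepared($pdo, $input, '');
echo 'prepared:     ', count($rows), " row(s) returned\n";
```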

PHP / MySQL query stopped working for no apparent reason

I've got a page that alters a large quantity of variables in my MySQL database, and so far they've all worked great, but now all of the queries inside of a single logic-gate have stopped working for no apparent reason.
I've confirmed the following:
- The variable posted and used in the "if" statement of the gate is as it was intended
- The logic gate is triggered as intended (I can echo stuff and etc inside of it).
- The database connection is established, I am successfully running queries of various types before and after this logic gate on the same connection variable.
- The connection user has ALL PRIVILEGES enabled, the aforementioned queries surrounding this logic gate are using similar functions successfully.
Here's the logic gate:
if (!empty($_POST["addqual"])){
$coladqual = $_POST["addqual"];
$sqlf = "ALTER TABLE users ADD UNIQUE ('$coladqual') INT( 2 ) NOT NULL";
$conn->query($sqlf);
$sqlc = "INSERT INTO competencebonus (competence,bonus)
VALUES ($coladqual,0)";
$conn->query($sqlc);
}
I've tried multiple alterations, but they don't seem to execute no matter what I do. I've got at least 20 other queries in other logic gates before and after these two and there seems to be virtually no difference between them, apart from these two just not working at all.
EDIT - Here's the error (Thanks to all of you who provided me with the error report syntax)
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''TestAA') INT( 2 ) NOT NULL UNIQUE' at line 1
What strikes me as odd is that only the closing parenthesis is around the post input (TestAA). Is it supposed to have both or neither?
I tried changing the syntax and got the following error:
Duplicate entry '0' for key 'TestAB'
The syntax was:
$sqlf = "ALTER TABLE users ADD `$coladqual` INT( 2 ) NOT NULL UNIQUE";
FINAL EDIT:
Made it work. Deleted the "NOT NULL" statement as recommended by Jeff Pucket II. Somehow this combined with the deletion of the parenthesis and use of backticks instead of apostrophe made the thing work.
Thanks for those of you who had the patience to help me with this.
It looks like you're trying to alter an existing table with a unique not null column. I would expect this to fail if any rows already exist in the table, unless your engine imputes zero. Even then this would fail if there were more than one record because of the unique constraint. Also make sure that the column name being added doesn't already exist.
To get the error using MySQLi, try:
$result = $conn->query($sqlf) or die($conn->error);
The 'unique' constraint should go at the end of your query
$sqlf = "ALTER TABLE users ADD ('$coladqual') INT( 2 ) NOT NULL UNIQUE";
Error checking depends on what flavor of MySQL you're running
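
The column name in this thread comes straight from $_POST and ends up inside an ALTER TABLE statement, where it cannot be bound as a parameter. The following added example (not code from the thread) validates the identifier before quoting it and binds the same value in the INSERT; it assumes an in-memory SQLite stand-in through PDO, hypothetical function names, and omits UNIQUE because SQLite cannot add a unique column.

```php
<?php
// Identifiers cannot be bound as parameters, so the column name is checked
// against a strict pattern before it is placed in the DDL string.
function quoteNewColumn(string $name): string
{
    // Letters, digits and underscore only, starting with a letter, at most
    // 64 characters (the MySQL identifier length limit).
    if (!preg_match('/\A[A-Za-z][A-Za-z0-9_]{0,63}\z/', $name)) {
        throw new InvalidArgumentException('column name rejected');
    }
    return '`' . $name . '`';
}

function addQualification(PDO $pdo, string $name): string
{
    $ddl = 'ALTER TABLE users ADD ' . quoteNewColumn($name) . ' INT';
    $pdo->exec($ddl);
    // The same value is ordinary data here, so it is bound, not interpolated.
    $stmt = $pdo->prepare(
        'INSERT INTO competencebonus (competence, bonus) VALUES (?, 0)'
    );
    $stmt->execute([$name]);
    return $ddl;
}

// In-memory SQLite stands in for MySQL (assumption); tables are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY)');
$pdo->exec('CREATE TABLE competencebonus (competence TEXT, bonus INT)');

// Constructed inputs: one plain name and two that would alter the statement.
foreach (['TestAA', "TestAB') INT", 'a`b'] as $posted) {
    try {
        echo 'executed: ', addQualification($pdo, $posted), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', var_export($posted, true), "\n";
    }
}
```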

Access SQL, append query breaks when using ODBC/PHP

I'm designing a web interface for my client's database (A .mdb MS Access file). I'm using an ODBC driver to connect to it and the odbc_ functions provided by PHP.
My problem is Access's 'append' queries. From what I gather, it's just inserting more rows, but something is breaking the query from executing:
INSERT INTO test ( TITLE, [LEVEL], UNITID, TITLEM, COHORTPLUSOPTIONS )
SELECT \"OPTION ONLY\" AS Expr, Units.LEVEL, UnitOptionNumbers.ID, Units.TITLE,
UnitOptionNumbers.OPTIONCOHORT
FROM UnitOptionNumbers INNER JOIN Units ON UnitOptionNumbers.ID = Units.ID WHERE
(((UnitOptionNumbers.NOAWARD)=Yes));
The most helpful error message I can get is:
[ODBC Microsoft Access Driver] Too few parameters. Expected 1.
Which isn't helpful at all. I'm confident with MySQL, but I just cannot pinpoint the problem here. Please can you help me find the reason the query won't execute, or help me figure out a workaround.
Thanks for your time.
I don't have enough reputation to comment but perhaps it could be a problem with the fact that your table "test" has two fields with the same name ("TITLE")
According to Microsoft:
"This error occurs only with Microsoft Access when one of the column names specified in a select statement does not exist in the table being queried."
The solution therefore is to change
SELECT \"OPTION ONLY\" AS Expr
to
SELECT 'OPTION ONLY'
It seems the original code attempted to fill the first field with a default text value, i.e. "OPTION ONLY". "OPTION ONLY" was being read as a column name, it seems.

Problem with MySQL query to recordset - possibly caused by move from MySQL 4 to MySQL 5

I have a website with a sales and wanted page, which uses a query to return all of the sales & wanted ads into a recordset. It's been working for 4-5 years without incident, but suddenly stopped working on Friday. My ISP tell me they have implemented v5 of MySQL, which seems to have caused the problem.
The query is below:
$query = "select * from $table order by uidno desc limit $from,$max_results";
It's executed via the following command
$recordset = mysql_query($query);
if($recordset == false)
{
echo("Could not retrieve comment. Please try later<br>");
echo("060211<br>");
return;
}
It's no longer able to load the comments into the recordset. Also the statement to populate the table is no longer populating the fields in the table correctly, though a new row is being created.
The statement is below:
$inputdata = "INSERT INTO $table(date,name,email,suggestion) values('$today','$inputname','$email','$suggestion')";
And it is executed via:
$outcome = mysql_query($inputdata);
The structure of the table is as follows:
uidno int(11) extra=AUTO_INCREMENT Null=no default = none
date date default 0000-00-00
Name varchar(60)
Email varchar (60) Null=yes Default = NULL
Suggestion blob attributes=binary null=no
Please help - I don't understand what changes I need to make to the syntax to make these queries compatible with MYSQL v5.
Update:
I added the echo mysql_error(); and it appears to output the following:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-10,10' at line 1
So this indicates an error in the syntax - but I've no idea what the error is.
http://dev.mysql.com/doc/refman/5.0/en/select.html
The LIMIT clause can be used to constrain the number of rows returned by the SELECT statement. LIMIT takes one or two numeric arguments, which must both be nonnegative integer constants (except when using prepared statements).
Column, index, stored routine, and event names are not case sensitive on any platform, nor are column aliases
so your lowercase column names in code and upper case column names in mysql structure should not be the problem.
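
One way to keep the LIMIT arguments non-negative integers, as the quoted manual text requires, shown as an added example that is not code from the thread. It assumes $from is derived from a request-supplied page number (the thread does not show how it is computed), a hypothetical ads table with constructed rows, and an in-memory SQLite stand-in through PDO.

```php
<?php
// Turn a page number from the request into LIMIT arguments that are always
// non-negative integers (assumed derivation: offset = (page - 1) * perPage).
function pageWindow($page, int $perPage = 10): array
{
    $page = filter_var($page, FILTER_VALIDATE_INT);
    if ($page === false || $page < 1) {
        $page = 1;   // missing, non-numeric, zero or negative input
    }
    return [($page - 1) * $perPage, $perPage];
}

function fetchAds(PDO $pdo, $page): array
{
    [$from, $max] = pageWindow($page);
    $stmt = $pdo->prepare(
        'SELECT uidno, name FROM ads ORDER BY uidno DESC LIMIT :from, :max'
    );
    // Bound as integers: with string binding an emulating driver would quote
    // the values, which LIMIT does not accept.
    $stmt->bindValue(':from', $from, PDO::PARAM_INT);
    $stmt->bindValue(':max', $max, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// In-memory SQLite stands in for MySQL (assumption); 25 constructed rows.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE ads (uidno INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT)');
$ins = $pdo->prepare('INSERT INTO ads (name) VALUES (?)');
for ($i = 1; $i <= 25; $i++) {
    $ins->execute(["constructed ad $i"]);
}

// Constructed page values, including ones that would yield a negative offset.
foreach (['1', '3', '0', '-3', 'abc'] as $page) {
    $rows = fetchAds($pdo, $page);
    $first = $rows ? $rows[0]['uidno'] : 'none';
    echo "page=", var_export($page, true), " rows=", count($rows),
         " first uidno=$first\n";
}
```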
