Dynamic PHP string as MySQL table name [duplicate] - php

This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
Closed 8 years ago.
I have MySQL tables named q1, q2, q3 and so on.
Now the following code is in a loop, with $n increasing with every step of the loop.
$table = "q".$n;
$query="SELECT MAX(QNO) AS max2 FROM '$table'";
$q=mysqli_query($db,$query) or die("Error: ".mysqli_error($db));
$max2 = mysqli_fetch_array($q);
This gives me an error
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"q1"' at line 1
How can I solve this problem and put a new table name into the query every time?

$query="SELECT MAX(QNO) AS max2 FROM $table"; is enough

Please change
'$table'
into
`$table`
in the query:
"SELECT MAX(QNO) AS max2 FROM '$table'";
so it looks like:
"SELECT MAX(QNO) AS max2 FROM `$table`";

Related

Unable to use dynamic variable as column name in php mysql [duplicate]

This question already has answers here:
Are you allowed to use numbers as table names in MySQL?
(5 answers)
Closed 5 years ago.
I am trying to use a dynamic column name in a PHP MySQL update, but I am getting an error.
Here is the code:
$time=date("H");
$video_view = 234;
$update_query = "UPDATE videos SET ". $time . "= {$video_view} WHERE id={$id}";
Here is the error
UPDATE videos SET 14= 200079 WHERE id=1Query failedYou have an error in
your SQL syntax; check the manual that corresponds to your MariaDB
server version for the right syntax to use near '14= 200079 WHERE id=1' at line 1
First of all you should really use prepared statements and bound parameters.
If your column really got the name '14' like in the variable $time then you can try this
$update_query = "UPDATE videos SET `". $time . "` = {$video_view} WHERE id={$id}";
As far as I know, column names should stand between `` because of reserved names like numbers or function names.
I would avoid it because it will cause those errors, and I don't know if the query makes sense.
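An added example, not part of any of the posts above, covering both the dynamic table name question and the dynamic column name question: identifiers are checked against an allowlist before being backtick-quoted, while values stay as bound placeholders. The helper names (quoteIdentifier, hourColumns, maxQuery, viewUpdateQuery) and the allowlists are hypothetical; the table and column names are taken from the questions.

```php
<?php
// Identifiers cannot be bound as statement parameters, so each one is checked
// against a fixed allowlist and only then backtick-quoted.
// Assumption: the allowlists below; the names come from the two questions.
const ALLOWED_TABLES = ['q1', 'q2', 'q3'];

function hourColumns(): array
{
    // "00".."23", the strings date("H") can return
    return array_map(fn($h) => sprintf('%02d', $h), range(0, 23));
}

function quoteIdentifier(string $name, array $allowed): string
{
    if (!in_array($name, $allowed, true)) {
        throw new InvalidArgumentException("identifier not allowed: $name");
    }
    // Doubling backticks is how MySQL escapes them inside a quoted identifier
    return '`' . str_replace('`', '``', $name) . '`';
}

function maxQuery(int $n): string
{
    return 'SELECT MAX(QNO) AS max2 FROM ' . quoteIdentifier("q$n", ALLOWED_TABLES);
}

function viewUpdateQuery(string $hour): string
{
    // Values stay as ? placeholders for mysqli/PDO to bind
    return 'UPDATE videos SET ' . quoteIdentifier($hour, hourColumns()) . ' = ? WHERE id = ?';
}

echo maxQuery(1), "\n";
echo viewUpdateQuery('14'), "\n";

// Constructed inputs that are not on the allowlist are refused
foreach (['q99', 'q1 x'] as $bad) {
    try {
        quoteIdentifier($bad, ALLOWED_TABLES);
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```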

Mysql error in query: ... near ' ' [duplicate]

This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 7 years ago.
I have an application which takes the information of a MySQL database (a music-db) and shows it via echos in a div. Everything works fine.
Now I wanted to add a search bar so you can search the database for a specific song.
The search bar just loads a PHP file with a MySQL query. The word or the letters you want to search for are passed via a variable in the link (for example test.php?searchvalue=it).
Now my problem: I get the following Mysql-error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
The quotes in the error are single quotes!
The Query is:
$searchvalue = $_GET["searchvalue"];
$query = mysql_query("select SongID, Songtitel, artwork, duration, SCID from tMusic where Songtitel LIKE '%$searchvalue%'") or die(mysql_error());
Why is this wrong?
Thanks for help.
$searchvalue = $_GET["searchvalue"];
$query = mysql_query("select SongID, Songtitel, artwork, duration, SCID from tMusic where Songtitel LIKE '%".mysql_real_escape_string($searchvalue)."%'") or die(mysql_error());
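An added example, not part of the answer above: the same search written as a prepared statement, with LIKE wildcards in the search term escaped so they match literally. It assumes PDO with an in-memory SQLite database and constructed sample rows so it runs without a server; searchSongs is a hypothetical helper, and for MySQL only the DSN passed to PDO changes.

```php
<?php
// Constructed sample data in an in-memory SQLite database (assumption:
// pdo_sqlite is available). The table and column names follow the question.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE tMusic (SongID INTEGER PRIMARY KEY, Songtitel TEXT)');
$insert = $pdo->prepare('INSERT INTO tMusic (Songtitel) VALUES (?)');
foreach (["Let it be", "It's my life", "100% pure", "Hit me"] as $title) {
    $insert->execute([$title]);
}

function searchSongs(PDO $pdo, string $searchvalue): array
{
    // Escape the LIKE metacharacters (and the escape character itself) so the
    // search term is matched literally; strtr replaces in a single pass.
    $literal = strtr($searchvalue, ['!' => '!!', '%' => '!%', '_' => '!_']);

    // The value is bound, never concatenated, so quotes in the input
    // cannot change the statement.
    $stmt = $pdo->prepare(
        "SELECT SongID, Songtitel FROM tMusic WHERE Songtitel LIKE ? ESCAPE '!'"
    );
    $stmt->execute(['%' . $literal . '%']);

    // Return only the titles (column index 1 of the result set)
    return $stmt->fetchAll(PDO::FETCH_COLUMN, 1);
}

print_r(searchSongs($pdo, "it"));    // ordinary search term
print_r(searchSongs($pdo, "It's"));  // a quote in the input is just data
print_r(searchSongs($pdo, "%"));     // matches only titles containing a literal %
```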

MySQL Syntax Error when selecting FROM match [duplicate]

This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
Closed 7 years ago.
I'm getting a syntax error with this block of code, and I have no idea why. Here is the specific error itself:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'match ORDER BY id DESC' at line 1
Here is the PHP code block:
$sql = "SELECT * FROM match ORDER BY id DESC";
$res = mysqli_query($dbCon, $sql);
MATCH is a reserved keyword in mysql: https://dev.mysql.com/doc/refman/5.0/en/keywords.html
To make your code work, change your query to:
$sql = "SELECT * FROM `match` ORDER BY id DESC";

Adding 1 to a field in MySQL [duplicate]

This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
Closed 9 years ago.
I have a MySQL query I'm running. I want to add 1 to a field called articleswritten.
I get this error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''users' SET articleswritten = articleswritten + 1 WHERE id = '1'' at line 1
Code:
$sql = "UPDATE 'users' SET articleswritten = articleswritten + 1 WHERE `id` = '$userid'";
$result = mysql_query($sql) or die(mysql_error());
I can't find an issue. Am I blind?
Any help would be appreciated.
This should either be
UPDATE `users`
Or just
UPDATE users
The single quotes make the table name invalid. Everything else in the query is okay.
However, your query is vulnerable to injection. Instead of using ext/mysql, you should use properly parameterized queries with PDO or mysqli
You don't need to single quote the table name here. This should do
$sql = "UPDATE users SET articleswritten = articleswritten + 1 WHERE id = '$userid'";

Unknown error in my SQL syntax [duplicate]

This question already has an answer here:
Syntax error due to using a reserved word as a table or column name in MySQL
(1 answer)
Closed 8 years ago.
Hopefully someone can help me out. All I am trying to do is insert a record into a database, but I keep getting the message
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'order (pid,uid,projecttitle,username,amount,odate) values (,,'','',,'6-2' at line 1 on my page.
Here is the main part of the code. I would be grateful for anyone that can help me out.
<?
extract($_REQUEST);
//print_r($_REQUEST);
//query fetch user & project info
//$queryorder="select * from project p where p.pid='".$id."'";
$queryorder="select * from users u,project p where p.pid='".$id."' and u.uid='".$_SESSION['key']."'";
$resultorder=executequery($queryorder,$link);
$rowo=mysql_fetch_assoc($resultorder);
//print_r($rowo);
//get today date
$createddate=date("n-j-Y");
//order
$order="insert into order (pid,uid,projecttitle,username,amount,odate)
values (".$rowo['pid'].",".$rowo['uid'].",'".$rowo['projectname']."','".$rowo['username']."',".$rowo['price'].",'".$createddate."')";
mysql_query($order) or die(mysql_error());
//end of insert order query
?>
<? //headtag.php contains all javascript & css files
include('headtag.php');
?>
<body>
ORDER is a mysql keyword. Try this:
INSERT INTO `order` ...
order is a keyword. You need to escape it with backticks.
insert into `order` (pid,uid,projecttitle,username,amount,odate)...
You must supply a value for each column.
(,,'','',,'6-2'
You obviously have no values for pid, uid and amount.
Try this: (you are supplying empty values to that query)
$order="insert into order (pid,uid,projecttitle,username,amount,odate)
values (".(int)$rowo['pid'].",". (int)$rowo['uid'].",'".$rowo['projectname']."','".$rowo['username']."',". (float)$rowo['price'].",'".$createddate."')";
mysql_query($order) or die(mysql_error());
The second thing that will cause mysql syntax error is the table name - order is a reserved keyword in mysql, so you need to quote it. The beginning of the query will then be:
INSERT INTO `order` (...
