This question already has answers here: When to use single quotes, double quotes, and backticks in MySQL (13 answers). Closed 8 years ago.
Ignoring the fact that concatenating user input into SQL strings is possibly the worst thing you can do in terms of avoiding SQL injection (this is not for a production site), what is wrong with the following SQL?
"SELECT '_id', 'email', 'password', 'salt', 'banned', 'ban_reason' FROM 'tbl_users' WHERE 'email'='" . $email . "' LIMIT 1";
I'm getting the error message:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'_id\', \'email\', \'password\', \'salt\', \'banned\', \'ban_reason\' FROM \'tb' at line 1
I'm using mysqli_real_escape_string() on it right before running the query, hence the backslashes.
I also tried enclosing everything in backticks, but the error changed then to unknown column.
Exactly where it says: near '\'_id\'.
You use `backticks` to surround column and table names, not 'single quotes'.
You should be escaping the variables you're inserting, not your query, and using backticks around field names:
// $link is the mysqli connection (name assumed); the procedural escape function needs it as its first argument
$sql = "SELECT `_id`, `email`, `password`, `salt`, `banned`, `ban_reason` FROM `tbl_users` WHERE `email`='" . mysqli_real_escape_string($link, $email) . "' LIMIT 1";
"SELECT `_id`, `email`, `password`, `salt`, `banned`, `ban_reason` FROM tbl_users WHERE `email`='" . $email . "' LIMIT 1"
You should use ` instead of ' when selecting fields.
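As an added example (not code from the question or from any of the answers above), here is the same lookup written as a mysqli prepared statement: the identifiers stay in backticks, the e-mail value travels through a `?` placeholder instead of being spliced into the SQL text, and mysqli_report() turns a syntax error into an exception rather than a silent false. The connection details and the findUserByEmail name are assumptions.

```php
<?php
// Added example, not from the original question or answers.
// Assumed connection details; replace with your own.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // SQL errors throw instead of failing silently

$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');

/**
 * Look up one user row by e-mail address. Column and table names are
 * identifiers, so they go in backticks; the e-mail is a value, so it is
 * bound to a placeholder and never needs quotes or escaping in the SQL.
 */
function findUserByEmail(mysqli $db, string $email): ?array
{
    $sql = "SELECT `_id`, `email`, `password`, `salt`, `banned`, `ban_reason`
            FROM `tbl_users`
            WHERE `email` = ?
            LIMIT 1";

    $stmt = $db->prepare($sql);      // the server parses the query here, before any value is seen
    $stmt->bind_param('s', $email);  // 's' = bind as a string
    $stmt->execute();

    $row = $stmt->get_result()->fetch_assoc(); // get_result() needs the mysqlnd driver
    $stmt->close();

    return $row ?: null;
}

// Constructed input with an apostrophe in it: with a bound parameter it is
// compared as a plain string and cannot terminate the literal.
$user = findUserByEmail($db, "o'brien@example.com");
var_dump($user);
```

Because the statement is prepared before the value is bound, the server sees exactly one query shape; the backtick-vs-quote question only remains for the identifiers, which is where backticks belong.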
This question already has answers here: When to use single quotes, double quotes, and backticks in MySQL (13 answers). Closed 6 years ago.
I am trying to make a simple shoutbox for a school project.
Everything seems to be working fine, except when I try to send a message. My SQL query is simple, but it seems not to be working for some reason.
<?php
session_start();
require_once("includes/connect.db.php");
$sql = "SELECT * FROM shoutbox";
$result = mysql_query($sql);
echo '<table border=1>';
while($rows = mysql_fetch_assoc($result)){
$sb_username = $rows['username'];
$sb_message = $rows['message'];
$sb_sent_time = $rows['sent_time'];
echo '<tr><td>' . $sb_username . ': </td><td>' . $sb_message;
}
echo '</table>';
?>
<form method=post action=shoutbox.php>
<input type=text name="message">
<input type=submit value="Send!">
</form>
<?php
if(isset($_POST['message'])){
$date = time();
$message = mysql_real_escape_string(htmlentities($_POST['message']));
$username = $_SESSION['user_name'];
$sql = "INSERT INTO shoutbox ('username', 'message', 'time_sent') VALUES ('$username', '$message', '$date')";
mysql_query($sql) or die(mysql_error());
}
?>
Produces the following error:
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''username', 'message', 'time_sent') VALUES ('c4sper', 'hello', '1461107151')' at line 1
Replace the following line in your code with this new one:
$sql = "INSERT INTO shoutbox (`username`, `message`, `time_sent`) VALUES ('$username', '$message', '$date')";
Note: use backticks (`) instead of single quotes (') around your table's column (field) names in your INSERT query.
For detailed guidance, take a look at:
When to use single quotes, double quotes, and backticks in MySQL
You are using single quotes (') around the field names - it should be the ` (backtick) symbol instead.
I came across an error I have never seen before after writing the following code:
$query= "UPDATE `Pharm_Log` SET `text` = ". $bloodtest . " WHERE `id` = " . $patientid;
$result = mysql_query($query) or die(mysql_error());
My error message was this:
"You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use
near 'Pressure Test: 235/43 WHERE id = 1' at line 1"
Anyone have any idea how to fix this? It would be greatly appreciated.
The string literal (the value of $bloodtest) must be wrapped in single quotes:
$query= "UPDATE `Pharm_Log` SET `text` = '". $bloodtest . "' WHERE `id` = " . $patientid;
$result = mysql_query($query) or die(mysql_error());
As a side note, the query is vulnerable to SQL injection if the value(s) of the variables come from outside. Please take a look at the article below to learn how to prevent it. By using prepared statements you can get rid of using single quotes around values.
How to prevent SQL injection in PHP?
This question already has answers here. Closed 10 years ago. Possible duplicate: How do I handle single quotes inside a SQL query in PHP?
Greetings,
I have a small script which is used for applications and saves question answers into the database. The script is given below:
while(list($QKey,$QVal) = each($AppQuestions)) {
$result2= mysql_query("
INSERT INTO forum_app_answers (AID, AppID, Question, Answer)".
" VALUES (NULL, '$AppID', '$Questions[$QKey]', '$QVal')"
) or die(mysql_error());
}
Now the problem is that if someone writes a ' character in the answer, the data doesn't get saved. For simple writing it's okay; the problem is only if the answer contains ' in it. Any help will be highly appreciated, thanks.
The following error occurs:
You Have An Error In Your SQL Syntax; Check The Manual That Corresponds To Your MySQL Server Version For The Right Syntax To Use Near 's GF. Channel Services')' At Line 1
Use prepared statements. Look up PDO and use prepared statements.
mysql_ is deprecated.
After connecting with $dbh = new PDO(), prepare the statement once and hand the values to execute():
$sql = 'INSERT INTO forum_app_answers (AID, AppID, Question, Answer) VALUES (NULL, ?, ?, ?)';
$stmt = $dbh->prepare($sql);
$stmt->execute([$AppID, $Questions[$QKey], $QVal]); // values are bound, never spliced into the SQL text
do the following:
$QVal = $mysqli->real_escape_string($QVal);
$query = "INSERT INTO forum_app_answers (AID, AppID, Question, Answer)
VALUES (NULL, '$AppID', '$Questions[$QKey]', '$QVal')";
// $mysqli is previously defined
$mysqli->query($query);
if ($mysqli->errno !=0){
printf("you have an error in your query %s", $mysqli->error);
}
You may try:
while(list($QKey,$QVal) = each($AppQuestions)) {
$result2= mysql_query("
INSERT INTO forum_app_answers
(AID, AppID, Question, Answer)". "
VALUES (
NULL,
'$AppID',
'$Questions[$QKey]',
'". mysql_real_escape_string($QVal). "')
") or die(mysql_error());
}
Without mysql_real_escape_string() your script also has huge security issues.
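The two preceding questions (the Pharm_Log UPDATE whose value lacked quotes, and the forum_app_answers INSERT that breaks on an apostrophe) have the same cure, which the answers above name but do not show in full. The following is an added example, not code from the questions or answers: PDO prepared statements with server-side prepares, so the values never enter the SQL text and an apostrophe in an answer is stored as-is. The DSN, credentials, function names and sample data are assumptions constructed for the example; the table and column names are the ones from the questions.

```php
<?php
// Added example, not from the original questions or answers.
// Assumed connection details; replace with your own.
$dsn = 'mysql:host=localhost;dbname=app_db;charset=utf8mb4';
$pdo = new PDO($dsn, 'app_user', 'app_password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // a syntax error throws instead of returning false
    PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepare: values never touch the SQL text
]);

/**
 * The third question's UPDATE. The text is a value, so it is a placeholder;
 * no quotes are needed around it in the SQL and none can be forgotten.
 */
function setPharmLogText(PDO $pdo, int $patientId, string $text): int
{
    $stmt = $pdo->prepare('UPDATE `Pharm_Log` SET `text` = :text WHERE `id` = :id');
    $stmt->execute([':text' => $text, ':id' => $patientId]);
    return $stmt->rowCount();
}

/**
 * The fourth question's INSERT loop: prepared once, executed once per answer.
 * An apostrophe inside an answer is just a character of the bound value.
 */
function saveAnswers(PDO $pdo, int $appId, array $questions, array $answers): int
{
    $sql = 'INSERT INTO `forum_app_answers` (`AID`, `AppID`, `Question`, `Answer`)
            VALUES (NULL, :app_id, :question, :answer)';
    $stmt = $pdo->prepare($sql);

    $inserted = 0;
    foreach ($answers as $key => $answer) {
        $stmt->execute([
            ':app_id'   => $appId,
            ':question' => $questions[$key],
            ':answer'   => $answer,
        ]);
        $inserted += $stmt->rowCount();
    }
    return $inserted;
}

// Constructed sample data; the blood-test value is the one from the question,
// the answer contains the apostrophe that made the original script fail.
echo setPharmLogText($pdo, 1, 'Pressure Test: 235/43'), " row updated\n";

$questions = [0 => 'Previous guild', 1 => 'Why do you want to join?'];
$answers   = [0 => "Dan's GF. Channel Services", 1 => 'It looked fun'];
echo saveAnswers($pdo, 42, $questions, $answers), " rows inserted\n";
```

With emulated prepares switched off, the quoting of values is no longer the application's job at all: the driver sends the query text and the parameters separately, which is why the mysql_real_escape_string() calls in the older answers become unnecessary.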
This question already has an answer here: Syntax error due to using a reserved word as a table or column name in MySQL (1 answer). Closed 8 years ago.
A MySQL query that I am running is throwing up the following error:
You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use
near 'desc = 'Enter Description Here'' at line 2
The desc is a variable '$desc'. The error suggests that there is an extra ' before desc, but there is nothing in the code (below). If I remove desc altogether it works fine (obviously not updating that part). It's very strange; your help is greatly appreciated :-)
The code is:
//Get the form data
$title = $_POST['title'];
$keywords = $_POST['keywords'];
$desc = $_POST['desc'];
//initialise connection with database
require_once('../Connections/EliteGrooming.php');
mysql_select_db($database_EliteGrooming, $EliteGrooming);
//Execute the query
// mysql_real_escape_string() takes one string and returns the escaped copy; the result must be assigned back
$title = mysql_real_escape_string($title);
$keywords = mysql_real_escape_string($keywords);
$desc = mysql_real_escape_string($desc);
$query = "
UPDATE site_settings
SET site_title = '$title', keywords = '$keywords', desc = '$desc';";
mysql_query($query) or die(mysql_error());
mysql_close();
header('Location: ../admin/site-settings.php?updated');
desc is a reserved keyword; you must escape it with backticks:
$query = "
UPDATE site_settings
SET site_title = '$title', keywords = '$keywords', `desc` = '$desc';";
But your query is vulnerable to SQL injection; please read the article below:
How can I prevent SQL injection in PHP?
You need to escape reserved words in MySQL like desc with backticks:
$query = "
UPDATE site_settings
SET site_title = '$title', keywords = '$keywords', `desc` = '$desc';";
My code is below:
$count++;
$yesstring = 'MATCH';
echo $count . '. RESULT ' . $idcheck . ': ' . $phonecheck . ' was matched. <br />';
$matchquery = sprintf("UPDATE `list` SET match = `%s` WHERE homephone = `%s` LIMIT 1",
mysql_real_escape_string($yesstring),
mysql_real_escape_string($phonecheck));
$matchresult = mysql_query($matchquery);
if (!$matchresult) {
die("Invalid query: " . mysql_error());
}
And this is my error:
Invalid query: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'match = MATCH WHERE homephone = (999) 999-9999 LIMIT 1' at line 1
Any help would be appreciated.
match is a reserved word in MySQL. Escape it with backticks:
UPDATE `list` SET `match` = ...
You're using backticks when you should be using regular quotes. Backticks are reserved for escaping table or column names:
INSERT INTO `foo` VALUES ('value')
Although you're properly escaping your SQL, calling mysql_real_escape_string can prove to be a constant nuisance. Switching to mysqli or PDO would make writing correct SQL a lot easier in the long-run.
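The last two questions both hit a reserved word (desc, match) used as a column name, and the answers correctly say to backtick it. What prepared statements cannot do is bind an identifier: a `?` placeholder only ever stands for a value, so when a column name is chosen at run time it has to be checked against a list of known names and then quoted with backticks. The following is an added example, not code from the questions or answers; it runs with plain php and needs no database. The quoteIdentifier, quoteColumn and buildSiteSettingsUpdate names and the allowlists are assumptions; the table and column names are the ones from the two questions.

```php
<?php
// Added example, not from the original questions or answers.

/** Wrap an identifier in backticks, doubling any backtick inside it (MySQL's escape rule for identifiers). */
function quoteIdentifier(string $name): string
{
    return '`' . str_replace('`', '``', $name) . '`';
}

/**
 * Accept only column names from an allowlist (assumed here), then quote them.
 * Reserved words such as desc or match become ordinary quoted identifiers.
 */
function quoteColumn(string $name, array $allowed): string
{
    if (!in_array($name, $allowed, true)) {
        throw new InvalidArgumentException("Unknown column: $name");
    }
    return quoteIdentifier($name);
}

/**
 * Build the site_settings UPDATE from the fifth question. Column names are
 * validated and backticked; every value becomes a named placeholder, so the
 * returned SQL can be handed straight to PDO::prepare() with the parameter array.
 */
function buildSiteSettingsUpdate(array $fields): array
{
    $allowed     = ['site_title', 'keywords', 'desc'];
    $assignments = [];
    $params      = [];
    foreach ($fields as $column => $value) {
        $assignments[]          = quoteColumn($column, $allowed) . ' = :' . $column;
        $params[':' . $column]  = $value;
    }
    $sql = 'UPDATE `site_settings` SET ' . implode(', ', $assignments);
    return [$sql, $params];
}

// Constructed form data for the fifth question's page.
[$sql, $params] = buildSiteSettingsUpdate([
    'site_title' => 'Elite Grooming',
    'keywords'   => 'dogs, grooming',
    'desc'       => 'Enter Description Here',
]);
echo $sql, "\n";
print_r($params);
// Execution would be: $pdo->prepare($sql)->execute($params);

// The sixth question's UPDATE: `match` and `homephone` are identifiers, so they are
// quoted here; the two values stay as positional placeholders.
$allowedListColumns = ['match', 'homephone'];
$matchSql = sprintf(
    'UPDATE `list` SET %s = ? WHERE %s = ? LIMIT 1',
    quoteColumn('match', $allowedListColumns),
    quoteColumn('homephone', $allowedListColumns)
);
echo $matchSql, "\n";
// Execution would be: $pdo->prepare($matchSql)->execute([$yesstring, $phonecheck]);

// A column name that is not on the allowlist is rejected before any SQL is built.
try {
    quoteColumn('descr', ['site_title', 'keywords', 'desc']);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

The allowlist is the important part: backticks make a reserved word parse, but they do not make an arbitrary string a safe identifier, so names that originate outside the code are compared against the schema you expect before they are quoted.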