In the following code $keyresult and $valueresult are comma-separated lists of the columns in my db and the values I want to put into them in the identified row. The problem is, the code isn't doing what I hoped it would and is returning a syntax error in the query.
$q3 = "UPDATE post SET ($keyresult) VALUES ('$valueresult') WHERE user_id='$user_id' AND post_id='$post_id' AND post_status='active'";
How can I fix the syntax of this?
You are mixing INSERT and UPDATE syntax.
$q3 = "UPDATE `post` SET `$keyresult` = '$valueresult'
WHERE user_id='$user_id' AND post_id='$post_id' AND post_status='active'";
I am assuming you are properly escaping $valueresult, $user_id, and $post_id before you are executing your query. If not, and these are user-supplied values, you are wide open to SQL injections. I recommend looking into prepared statements to eliminate this risk.
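An added example, not the answer's own code, of the corrected UPDATE built from the question's comma-separated $keyresult / $valueresult lists with mysqli prepared statements. It assumes an open mysqli connection in $mysqli, the question's $user_id and $post_id, and a hypothetical whitelist of editable column names, since column names cannot be bound as parameters and must be validated separately.

```php
<?php
// Added example (not from the answer above). Assumes $mysqli is an open
// mysqli connection and $keyresult, $valueresult, $user_id, $post_id exist
// as described in the question. Requires PHP 7.4+ (arrow functions).

// Column names cannot be bound as parameters, so every requested column is
// checked against a whitelist (assumed names) before it reaches the SQL.
$allowed = ['title', 'body', 'tags'];
$columns = array_map('trim', explode(',', $keyresult));
$values  = explode(',', $valueresult);   // naive split: values must not contain commas

if (count($columns) !== count($values)) {
    throw new InvalidArgumentException('column/value count mismatch');
}
foreach ($columns as $col) {
    if (!in_array($col, $allowed, true)) {
        throw new InvalidArgumentException("column not updatable: $col");
    }
}

// Build "SET `a` = ?, `b` = ?" from whitelisted names only; the values
// themselves are placeholders, so quotes in them cannot alter the query.
$setClause = implode(', ', array_map(fn($c) => "`$c` = ?", $columns));
$sql = "UPDATE `post` SET $setClause
        WHERE user_id = ? AND post_id = ? AND post_status = 'active'";

$stmt = $mysqli->prepare($sql);
if ($stmt === false) {
    // A genuine syntax error is reported here with the server's message.
    throw new RuntimeException('prepare failed: ' . $mysqli->error);
}

// Bind the column values first, then the row identifiers, all as strings.
$params = array_merge($values, [$user_id, $post_id]);
$stmt->bind_param(str_repeat('s', count($params)), ...$params);
if (!$stmt->execute()) {
    throw new RuntimeException('execute failed: ' . $stmt->error);
}
echo $stmt->affected_rows, " row(s) updated\n";
$stmt->close();
```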
I am having trouble with my query because INSERT INTO ... VALUES with a SELECT is not working. Is this the proper way of using it? Thank you!
This is my query line
$sql = "INSERT INTO `stud_class` (`stud_fullname`, `stud_uid`,`stud_code`, `stud_subject`, `stud_cname`,`stat`) VALUES ('$stud_full','$stud_uid',(SELECT subject_code,subsubject,class_Name FROM subject WHERE subject_code = '$subcode'),1)";
A subquery that's used as an expression is only allowed to return one value, not multiple columns.
You need to use the SELECT query as the source of all the values, not as an expression inside the VALUES list.
$sql = "INSERT INTO `stud_class` (`stud_fullname`, `stud_uid`,`stud_code`, `stud_subject`, `stud_cname`,`stat`)
SELECT '$stud_full','$stud_uid', subject_code,subsubject,class_Name, 1
FROM subject WHERE subject_code = '$subcode'";
You should also use a prepared statement rather than substituting variables into the SQL string. See How can I prevent SQL injection in PHP?
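The same INSERT ... SELECT as a mysqli prepared statement, added here as an example rather than taken from the answer. It assumes an open mysqli connection in $mysqli and the question's $stud_full, $stud_uid and $subcode variables.

```php
<?php
// Added example (not the answer's code). Assumes $mysqli is an open mysqli
// connection and $stud_full, $stud_uid, $subcode come from the question.
$sql = "INSERT INTO `stud_class`
            (`stud_fullname`, `stud_uid`, `stud_code`, `stud_subject`, `stud_cname`, `stat`)
        SELECT ?, ?, subject_code, subsubject, class_Name, 1
        FROM subject
        WHERE subject_code = ?";

$stmt = $mysqli->prepare($sql);
if ($stmt === false) {
    // A syntax error surfaces here with the server's full message.
    throw new RuntimeException('prepare failed: ' . $mysqli->error);
}

// The two literal values and the lookup key are bound as parameters, so a
// quote inside $stud_full cannot terminate the string or change the query.
$stmt->bind_param('sss', $stud_full, $stud_uid, $subcode);
if (!$stmt->execute()) {
    throw new RuntimeException('execute failed: ' . $stmt->error);
}

// With INSERT ... SELECT, zero affected rows is not a SQL error: it means
// the SELECT matched no subject, which is worth reporting on its own.
if ($stmt->affected_rows === 0) {
    echo "no subject with code $subcode; nothing inserted\n";
} else {
    echo $stmt->affected_rows, " row(s) inserted\n";
}
$stmt->close();
```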
Following this syntax:
Here is the generic SQL syntax of the UPDATE command to modify data in a MySQL table:
UPDATE table_name SET field1 = new-value1, field2 = new-value2 [WHERE Clause]
from https://www.tutorialspoint.com/mysqli/mysqli_update_query.htm
I made this:
$query = mysqli_query($MYSQL_CONNECT, "UPDATE forum_topics SET player_userid = ".$player_userid.", titulo = ".$titulo.", msg = ".$msg.", data = ".$data." WHERE UserID=".$inTopic."");
mysqli_query($MYSQL_CONNECT,$query);
But on line:
mysqli_query($MYSQL_CONNECT,$query);
Is showing:
mysqli_query(): Empty query in /var/www/html/ucp/php_func/edit_topic.php on line 30
The main problem is that you're trying to execute your query twice. And the second attempt is invalid because, where it expects a string query, you're either passing it a result object or a boolean (if the first query failed).
Just execute your query once:
$query = mysqli_query($MYSQL_CONNECT, "...");
Then the value in $query will be the result.
Additionally, you have the problem that your code is open to SQL injection and you're not checking for errors. If mysqli_query() returns false you'd need to examine what went wrong by using mysqli_error($MYSQL_CONNECT), which returns the error as a string.
For the SQL injection problem, what you should be doing is treating values as values (query parameters) instead of as executable code (by concatenating them directly into the query). This is a great place to learn more about that. Note that SQL injection is not just a security concern but is also a very common source of errors and bugs. Since you're currently having exactly that problem, it's worth correcting.
You should wrap your variables in single quotes; try:
$query = mysqli_query($MYSQL_CONNECT, "UPDATE forum_topics SET player_userid = '".$player_userid."', titulo = '".$titulo."', msg = '".$msg."', data = '".$data."' WHERE UserID='".$inTopic."'");
I fetch some values from a database and display them on some textfields. When I change one specific value and try to store it back to the database, it's done properly. But when I try to do the same with any other value from any other textfield, I get the error "syntax error at or near where". Any thoughts?
'UPDATE table1 SET "intcolumn"='. $value .', "stringcolumn"=\''. $value2.'\''.' WHERE "column2"='.$value3);
The update on intcolumn is done properly. On stringcolumn I get the error, even if I update only stringcolumn.
Changing your apostrophes to quotes and putting your values inside delimiters will help readability.
This should make debugging easier, and mistakes easier to spot, rather than having to escape characters etc.
pg_query($db, "UPDATE table1 SET intcolumn={$value}, stringcolumn='{$value2}' WHERE column2={$value3}");
A better approach would be to use pg_query_params and let Postgres worry about escaping characters, which will also stop injection attacks.
$params = array($value, $value2, $value3);
pg_query_params($db, "UPDATE table1 SET intcolumn=$1, stringcolumn=$2 WHERE column2=$3", $params);
I'm having problems with an INSERT statement, and the error only says:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
It's not helpful at all.
The version I have tried so far and failed is:
mysql_query("INSET INTO `cos` VALUES ('".$_GET['prod']."','".$_GET['page']."')");
[needless to say that the two variables when printed show the right values]
I've also tried versions with nothing around the table name, with ` or ', a million combinations really and nothing works. Not even with constants or into different tables. It just won't insert anything ever. I've checked the privileges (I'm logging into it with root), and it's all on.
I've tried similar stuff on two different machines with the same server (XAMPP 1.7.7) and it works. I'm completely baffled! What can it be?
Thank you for your time!
First and foremost, just type INSERT correctly.
Using _GET like that really opens you up to SQL INJECTIONS...
Do take a look into MySQL prepared statements.
It is also considered good practice to name the columns that you're inserting data into. That allows you to, later on, insert extra columns and keep the application logic.
INSERT INTO cos(rowName1, rowName2) VALUES(?, ?)
Where ? would be prepared statements.
Correct:
mysql_query("INSERT INTO `cos` VALUES ('".$_GET['prod']."','".$_GET['page']."')");
Have you tried passing the $link to mysql_query ?
Like:
mysql_query("INSERT INTO `cos` VALUES ('".$_GET['prod']."','".$_GET['page']."')", $link);
EDIT:
And of course you must take some security measures before inserting anything into the database, maybe mysql_real_escape_string() or even prepared statements.
You are doing it wrong. Why aren't you escaping the values?
The php.net documentation provides some good and safe working examples:
$query = sprintf("SELECT firstname, lastname, address, age FROM friends
WHERE firstname='%s' AND lastname='%s'",
mysql_real_escape_string($firstname),
mysql_real_escape_string($lastname));
// Perform Query
$result = mysql_query($query);
So adapted to your code:
$query = sprintf("INSERT INTO `cos` VALUES ('%s', '%s');",
mysql_real_escape_string($_GET['prod']),
mysql_real_escape_string($_GET['page']));
$result = mysql_query($query);
Please, always escape your values. And use INSERT, not INSET :)
First thing: you are using INSET; correct it to INSERT, like:
$pro = mysql_real_escape_string($_GET['prod']);
$page = mysql_real_escape_string($_GET['page']);
mysql_query("INSERT INTO `cos` (column1, column2)
VALUES ('$pro', '$page')" );
You forgot to set the column names...
Try this:
$prod = $_GET['prod'];
$page = $_GET['page'];
mysql_query("INSERT INTO `cos` VALUES('$prod','$page')");
This should very well do it :)
I'm running the following line :
mysql_query("INSERT INTO tags
SET tag = '".$onesearch."',
SET date = '".date('d-m-Y')."'") or die(mysql_error());
...and it's dying, saying this:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'SET date = '29-08-2010'' at line 1
I can't figure out what's wrong.
Remove the second SET from your insert query. It should be like:
mysql_query("INSERT INTO tags
SET tag = '".$onesearch."',
date = '".date('d-m-Y')."'") or die(mysql_error());
Invalid syntax, you should only use one SET:
mysql_query("INSERT INTO tags
SET tag = '".$onesearch."',
date = '".date('d-m-Y')."'") or die(mysql_error());
And that is valid INSERT syntax, just an FYI (in response to one of the other answers).
Are you able to output the query that is actually being run? It could be that the tag contains a single quote, which escapes the closing quote & causes problems... Which is why you'd want to use:
mysql_query("INSERT INTO tags
SET tag = '". mysql_real_escape_string($onesearch) ."',
date = '".date('d-m-Y')."'") or die(mysql_error());
Which is it you're trying to do here?
You start with INSERT syntax, but after the table reference convert to using UPDATE syntax.
INSERT
mysql_query("INSERT INTO tags
(tag, date)
VALUES
('".$onesearch."', '".date('d-m-Y')."')") or die(mysql_error());
UPDATE
mysql_query("UPDATE tags
SET tag = '".$onesearch."',
date = '".date('d-m-Y')."'") or die(mysql_error());
...but that will set every record in the table to those two values. You'd want a WHERE clause on that...
I think your question was already answered by the others, but you should take care of that $onesearch variable. If it's not properly sanitized, a quote in it could break your code as well. If you are not doing it already, you should consider using mysql_real_escape_string() to protect you from errors and SQL injection.