I am trying to update an SQL table with PHP.
I have a form that is submitted to the database - this is working fine.
I have retrieved the entries from the database and this is also working fine.
The problem I am having is when I try to update the database with additional information into the comment field (a 'cell' that already has information in).
Here is my SQL code. Can you please point me where the problem is?
The error I am getting is:
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '= 36tWHERE id = 0' at line 1
My code is below :
$commy = $_POST['comment'];
$ident = $_POST['id'];
$sql = "UPDATE issuelog".
"SET comment = $commy".
"WHERE id = $ident";
I know there are security issues here, but this is only for localhost use at the moment and only by myself as an example.
You don't need to concatenate and you should put quotes around values.
$sql = "UPDATE issuelog
SET comment = '$commy'
WHERE id = '$ident';";
Update: As others pointed out you need spaces, but this is the reason you don't need to concatenate. By closing each line and concatenating, you are removing spaces between them. Be sure you use prepared statements, because as you said, this is subject to injections.
$sql = "UPDATE issuelog".
" SET comment = $commy".
" WHERE id = $ident";
You need spaces - try echoing out your $sql - you will see SET and WHERE are merged with the previous words.
I'm almost sorry to ask this question but I'm drawing a complete blank. I'm getting the following error:
"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE number='7'' at line 1"
It seems whenever I try to use just an integer in the following code, I get the syntax error;
$go = mysql_query("UPDATE $db1 SET count='$t1c', WHERE number='$input2'") or die(mysql_error());
As you can see the page gets the value, that's not the issue; it just doesn't seem to like the WHERE = 7 part. I've tried with and without the quote marks, I've tried changing that column in the table from an int to a varchar. I still get the same thing, yet the code BEFORE this piece that runs:
$check1 = mysql_query("SELECT * FROM $db1 WHERE number='$input2'");
runs absolutely fine. It finds the value where number equals $input2...
Can someone help me PLEASE? I'm drawing a complete blank here :/
Remove the , in the query:
mysql_query("UPDATE $db1 SET count='$t1c' WHERE number='$input2'");
Remove the comma (,) placed before WHERE in the UPDATE query
$go = mysql_query("UPDATE $db1 SET count='$t1c' WHERE number='$input2'") or die(mysql_error());
Change
"UPDATE $db1 SET count='$t1c', WHERE number='$input2'"
to
"UPDATE $db1 SET count='$t1c' WHERE number='$input2'"
The comma shouldn't be there (before WHERE) and is causing an error.
number is a reserved word in MySQL SQL.
It is better not to name columns with those words, or you need to backtick them in the query.
example:
`number`=3
mysql reserved words
I am currently attempting to create a dashboard for a personal trainer where they can update client records. I have a mySQL database and I am using PHP as the scripting language.
What I want to do: Be able to update client information via HTML input boxes. (Which I have already created). The first being username - which should correspond to a username in the mySQL database. Then the information in the next three input boxes should be inserted into the correct fields in the database.
The Problem: I currently cannot get the SQL statement to work correctly as the Client username is not recognized. This is the error message I am currently receiving:
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ') WHERE Client_username = JSmith' at line 1
JSmith is a valid username in the database.
Below is the PHP I am attempting to use:
//insert
$value1 = $_POST['height1'];
$value2 = $_POST['weight1'];
$value3 = $_POST['bodyfat1'];
$value4 = $_POST['username'];
$sql = "UPDATE client SET Height='$value1', Weight='$value2', Body_fat='$value3') WHERE Client_username = $value4";
if (!mysqli_query($con,$sql))
{
die('Error: ' . mysqli_error($con));
}
mysqli_close($con);
?>
My connection etc. is working just fine.
If anyone could help me out that would be great!
Here's the deal.
The first error is coming from the bracket just before your where clause:
$sql = "UPDATE client SET Height='$value1', Weight='$value2', Body_fat='$value3') WHERE...
^ there
Remove it.
MySQL was telling you:
...right syntax to use near ') WHERE
^
Then, the "username" which is a string, needs to be treated as such, therefore wrapping the $value4 variable in your where clause with quotes.
WHERE Client_username = '$value4'
However, I need to point out that your present code is open to SQL injection. Use mysqli with prepared statements, or PDO with prepared statements, they're much safer.
An insight:
Make sure that your form contains name attributes to go with your POSTs, and contain no typos, and that letter-case matches.
Add error reporting to the top of your file(s) which will help find errors.
<?php
error_reporting(E_ALL);
ini_set('display_errors', 1);
// rest of your code
Sidenote: Error reporting should only be done in staging, and never production.
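The client UPDATE from the question above, rewritten with a mysqli prepared statement as the two answers recommend. This is an added example, not code from any answer; it reuses $con and the table and column names from the question, and assumes the three measurement columns are numeric and that the connection credentials shown are placeholders.

```php
<?php
// Added example: the question's UPDATE with values bound as parameters.
// $con, table "client" and its columns are from the question; credentials are assumed.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // SQL errors become exceptions

function updateClient(mysqli $con, string $username, float $height, float $weight, float $bodyFat): int
{
    // The SQL text contains no user data, so a quote or a stray ")" in the
    // input can neither break the syntax nor change what the query does.
    $sql = 'UPDATE client SET Height = ?, Weight = ?, Body_fat = ? WHERE Client_username = ?';
    $stmt = $con->prepare($sql);
    // "ddds": three doubles and one string; no manual quoting of $username needed
    $stmt->bind_param('ddds', $height, $weight, $bodyFat, $username);
    $stmt->execute();
    $affected = $stmt->affected_rows; // 0 means no row matched the username
    $stmt->close();
    return $affected;
}

// Reject non-numeric form input instead of letting it reach the database as 0.
function readFloat(array $post, string $key): float
{
    $v = filter_var($post[$key] ?? null, FILTER_VALIDATE_FLOAT);
    if ($v === false) {
        throw new InvalidArgumentException("$key must be numeric");
    }
    return $v;
}

$con = new mysqli('localhost', 'dbuser', 'dbpass', 'dbname'); // assumed credentials
$rows = updateClient(
    $con,
    (string)($_POST['username'] ?? ''),
    readFloat($_POST, 'height1'),
    readFloat($_POST, 'weight1'),
    readFloat($_POST, 'bodyfat1')
);
echo $rows === 0 ? "No client matched that username\n" : "Record updated\n";
$con->close();
```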
I've been learning PHP for 3 weeks now and I find myself with a simple error that does not make sense:
I can't see what is wrong with this code.
Could someone please point me to why this is happening.
It's a simple insert and set SQL query, which is like this:
code:
$insertresults = "UPDATE usage SET message='".$message."',islive='".$islive."' WHERE id=1";
$insertresults_doit = mysql_query($insertresults) OR die(mysql_error());
The error I am getting is this:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'usage SET message='hello',islive='0' WHERE id=1' at line 1
As you can see, the variables are correct and, as far as I can see, the SQL string is correct also.
Thanks
Your table name, usage, is actually a reserved word in MySQL. You'll have to quote it with backticks:
UPDATE `usage` SET ...
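Placeholders in a prepared statement can only stand for values, so a table name that comes from a variable (the $db1 in the earlier question) or that collides with a reserved word (usage here, number earlier) still has to be handled in the SQL text: checked against a fixed list of known tables, then wrapped in backticks. The following is an added example, not code from any answer; the allowlist contents and $pdo connection details are assumed, while the table and column names come from the questions on this page.

```php
<?php
// Added example: PDO UPDATE on a reserved-word table with a checked identifier.
// Table/column names are from the questions; the allowlist and credentials are assumed.
const KNOWN_TABLES = ['usage', 'tags', 'issuelog'];   // constructed allowlist

function quoteIdent(string $name): string
{
    if (!in_array($name, KNOWN_TABLES, true)) {
        throw new InvalidArgumentException("unknown table: $name");
    }
    // Backticks make a reserved word legal as an identifier; doubling any
    // embedded backtick keeps the name from closing the quote early.
    return '`' . str_replace('`', '``', $name) . '`';
}

function updateMessage(PDO $pdo, string $table, string $message, int $islive, int $id): int
{
    $sql = 'UPDATE ' . quoteIdent($table)
         . ' SET `message` = :message, `islive` = :islive WHERE `id` = :id';
    $stmt = $pdo->prepare($sql);
    // Each value travels as a parameter, so a quote in $message is data, not syntax.
    $stmt->bindValue(':message', $message, PDO::PARAM_STR);
    $stmt->bindValue(':islive', $islive, PDO::PARAM_INT);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount(); // rows changed by the UPDATE
}

$pdo = new PDO('mysql:host=localhost;dbname=dbname;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,   // surface SQL errors as exceptions
    PDO::ATTR_EMULATE_PREPARES => false,           // let the server do the binding
]);
echo updateMessage($pdo, 'usage', "it's live", 1, 1) . " row(s) updated\n";
```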
$insertresults = "UPDATE usage SET message=$message,islive=$islive WHERE id=1";
$insertresults_doit = mysql_query($insertresults) OR die(mysql_error());
You don't need to wrap the variables the way you did, give this a try :) Taking a look at that error shows you the extra ' surrounding the column names - you don't want that.
Try removing the quotes from $islive
Check whether you have a single quote in the variable values. It is always better to escape it before using it in the SQL statement
$message=addslashes($message);
$islive=addslashes($islive);
$insertresults = "UPDATE usage SET message='".$message."',islive='".$islive."' WHERE id=1";
$insertresults_doit = mysql_query($insertresults) OR die(mysql_error());
Assuming both the columns are of varchar type
"UPDATE usage SET message='{$message}',islive='{$islive}' WHERE id=1" – Nick 21 mins ago
#Nick I still get the exact same error if I use braces, and even if I do not use the ' on ints. The message is a message and the islive is either a 0 or a 1. – Robert 6 mins ago
#Robert, have you made sure $message and $islive have been properly escaped? use: addslashes() or mysql_real_escape_string()
moved to answer (grew)
I'm running the following line :
mysql_query("INSERT INTO tags
SET tag = '".$onesearch."',
SET date = '".date('d-m-Y')."'") or die(mysql_error());
...and it's dying saying this:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'SET date = '29-08-2010'' at line 1
I can't figure out what's wrong.
Remove the second SET from your insert query. It should be like:
mysql_query("INSERT INTO tags
SET tag = '".$onesearch."',
date = '".date('d-m-Y')."'") or die(mysql_error());
Invalid syntax, you should only use one SET:
mysql_query("INSERT INTO tags
SET tag = '".$onesearch."',
date = '".date('d-m-Y')."'") or die(mysql_error());
And that is valid INSERT syntax, just an FYI (in response to one of the other answers).
Are you able to output the query that is actually being run? It could be that the tag contains a single quote, which escapes the closing quote & causes problems... Which is why you'd want to use:
mysql_query("INSERT INTO tags
SET tag = '". mysql_real_escape_string($onesearch) ."',
date = '".date('d-m-Y')."'") or die(mysql_error());
Which is it you're trying to do here?
You start with INSERT syntax, but after the table reference convert to using UPDATE syntax.
INSERT
mysql_query("INSERT INTO tags
(tag, date)
VALUES
('".$onesearch."', '".date('d-m-Y')."')") or die(mysql_error());
UPDATE
mysql_query("UPDATE tags
SET tag = '".$onesearch."',
date = '".date('d-m-Y')."'") or die(mysql_error());
...but you'll set all records in the table to those two values. You'd want a WHERE clause on that...
I think your question was already answered by the others, but you should take care of that $onesearch variable. If it's not properly sanitized, a quote in it could break your code as well. If you are not doing it already, you should consider using mysql_real_escape_string() to protect you from errors and SQL injection.
Good Morning everyone,
I am using an update command in php to update data in mysql. This is my code:
$sql=mysql_query("UPDATE blpublication SET JournalName = '$_POST[journal]', AcceptanceDate = '$_POST[acceptancedate]', PublishedDate = '$_POST[publisheddate]', Comment = '$_POST[comment]'
WHERE JobNo = '$_POST[jobno]'");
if (!mysql_query($sql,$con))
{
die('Error: ' . mysql_error());
}
echo "record Updated";
It does update the field, but it gives me the following error, and I cannot figure out why I am getting this error.
"Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1' at line 1"
Can you help me with this?
Best
Zeeshan
Can you tell us what the exact output of $sql is? By the way, BIG security hole there. You should always escape query inputs, namely:
$journal = mysql_real_escape_string($_POST['journal']);
$acceptance_date = mysql_real_escape_string($_POST['acceptancedate']);
$publish_date = mysql_real_escape_string($_POST['publisheddate']);
$comment = mysql_real_escape_string($_POST['comment']);
$job_no = intval($_POST['jobno']); // assuming jobNo is a number
$sql = <<<END
UPDATE blpublication
SET JournalName = '$journal',
AcceptanceDate = '$acceptance_date',
PublishedDate = '$publish_date',
Comment = '$comment'
WHERE JobNo = $job_no
END;
mysql_query($sql);
if (mysql_error()) {
die("Error executing query '$sql': " . mysql_error());
}
echo "record Updated";
I would sanitize your input first. This could lead to some very nasty errors such as what you are experiencing and malicious attacks. Look up SQL Injection.
I think the problem is that you're running mysql_query twice. The first time it works and returns 1 (true), which you assign to $sql. Then you call mysql_query again, passing $sql (which equals 1). Of course "1" is not a valid SQL query, so you get the syntax error.
I wholeheartedly agree that you must sanitize those inputs!
Similar to the following post, I believe when you have any object or array syntax, you need to put in braces.
SET JournalName = '${_POST[journal]}'
edit: and yes, as others pointed out you are risking sql injection.
First of all, your code is prone to SQL injection, escape your POST values:
$journal = mysql_real_escape_string($_POST['journal']);
And to actually debug your query, we need the query itself. Add an echo() statement before the actual execution of the query and post the result, the POST values possibly contain some unexpected value.
Your general UPDATE syntax looks ok, except for the obvious injection possibilities, but you need to output $sql. One of your variables probably has a quote in it or some other issue like that....
Looking at the SQL UPDATE statement in your code, one thing leaps out at me. The table name is blpublication, are you maybe missing a 't', i.e. tblpublication?
Also you should really sanitise your input, otherwise you're going to be a victim of a SQL injection attack.
Try concatenating the $_POST values. I'm not sure if including them without quoting the key is possible?
// escape each value on its own; escaping the finished query string would also escape its quotes
$sql = "UPDATE blpublication SET JournalName = '".mysql_real_escape_string($_POST['journal'])."', AcceptanceDate = '".mysql_real_escape_string($_POST['acceptancedate'])."', PublishedDate = '".mysql_real_escape_string($_POST['publisheddate'])."', Comment = '".mysql_real_escape_string($_POST['comment'])."'
WHERE JobNo = '".mysql_real_escape_string($_POST['jobno'])."'";
$result = mysql_query($sql);
Note: mysql_* functions are deprecated. You should switch over to mysqli_*.