wrong query inserting value in specific row - php

I'm trying to execute the following query where I want to add a value in the column firstime in the corresponding row with $netid and mac.
$query="INSERT INTO node WHERE netid='".$netid."' AND mac='" . $_GET['mac'] . "' (firstime) VALUES ('" . $firstcheck . "')";
mysql_query($query, $conn) or die("Error executing query: ".mysql_error($conn));
When I try I get the following error message:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE netid='28' AND mac='24:A4:3C:40:4D:EB' (firstime) VALUES ('2014-01-16 12:0' at line 1
Any idea?

You cannot use WHERE clause for INSERT query since it makes no sense
Here is a documentation page about its proper syntax: http://dev.mysql.com/doc/refman/5.6/en/insert.html
A scientific guess: what you need is UPDATE

Perhaps you want an update:
$query = "UPDATE node
SET firstime = '" . $firstcheck . "'
WHERE netid = '" . $netid . "' AND mac = '" . $_GET['mac'] . "'";
insert inserts a new row into the table, not a new value into the row.
update updates a value in a row.

The WHERE conditions must go after the columns and values declaration.
INSERT INTO node (firstime) VALUES ('" . $firstcheck . "') WHERE netid='".$netid."'
AND mac='" . $_GET['mac'] . "'";
Also use prepared statements and sanitize user-submitted data, in order to prevent SQL injection, which is a present and clear threat.
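The prepared-statement advice above, applied to the question's UPDATE as an added example (not part of the original answers). It assumes PDO, uses an in-memory SQLite database in place of the MySQL server so it runs offline, and the helper name setFirstCheck and the sample values are constructed for illustration.

```php
<?php
// Added example. In-memory SQLite stands in for the MySQL server so the script
// runs offline; against MySQL only the DSN passed to PDO changes.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE node (netid INTEGER, mac TEXT, firstime TEXT)');
$pdo->exec("INSERT INTO node (netid, mac) VALUES (28, '24:A4:3C:40:4D:EB')");

// Hypothetical helper: sets firstime on the row matching netid and mac.
function setFirstCheck(PDO $pdo, $netid, $mac, $firstcheck)
{
    // Validate the request values first: a MAC is six colon-separated hex pairs.
    if (!is_string($mac) || !preg_match('/^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$/D', $mac)) {
        throw new InvalidArgumentException('malformed MAC address');
    }
    if (filter_var($netid, FILTER_VALIDATE_INT) === false) {
        throw new InvalidArgumentException('netid must be an integer');
    }
    // Placeholders keep the values out of the SQL text entirely.
    $stmt = $pdo->prepare(
        'UPDATE node SET firstime = :firstcheck WHERE netid = :netid AND mac = :mac'
    );
    $stmt->execute([
        ':firstcheck' => $firstcheck,
        ':netid'      => (int) $netid,
        ':mac'        => $mac,
    ]);
    return $stmt->rowCount(); // rows changed; 0 means no such node
}

// Constructed sample values standing in for $netid, $_GET['mac'] and $firstcheck.
$changed = setFirstCheck($pdo, '28', '24:A4:3C:40:4D:EB', '2014-01-16 12:00:00');
echo "rows updated: $changed\n";

// A value with a stray quote, the kind that breaks the concatenated query,
// is refused before any SQL runs.
try {
    setFirstCheck($pdo, '28', "24:A4:3C:40:4D:EB'", '2014-01-16 12:00:00');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```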

Related

Multiple rows update - update column NULL if blank field

I have a form that updates multiple row ids with 6 fields, I am trying to get the correct code to set the column to NULL if there is nothing changed.
Below is my code.
What I am trying to do is at the (shippedto_customer), the update works fine if I don't add in the if statement, but I want the if statement in case user does not change the date for the field shippedto_customer.
Sorry if I am not explaining correctly.
if(isset($_POST['Submit']))
{
$count=count($_POST["id"]);
for($i=0;$i<$count;$i++){
$sql1="UPDATE $tbl_name SET status='" . $_POST['status'][$i] . "',
ship_from_factory='" . $_POST['ship_from_factory'][$i] . "',
shippedto_customer=if(shippedto_customer='',NULL,'" .
$_POST['shippedto_customer'][$i] . "'), ship_comments='" .
$_POST['ship_comments'][$i] . "' WHERE id='" . $_POST['id'][$i] . "'";
$result1=mysql_query($sql1);
}
}
You're testing the old shippedto_customer in the table, not the value from the form.
You can use the NULLIF() function to test if the value being stored is an empty string, and store NULL instead.
if(isset($_POST['Submit']))
{
    $count=count($_POST["id"]);
    for($i=0;$i<$count;$i++){
        // Escape every value taken from the form before it goes into the query
        $status = mysql_real_escape_string($_POST['status'][$i]);
        $ship_from_factory = mysql_real_escape_string($_POST['ship_from_factory'][$i]);
        $shipped_to_customer = mysql_real_escape_string($_POST['shippedto_customer'][$i]);
        $ship_comments = mysql_real_escape_string($_POST['ship_comments'][$i]);
        $id = mysql_real_escape_string($_POST['id'][$i]);
        // NULLIF() stores NULL when the submitted value is an empty string
        $sql1="UPDATE $tbl_name
            SET status='$status', ship_from_factory='$ship_from_factory',
            shippedto_customer=NULLIF('$shipped_to_customer', ''),
            ship_comments='$ship_comments' WHERE id='$id'";
        $result1=mysql_query($sql1);
    }
}
If you're forced to use the old mysql extension, you need to escape all the parameters. I've shown that above. But as mentioned in the comments, you should migrate to a modern MySQL API (I recommend PDO) and use prepared statements. If you do this, a PHP null value will be converted automatically to SQL NULL when used as a parameter.
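The PDO migration this answer recommends, sketched as an added example (not the answerer's code): one statement prepared once and executed per form row, with a blank date bound as PHP null. It assumes an in-memory SQLite database in place of MySQL so it runs offline; the table name shipments, the helper updateShipments and the form data are constructed.

```php
<?php
// Added example. In-memory SQLite stands in for MySQL so the script runs
// offline; "shipments" is a hypothetical fixed name in place of $tbl_name.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE shipments (id INTEGER PRIMARY KEY, status TEXT,
    ship_from_factory TEXT, shippedto_customer TEXT, ship_comments TEXT)');
$pdo->exec('INSERT INTO shipments (id) VALUES (1), (2)');

// Hypothetical helper: applies the posted form rows, returns rows changed.
function updateShipments(PDO $pdo, array $post)
{
    // Prepared once, executed per row; the SQL text never contains request data.
    $stmt = $pdo->prepare(
        'UPDATE shipments SET status = ?, ship_from_factory = ?,
                shippedto_customer = ?, ship_comments = ? WHERE id = ?'
    );
    $changed = 0;
    $pdo->beginTransaction();
    try {
        foreach ($post['id'] as $i => $id) {
            $shipped = (string) ($post['shippedto_customer'][$i] ?? '');
            $stmt->execute([
                (string) ($post['status'][$i] ?? ''),
                (string) ($post['ship_from_factory'][$i] ?? ''),
                $shipped === '' ? null : $shipped, // PHP null is stored as SQL NULL
                (string) ($post['ship_comments'][$i] ?? ''),
                (int) $id,
            ]);
            $changed += $stmt->rowCount();
        }
        $pdo->commit();
    } catch (Throwable $e) {
        $pdo->rollBack(); // apply all rows or none
        throw $e;
    }
    return $changed;
}
// Constructed form data standing in for $_POST: row 2 leaves the date blank.
$post = [
    'id'                 => ['1', '2'],
    'status'             => ['shipped', 'pending'],
    'ship_from_factory'  => ['2014-01-10', '2014-01-12'],
    'shippedto_customer' => ['2014-01-16', ''],
    'ship_comments'      => ["O'Brien order", ''],
];
echo updateShipments($pdo, $post), " rows changed\n";
var_dump($pdo->query('SELECT shippedto_customer FROM shipments WHERE id = 2')->fetchColumn());
```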

On duplicate gives syntax error and does not work

I'm trying to add products to a database from an XML file and when there's a duplicate article number I want to just update the stock level.
I'm still learning PHP and MySQL and I've read numerous posts on this forum but I just can't get it to work.
So what I did is this:
$xml = simplexml_load_file("a-link-to-downloaded_products.xml") or die("Error: Cannot create object");
foreach ($xml->children() as $row) {
$article_code = $row->artikelnummer;
$brand = $row->merk;
$name_nl = $row->naam;
$ean = $row->ean;
$stock = $row->voorraad_aanwezig;
$sql = "INSERT INTO `products` (article_code,brand,name_nl,ean,stock) VALUES ('" . $article_code . "','" . $brand . "','" . $name_nl . "','" . $ean . "','" . $stock . "') ON DUPLICATE KEY UPDATE `stock` = VALUES(`$stock`)";
$result = mysqli_query($db, $sql);
..... etc .....
}
Above gives me an error saying
Unknown column '1' in 'field list'
or
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '1)' at line 1
Because of that second error I assume that it has something to do with ON DUPLICATE KEY UPDATE stock = VALUES($stock)" However I tried a lot of different variations but I just can't get it to work! I used backticks, quotes etc. Almost anything I can think of.
Just replace this:
ON DUPLICATE KEY UPDATE `stock` = VALUES(`$stock`)
With:
ON DUPLICATE KEY UPDATE `stock` = VALUES(`stock`)
Explanation: the VALUES() construct in the ON DUPLICATE UPDATE clause is used to reference a column value that is passed in the INSERT clause.
Important note: anyone on SO will tell you that you should really consider using prepared statements and parameterized queries, in order to make your queries safer and more efficient.

MySQL throws error but works - PhpMyAdmin without error

I am running this query on my MySQL Database - with mysql_query it throws me an error but the data is still properly inserted into the table. If I enter it in PhpMyAdmin it works without error.
INSERT INTO `kommentare` VALUES(NULL,'1','MyName','MyEmail','MyText','2014-08-05');
PHP :
$name = mysql_escape_string($name);
$email = mysql_escape_string($email);
$kommentar = mysql_escape_string($kommentar);
$datum = mysql_escape_string($datum);
$reiseid = str_replace("/", "", $reiseid);
$query = "INSERT INTO kommentare VALUES(NULL,'" . $reiseid . "','" . $name . "','" . $email . "','" . $kommentar . "','" . $datum . "');";
$result = mysql_query($query) or die(mysql_error());
echo $query;
Error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
How is that possible? I am experienced with MySQL but this wrecks my nerves - it works but says it doesn't?!
UPDATE:
It just happens when I have more than one entry in the table. And even if I remove all the ' it gives me the same error, saying I should check near the '
If the first column is an auto-increment primary key, you don't pass it NULL, you pass it DEFAULT:
INSERT INTO kommentare VALUES
(DEFAULT,'$reiseid','$name','$email','$kommentar','$datum');
But really you should instead be naming your columns and skipping those that you don't have a value for:
INSERT INTO kommentare
(reiseid, name, email, kommentar, datum)
VALUES
('$reiseid','$name','$email','$kommentar','$datum');
SOLUTION:
My id has been passed not as 1 but as 1/ for some reason. This caused MySQL to crash although it was not shown to me. I replace the / with "" now and everything works fine!

Escaping a string being inserted into Mysql

I have tried all combinations of single quotes, double quotes etc but the following code keeps erroring with sql syntax error. The en and cy are paragraphs of text. I think I must be missing something obvious but I can't see it. Any suggestions?
$insert_dana = mysql_query("UPDATE Contributor (Summary_en,Summary_cy) VALUES ('" . mysql_real_escape_string($insert[en][0]) . "','" . mysql_real_escape_string($insert[cy][0]) . "') WHERE id='$insert[id]'");
You mixed insert and update statement syntax. Use this one
$insert_dana = mysql_query("UPDATE Contributor set Summary_en = '" . mysql_real_escape_string($insert[en][0]) . "', Summary_cy = '" . mysql_real_escape_string($insert[cy][0]) . "' WHERE id='$insert[id]'");
you're confusing the UPDATE- and the INSERT-syntax. for UPDATE, it's like:
UPDATE
table
SET
field = 'value'
WHERE
...
while an INSERT looks like:
INSERT INTO
table
(field)
VALUES
('value')
you can't write an UPDATE with (field) VALUES ('value')-syntax.

MySQL - Delete a row, how?

Can anyone show me a query in MySQL that would delete rows from all available columns.
I use this to insert rows:
// KEYS is a constant
$sql = "INSERT INTO " . KEYS . "
(`key`, user_id, time, approved)
VALUES ('" . $randkey . "', '" . $user_id . "', '" . $time . "', '0')";
I need the opposite of this now, delete created rows.
delete from <table> where ....
Keep in mind that the delete statement is always for an entire row.
Using similar syntax $sql = "DELETE FROM " . KEYS . " WHERE 1=1";
Replace 1=1 with the conditions for the row you want to delete or it will delete all rows.
Also, it's good to get out of the habit of just dropping variables into SQL as soon as possible, because it will open your code up to SQL Injection attacks. Look into using parameterized queries.
