Why won't this mysql update script work? - php

I have been beating my head against a wall for a few hours now trying to get this to update my DB.
<?
//edit_item_data.php
$con=mysqli_connect("localhost","root","","Inventory");
// Check connection
if (mysqli_connect_errno())
{
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
$sql= "UPDATE Item
SET Catagory = '$_POST[Catagory]',
Cost = '$_POST[Cost]',
Condition = '$_POST[Condition]',
PurchaseLot_PurchaseLotID = '$_POST[PurchaseLot]',
Location = '$_POST[Location]',
Desc = '$_POST[Desc]',
Notes = '$_POST[Notes]'
WHERE
ItemID = '$_POST[id]'";
if (!mysqli_query($con,$sql))
{
die('Error: ' . mysqli_error($con));
}
echo "1 record added";
mysqli_close($con);
?>
<script type='text/javascript'>
setTimeout('self.close()',5000);
</script>
This is the error I'm getting:
Error: You have an error in your SQL syntax; check the manual that corresponds to
your MySQL server version for the right syntax to use near 'Condition = New,
PurchaseLot_PurchaseLotID = 1, Location = e' at line 4
I'm running mysql 5.6 and php 5.5. I'm sure it's something dumb but I can't for the life of me see what it is.

Well you are hilariously vulnerable to SQL injection doing what you are doing, but the problem is that you aren't enclosing your variables in quotes, e.g:
SET Catagory = '$_POST[Catagory]',
-- etc
Use mysqli_real_escape_string to escape your variables before you put them into your SQL, like this:
SET Catagory = '" . mysqli_real_escape_string($con, $_POST['Catagory']) . "',

You want something like this:
$sql = "UPDATE `Item` SET
`Catagory` = '".mysqli_real_escape_string($con,$_POST['Catagory'])."',
`Cost` = '".mysqli_real_escape_string($con,$_POST['Cost'])."',
........
WHERE `ItemID` = ".intval($_POST['id']);
Side-note, it's spelled "category".
EDIT: If you, like me, can't be arsed to type out such a long function name...
$e = function($str) use ($con) {
return mysqli_real_escape_string($con,$str);
};
Then:
... `Catagory` = '".$e($_POST['Catagory'])."' ...

The real issue was lack of grave accents
SET `Catagory` = '$_POST[Catagory]',
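
An added example, not part of the original answers or the asker's code: the same UPDATE written as a mysqli prepared statement, with the column names in backticks (Condition and Desc are reserved words in MySQL) and the form values bound as parameters. The function name update_item and the assumption that ItemID and PurchaseLot_PurchaseLotID are integer columns are mine.

```php
<?php
// Added example: prepared-statement form of edit_item_data.php.
// Assumption: ItemID and PurchaseLot_PurchaseLotID are integer columns.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on errors

function update_item(mysqli $con, array $post): int
{
    // Every field the form must supply; reject the request if one is missing.
    $fields = ['Catagory', 'Cost', 'Condition', 'PurchaseLot',
               'Location', 'Desc', 'Notes', 'id'];
    foreach ($fields as $f) {
        if (!isset($post[$f]) || !is_string($post[$f])) {
            throw new InvalidArgumentException("missing field: $f");
        }
    }
    // Integer keys are validated, not merely cast, so non-numeric input is refused.
    $lot = filter_var($post['PurchaseLot'], FILTER_VALIDATE_INT);
    $id  = filter_var($post['id'], FILTER_VALIDATE_INT);
    if ($lot === false || $id === false) {
        throw new InvalidArgumentException('PurchaseLot and id must be integers');
    }

    // Identifiers are fixed text in backticks; values travel separately as
    // parameters, so quotes inside them can never change the statement.
    $stmt = $con->prepare(
        'UPDATE `Item`
            SET `Catagory` = ?, `Cost` = ?, `Condition` = ?,
                `PurchaseLot_PurchaseLotID` = ?, `Location` = ?,
                `Desc` = ?, `Notes` = ?
          WHERE `ItemID` = ?'
    );
    $stmt->bind_param('sssisssi',
        $post['Catagory'], $post['Cost'], $post['Condition'], $lot,
        $post['Location'], $post['Desc'], $post['Notes'], $id);
    $stmt->execute();
    $rows = $stmt->affected_rows;
    $stmt->close();
    return $rows;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $con = new mysqli('localhost', 'root', '', 'Inventory');
    echo update_item($con, $_POST) . ' record(s) updated';
    $con->close();
}
```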

Related

php and mysql syntax issues using update statements

I am trying to figure out the syntax problem in my query.
The block of code goes like this:
$updatequery = "update patient_dim set dentist_id = $dentist_id where".
"patient_id = $patient_id";
$queryResult = mysql_query($updatequery,$con);
if(!$queryResult){
trigger_error("insert error" . mysql_error());
}
mysql_close($con);
Then the error goes like this:
Notice: inssert errorYou have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\"1" where patient_id = 4'
I suspect incorrect syntax in the $updatequery statement.
For further information, the value of the $patient_id = 1 while the value of the $dentist_id = 4. I have tried all of your approaches, still the same error. Anyway, thanks for your help.
Your query needs a space after where
$updatequery = "update patient_dim set dentist_id = $dentist_id where patient_id = $patient_id";
$updatequery = "update patient_dim set dentist_id = $dentist_id where".
" patient_id = $patient_id";
You forgot to add a space after the WHERE clause.
After WHERE Clause there must be a blank space before the condition.
Use as follows.
<?php
$updatequery = "update patient_dim set dentist_id = ".$dentist_id ." where patient_id = ".$patient_id;
$queryResult = mysql_query($updatequery);
if(!$queryResult){
die("insert error" . mysql_error());
}
mysql_close($con);
?>

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use

I'm facing this problem when inserting a SQL query:
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '30000001'', NULL, 'Pending', NULL, NULL)' at line 1
The code is:
<?php
// Connecting to the MySQL server
include "connection.php";
// Check connection
if (mysqli_connect_errno())
{
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
$query = "SELECT * FROM meet ORDER BY meetid DESC LIMIT 1";
$result = mysqli_query($con,$query) or die(mysqli_error($con));
$last_val = mysqli_fetch_array($result);
// print_r($last_val);
$last_val1 = $last_val[0];
$query = "SELECT * FROM hdr_student WHERE Stud_NO = '$stud_no'";
$result = mysqli_query($con,$query) or die(mysqli_error($con));
$check_over = mysqli_fetch_array($result);
$null = 'sss'; $validateon = '0000-00-00 00:00:00.000000';
$supprephour = '0';
if(!empty($check_over['c_supervisor']))
{
if(!empty($check_over['p_supervisor']))
{
$check_supp = $check_over['p_supervisor'];
$check_supp1 = var_export($check_supp,true);
$query = "INSERT INTO supervisorattendance (meetid, sup_no, supnote, supvalidate, supprephour, validateon) VALUES ('$last_val1', '$check_supp1', NULL, 'Pending', NULL, NULL)";
if (!mysqli_query($con,$query))
{
die('Error: ' . mysqli_error($con));
}
}
$check_supc = $check_over['c_supervisor'];
$check_supc1 = var_export($check_supc,true);
$query = "INSERT INTO supervisorattendance (meetid, sup_no, supnote, supvalidate, supprephour, validateon) VALUES ('$last_val1', '$check_supc1', NULL, 'Pending', NULL, NULL)";
if (!mysqli_query($con,$query))
{
die('Error: ' . mysqli_error($con));
}
}
?>
Your problem is about single quotes in your variable used in MySQL,
so escape them like this before use in MySQL:
$check_supc = $check_over['c_supervisor'];
$check_supc1 = var_export($check_supc,true);
$last_val1 = mysqli_real_escape_string($con, $last_val1); // use this line
$check_supc1 = mysqli_real_escape_string($con, $check_supc1); // use this line
$query = "INSERT INTO supervisorattendance (meetid, sup_no, supnote, supvalidate, supprephour, validateon) VALUES ('$last_val1', '$check_supc1', NULL, 'Pending', NULL, NULL)";
var_export tries to generate a string that's valid as PHP code. Among other things, this means that if your content is a string, it'll get quotes around it. Since you're also adding quotes while you're cobbling your SQL, you end up with something like ...''$check_supp1'', NULL, 'Pending', NULL, NULL).
Unless you have a good reason for using var_export here (and I'm about 94% certain you don't), get rid of it. Use mysqli_real_escape_string to make stuff safer for a MySQL query.
Or, if there's nothing but that number, you can use intval to make sure it's always a number.
Or, learn to use prepared statements. :P They can handle most of this stuff automatically.

Cannot find error in my php script. Can someone point it out to me

I have written a php script on my web server to insert values into the table table3. The variables used to get values are username and image. username contains varchar type data and image contains text type data in it. I need to insert it into my table table3. The table3 has two columns, username and imagename, which are of varchar type and text type respectively.
When I try to run the above script by entering values, an error shows as given below:
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1' at line 1.
I don't understand what the error is and I'm stuck here with knowing the error. Can someone please clear the errors for me? I'm a newbie in php and do not know much about php. So a little help from anyone is needed... Please help me out. My php script is shown below:
<?php
$con=mysqli_connect("localhost","username","password","db_name");
if (mysqli_connect_errno($con))
{
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
$username = $_POST['username'];
$image = $_POST['image'];
$result = mysqli_query($con,"INSERT INTO table3 (username,imagename) VALUES ('$username','$image')");
if (!mysqli_query($con,$result))
{
die('Error: ' . mysqli_error($con));
}
else
echo "1 record added";
mysqli_close($con);
?>
1) **You have an error in your SQL syntax;** means that you have an error in your query. It seems that your query is okay, but that error may come from your post data. You need to use mysqli_real_escape_string for post data.
2) You have executed the query twice.
Try like this:
$username = mysqli_real_escape_string($con, $_POST['username']);
$image = mysqli_real_escape_string($con,$_POST['image']);
$result = mysqli_query($con,"INSERT INTO table3 (username,imagename) VALUES ('$username','$image')");
if (!$result)
{
die('Error: ' . mysqli_error($con));
}
else
echo "1 record added";
mysqli_close($con);
You should have written something like
$result = mysqli_query($con,"INSERT INTO table3 (username,imagename) VALUES ('$username','$image')");
if (!$result)
{
die('Error: ' . mysqli_error($con));
}
the condition should be something like
if (!$result)
{
die('Error: ' . mysqli_error($con));
}
Your SQL request (INSERT) is sent at the 9th line and the result is caught in $result.
$result contains the number of lines affected by the previous request (1).
Then you call the mysqli_query method again with the value of $result as a SQL request : "1" is not a valid SQL request.

Need new eyes on a mysql query statement

I'm new at this, what are the problems with this statement:
$sql=" SELECT * FROM `calendar` WHERE `DayId` ='".$day."'";
$result = mysql_query($sql, $conn);
if (!$result){
echo "DB Error, could not query the database\n";
echo 'MySQL Error: ' . mysql_error();
exit;
}
while ($row = mysql_fetch_array($result)) { //set $dayType
$dayType = $row['DayType'];
}
I keep getting the error:
DB Error, could not query the database
MySQL Error: You have an error in your SQL syntax; check the manual that corresponds to
your MySQL server version for the right syntax to use near '' at line 1
but when I put an "echo $result;" in after the line that starts with $result=... then I get a value for $result of "Resource id #2"
You need to enclose your "day" variable in quotes (and you should be escaping it if you haven't already!)
$sql = "SELECT * FROM calendar WHERE DayId = '" . mysql_real_escape_string($day) . "'";
Shouldn't it be
$sql="SELECT * FROM `calendar` WHERE `DayId` = '".$day."'";
It seems likely to me that your $day variable is not getting populated ... Try echoing the SQL statement before you run it to make sure everything looks as it should ...
If it's date(z) change it to date('z').

SQL error in php

Hey, I wrote some code for extracting some information out of the database and checking to see if it met the $_COOKIE data. But I am getting the error message:
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ')' at line 1
My code so far is:
$con = mysql_connect("XXXX","XXXXX","XXXXXXX");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}
mysql_select_db("XXXXXX", $con);
$id = $_COOKIE['id'];
$ends = $_COOKIE['ends'];
$userid = strtolower($_SESSION['username']);
$queryString = $_GET['information_from_http_address'];
$query = "SELECT * FROM XXXXX";
$result = mysql_query($query) or die(mysql_error());
while($row = mysql_fetch_array($result)){
if ($queryString == $row["orderid"]){
$sql="UPDATE members SET orderid = ''WHERE (id = $id)";
$sql="UPDATE members SET level = 'X'WHERE (id = $id)";
$sql="UPDATE members SET payment = 'XXXX'WHERE (id = $id)";
$sql="UPDATE members SET ends = '$ends'WHERE (id = $id)";
if (!mysql_query($sql))
{
die('Error: ' . mysql_error());
}
}
}
Any help would be appreciated,
Thanks.
$sql="UPDATE members SET ends = '$ends'WHERE (id = $id)";
should be
$sql="UPDATE members SET ends = '$ends'WHERE (id = '$id')";
(IE add the ' around $id)
I'm not sure if this is the error, but do you realize your code only runs the last UPDATE? You're assigning $sql 4 times, and only running it after the fourth assignment...
If $_COOKIE['id'] does not have a value, then $id in your SQL statements will be blank, leaving your SQL looking like this:
UPDATE members SET ends = 'something' WHERE (id = )
which, of course, is invalid SQL.
Only one of the SQL statements will execute, and that's the last one. You need to add some whitespace before the WHERE clause, like this:
$sql="UPDATE members SET ends = '$ends' WHERE (id = $id)";
Also be wary of SQL injection attacks in the event that your cookie is altered by the end user. One other thing of note is your orderid column. Is it a VARCHAR or some other unique identifier? If it's an integer, then setting it to empty string will not work. You might want to rethink your schema a bit here.
EDIT: Another thing you need to do is check to make sure the cookies actually have values. If not, your SQL strings will be messed up. Have you thought about using parameterized queries through PDO so you don't have to worry about SQL injection at all?
First of all, you keep overwriting the $sql variable, so only the
$sql="UPDATE members SET ends = '$ends'WHERE (id = $id)";
is being executed.
And I would say that the $id variable is not what you think it is (maybe empty, as a query like the one above without id:
$sql="UPDATE members SET ends = '$ends'WHERE (id = )";
would throw such an error back).
Try
$id = NULL;
before
$id = $_COOKIE['id'];
If the error is gone, that means that $id is not what you think it is.
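
An added example, not code from the question or any of the answers: the four UPDATE strings combined into one parameterized PDO statement, with the cookie values checked before any SQL is built. The function name reset_member, the demo row and the in-memory SQLite database standing in for MySQL are assumptions made so the block runs offline.

```php
<?php
// Added example: one parameterized UPDATE replacing the four overwritten $sql strings.
// Assumptions: the members table from the question; 'X' and 'XXXX' are the
// page's redacted values; SQLite in memory stands in for MySQL in the demo.

function reset_member(PDO $pdo, $cookieId, $cookieEnds): int
{
    // An absent or non-numeric cookie is what produced "WHERE (id = )";
    // refuse it before any SQL is built.
    $id = filter_var($cookieId, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('id cookie missing or not a positive integer');
    }
    if (!is_string($cookieEnds) || $cookieEnds === '') {
        throw new InvalidArgumentException('ends cookie missing');
    }
    // All four column changes in one statement, so none is lost to reassignment.
    $stmt = $pdo->prepare(
        'UPDATE members
            SET orderid = :orderid, level = :level, payment = :payment, ends = :ends
          WHERE id = :id'
    );
    $stmt->execute([
        ':orderid' => '', ':level' => 'X', ':payment' => 'XXXX',
        ':ends' => $cookieEnds, ':id' => $id,
    ]);
    return $stmt->rowCount();
}

// Constructed demo data, not taken from the page.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, orderid TEXT,
            level TEXT, payment TEXT, ends TEXT)');
$pdo->exec("INSERT INTO members VALUES (4, 'A100', 'B', 'paid', '2014-01-01')");

echo reset_member($pdo, '4', '2015-01-01'), " row(s) updated\n";
try {
    reset_member($pdo, null, '2015-01-01');   // cookie not set
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Binding the parameters removes the injection risk, but the id still comes from a client-controlled cookie; reading it from the server-side session avoids letting the client choose which row is updated.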
