You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''stats' WHERE ip = '::1' && date = '28-11-2013'' at line 1.
<?php
require_once 'includes/config.php';
$getStats = mysql_query("SELECT * FROM 'stats' WHERE `ip` = '" . $ip . "' && `date` = '" . $time ."'") or die(mysql_error());
if( mysql_num_rows($getStats) == 0)
{
$select = mysql_query("INSERT INTO `stats` (`ip`,`data`,`hits`,`online`) VALUES ('" . $ip . "','" . $time . "', '1', '" . $timestamp ."')") or die(mysql_error());
}
else
{
$select = mysql_query("UPDATE `stats` SET `hits` = `hits`+1, `online` = '" . $timestamp . "' WHERE `ip` = '" . $ip . "' && `date` = '" . $time . "'");
}
?>
MySQL quotes identifiers with a backtick like `stats`, and not like 'stats' - which is what causes the syntax error.
Either remove the useless identifier quote (stats is not reserved) or switch to proper identifier quotes.
The subsequent issue is that there is no data column, which is just as the error says. The correct column is probably date (which should be quoted, or perhaps renamed).
Also, dates should be supplied in the form of 'YYYY-MM-DD' (or variant). The fact that the query works with a locale-specific date makes me believe a proper DATE column is not used as it ought to be. Correcting the column type now will avoid issues in the future, especially with sorting.
In addition to the above corrections, also update the query to use mysqli/PDO and placeholders - this will tidy up the code, eliminate the use of deprecated functions, and prevent SQL injection (accidental or otherwise).
Related
I have this php script:
$query = "UPDATE event_rsvp SET event_note = '" . $_POST[note] . "', event_rsvp_type_id = '" . $_POST[rsvpId] . "' WHERE user_id = '" . $_POST[userId] . "' AND event_id = '" . $_POST[eventId] . "'";
$result = $mysqli->$query;
echo $query;
that echo gives me this:
UPDATE event_rsvp SET event_note = 'test',
event_rsvp_type_id = '4'
WHERE user_id = '1' AND event_id = '1'
Problem is that only the event_rsvp_type_id is updated in database, event_note isn't.
However, if I copy this echo-ed query and paste it directly into adminer or phpmyadmin, it works fine and updates the note as expected.
Any help? Thanks!
Try the following code:
$query = $mysqli->prepare("UPDATE event_rsvp SET `event_note`=?, `event_rsvp_type_id`=? WHERE `user_id`=? AND `event_id`=?");
$query->bind_param("siii", $_POST['note'], $_POST['rsvpId'], $_POST['userId'], $_POST['eventId']);
$query->execute();
Your real problem is that you were missing the singlequotes on your variables, and also, $mysqli->$query doesn't make any sense, the $query part isn't a variable, it should just be query. I converted your code to use prepared statements as well, hopefully this will allow you to see how easy they are to use, while giving you way more security.
When i update data using php mysql, got some issue, my code php code are here
$query = "UPDATE `wp_experience` SET
`exp_from` ='". $exp_from."' ,
`exp_to` = '". $exp_to."' ,
`exp_title` = '". json_encode($exp_title)."',
`exp_desc` = '". json_encode($exp_desc)."' ,
`exp_cat` = '". $exp_cat."'
WHERE `id` =".$oldid;
it will produce data like,
UPDATE wp_experience SET exp_from ='2016-01-22 00:00:00' , exp_to = '2002-11-14 00:00:00' , exp_title = '{"en":" PSA Peugeot Citroën Automobiles, Mulhouse (F-68)","fr":"Technical Directué - FRENCH","de":"Responsable d'unité de maintenance"}', exp_desc = '{"en":"
Test</p>","fr":"
Test</p>","de":"
H</p>"}' , exp_cat = '18' WHERE id =28
i got this issue,
1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'unité de maintenance"}', exp_desc = '{"en":"
Test</p>","fr":"
Test</p' at line 1
How to fix this issue??
Some of your embedded strings breaks your query, so either use mysqli_real_escape_string() or prepared SQL statements:
$query = "
UPDATE
wp_experience
SET
exp_from = '" . $exp_from . "' ,
exp_to = '" . $exp_to . "' ,
exp_title = '" . mysqli_real_escape_string($con, json_encode($exp_title)) . "',
exp_desc = '" . mysqli_real_escape_string($con, json_encode($exp_desc)) . "' ,
exp_cat = '" . mysqli_real_escape_string($con, $exp_cat) . "'
WHERE
id = " . $oldid;
My query was:
$query = "UPDATE shop.titem SET
item = $nitem, comment = $comment visible = $visible
WHERE titem.item =$item;";
And the error I get is:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'visible = 1 WHERE titem.item =lolipop' at line 2
I noticed that new version of MySQL doesn't really care about the hyphens so I chose to omit that. However, it gives me the same errors even though I use them for the variables.
Help please.
You are missing a commaafter $comment and quotes around string value:
try
$query = "UPDATE shop.titem SET
item = '$nitem', comment = '$comment', visible = '$visible'
WHERE titem.item ='$item'";
Remove the semicolon after $item; inside the query and use '' for the string values
Much better way to write the SQL query is :-
$query = "UPDATE shop.titem SET item = '" . $nitem . "', comment = '" . $comment . "', visible = '" . $visible . "' WHERE titem.item = $item";
Also, I guess it should be shop.item instead of shop.titem.
I am a MySQL noob and basically hacking an insert query to become an update query instead. So I am sure it's something simple with the grammar. But what's wrong with this?
// Save data
$mySQLQuery = 'update `'. $fl['mysql_table']. '` SET '. $fl['mysql_query']. "' WHERE speres = '" . mysql_real_escape_string($_POST['speres']);
$rs = #mysql_query($mySQLQuery);
the original INSERT query (working) was
// Save data
$mySQLQuery = 'INSERT INTO `'. $fl['mysql_table']. '` SET '. $fl['mysql_query'];
$rs = #mysql_query($mySQLQuery);
The data is generated here:
$fl['mysql_query'] = "menrecin = '" . mysql_real_escape_string(YDFLValue($_SESSION['form']['item_17'])) . "', menrecvej = '" . mysql_real_escape_string(YDFLValue($_SESSION['form']['item_18'])) . "', menrecser = '" . mysql_real_escape_string(YDFLValue($_SESSION['form']['item_19'])) . "', menrecud = '" . mysql_real_escape_string(YDFLValue($_SESSION['form']['item_20'])) . "', menresmor = '" . mysql_real_escape_string(YDFLValue($_SESSION['form']['item_22'])) . "', menresfro = '" . mysql_real_escape_string(YDFLValue($_SESSION['form']['item_23'])) . "', menresmid = '" . mysql_real_escape_string(YDFLValue($_SESSION['form']['item_24'])) . "', menresres = '" . mysql_real_escape_string(YDFLValue($_SESSION['form']['item_25'])) . "', menrumind = '" . mysql_real_escape_string(YDFLValue($_SESSION['form']['item_28'])) . "', menrumren = '" . mysql_real_escape_string(YDFLValue($_SESSION['form']['item_29'])) . "', menrumved = '" . mysql_real_escape_string(YDFLValue($_SESSION['form']['item_30'])) . "', tekip = '" . $_SERVER['REMOTE_ADDR'] . "', tekbro = '" . $_SERVER['HTTP_USER_AGENT'] . "', tektid = NOW()";
I have an entry with speres = 100525 in the database, so please try:
http://www.konferencer.nu/form/index.php?speres=100525
Good practices of troubleshooting dynamic SQL:
Look at the SQL, not the code that builds the SQL. In other words, echo out $mySQLQuery to see the final SQL, and most of the time you can see the error right away.
Don't suppress errors. Error-checking is helpful and necessary in any code.
It looks to me like your query ends up being:
update `tablename` SET ..., tektid = NOW()' WHERE speres = '...;
So you have a spurious quote after the NOW() and a missing quote at the end.
If you had checked for errors, you'd get something like this:
ERROR 1064 (42000): You have an error in your SQL syntax;
check the manual that corresponds to your MySQL server version for
the right syntax to use near '' WHERE speres = '...' at line 1
The quoting around the start of the WHERE clause looks odd:
UPDATE `...some table...` SET ...some query... 'WHERE speres = ' ... some criterion ...
Note the single quote placement. Maybe you want to remove the single quotes from inside the double quotes?
you query should look like
$mySQLQuery = 'update'. $fl['mysql_table'].'SET'. $fl['mysql_query'].'= <some value>' ' WHERE speres = '.mysql_real_escape_string($_POST['speres']);
$rs = #mysql_query($mySQLQuery);
I have written a PHP class which will update 4 fields of a certain row in a table. The row is decided by a session var 'user' (which is unique). It's not working, but i'm not sure if it is because of the query or the class itself. So i'm first gonna ask you guys if there are any errors in this query (there probaply are) and when the query is correct, i'll see if the class itself has errors as well.
Query:
UPDATE tblRegistratie(lengte, gewicht, bmi geluk) WHERE `gebruikersnaam` = '" . $_SESSION['regain-user'] . "'
VALUES(
'".mysqli_real_escape_string($conn, $this->Lengte_update)."',
'".mysqli_real_escape_string($conn, $this->Gewicht_update)."',
'".mysqli_real_escape_string($conn, $this->BMI_update)."',
''".mysqli_real_escape_string($conn, $this->Geluk_update)."',
);
The quotes look funny here, but I think your problem is a trailing comma , after the last param:
''".mysqli_real_escape_string($conn, $this->Geluk_update)."',
^^^^^
Last line:
''".mysqli_real_escape_string($conn, $this->Geluk_update)."',
^^//fix the double qoute and make it single '
This is what an UPDATE query should look like.
UPDATE tblRegistratie
SET lengte=mysqli_real_escape_string($conn, $this->Lengte_update),
gewicht=mysql...etc
`bmi geluk`=...etc
WHERE `gebruikersnaam` = '" . $_SESSION['regain-user'] . "'
Yours looks nothing like that.
The correct syntax for UPDATE in MySQL would be something like::
$sql = "UPDATE tblRegistratie SET
lengte = '".mysqli_real_escape_string($conn, $this->Lengte_update)."',
gewicht = '".mysql_real_escape_string($conn, $this->Gewicht_update)."',
bmi = '".mysql_real_escape_string($conn, $this->BMI_update)."',
geluk = '".mysqli_real_escape_string($conn, $this->Geluk_update)."'
WHERE gebruikersnaam = '". $_SESSION['regain-user'];
You need to have your where clause after the values you're setting. Also, it sounds like you have some punctuation issues.
Consider the following rewrite for general easier-to-read goodness:
$query = 'UPDATE tblRegistratie
SET `lengte` = "' . mysqli_real_escape_string($conn, $this->Lengte_update) . '",
`gewicht` = "' . mysqli_real_escape_string($conn, $this->Gewicht_update) . '",
`bmi` = "' . mysqli_real_escape_string($conn, $this->BMI_update) . '",
`geluk` = "' . mysqli_real_escape_string($conn, $this->Geluk_update) . '"
WHERE `gebruikersnaam` = "' . $_SESSION['regain-user'] . '"
';
Also, functions like sprintf() can be your friend. :)
$query = sprintf('UPDATE `tblRegistratie`
SET `lengte` = "%s",
`gewicht` = "%s",
`bmi` = "%s",
`geluk` = "%s"
WHERE `gebruikersnaam` = "%s";',
mysqli_real_escape_string($conn, $this->Lengte_update),
mysqli_real_escape_string($conn, $this->Gewicht_update),
mysqli_real_escape_string($conn, $this->BMI_update),
mysqli_real_escape_string($conn, $this->Geluk_update),
$_SESSION['regain-user']
);
PHP
On the last line you have two initial single quotes.
Fix:
''".mysqli_real_escape_string($conn, $this->Geluk_update)."',
becomes
'".mysqli_real_escape_string($conn, $this->Geluk_update)."',
MySQL
Additionally, your UPDATE syntax appears to be completely invalid. Have a read through the documentation.