MySQL UPDATE syntax error - Everything is ok? - php

I've got an error with my update query in PHP... I've seen other people's mistakes, and I'm almost certain I'm not making the same old mistakes, but I may be ignoring one.
This is my code:
$sQuery = "UPDATE clientes
SET
Nombre = '$_POST[Nombre]',
Apellidos = '$_POST[Apellidos]',
Telefono = '$_POST[Telefono]',
Email = '$_POST[Email]',
WHERE ID= $sIDCliente";
First I thought it had a problem with the $_POST's, but when I echoed the query, it was all right. The error I get is this one:
You have an error in your SQL syntax; check the manual that corresponds to
your MySQL server version for the right syntax to use
near 'WHERE ID= F17DEF774C' at line 7
Well, that's what the page outputs. Thank you all beforehand :)

You have an extra comma in the row
Email = '$_POST[Email]',
should be
Email = '$_POST[Email]'
edit:
Also I should mention that you are better off using parameterized queries, and then binding the parameters. It makes your database transactions more secure.
So in your case it would look like this
$mysqli = new mysqli('localhost', 'my_user', 'my_password', 'world');
$stmt = $mysqli->prepare("
UPDATE clientes
SET
Nombre = ?,
Apellidos = ?,
Telefono = ?,
Email = ?
WHERE ID= ?
");
// all five values are strings: the ID in the question ('F17DEF774C') is not numeric, so binding it as 'd' would fail
$stmt->bind_param('sssss', $_POST['Nombre'], $_POST['Apellidos'], $_POST['Telefono'], $_POST['Email'], $sIDCliente);
$stmt->execute();

Related

PHP+MySQL wrong syntax in where clause

This is my query
$query = "SELECT * FROM ham WHERE Call = $call";
I've tried all kinds of configurations with it, with backticks and single quotes. Every time I get this:
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'CALL = LZ1IRQ' at line 1
'LZ1IRQ' is an actual value I set using an HTML form via POST.
$call = mysqli_escape_string($con, $_POST['call']);
CALL is a reserved keyword in MySQL. I think you cannot use this keyword the way you are using it now. See this official list of reserved keywords.
If you are required to use a reserved keyword, you should wrap it in backticks.
I can infer you are using mysqli, so the best and most secure option is to bind parameters; with this solution you prevent SQL injection at the same time:
$mysqli = new mysqli('localhost', 'my_user', 'my_password', 'world');
$stmt = $mysqli->prepare("SELECT * FROM ham WHERE Call =?");
$stmt->bind_param('s', $call);
$stmt->execute(); // run the prepared statement; the value never touches the SQL text
Change your query to this
$query = "SELECT * FROM ham WHERE Call = {$call}";
Try this
$query = "SELECT * FROM ham WHERE `Call` = '".$call."' ";

Syntax error in mysql when inserting an image into a database

I am new to mysql and I would really appreciate any help. What I want to do is to upload an image to a specific row in a database and then display the image in the user's page. The error I get is:
Error in Query:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = 1' at line 4.
This is the piece of code referenced:
$sql = "INSERT INTO users5 (image, imageName)
VALUES ('{$imgData}', '{$_FILES['userfile']['name']}')WHERE id = $id;";
What I want to do is to upload an image to a specific row in a database
You have to use an UPDATE command if the row already exists.
$sql = "UPDATE users5 SET image = ?, imageName = ? WHERE id = ?";
$stmt = $mysqli->prepare( $sql );
$stmt->bind_param( 'ssi', $imgData, $_FILES['userfile']['name'], $id );
$stmt->execute(); // execute the bound UPDATE
As suggested, you had better use a prepared statement to bind parameter values for placeholders safely, avoiding SQL injection.

Php pdo update statement

I need to update my database so I write:
try {
$STH = $db->prepare("UPDATE zemljiste (naziv, ha, ar, m2, udeo_ha, udeo_ar, udeo_m2, lokacija, osnov, kat_kul, 2013_kol, ocekivano) VALUES (:1,:2,:3,:4,:5,:6,:7,:8,:9,:10,:11,:12) WHERE id = :id_akt AND user_id=:13");
$STH->bindParam(':id_akt', $_POST['naziv']);
$STH->bindParam(':1', $_POST['naziv']);
$STH->bindParam(':2', $_POST['ha']);
$STH->bindParam(':3', $_POST['ar']);
$STH->bindParam(':4', $_POST['m2']);
$STH->bindParam(':5', $_POST['udeo_ha']);
$STH->bindParam(':6', $_POST['udeo_ar']);
$STH->bindParam(':7', $_POST['udeo_m2']);
$STH->bindParam(':8', $_POST['lokacija']);
$STH->bindParam(':9', $_POST['osnov']);
$STH->bindParam(':10', $_POST['kultura']);
$STH->bindParam(':11', $_POST['prinos_2013']);
$STH->bindParam(':12', $_POST['ocekivano']);
$STH->bindParam(':13', $user_id);
$STH->execute();
but I get error:
SQLSTATE[42000]: Syntax error or access violation: 1064 You have an
error in your SQL syntax; check the manual that corresponds to your
MySQL server version for the right syntax to use near '(naziv, ha, ar,
m2, udeo_ha, udeo_ar, udeo_m2, lokacija, osnov, kat_kul, 2013_ko' at
line 1Data submitted successfully
How can I solve this?
What exactly is the error in my code?
The UPDATE syntax is wrong, and you should avoid integer placeholders.
$query ="UPDATE `zemljiste`
SET naziv = :naziv, ha = :ha, ar = :ar, m2 = :m2, udeo_ha = :udeo_ha,
udeo_ar = :udeo_ar, udeo_m2 = :udeo_m2, lokacija=:lokacija, osnov = :osnov,
kat_kul = :kultura, 2013_kol=:prinos_2013, ocekivano = :ocekivano
WHERE id = :id_akt AND user_id=:user_id";
$STH = $db->prepare($query);
$STH->bindParam(':id_akt', $_POST['naziv']);
$STH->bindParam(':naziv', $_POST['naziv']);
$STH->bindParam(':ha', $_POST['ha']);
$STH->bindParam(':ar', $_POST['ar']);
$STH->bindParam(':m2', $_POST['m2']);
$STH->bindParam(':udeo_ha', $_POST['udeo_ha']);
$STH->bindParam(':udeo_ar', $_POST['udeo_ar']);
$STH->bindParam(':udeo_m2', $_POST['udeo_m2']);
$STH->bindParam(':lokacija', $_POST['lokacija']);
$STH->bindParam(':osnov', $_POST['osnov']);
$STH->bindParam(':kultura', $_POST['kultura']);
$STH->bindParam(':prinos_2013', $_POST['prinos_2013']);
$STH->bindParam(':ocekivano', $_POST['ocekivano']);
$STH->bindParam(':user_id', $user_id);
$STH->execute();
You're using the syntax for an INSERT statement in an UPDATE, which is wrong.
It should look like this:
UPDATE table SET key=:value, key1=:value1 WHERE id=:id AND foo=:bar. So just replace
"UPDATE zemljiste (naziv, ha, ar, m2, udeo_ha, udeo_ar, udeo_m2, lokacija, osnov, kat_kul, 2013_kol, ocekivano) VALUES (:1,:2,:3,:4,:5,:6,:7,:8,:9,:10,:11,:12) WHERE id = :id_akt AND user_id=:13"
with
UPDATE zemljiste SET naziv =:1, ha =:2, ...... WHERE id=:id_akt AND user_id = :13
You are using the wrong syntax for UPDATE. It should be:
UPDATE zemljiste SET naziv=:1, ha=:2, ar=:3, ... WHERE ...

mysqli_real_escape_string not working

I just learned I had magic_quotes_gpc on (much to my chagrin). I turned that off.
My database connection is made prior to this query. I have the following:
$subject = mysqli_real_escape_string($link, $_POST["subject"]);
$body = mysqli_real_escape_string($link, $_POST["body"]);
$id = mysqli_real_escape_string($link, $_POST["id"]);
mysqli_query($link, "UPDATE press SET press_title = '$subject', press_release = '$body' WHERE press_id = '$id'") or die( mysqli_error($link) );
With magic quotes on, this works fine. Once I turn it off, single quotes jam up the works (with a MySQL syntax error at the quote). I thought I understood the concept but I must be missing something. Can someone explain what I'm doing wrong?
UPDATE
Error spit out by MySQL:
you have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's what she said' at line 1
UPDATE #2
Here's the echo'd query:
UPDATE press SET press_title = \'That\'s what she said\', press_release = \'That\'s what she said again!\' WHERE press_id = \'513\'
Use a parametrized query:
$stmt = mysqli_prepare($link, "UPDATE press SET press_title = ?, press_release = ? WHERE press_id = ?") or die (mysqli_error($link));
mysqli_stmt_bind_param($stmt, "ssi", $_POST['subject'], $_POST['body'], $_POST['id']);
mysqli_stmt_execute($stmt);
Manual
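The failure in this question (the apostrophe in "That's what she said" closing the string literal early) and the trailing-comma bug from the first question on this page, shown side by side in an added example that is not from any of the posts above. It assumes PDO with an in-memory SQLite database so it runs offline (placeholders and backtick quoting behave the same on MySQL, so only the DSN would change); the table press and the form values are taken from this question, and updateRow() is a hypothetical helper.

```php
<?php
// Added example (not from any post above): PDO with an in-memory SQLite
// database so it runs offline; against MySQL only the DSN would change.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE press (press_id INTEGER PRIMARY KEY, press_title TEXT, press_release TEXT)");
$db->exec("INSERT INTO press VALUES (513, 'old title', 'old body')");

// Constructed form input, reusing the values from the question above.
$post = ['subject' => "That's what she said",
         'body'    => "That's what she said again!",
         'id'      => '513'];

// 1) String interpolation: the apostrophe closes the SQL string literal early,
//    the rest of the value is parsed as SQL, and the server raises a syntax
//    error (MySQL reports it near 's what she said').
try {
    $db->exec("UPDATE press SET press_title = '{$post['subject']}', "
            . "press_release = '{$post['body']}' WHERE press_id = '{$post['id']}'");
} catch (PDOException $e) {
    echo "interpolated query failed: " . $e->getMessage() . "\n";
}

// 2) Hypothetical helper: build the SET clause from a whitelist mapping form
//    fields to column names, then bind every value. implode() only puts commas
//    between items, so the trailing-comma mistake from the first question cannot
//    happen, and column names never come from user input.
function updateRow(PDO $db, string $table, string $keyColumn, int $id,
                   array $allowed, array $input): int {
    $set = [];
    $params = [':id' => $id];
    foreach ($allowed as $field => $column) {
        if (!array_key_exists($field, $input)) {
            continue;                      // field not submitted: column unchanged
        }
        $set[] = "`$column` = :$field";
        $params[":$field"] = $input[$field];
    }
    if ($set === []) {
        return 0;                          // nothing to update
    }
    $sql = "UPDATE `$table` SET " . implode(', ', $set) . " WHERE `$keyColumn` = :id";
    $stmt = $db->prepare($sql);
    $stmt->execute($params);               // values travel separately from the SQL
    return $stmt->rowCount();
}

$changed = updateRow($db, 'press', 'press_id', (int) $post['id'],
                     ['subject' => 'press_title', 'body' => 'press_release'], $post);
$title = $db->query("SELECT press_title FROM press WHERE press_id = 513")->fetchColumn();
echo "rows updated: $changed; stored title: $title\n";
```

The first UPDATE is caught as a syntax error; the second updates one row and stores the apostrophe verbatim, with no escaping step to forget.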

Trouble Taking a company name from one table an inserting it to another

Hi, I have a table full of company names; the problem I am having is that it is full of duplicates.
To resolve this I am using the following piece of code to remove the data from one table and then insert it into another using DISTINCT.
When I run the code, I keep getting the following error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's Group Holdings Ltd')' at line 4
If I remove the company name variable it inserts all of the IP addresses fine, but as soon as I try to insert a company name I get the above error.
$query = "SELECT DISTINCT ip_address, company_name, FROM companydetail1";
$result = mysql_query($query) or die(mysql_error());
while($row = mysql_fetch_array($result)){
$ip_address = $row['ip_address'];
$company_name = $row['company_name'] ;
mysql_real_escape_string($company_name);
mysql_real_escape_string($ip_address);
mysql_query("INSERT INTO companydetail30 (ip_address, company_name) VALUES ('$ip_address', '$company_name') ") or die(mysql_error());
}
Any suggestions would be appreciated.
Thanks
Not only does your code not work in its current state, it is also vulnerable to SQL injection because you are using mysql_real_escape_string incorrectly.
The mysql_real_escape_string function gives back the escaped string as its return value, so you need to assign it back to the variable to save the escaped string:
$company_name = mysql_real_escape_string($company_name);
$ip_address = mysql_real_escape_string($ip_address);
In your query with DISTINCT there is an error:
$query = "SELECT DISTINCT ip_address, company_name, FROM companydetail1";
There is a "," after company_name; it should not be there.
The query should be like this:
$query = "SELECT DISTINCT ip_address, company_name FROM companydetail1";
Secondly, you should do it like this:
$company_name = mysql_real_escape_string($company_name);
$ip_address = mysql_real_escape_string($ip_address);
