mysqli_real_escape_string not working - php

I just learned I had magic_quotes_gpc on (much to my chagrin). I turned that off.
My database connection is made prior to this query. I have the following:
$subject = mysqli_real_escape_string($link, $_POST["subject"]);
$body = mysqli_real_escape_string($link, $_POST["body"]);
$id = mysqli_real_escape_string($link, $_POST["id"]);
mysqli_query($link, "UPDATE press SET press_title = '$subject', press_release = '$body' WHERE press_id = '$id'") or die( mysqli_error($link) );
With magic quotes on, this works fine. Once I turn it off, single quotes jam up the works (with a MySQL syntax error at the quote). I thought I understood the concept but I must be missing something. Can someone explain what I'm doing wrong?
UPDATE
Error spit out by MySQL:
you have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's what she said' at line 1
UPDATE #2
Here's the echoed query:
UPDATE press SET press_title = \'That\'s what she said\', press_release = \'That\'s what she said again!\' WHERE press_id = \'513\'

Use a parametrized query:
$stmt = mysqli_prepare($link, "UPDATE press SET press_title = ?, press_release = ? WHERE press_id = ?") or die (mysqli_error($link));
mysqli_stmt_bind_param($stmt, "ssi", $_POST['subject'], $_POST['body'], $_POST['id']);
mysqli_stmt_execute($stmt);
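The prepared-statement approach from the answer, carried through as a complete added example (this is not the asker's or the answerer's code). It assumes an existing mysqli connection in $link and the press table from the question (press_id, press_title, press_release); the sample subject and body are constructed values standing in for the form fields. The point it adds is that with a bound parameter the apostrophe in "That's" never reaches the SQL text, so neither magic quotes nor mysqli_real_escape_string has anything to escape, and the result can be checked through the affected-row count instead of or die().

```php
<?php
// Added example, not from the original question or answer.
// Assumes: $link is an open mysqli connection; table `press` exists as in the question.
declare(strict_types=1);

// Make mysqli throw exceptions instead of returning false that is easy to ignore.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Update one press release. Returns the number of affected rows:
 * 1 on success, 0 if no row has that id or the values were already identical.
 */
function updatePress(mysqli $link, int $id, string $subject, string $body): int
{
    $stmt = mysqli_prepare(
        $link,
        'UPDATE press SET press_title = ?, press_release = ? WHERE press_id = ?'
    );
    // "ssi": two strings, one integer. Values travel separately from the SQL
    // text, so no quoting or escaping is needed and none must be applied.
    mysqli_stmt_bind_param($stmt, 'ssi', $subject, $body, $id);
    mysqli_stmt_execute($stmt);
    $affected = mysqli_stmt_affected_rows($stmt);
    mysqli_stmt_close($stmt);
    return $affected;
}

// Validate the id before it gets anywhere near the query.
$id = filter_var($_POST['id'] ?? '513', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === false) {
    http_response_code(400);
    exit("invalid id\n");
}

// Constructed sample values standing in for $_POST['subject'] and $_POST['body'].
$subject = $_POST['subject'] ?? "That's what she said";
$body    = $_POST['body']    ?? "That's what she said again!";

$rows = updatePress($link, $id, $subject, $body);
echo $rows === 1 ? "updated press_id $id\n" : "no row changed for press_id $id\n";
```

If magic_quotes_gpc is ever re-enabled, the bound values would silently gain backslashes again; the fix for that belongs in php.ini (keep it off), not in the query code.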

Related

Subject Update Failed Mysql

Subject Update Failed!!You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '' at line 1
I am stuck here; can anyone help me with what I am missing in this code? The error is in the Update query.
Everything is ok, and I don't get any syntax error when I write the code (I am using the Dreamweaver code editor software). However, when I run it, I get this error:
//Process the form
$id= $current_subject["Id"];
$name=mysql_prep($_POST["Name"]);
$position=(int)$_POST["Position"];
$visible=(int)$_POST["Visible"];
$query="UPDATE subjects SET Name='{$name}',Position=$position,Visible=$visible WHERE Id={$id}";
$result= mysqli_query($conn, $query);
if($result && mysqli_affected_rows($conn)==1){
//success
$_SESSION["message"]="Subject updated.";
redirect_to("manage_content.php");
}else{
//Failure
$message="Subject Update Failed" . $conn->error;
}
Most likely you mistyped the parameter name. Echo your parameters first.
And use prepared statements to prevent SQL injections:
$dbh = new PDO('mysql:host=localhost;dbname=test', $user, $pass);
$query="UPDATE subjects SET Name = ? ,Position = ?,Visible = ? WHERE Id = ?";
$stmt = $dbh->prepare($query);
$stmt->bindParam(1, $name);
$stmt->bindParam(2, $position);
$stmt->bindParam(3, $visible);
$stmt->bindParam(4, $id);
$stmt->execute();
$affected = $stmt->rowCount(); // UPDATE returns no result set, so fetchAll() is wrong here; rowCount() gives the affected rows
Further reading: PDO.

Mysql update function

I have created a form that submits to the MySQL database. Now what I am trying to do is get it to update. The bit I'm having trouble with is the update query below; I just cannot figure out where I am going wrong.
<?php
/*
Attempt MySQL server connection. Assuming you are running MySQL
server with default setting (user 'root' with no password)
*/
include 'db.php';
// Check connection
if($link === false){
die("ERROR: Could not connect. " . mysqli_connect_error());
}
// Escape user inputs for security
$title = mysqli_real_escape_string($link, $_POST['title']);
$price = mysqli_real_escape_string($link, $_POST['price']);
$sqm = mysqli_real_escape_string($link, $_POST['sqm']);
$sqm_land = mysqli_real_escape_string($link, $_POST['sqm_land']);
$type = mysqli_real_escape_string($link, $_POST['type']);
$area = mysqli_real_escape_string($link, $_POST['area']);
$location = mysqli_real_escape_string($link, $_POST['location']);
$bedroom = mysqli_real_escape_string($link, $_POST['bedroom']);
$terrace = mysqli_real_escape_string($link, $_POST['terrace']);
$orientation = mysqli_real_escape_string($link, $_POST['orientation']);
$water = mysqli_real_escape_string($link, $_POST['water']);
$seaview = mysqli_real_escape_string($link, $_POST['seaview']);
$pool = mysqli_real_escape_string($link, $_POST['pool']);
$ownerinfo = mysqli_real_escape_string($link, $_POST['ownerinfo']);
$gaddress = mysqli_real_escape_string($link, $_POST['gaddress']);
$description = mysqli_real_escape_string($link, $_POST['description']);
// attempt insert query execution
$sql = "update INTO property (title, price, sqm, sqm_land, type, area, location, bedroom, terrace, orientation, water, seaview, pool, ownerinfo, gaddress, description) VALUES
('$title', '$price', '$sqm', '$sqm_land', '$type', '$area', '$location', '$bedroom', '$terrace', '$orientation', '$water', '$seaview', '$pool', '$ownerinfo', '$gaddress', '$description' )";
if(mysqli_query($link, $sql)){
echo "Records updated successfully.";
} else{
echo "ERROR: Could not able to execute $sql. " . mysqli_error($link);
}
// close connection
mysqli_close($link);
?>
You're using the wrong syntax for UPDATE.
Read the manual:
http://dev.mysql.com/doc/en/update.html
What you're using is INSERT syntax. http://dev.mysql.com/doc/en/insert.html
Example from the manual:
UPDATE t1 SET col1 = col1 + 1, col2 = col1;
and use a WHERE clause, otherwise you will be updating your entire db.
Example from the manual:
UPDATE items,month SET items.price=month.price
WHERE items.id=month.id;
So in your case and for example (fill in the rest):
UPDATE property SET title = '$title', price = '$price' ... WHERE column = ?
column being the column name you want to target and the ? being the row.
Your mysqli_error($link) would have thrown you something about it.
Sidenote: "Teach a person how to fish, rather than throwing them a fish".
However, if the goal here is to INSERT, then you need to use INSERT INTO table and not UPDATE INTO table.
Also make sure your form uses a POST method and that all POST arrays contain values.
Add error reporting to the top of your file(s) which will help find errors.
<?php
error_reporting(E_ALL);
ini_set('display_errors', 1);
// Then the rest of your code
Sidenote: Displaying errors should only be done in staging, and never production.
Footnotes:
The MySQL API used to connect with in db.php is unknown. Make sure you are using the same API you are using to query with, being mysqli_. Different APIs do not intermix.
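An added example (not the asker's or the answerer's code) showing what the UPDATE for this sixteen-column form looks like once the column list is a whitelist and every value is a bound parameter, with a mandatory WHERE key so the whole table can never be updated by accident. It assumes a mysqli connection in $link and a primary-key column named id, which the question does not show; the submitted values are constructed.

```php
<?php
// Added example, not part of the question or the answers above.
// Assumes: $link is an open mysqli connection; `property` has a key column `id` (assumption).
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Only these columns may ever be written; anything else submitted is ignored.
const PROPERTY_COLUMNS = [
    'title', 'price', 'sqm', 'sqm_land', 'type', 'area', 'location', 'bedroom',
    'terrace', 'orientation', 'water', 'seaview', 'pool', 'ownerinfo', 'gaddress',
    'description',
];

/**
 * Update one property row. $fields is column => value; a column outside the
 * whitelist is rejected rather than interpolated. Returns the affected row count.
 */
function updateProperty(mysqli $link, int $id, array $fields): int
{
    $setParts = [];
    $values   = [];
    foreach ($fields as $column => $value) {
        if (!in_array($column, PROPERTY_COLUMNS, true)) {
            throw new InvalidArgumentException("column not allowed: $column");
        }
        // Column names come from the whitelist, so placing them in the SQL is safe.
        $setParts[] = "`$column` = ?";
        $values[]   = (string) $value;
    }
    if ($setParts === []) {
        throw new InvalidArgumentException('nothing to update');
    }

    // The WHERE clause is part of the template, not optional.
    $sql  = 'UPDATE `property` SET ' . implode(', ', $setParts) . ' WHERE `id` = ?';
    $stmt = mysqli_prepare($link, $sql);

    // All SET values bound as strings, the id as an integer.
    $types    = str_repeat('s', count($values)) . 'i';
    $values[] = $id;
    mysqli_stmt_bind_param($stmt, $types, ...$values);
    mysqli_stmt_execute($stmt);
    $affected = mysqli_stmt_affected_rows($stmt);
    mysqli_stmt_close($stmt);
    return $affected;
}

// Constructed sample input standing in for the submitted form.
$posted = [
    'title'    => "Villa 'Mar Azul'",  // the apostrophe is harmless when bound
    'price'    => '250000',
    'bedroom'  => '3',
    'id'       => '42',
    'is_admin' => '1',                 // not in the whitelist: dropped below
];

$id = filter_var($posted['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === false) {
    exit("invalid id\n");
}
// Keep only whitelisted columns that were actually submitted.
$fields = array_intersect_key($posted, array_flip(PROPERTY_COLUMNS));

echo 'rows affected: ' . updateProperty($link, $id, $fields) . "\n";
```

For an INSERT the same whitelist drives the column list and a matching run of ? placeholders; the only part that changes is the SQL template, not the way values are passed.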
Your syntax is incorrect, it should be formatted like this:
$sql = "UPDATE property SET title='$title'";
You'll have to add all the name/value pairs separated by commas since I only included 'title.'

PHP MySQL Syntax Error

I have made a PHP file to which parameters are passed through the GET method.
The problem is that when I am passing parameters it is saying:
Parameters using Following URL:
http://www.akshay.site90.net/sendlats.php?username=rakesh&lat=30.13348419&longitude=77.28685067
MySQL query failedYou have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' longitude=77.28685067 WHERE `username`=rakesh' at line 1
The code of my PHP file is given below; please have a look:
<?php
$username = $_GET['username'];
$latitude = $_GET['latitude'];
$longitude = $_GET['longitude'];
$con = mysql_connect("mysql3.000webhost.com","a2418693_GCM","[passwordhere");
if(!$con){
die('MySQL connection failed'.mysql_error());
}
$db = mysql_select_db("a2418693_GCM",$con);
if(!$db){
die('Database selection failed'.mysql_error());
}
$sql = "UPDATE driver SET lat=$latitude, longitude=$longitude WHERE `username`=$username";
if(!mysql_query($sql, $con)){
die('MySQL query failed'.mysql_error());
}
mysql_close($con);
IMPORTANT!
Try to avoid SQL-Injection situation.
Before using these values:
$username = $_GET['username'];
$latitude = $_GET['latitude'];
$longitude = $_GET['longitude'];
...
filter, escape, or prepare them in order to have a safe query to your database.
The best way is to use PDO.
use this:
$sql = "UPDATE driver SET lat='$latitude', longitude='$longitude' WHERE `username`='$username'";
instead of this:
$sql = "UPDATE driver SET lat=$latitude, longitude=$longitude WHERE `username`=$username";
your variables must be quoted.
Try as below, you have missed quotes for variable $username:
$sql = "UPDATE driver SET lat=$latitude, longitude=$longitude WHERE `username`='".$username."'";
You are missing quotes for both field names and variable names:
$sql = "UPDATE driver
SET `lat` = '".$latitude."',
`longitude` = '".$longitude."'
WHERE `username` = '".$username."'";
PS: Don't forget the "." concat operator for PHP!

PHP PDO Update SQL Syntax Error

I am new to PDO and I'm trying to build my own CRUDS application. I already created CRD but I'm getting stuck with Updating user information. It seems that I have a problem with my syntax, but I thoroughly checked the documentation and I can't figure out what is wrong with the code. It's passing me this error:
ERROR: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Doe, email=johndoe#gmail.com, location=New York City WHERE id=1' at line 1
Here is my code:
include('database.inc.php');
if (isset($_POST['submit'])) {
$id = $_POST['userId']; // 1
$name = $_POST['employee_name']; // John Doe
$email = $_POST['email']; // johndoe#gmail.com
$location = $_POST['location']; // New York City
try {
$query = "UPDATE users SET employee_name=$name, email=$email, location=$location WHERE id=$id";
$statement = $conn->prepare($query);
$statement->execute();
header('Location: ../index.php');
} catch(PDOException $e) {
echo 'ERROR: ' .$e->getMessage();
}
}
The problem with your code is that you didn't put quotes around the string values in the SQL. But you should use parametrized queries, not substitute variables into the SQL. This solves the quoting problem, and also prevents SQL injection.
$query = "UPDATE users SET employee_name=:name, email=:email, location=:location WHERE id=:id";
$statement = $conn->prepare($query);
$statement->execute(array(':name' => $name,
':email' => $email,
':location' => $location,
':id' => $id));
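An added example (not code from any of the questions or answers) that carries the PDO advice given for the `subjects` update earlier on this page and for the `users` update here through to a complete routine: exceptions enabled, named placeholders, the key column bound explicitly as an integer, and the affected-row count checked. It assumes a MySQL database behind the placeholder DSN and credentials shown; the user values are constructed.

```php
<?php
// Added example, not part of the original questions or answers.
// Assumes: a MySQL database reachable with the placeholder DSN/credentials below.
declare(strict_types=1);

$dbh = new PDO(
    'mysql:host=localhost;dbname=test;charset=utf8mb4', // placeholder DSN
    'db_user',                                           // placeholder user
    'db_pass',                                           // placeholder password
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // throw, never fail silently
        PDO::ATTR_EMULATE_PREPARES => false,                  // let MySQL do the preparing
    ]
);

/**
 * Update one user. Returns the affected row count. Throws on SQL errors, on a
 * missing or invalid id, and (HY093) if a placeholder is left unbound, which is
 * the PDO equivalent of the "echo your parameters first" advice.
 */
function updateUser(PDO $dbh, $rawId, string $name, string $email, string $location): int
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        // An empty id would otherwise end the SQL in "WHERE id=" and produce
        // the "near '' at line 1" syntax error seen on this page.
        throw new InvalidArgumentException('id must be a positive integer');
    }

    $stmt = $dbh->prepare(
        'UPDATE users SET employee_name = :name, email = :email, location = :location WHERE id = :id'
    );
    $stmt->bindValue(':name',     $name,     PDO::PARAM_STR);
    $stmt->bindValue(':email',    $email,    PDO::PARAM_STR);
    $stmt->bindValue(':location', $location, PDO::PARAM_STR);
    $stmt->bindValue(':id',       $id,       PDO::PARAM_INT);
    $stmt->execute();

    // UPDATE returns no result set: never call fetch()/fetchAll() on it.
    return $stmt->rowCount();
}

// Constructed sample values standing in for the form fields.
$rows = updateUser($dbh, '1', "John O'Doe", 'johndoe@example.com', 'New York City');
echo $rows === 1 ? "user updated\n" : "no row matched or values unchanged\n";
```

bindValue() with an explicit PDO::PARAM_INT is used rather than bindParam() so that the id is sent as a number even when the form delivers it as a string.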
Try surrounding the variables in the statement with single quotes ( ' )
$query = "UPDATE users SET employee_name='$name', email='$email',
location='$location' WHERE id='$id'";

MySQL UPDATE syntax error - Everything is ok?

I've got an error with my update query in PHP... I've seen other people's mistakes, and I'm almost certain I'm not making the same old mistakes, but I may be ignoring one.
This is my code:
$sQuery = "UPDATE clientes
SET
Nombre = '$_POST[Nombre]',
Apellidos = '$_POST[Apellidos]',
Telefono = '$_POST[Telefono]',
Email = '$_POST[Email]',
WHERE ID= $sIDCliente";
First I thought it had a problem with the $_POST's, but when I echoed the query, it was all right. The error I get is this one:
You have an error in your SQL syntax; check the manual that corresponds to
your MySQL server version for the right syntax to use
near 'WHERE ID= F17DEF774C' at line 7
Well, that's what the page outputs. Thank you all before hand :)
You have an extra comma in the row
Email = '$_POST[Email]',
should be
Email = '$_POST[Email]'
edit:
Also I should mention that you are better off using parameterized queries, and then binding the parameters. It makes your database transactions more secure.
So in your case it would look like this
$mysqli = new mysqli('localhost', 'my_user', 'my_password', 'world');
$stmt = $mysqli->prepare("
UPDATE clientes
SET
Nombre = ?,
Apellidos = ?,
Telefono = ?,
Email = ?
WHERE ID= ?
");
// All five bound as strings ('sssss'): the ID in the error message (F17DEF774C) is not numeric, so the 'd' (double) type would mangle it. Array keys must be quoted strings.
$stmt->bind_param('sssss', $_POST['Nombre'], $_POST['Apellidos'], $_POST['Telefono'], $_POST['Email'], $sIDCliente);
$stmt->execute();
