Using a PHP variable within a MySQL query string WHERE clause - php

What exactly is the correct syntax for adding PHP variables to a MySQL string?
This is my query:
"SELECT cd.SectionID, cd.CompanyName, cd.ShowOnSite, cd.LiveDate, cd.EndDate, cds.SiteID, s.SiteName
FROM CompanyDirectory cd
LEFT JOIN CompanyDirectorySections cds ON cd.SectionID = cds.SectionID
LEFT JOIN Sites s ON cds.SiteID = s.SiteID
WHERE s.SiteID = " . $id . " AND cd.ShowOnSite = 'y'
ORDER BY cd.EndDate DESC"
But it throws the following:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'AND cd.ShowOnSite = 'y' ORDER BY cd.EndDate DESC' at line 5
I have also tried WHERE s.SiteID = $id and WHERE s.SiteID = '" . $id . "' but to no avail. The former gives a blank screen, and the latter gives the aforementioned error. The variable is an integer.
I have tried the query in phpMyAdmin and it works perfectly, substituting the variable for an actual ID.
Note: if it's important, $id has been received from a form via $id = $_POST['id']; before the query, and then stripped and escaped.
Thanks.

If MySQL is saying there is an error near "AND cd.ShowOnSite = 'y'", this normally means there's an issue with whatever comes before it - in this case, the $id.
Can you print out the query in your PHP file? This may show you that $id is in fact blank, which would make the query look like "WHERE s.SiteID = AND cd.ShowOnSite = 'y'".
If it's blank, there's obviously something wrong with the $id value which you will need to sort out before your MySQL code.
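A worked version of the advice above, added here as an example and not part of the original question or answer: the posted id is validated as an integer before the query is built, and is then bound through PDO instead of being concatenated into the SQL. The function and table contents are constructed for the example; it runs against an in-memory SQLite database so it needs no MySQL server, and the same PDO calls work unchanged with the mysql driver.

```php
<?php
// Added example (not the asker's code): validate the posted id as an integer
// before it reaches the query, then bind it with PDO instead of concatenating.
// Runs against an in-memory SQLite database with constructed rows so that it
// needs no MySQL server; the PDO calls are the same with the mysql driver.

function connectWithSampleData(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE CompanyDirectory (SectionID INTEGER, CompanyName TEXT, ShowOnSite TEXT, LiveDate TEXT, EndDate TEXT)');
    $pdo->exec('CREATE TABLE CompanyDirectorySections (SectionID INTEGER, SiteID INTEGER)');
    $pdo->exec('CREATE TABLE Sites (SiteID INTEGER, SiteName TEXT)');
    // Constructed sample rows.
    $pdo->exec("INSERT INTO Sites VALUES (1, 'Main'), (2, 'Partner')");
    $pdo->exec("INSERT INTO CompanyDirectorySections VALUES (10, 1), (11, 1), (12, 2)");
    $pdo->exec("INSERT INTO CompanyDirectory VALUES
        (10, 'Acme', 'y', '2012-01-01', '2012-06-30'),
        (11, 'Globex', 'n', '2012-01-01', '2012-12-31'),
        (12, 'Initech', 'y', '2012-01-01', '2012-09-30')");
    return $pdo;
}

// Returns the directory rows for one site. $rawId is whatever came out of the
// form, e.g. $_POST['id'] ?? null.
function companiesForSite(PDO $pdo, $rawId): array
{
    // FILTER_VALIDATE_INT rejects '', null, 'abc', '1.5' and '1 OR 1=1', so a
    // blank id becomes a clear application error here instead of the MySQL
    // syntax error near "AND cd.ShowOnSite" that an empty string produces.
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false) {
        throw new InvalidArgumentException('id must be an integer, got ' . var_export($rawId, true));
    }

    $sql = "SELECT cd.SectionID, cd.CompanyName, cd.ShowOnSite, cd.LiveDate, cd.EndDate, cds.SiteID, s.SiteName
            FROM CompanyDirectory cd
            LEFT JOIN CompanyDirectorySections cds ON cd.SectionID = cds.SectionID
            LEFT JOIN Sites s ON cds.SiteID = s.SiteID
            WHERE s.SiteID = :id AND cd.ShowOnSite = 'y'
            ORDER BY cd.EndDate DESC";
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);   // the server sees an integer, never SQL text
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = connectWithSampleData();
print_r(companiesForSite($pdo, '1'));   // Acme only: Globex has ShowOnSite = 'n'
try {
    companiesForSite($pdo, '');          // what a missing or blank form field looks like
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

The validation step is what turns "near 'AND cd.ShowOnSite'" into an error that names the real cause. If you still want to see the SQL for debugging, echo `$sql` next to a `var_export()` of the bound values; the text never contains the values, so there is nothing to misquote.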


check the manual that corresponds to your MySQL server version

I can't figure out what the problem with this code is.
I keep getting the error
Notice: Undefined index: userID in C:\wamp\www\myProject\editProfile\edit_save.php on line 10
and
Could not run query: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '(UserID, matrix_num,student ,username ,town ,email , txtFavorite,noDate,txtMobil' at line 1
if($_GET) {
$noEdit = $_POST[''];
//"SELECT *FROM "
$sql = "SELECT * FROM tblmyprofile where student='$name', username='$username', matrix_num='$matric', town='$town' and mail='$email'";
$query = mysql_query($sql, $masuk,$boleh) or die ("Gagal query".mysql_error());
$data = mysql_fetch_array($query);
}
The comma operator is invalid in the WHERE clause.
It looks like you wanted logical AND or OR operators, in a query of something like this form:
SELECT t.*
FROM tblmyprofile t
WHERE t.student = 'fee'
AND t.username = 'fi'
AND t.matrix_num = 'fo'
AND t.town = 'fum'
AND t.mail = 'foo'
But that's a very odd construct for a SQL query; there's nothing invalid about it, but usually, with SELECT, we intend to retrieve rows based on a few predicates and then get the values from the row back.
For debugging issues with SQL queries, it's often a good idea to string together the SQL text you intend to send to the database, and then echo (or printf or var_dump) the string, e.g.
$sql = "SELECT col, expr, col FROM mytable WHERE col = 'abc'";
echo $sql;
Then, reference $sql in the call to parse and execute a SQL statement.
I believe part of the issue you are encountering may be the construction of the string containing the SQL text. Some languages are persnickety about including variables and quotes within string literals.
e.g.
$sql = " WHERE t.fee = '" . mysql_real_escape_string($foo) . "'"
. " AND t.fi = '" . mysql_real_escape_string($bar) . "'"
. ... ;
Again, after you put together the SQL text, echo it out for debugging, and verify that it's the string you intend to send to the database.
Also note that the mysql_ interface is deprecated. New development should be using mysqli_ or PDO. Also note that including any unsafe variables in SQL text can lead to SQL injection vulnerabilities. Either "escape" special characters in variables you include in the SQL text, or better, use prepared statements with bind parameters, to avoid SQL injection.

Error when preparing query - MySQLi class "SHOW TABLES LIKE" error

I am using this database class for my project: GitHub.
When trying to execute a SHOW query to determine whether a table exists or not I receive this error:
Fatal error: Problem preparing query (SHOW TABLES LIKE users) You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'users' at line 1 in mysqli.php on line 679
The query looks like this:
$result = $DATABASE->rawQuery("SHOW TABLES LIKE " . $TABLE);
$TABLE is obviously filled with a string, I double checked that.
Any idea what could be wrong?
You probably missed the quotes:
$result = $DATABASE->rawQuery("SHOW TABLES LIKE '" . $TABLE . "'");
The LIKE statement's value is wrong.
You should use:
Bad
$result = $DATABASE->rawQuery("SHOW TABLES LIKE 'value here' ");
Good
$result = $DATABASE->rawQuery("SHOW TABLES LIKE ? ");
$DATABASE->addParam($table);
I think you also want to add % in front of and after your $table :)
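An added example covering both answers above; it is not the asker's code and not part of the database class linked in the question. The point it demonstrates: a table name cannot be bound as an identifier, but the pattern after LIKE is ordinary string data and can be bound with a placeholder. Because LIKE treats % and _ as wildcards, the name is escaped before binding so that it is matched literally, and the % wrapping suggested in the second answer is shown for what it is: a substring search rather than an existence check. The functions below are my own. The example queries SQLite's sqlite_master catalogue in memory so it runs offline; with MySQL, SHOW TABLES LIKE ? takes the same escaped, bound pattern, and backslash is already MySQL's default LIKE escape character, so the ESCAPE clause used here for SQLite is not needed there.

```php
<?php
// Added example (not the asker's code nor the database class's): the table
// name after LIKE is string data, so it can be bound with a placeholder; what
// cannot be bound is an identifier such as a table name in FROM. The example
// runs against in-memory SQLite and queries its sqlite_master catalogue in
// place of MySQL's SHOW TABLES LIKE ?, which takes the same bound pattern.

// LIKE treats % and _ as wildcards. Escape them (and the escape character
// itself) so that a name like "user_log" is matched literally. The escape
// character is replaced first, so the backslashes added for % and _ are not
// escaped a second time.
function escapeLike(string $value, string $esc = '\\'): string
{
    return str_replace([$esc, '%', '_'], [$esc . $esc, $esc . '%', $esc . '_'], $value);
}

function tableExists(PDO $pdo, string $table): bool
{
    $stmt = $pdo->prepare("SELECT name FROM sqlite_master WHERE type = 'table' AND name LIKE ? ESCAPE '\\'");
    $stmt->execute([escapeLike($table)]);
    return $stmt->fetchColumn() !== false;
}

// Wrapping the pattern in % (as suggested in the answer above) turns the
// check into a substring search: "users" then also finds "users_archive".
function tablesContaining(PDO $pdo, string $fragment): array
{
    $stmt = $pdo->prepare("SELECT name FROM sqlite_master WHERE type = 'table' AND name LIKE ? ESCAPE '\\' ORDER BY name");
    $stmt->execute(['%' . escapeLike($fragment) . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
foreach (['users', 'users_archive', 'user_log'] as $t) {   // constructed schema
    $pdo->exec("CREATE TABLE $t (id INTEGER)");
}

var_dump(tableExists($pdo, 'users'));      // true
var_dump(tableExists($pdo, 'user_log'));   // true: the _ is escaped and matched literally
var_dump(tableExists($pdo, 'user%'));      // false: without escapeLike() the % would match user_log
print_r(tablesContaining($pdo, 'users'));  // users, users_archive
```

If the table name itself comes from user input, binding it as a LIKE pattern keeps it out of the SQL text, but the safer design is to compare it against a fixed list of table names your application knows about and refuse anything else.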

Use array in where clause not working

Hi, I have a query in a PHP file which is used to filter the data from a MySQL database:
$_SESSION['sc_session'][$this->Ini->sc_page]['grid_deposit']['where_orig'] = " where Reg_no = \"69\"";
In this line, if I change the 69 to any other value the data is modified, but if I use an array instead of 69 then it's not working, like this:
$_SESSION['sc_session'][$this->Ini->sc_page]['grid_deposit']['where_orig'] = " where Reg_no = " . $fc . "";
But if I use
$fc = 69;
echo $fc;
then it's working, but not on that line. Please tell me how to code this. The error I get is:
Error
Error while accessing the database:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
select count(*) from deposit where Reg_no =
From your Reg_no = \"69\""
and your Reg_no = " . $fc . ""
are you not missing the "" around $fc?
$_SESSION['sc_session'][$this->Ini->sc_page]['grid_deposit']['where_orig'] = " where Reg_no = \"" . $fc . "\"";
to match your 69 example.
In your original question you stated this error text
Error
Error while accessing the database:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
select count(*) from deposit where Reg_no =
If $fc were an array you would see that in the query. If I remember correctly it would look like this:
Error
Error while accessing the database:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
select count(*) from deposit where Reg_no = Array
As it does not, I assume that the variable $fc is empty. Did you check the variable? Or better, build the query and log it somewhere to check the query as it gets sent to the SQL server.
As mentioned, if it were an array, PHP would convert it, when wrongly used, to the text "Array", which you should find in the query.
I guess you are trying to do something like
"where Reg_no IN (".implode(",", $fc).")";
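The IN form suggested above, as an added example that is not part of the original question or answer: the array is expanded into one placeholder per element and the values are bound, instead of being implode()-ed straight into the SQL text. It also handles the empty array, which would otherwise produce "IN ()" and fail with a syntax error much like the "near ''" one quoted in the question. The function name, table contents and in-memory SQLite database are constructed for the example.

```php
<?php
// Added example (not the asker's code): expand an array into "IN (?, ?, ?)"
// with one placeholder per element and bind the values, instead of
// implode()-ing raw values into the SQL. The empty array is handled in PHP,
// because "IN ()" is a syntax error and would fail in much the same way as
// the "near ''" error quoted above. In-memory SQLite with constructed rows.

function countDeposits(PDO $pdo, array $regNos): int
{
    if ($regNos === []) {
        return 0;   // nothing can match an empty list; do not send "IN ()"
    }
    $placeholders = implode(', ', array_fill(0, count($regNos), '?'));
    $stmt = $pdo->prepare("SELECT COUNT(*) FROM deposit WHERE Reg_no IN ($placeholders)");
    $stmt->execute(array_values($regNos));   // positional binding needs a 0-indexed list
    return (int) $stmt->fetchColumn();
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE deposit (id INTEGER, Reg_no TEXT, amount INTEGER)');
// Constructed rows.
$pdo->exec("INSERT INTO deposit VALUES (1, '69', 100), (2, '69', 250), (3, '70', 75), (4, '71', 10)");

echo countDeposits($pdo, ['69']), "\n";             // 2
echo countDeposits($pdo, ['69', '70']), "\n";       // 3
echo countDeposits($pdo, []), "\n";                 // 0, and no query is sent
echo countDeposits($pdo, ['69" OR "1"="1']), "\n";  // 0: bound as one literal string, not as SQL
```

If $fc may be either a single value or an array, normalise it first with `(array) $fc`; the expansion then works for both. Building the placeholder list from `count($regNos)` is safe because only the count, never the contents, reaches the SQL text.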

Order results by category

I'm trying to order my blog posts by user-defined category, i.e., the one they click on my blog page.
Here's my code thus far,
$cat = mysql_real_escape_string($_GET['category']);
$sql = "SELECT * FROM php_blog WHERE category = $cat ORDER BY timestamp";
$result = mysql_query($sql) or print ("Can't select entry from table php_blog.<br />" . $sql . "<br />" . mysql_error());
But that gives me this error,
Can't select entry from table php_blog.
SELECT * FROM php_blog WHERE category = Update ORDER BY timestamp
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Update ORDER BY timestamp' at line 1
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/funding9/public_html/jbblog/htdocs/category.php on line 91
$sql = "SELECT * FROM php_blog WHERE category = '" . mysql_real_escape_string($cat) . "' ORDER BY timestamp";
The string needed to be quoted (in your example it was Update, needs to be 'Update'), and also I ran it through mysql_real_escape_string() to protect you from SQL Injection.
MySQL uses backticks to allow you to escape names. You should be using something like the following:
$cat = mysql_real_escape_string($_GET['category'], $mysql_link);
$queryString = "SELECT * FROM `php_blog` WHERE `category` = '$cat' ORDER BY `timestamp`";
Supplying the link will make sure it is escaped for that connection, where different databases may have different configurations and require different things to be escaped in them.
You may also want to look into the use of prepared statements with MySQLi as well. That takes the difficulty out of knowing which input needs to be escaped, how it should be quoted and even some of the verification.
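An added example illustrating the caveat behind both answers above; it is not the answerers' code. Escaping the value and then placing it in the SQL without quotes, as in the question's "category = $cat", does not stop SQL injection: mysql_real_escape_string() only rewrites the characters \ ' " NUL \n \r and Ctrl-Z, so an input such as "1 OR 1=1" passes through unchanged and is executed as SQL. The legacyEscape() function below is my own stand-in that reproduces that character set, since the mysql_ extension is no longer available to run; the table rows are constructed and the database is in-memory SQLite, so the example runs offline.

```php
<?php
// Added example (not the answerers' code): escaping a value and then placing
// it in the SQL without quotes, as in the question's "category = $cat", does
// not stop SQL injection. mysql_real_escape_string() only rewrites the
// characters \ ' " NUL \n \r and Ctrl-Z, so "1 OR 1=1" passes through
// unchanged and is executed as SQL. legacyEscape() below reproduces that
// character set so the example runs without the removed mysql_ extension;
// the database is in-memory SQLite with constructed rows.

function legacyEscape(string $s): string
{
    return strtr($s, [
        "\\" => "\\\\", "'" => "\\'", '"' => '\\"', "\0" => "\\0",
        "\n" => "\\n", "\r" => "\\r", "\x1a" => "\\Z",
    ]);
}

// The pattern from the question: escaped, but not quoted.
function postsByCategoryVulnerable(PDO $pdo, string $cat): array
{
    $sql = "SELECT * FROM `php_blog` WHERE `category` = " . legacyEscape($cat) . " ORDER BY `timestamp`";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// A prepared statement: the value travels separately from the SQL text, so
// quoting and escaping are no longer the application's problem.
function postsByCategory(PDO $pdo, string $cat): array
{
    $stmt = $pdo->prepare("SELECT * FROM `php_blog` WHERE `category` = :cat ORDER BY `timestamp`");
    $stmt->execute([':cat' => $cat]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE `php_blog` (`id` INTEGER, `title` TEXT, `category` TEXT, `timestamp` INTEGER)');
// Constructed rows; 'Private' is the one a visitor should never see.
$pdo->exec("INSERT INTO `php_blog` VALUES (1, 'First post', 'Update', 1000), (2, 'Draft', 'Private', 1100), (3, 'Second post', 'Update', 1200)");

$attack = '1 OR 1=1';
var_dump(legacyEscape($attack) === $attack);                // true: nothing in it gets escaped
echo count(postsByCategoryVulnerable($pdo, $attack)), "\n";  // 3: every row, including 'Private'
echo count(postsByCategory($pdo, $attack)), "\n";            // 0: no category is literally '1 OR 1=1'
echo count(postsByCategory($pdo, 'Update')), "\n";           // 2
```

Quoting the escaped value, as the first answer does, closes this particular hole for string columns, but it still leaves correctness depending on the programmer remembering the quotes every time; the prepared statement removes that dependency, which is why the second answer points to it.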

What's wrong with this query?

I have this query, running from a PHP page:
$feed_sql = "SELECT id, title, description, rssDate
FROM feed
WHERE MATCH (title) AGAINST ('" . $rows['suburb'] . "')
AND NOT EXISTS(SELECT feed_id, recipient_id, issent
FROM tracking_table
WHERE tracking_table.feed_id = $feed_id
AND tracking_table.recipient_id = $recipient_id
AND tracking_table.issent = 'Y')
GROUP BY pubDate
ORDER BY pubDate DESC
LIMIT 1";
However, it returns the following errors upon running it:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'AND tracking_table.recipient_id =
AND tracki' at line 7
Line 7 being this:
AND tracking_table.recipient_id = $recipient_id
Some server information:
PHP Version 5.2.6-1+lenny9
MySQL Version 5.0.51a
Thanks :-)
As you can see here:
'AND tracking_table.recipient_id = AND tracki'
// value missing here --^
the value of $recipient_id seems to be empty and generates invalid syntax.
Perhaps $recipient_id is an empty string. Please check it.
