Issue with SQL updating php variable to the database - php

I have the code below that updates my database record.
$assign_id_input = $_POST['assign_id_input']; // Get ID input from user, it is always an integer
$assign_math = $_POST['input_math']; // Get the input from user
mysql_query("UPDATE free_ebook SET math = $assign_math WHERE useid = $assign_id_input;")or die(mysql_error());
I will display the SQL error below
You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use
near 'WHERE useid = 8' at line 1

I bet your 'math' column is a String so you have to secure the String with quotes around your variable.
mysql_query("UPDATE free_ebook SET math = '$assign_math' WHERE useid = $assign_id_input;") or die(mysql_error());

Math data is in string format and it should be passed like a string
mysql_query("UPDATE free_ebook SET math = '$assign_math' WHERE useid = $assign_id_input;")or die(mysql_error());

You should enclose variable names in the SQL query with single quotes like this:
Code:
mysql_query("UPDATE free_ebook SET math = '$assign_math' WHERE useid = '$assign_id_input'");

' is only used for column values, and it is for text/date/varchar types. Please take a look at the column value which you are updating.
mysql_query("UPDATE free_ebook SET math = '$assign_math' WHERE useid = $assign_id_input");

You have ; inside the query, take it out
mysql_query("UPDATE free_ebook SET math = '$assign_math' WHERE useid = $assign_id_input")or die(mysql_error());

Related

update data in existing row in mysql database

I have a table called pack_details with 4 columns. I'm trying to insert new data into an existing table. Can somebody tell me what's wrong with my code and why I have a parse error?
$sql_query = "UPDATE pack_details SET $delivery_date = $_POST["delivery_date"], $delivery_time = $_POST["delivery_time"]
WHERE $delivery_building = $_POST["delivery_building"]
AND $delivery_room = $_POST["delivery_room"]";
Try any of the options below:
$sql_query = "UPDATE pack_details SET $delivery_date = '{$_POST['delivery_date']}', $delivery_time = '{$_POST['delivery_time']}' WHERE $delivery_building = '{$_POST['delivery_building']}' AND $delivery_room = '{$_POST['delivery_room']}'";
or
$sql_query = "UPDATE pack_details SET delivery_date = '".$_POST["delivery_date"]."', delivery_time = '".$_POST["delivery_time"]."' WHERE delivery_building = '".$_POST["delivery_building"]."' AND delivery_room = '".$_POST["delivery_room"]."'";
Note: If the field name doesn't contain $, remove $ from the field name in the query. E.g. "$delivery_date" should be "delivery_date"
Suggestion: Instead of using string concatenation to build the query, you should use bind parameters to pass values to the query. It helps to prevent SQL injection, and the code looks better as well.
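The bind-parameter approach suggested above, written out for the pack_details UPDATE (and applicable in the same way to the free_ebook question at the top of the page). This is an added example, not code from any of the answers: it uses PDO prepared statements, the column names are hard-coded and only values are bound, and the DSN, credentials and table layout are assumptions for illustration.

```php
<?php
// Added example (not from the original answers): the pack_details UPDATE rewritten
// with PDO prepared statements. Column names are hard-coded; only values are bound.
// DSN, credentials and the table layout are assumptions for illustration.
$pdo = new PDO('mysql:host=localhost;dbname=example;charset=utf8mb4', 'user', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // throw instead of failing silently
    PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares
]);

function updateDelivery(PDO $pdo, array $post): int
{
    $sql = 'UPDATE pack_details
               SET delivery_date = :date, delivery_time = :time
             WHERE delivery_building = :building AND delivery_room = :room';
    $stmt = $pdo->prepare($sql);
    // Values travel separately from the SQL text, so quotes, semicolons or
    // comment sequences in the input cannot change the statement itself.
    $stmt->execute([
        ':date'     => $post['delivery_date']     ?? '',
        ':time'     => $post['delivery_time']     ?? '',
        ':building' => $post['delivery_building'] ?? '',
        ':room'     => $post['delivery_room']     ?? '',
    ]);
    return $stmt->rowCount(); // number of rows actually changed
}

// Constructed sample input standing in for $_POST; the apostrophe in the
// building name needs no escaping because it is bound, not interpolated.
$sample = [
    'delivery_date'     => '2024-05-01',
    'delivery_time'     => '14:30',
    'delivery_building' => "O'Brien Hall",
    'delivery_room'     => '101',
];
$changed = updateDelivery($pdo, $sample);
echo "rows updated: $changed\n";
```

With ERRMODE_EXCEPTION set, a syntax or type error surfaces as a PDOException instead of being swallowed, which replaces the `or die(mysql_error())` pattern used throughout this page; rowCount() of 0 tells you the WHERE clause matched nothing, which is a different condition from an error.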

php mysql_query use variable as field name

I know that I shouldn't use mysql_query to make database queries, but I need to modify existing code.
What I need to do is to pass a PHP variable as a field name in an SQL query.
I've tried it this way:
$my_field = "field_name";
mysql_query("UPDATE my_table SET ".$my_field." =somevalue") or die(mysql_error());
but I've noticed that it's wrong, because the resulting query is
UPDATE my_table SET =somevalue
What's the correct way to do it?
you missed the closing quotes, change to:
mysql_query("UPDATE my_table SET ".$my_field." =somevalue") or die(mysql_error());
for checking, add the statement to a variable and echo it, as:
$my_field = "field_name";
$query = "UPDATE my_table SET ".$my_field." =somevalue";
echo $query; // see the output to check if it shows the correct statement
try this
$my_field = "my_field";
$my_value = "my_value";
$query = "UPDATE my_table SET $my_field=$my_value";
PHP allows variables to work inside double quotes
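A column name cannot be passed as a bound parameter, so the usual fix for a variable field name is to check it against a fixed list of permitted columns before it ever reaches the query, and to keep binding the value. The following is an added example rather than code from the question or answers; the table name, the column list and the PDO connection details are assumptions.

```php
<?php
// Added example (not from the original question or answers): a column name that
// comes from a variable is matched against a fixed whitelist and wrapped in
// backticks; the value is still bound as a parameter. Table name, columns and
// connection details are assumptions.
const UPDATABLE_COLUMNS = ['field_name', 'status', 'notes'];

function updateColumn(PDO $pdo, string $column, $value, int $id): int
{
    // Identifier check: exact, case-sensitive match against the whitelist.
    // Anything else is rejected before any SQL text is assembled.
    if (!in_array($column, UPDATABLE_COLUMNS, true)) {
        throw new InvalidArgumentException("column not updatable: $column");
    }
    $sql = 'UPDATE my_table SET `' . $column . '` = :value WHERE id = :id';
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':value', $value);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

$pdo = new PDO('mysql:host=localhost;dbname=example;charset=utf8mb4', 'user', 'secret',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

// Constructed inputs: the first column is on the list, the second is not and
// is refused without touching the database.
echo updateColumn($pdo, 'field_name', 'somevalue', 7), " row(s) updated\n";
try {
    updateColumn($pdo, 'password_hash', 'x', 7);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

The whitelist is the important part: backticks alone only quote the identifier, they do not make an attacker-chosen column name safe to update, and they do nothing to stop a request from targeting a column the caller should not be able to write.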

How do I update a query correctly

What's wrong with my code?
Basically what I'm trying to do is add a number and update a field in the SQL with what is connected to the variable. But since Steam IDs look like this, STEAM_0:0:123123123 or STEAM_0:1:123123123, I get this
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ':0:14166834' at line 1
This is just for learning, so I know my code has useless echos, but it's just to see it being added and making sure I was doing it correctly anyway
addmoney.php
<?php
include("inc/config.php");
$mysteamid=mysql_real_escape_string($_POST['mysteamid']);
$sql = "SELECT * FROM $tbl_name WHERE steamid='$mysteamid'";
$result=mysql_query($sql);
$cash=mysql_result($result, 0, 'cash'); // outputs 7th
echo $cash;
$newcash= $cash + "10000";
echo "\n";
echo $newcash;
mysql_query("UPDATE $tbl_name SET `cash` = $newcash WHERE `steamid` = $mysteamid") or die(mysql_error());
?>
index.php contains a working form; it's not really required for the error in my code.
My main problem is this line from addmoney.php, which is
mysql_query("UPDATE $tbl_name SET `cash` = $newcash WHERE `steamid` = $mysteamid") or die(mysql_error());
As your steamid field in your DB is a string (it seems to be, as possible values are STEAM_0:0:123123123 and STEAM_0:1:123123123), you must use quotes around the value:
mysql_query("UPDATE $tbl_name SET `cash` = $newcash WHERE `steamid` = '$mysteamid'");
Using mysql_real_escape_string() is necessary, as it escapes quotes inside the variable you pass it as a parameter -- but you still have to put quotes around the string in your SQL queries.
In the first query you surrounded your $mysteamid value with single quotes, and in the second query you didn't. If the steamid is a string type, you need to surround the value with quotes, like
"UPDATE $tbl_name SET `cash` = $newcash WHERE `steamid` ='$mysteamid'"
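The answers above are right that an escaped string still needs its surrounding quotes. With a prepared statement the question does not arise, because the driver sends the value separately from the SQL text; the example below is an added rewrite of addmoney.php, not the poster's code, using mysqli and doing the addition inside the UPDATE so there is no SELECT, no PHP-side arithmetic and no window in which two requests could read the same balance. Connection details and the table name are assumptions.

```php
<?php
// Added example (not from the original post): addmoney.php rewritten with mysqli
// prepared statements. The amount is added inside the UPDATE itself, so there is no
// separate SELECT and no window in which two requests can read the same balance.
// Connection details and $tbl_name are assumptions.
$db = new mysqli('localhost', 'user', 'secret', 'example');
$db->set_charset('utf8mb4');
$tbl_name = 'users'; // assumed table name (hard-coded, never taken from input)

function addCash(mysqli $db, string $table, string $steamid, int $amount): int
{
    // A Steam ID such as STEAM_0:0:123123123 contains ':' which broke the unquoted
    // query; with a placeholder the driver carries the value, so quoting is moot.
    $stmt = $db->prepare("UPDATE `$table` SET `cash` = `cash` + ? WHERE `steamid` = ?");
    $stmt->bind_param('is', $amount, $steamid); // i = integer, s = string
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected; // 0 means no row with that steamid (or nothing changed)
}

function getCash(mysqli $db, string $table, string $steamid): ?int
{
    $stmt = $db->prepare("SELECT `cash` FROM `$table` WHERE `steamid` = ?");
    $stmt->bind_param('s', $steamid);
    $stmt->execute();
    $stmt->bind_result($cash);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? (int) $cash : null;
}

// Constructed sample input standing in for $_POST['mysteamid']
$mysteamid = 'STEAM_0:0:14166834';
if (addCash($db, $tbl_name, $mysteamid, 10000) === 1) {
    echo "new balance: ", getCash($db, $tbl_name, $mysteamid), "\n";
} else {
    echo "no account for $mysteamid\n";
}
```

The `'is'` type string is what replaces the quoting decision in the original: the integer is sent as an integer and the Steam ID as a string, whatever characters it contains. Checking affected_rows is the replacement for the `or die(mysql_error())` idiom, since a well-formed UPDATE that matches no row is not an error and would otherwise pass silently.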

MySQL Query in PHP - Not Correct?

What is wrong with this query? It appears to be correct to me:
mysql_query("UPDATE culture SET cult_desc=$culture WHERE cult_id is $UID");
Modified it; NetBeans is still giving me an error. Here's my total code for the page:
$culture = $_POST["culture"];
if (isset($_POST["id"]))
$UID = $_POST["id"];
mysql_query("UPDATE culture SET cult_desc='$culture' WHERE cult_id=$UID");
else
mysql_query("INSERT INTO culture
VALUES(cult_desc='$culture')");
what's the value of $culture?
If it's a string, you'll need to encapsulate it with quotes.
Same thing for $UID.
Also, the 'is' in the where condition should be '='
Also: watch out with this code. Make sure that $culture and $UID cannot contain any malicious values (e.g. malicious input from users)
cult_desc is probably a string, so you need to wrap it with ' '
mysql_query("UPDATE culture SET cult_desc='$culture' WHERE cult_id = $UID");
Seeing the newly edited code, your update-statement is now correct, but your insert statement now is wrong.
Try:
mysql_query("INSERT INTO culture (cult_desc)
VALUES ('$culture')");
if cult_desc is a string then
mysql_query("UPDATE culture SET cult_desc='$culture' WHERE cult_id = $UID");
or
mysql_query("UPDATE culture SET cult_desc=$culture WHERE cult_id = $UID");
your problem is in the { and } of the if/else statement
$culture = $_POST["culture"];
if (isset($_POST["id"])){
$UID = $_POST["id"];
mysql_query("UPDATE culture SET cult_desc='$culture' WHERE cult_id=$UID");
}else{
mysql_query("INSERT INTO culture (cult_desc)
VALUES ('$culture')");
}
$sql = "UPDATE `culture` SET `cult_desc` = '$culture' WHERE `cult_id` = '$UID'";
Basically, you're using is instead of =
Depending on the data type of $culture and $UID you might be missing quotes. Cult_desc sounds like a string and thus $culture should be enclosed in quotes.
You should always check the output of mysql_error: http://php.net/manual/en/function.mysql-error.
I also usually use = instead of 'is' and also wrap all of my input data in quotation marks, e.g.
$sql = "UPDATE `culture` SET cult_desc = '".$culture."' WHERE cult_id = '".$UID."'";

Insert query problem with php mysql

This is a simple one. I am using the following insert query
mysql_query(insert into table1 set saltval = 'Y'Z' where uid ='1');
but it does not work because the value for the field saltval is Y'Z. My question is how to make this value be considered as a string.
You need to escape any single quotes with a backslash.
mysql_query("insert into table1 set saltval = 'Y\'Z' where uid ='1'");
However your SQL is invalid as well... Did you mean to do an update? Insert statements don't have a where.
As mentioned in other answers, if the input is from a user then you should use mysql_real_escape_string()
http://www.php.net/manual/en/function.mysql-real-escape-string.php
$string = mysql_real_escape_string("Y'Z");
mysql_query("insert into table1 set saltval = '{$string}' where uid ='1'");
Always use mysql_real_escape_string() function for this if values come from user input
$query="insert into table1 set saltval = '".mysql_real_escape_string($InputVal)."' where uid ='1'";
See http://php.net/manual/en/function.mysql-real-escape-string.php
You have to add a backslash to certain characters to make your string fit into SQL syntax rules.
Assuming you're creating your query dynamically, PHP has a special escaping function for this and you should use it for every quoted string in the query, no exceptions.
So, write your code like this:
$salt = "Y'Z";
$id = 1;
$salt = mysql_real_escape_string($salt);
$id = mysql_real_escape_string($id);
$sql = "update table1 set saltval = '$salt' where uid ='$id'";
mysql_query($sql) or trigger_error(mysql_error()." ".$sql);
to make it safe and fault-tolerant
