I'm working with a PHP site right now that connects to a database and selects off 1 of our tables to compare information. Currently we are running into an issue with the # sign when comparing our email with a record in the table.
Here is exactly what is happening:
We are using a SELECT statement to compare the variable $Email to find out what is the associated ID for the account. The problem is when comparing with $Email and we have turned error reporting on we can see that the #hotmail.com is causing an error by SQL syntax standards.
$id = "SELECT idaccount FROM `animator`.`account` WHERE email = $Email";
$result = mysqli_query($dbc, $id) or die("Error: ".mysqli_error($dbc));
The outcome is the following:
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '#hotmail.com' at line 1
Anyone got any ideas?
You should enclose the $Email value in single quotes, so the generated statement looks like this:
SELECT idaccount FROM `animator`.`account` WHERE email = 'something#hotmail.com'
Even better, you should prepare the statement and bind the value of $Email. Take a look here: http://php.net/manual/en/mysqli-stmt.bind-param.php
Related
I am trying to update my database with php and for that I have written the following query :
$query = " UPDATE users SET username = '$username' , password = '$password' WHERE id = $id ";
and the error is shown as :
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use
near '' at line 1
can you please help..
“syntax to use near ‘something’” shows the first few characters after the last part of the query that MySQL could parse. When ‘something’ is a zero-length string like in this case, it means the query ended before it was complete. That points to $id being an empty string.
You didn’t ask for comments on whether your query has other severe problems that will certainly lead to cybercreeps pwning your web site, so I won’t offer any such comments. :-)
I am currently attempting to create a dashboard for a personal trainer where they can update client records. I have a mySQL database and I am using PHP as the scripting language.
What I want to do: Be able to update client information via HTML input boxes. (Which I have already created). The first being username - which should correspond to a username in the mySQL database. Then the information in the next three input boxes should be inserted into the correct fields in the database.
The Problem: I currently cannot get the SQL statement to work correctly as the Client username is not recognized. This is the error message I am currently receiving :
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ') WHERE Client_username = JSmith' at line 1
JSMith is a valid username in the database.
Below is the PHP I am attempting to use:
//insert
$value1 = $_POST['height1'];
$value2 = $_POST['weight1'];
$value3 = $_POST['bodyfat1'];
$value4 = $_POST['username'];
$sql = "UPDATE client SET Height='$value1', Weight='$value2', Body_fat='$value3') WHERE Client_username = $value4";
if (!mysqli_query($con,$sql))
{
die('Error: ' . mysqli_error($con));
}
mysqli_close($con);
?>
My connection etc is working just fine.
If ayone could help me out that would be great!
Here's the deal.
The first error is coming from the bracket just before your where clause:
$sql = "UPDATE client SET Height='$value1', Weight='$value2', Body_fat='$value3') WHERE...
^ there
Remove it.
MySQL was telling you:
...right syntax to use near ') WHERE
^
Then, the "username" which is a string, needs to be treated as such, therefore wrapping the $value4 variable in your where clause with quotes.
WHERE Client_username = '$value4'
However, I need to point out that your present code is open to SQL injection. Use mysqli with prepared statements, or PDO with prepared statements, they're much safer.
An insight:
Make sure that your form contains name attributes to go with your POSTs, and contain no typos, and that letter-case matches.
Add error reporting to the top of your file(s) which will help find errors.
<?php
error_reporting(E_ALL);
ini_set('display_errors', 1);
// rest of your code
Sidenote: Error reporting should only be done in staging, and never production.
I am trying to update an SQL table with PHP.
I have a form that is submitted to the database - this is working fine.
I have retrieved the entries from the database and this is also working fine.
The problem I am having is when I try to update the database with additional information into the comment field (a 'cell' that already has information in).
Here is my SQL code. Can you please point me where the problem is?
There error I am getting is:
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '= 36tWHERE id = 0' at line 1
My code is below :
$commy = $_POST['comment'];
$ident = $_POST['id'];
$sql = "UPDATE issuelog".
"SET comment = $commy".
"WHERE id = $ident";
I know there are security issues here but this is only for localhost use at the moment and only by my self as an example.
You don't need to concatenate and you should put quotes around values.
$sql = "UPDATE issuelog
SET comment = '$commy'
WHERE id = '$ident';";
Update: As others pointed out you need spaces, but this is the reason you don't need to concatenate. By closing each line and concatenating, you are removing spaces between them. Be sure you use prepared statements, because as you said, this is subject to injections.
$sql = "UPDATE issuelog".
" SET comment = $commy".
" WHERE id = $ident";
You need spaces - try echoing out your $sql - you will see SET and WHERE are merged with the previous words.
I am working on a social networking site for my company and I am setting up the messaging system.
I have a table in the database called "mail" and for some reason the simplest SELECT query is returning an error.
here's the code:
$sql = "SELECT * FROM mail WHERE to='$username'";
$result = mysql_query($sql) or die(mysql_error());
while($row = mysql_fetch_assoc($result)){
$from = $row['from'];
$content = $row['content'];
echo "<tr><td>$from</td><td>$content</td></tr>";
}
It is returning this error; You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'to='cody'' at line 1
I have used this type of query with the same syntax a hundred times before I have no idea whats wrong this time.
A few notes: The database connection works fine, "to", "from" and "content" are columns in my "mail" table.
Thanks in advance for your help
TO is a reserved word. Try the following instead
$sql = "SELECT * FROM mail WHERE `to`='$username'";
Reserved words are permitted as
identifiers if you quote them as
described in Section 8.2,
Reference
"TO" is also a keyword try encapsulating the field name with a backtick `
I think the problem occurs due to this
to='$username'
$username is a Php variable so check out
I've been trying to query an email address using the following statement, however after hours of trying to escape the string successfully I've accepted defeat.
The query I am using is: SELECT id, email FROM user WHERE email = '$email'
That gives me an error:
MySQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '#gmail.com' at line 1
I'm sure it's simple.. I just can't seem to find an answer anywhere that works.
UPDATE #1
The code that I have been using is:
$email = "abc#gmail.com";
$sql = "SELECT id, email FROM user WHERE email = '$email'";
$result = mysql_query($sql) or die('Unable to connect: '.mysql_error());
UPDATE #2
The email comes from the Facebook connect API.
This is probably because you the E-Mail address that you get from Facebook connect contains quotes, e.g. something like
"Harry"#gmail.com
"Harry#gmail.com"
when pulling data from a web service (or from anywhere else), you need to escape the data to prevent SQL injection, and garbled queries like in your situation.
In your case:
$email = mysql_real_escape_string($email);