I'm trying to write a MySQL query in my PHP script which will update a field in the database; however, I get the error:
Fatal error: Wrong SQL: Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''user' SET 'currentsong' = '' WHERE 'userid' = '1893''
While using this code.
$setcurrentsongsql = "UPDATE 'user' SET 'currentsong' = '$currentsong' WHERE 'userid' = '$sql1'";
$setcurrentsong = $db->query($setcurrentsongsql);
I'm sure it's something simple however I'm completely baffled. Even if I replace the variables with just a normal string it doesn't work.
Thank you in advance for any help.
Use backticks, not single quotes, for table names and column names. Try the following:
$setcurrentsongsql = "UPDATE `user` SET `currentsong` = '$currentsong' WHERE `userid` = '$sql1'";
In MySQL, the identifier quote character is the backtick (`). This short page should give you a good understanding of the schema rules, identifiers and so on: http://dev.mysql.com/doc/refman/5.0/en/identifiers.html
MySQL uses the backtick ` for column and table names, and apostrophes ' for string constants. However, these aren't needed unless you're using a reserved keyword (such as your table actually being called "table") or your table or column name contains spaces (such as "my table").
You can use:
$setcurrentsongsql = "UPDATE `user` SET `currentsong` = '$currentsong' WHERE `userid` = '$sql1'";
Or:
$setcurrentsongsql = "UPDATE user SET currentsong = '$currentsong' WHERE userid = '$sql1'";
Also, if $currentsong comes from an untrusted source, you might want to worry about SQL injection.
The query I'm using (from php) is
"UPDATE articles SET
title='".$_POST['title']."',
contents='".$_POST['cont']."',
category='".$_POST['cat']."',
desc='".$_POST['desc']."'
WHERE stitle='".$_POST['stitle']."'";
and I get the error
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'desc='hello' WHERE stitle='banana'' at line 1.
If I remove desc='".$_POST['desc']."' the query works. The field 'desc' is varchar(150). I can insert text directly from phpMyAdmin, the field is definitely called 'desc', and $_POST['desc'] definitely captures a value (I tried using echo $_POST['desc']; and a value is passed). I tried changing the code to desc='test' and that doesn't work.
Any ideas?
I managed to resolve the issue. I created a new column in the table, copied the information from 'desc' into that column, deleted 'desc'. I ran the query with the new column name, and it works. I don't know what the issue was, but that fixed it.
The problem is that your $_POST['desc'] contains an apostrophe. I recommend using the function mysqli_real_escape_string on all parameters (doc: http://be2.php.net/manual/en/mysqli.real-escape-string.php).
Also, try to escape all rows and tables with backticks, to avoid reserved words creating errors.
Your query example looks like this with them:
// $mysqli is your mysqli connection object; real_escape_string is an instance method, not a static one
"UPDATE `articles` SET `title` = '".$mysqli->real_escape_string($_POST['title'])."', `contents` = '".$mysqli->real_escape_string($_POST['cont'])."', `category` = '".$mysqli->real_escape_string($_POST['cat'])."', `desc` = '".$mysqli->real_escape_string($_POST['desc'])."' WHERE `stitle` = '".$mysqli->real_escape_string($_POST['stitle'])."'";
If you are programming with procedural style calls to mysqli functions, use:
"UPDATE `articles` SET `title` = '".mysqli_real_escape_string($link, $_POST['title'])."', `contents` = '".mysqli_real_escape_string($link, $_POST['cont'])."', `category` = '".mysqli_real_escape_string($link, $_POST['cat'])."', `desc` = '".mysqli_real_escape_string($link, $_POST['desc'])."' WHERE `stitle` = '".mysqli_real_escape_string($link, $_POST['stitle'])."'";
(Obviously, replace $link with the variable initialized when you do mysqli_connect())
Using these functions, you can avoid these errors and also a lot of SQL exploits. It's not required if the variable contains an integer, but you always need to check the data passed to the SQL engine to avoid problems.
It is good practice to have some checks, for example testing whether integer vars contain integers, or escaping with mysqli::real_escape_string. And if something is incorrect in the input data, halt the process and don't run the SQL query.
I'm having problems trying to insert a key value (which I generate) into a table (jml_acymailing_subscriber).
$generateKey = md5(substr($email[1],0,strpos($email[1],'#')).rand(0,10000000));
$subid = 3603;
$sql2 = "UPDATE jml_acymailing_subscriber SET key='$generateKey', WHERE subid='$subid'";
$result2 = mysql_query($sql2,$con) or trigger_error(mysql_error(),E_USER_ERROR);
The key type is:
TYPE --> varchar(250)
COLLATION --> utf8_general_ci
NULL --> yes
DEFAULT --> NULL
And this is the error I get:
Fatal error: You have an error in your SQL syntax; check the manual that corresponds to
your MySQL server version for the right syntax to use near
'key='15e3e092aa8672a6f7ad3e8a5a1db537', WHERE subid='3603'' at line 1 in
/public_html/bootstrap3/donarAltaCatala.php on line 136
I have no problem inserting values like userid, name, created or any other ones. Does anyone know where the problem is? I'm starting in PHP/SQL...
Thank you! I really appreciate it!
key is a reserved word in MySQL, so use backticks: `key`
$sql2 = "UPDATE jml_acymailing_subscriber SET `key`='$generateKey' WHERE subid='$subid'";
http://dev.mysql.com/doc/refman/5.5/en/reserved-words.html
Remove the , after key='$generateKey' so that it looks like:
"UPDATE jml_acymailing_subscriber SET key='$generateKey' WHERE subid='$subid'";
Two things:
KEY is a reserved word in MySQL, so to use it as a field/table name it needs to be quoted with backticks (`)
...and...
"UPDATE jml_acymailing_subscriber SET key='$generateKey', WHERE subid='$subid'"
^ erroneous comma
Corrected, that would result in:
"UPDATE jml_acymailing_subscriber SET `key`='$generateKey' WHERE subid='$subid'"
Here's the function I created:
function get_phurl_option($option) {
$db_result = mysql_query("SELECT value FROM ".DB_PREFIX."options WHERE option = '$option'") or db_die(__FILE__, __LINE__, mysql_error());
$db_row = mysql_fetch_row($db_result);
return $db_row[0];
}
However, upon visiting a page that uses the function, I get the following error:
File: /usr/home/<removed>/includes/functions.php
Line: 28
Message: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'option = 'shortcode_type'' at line 1
I'm not sure why this would be. I've tried apostrophes, speech marks, and backticks, none of which seem to work. I can't figure out the problem here, so any help would be much appreciated.
option is a MySQL reserved word, so you need to enclose it in backticks:
$db_result = mysql_query("SELECT value FROM ".DB_PREFIX."options WHERE `option` = '$option'")
The specified error usually means that the field you're attempting to access is invalid or reserved by MySQL. Make sure you escape all variables in backticks:
SELECT `value` FROM `".DB_PREFIX."options` WHERE `option` = '$option'
Hello guys and girls, I'm trying to do a SQL update but I think I forgot a ' or a ".
I'm getting this error message:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''Brock'='1'WHERE username = 'admin'' at line 1
The fault lies within this bit of code; if I take the code out, the page loads with the rest of the scripts on it. But I need it to do the update.
$blah = mysql_query("UPDATE users SET '".$_SESSION['gymleader']."'='1'WHERE username = '".$_SESSION['username']."'")
or die(mysql_error());
Where am I going wrong?
You're missing a space between the '1' and the WHERE, if I am not mistaken. And you should use backticks (`) when you want to escape a column name.
So your code becomes:
$blah = mysql_query("UPDATE users SET `".$_SESSION['gymleader']."`='1' WHERE username = '".$_SESSION['username']."'")
Note the ` instead of the ' around the column name (right after the SET).
Further possible improvements:
In case the column is of type INT, you can replace the '1' by 1 (without the ')
You should never directly use $_SESSION, $_POST, $_GET or other values which can be altered by users in your queries. Do a Google search on SQL injection for more information.
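To tie together the advice from this and the earlier answers (quote identifiers with backticks, and never splice user data into the query text), here is an added example that is not code from any of the posts: it backtick-quotes column names, checks a dynamic column name against an allow-list, and binds the values with a mysqli prepared statement. The connection details, the table `user` and its column list are assumptions.

```php
<?php
// Added example, not code from any of the posts above. Assumes a mysqli
// connection in $db and a table `user` with the columns `userid`,
// `currentsong`, `key` and `desc` (names taken from the questions above).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // failures throw mysqli_sql_exception

// Quote a table or column name with backticks, doubling any backtick inside
// it, so reserved words such as `key`, `desc` or `option` become legal names.
function quote_ident(string $name): string {
    return '`' . str_replace('`', '``', $name) . '`';
}

// Column names cannot be bound as parameters. A name that comes from
// user-controlled data (e.g. $_SESSION['gymleader']) must therefore be
// checked against a fixed allow-list before it is placed in the query text.
function checked_column(string $name, array $allowed): string {
    if (!in_array($name, $allowed, true)) {
        throw new InvalidArgumentException("column not allowed: $name");
    }
    return quote_ident($name);
}

// Update one column of `user` for one userid. The column goes through the
// allow-list; the value and the id are bound with a prepared statement, so an
// apostrophe in the value can no longer break the query or inject SQL.
function update_user_column(mysqli $db, string $column, string $value, int $userid): int {
    $allowed = ['currentsong', 'key', 'desc'];      // columns this code may write
    $sql = sprintf(
        'UPDATE %s SET %s = ? WHERE %s = ?',
        quote_ident('user'),
        checked_column($column, $allowed),
        quote_ident('userid')
    );  // e.g. UPDATE `user` SET `key` = ? WHERE `userid` = ?
    $stmt = $db->prepare($sql);
    $stmt->bind_param('si', $value, $userid);
    $stmt->execute();
    $rows = $stmt->affected_rows;
    $stmt->close();
    return $rows;
}

// Usage (constructed credentials): the apostrophe in the title is harmless,
// and a column that is not on the allow-list is rejected before any SQL is sent.
$db = new mysqli('localhost', 'dbuser', 'dbpass', 'mydb');
update_user_column($db, 'currentsong', "Don't Stop Me Now", 1893);
update_user_column($db, 'key', md5(random_bytes(16)), 1893);
```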
UPDATE user SET field = '1' WHERE ...
instead of
UPDATE user SET 'field' = '1' WHERE ...
and if your field is of type int, you might use
UPDATE user SET field = 1 WHERE
If you want to escape your fieldname, use
`field`
in backticks `
Besides the fact that this looks like a bad idea to code like this, assuming you have a column named Brock then you should use these types of quotes instead:
$blah = mysql_query("UPDATE users SET `".$_SESSION['gymleader']."`='1' WHERE username = '".$_SESSION['username']."'")
or die(mysql_error());
Notice I replaced your ' with `
I have the following code:
<?php
include("config.php");
$key = 'blahblah';
$sql = "INSERT INTO softversions SET key='$key'";
$result = mysql_query($sql) or die (mysql_error());
echo "dude";
?>
This gives me an error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'key='svksskjfvns'' at line 1
The thing is that I've used this script about a hundred times on other pages and it worked.
Table and field names are 100% correct.
I don't understand what is going on.
Do you see the syntax error there?
KEY is a reserved word in MySQL and you need to escape it using backticks to use it as a column name and also you should not use SET when inserting.
$sql = "INSERT INTO softversions (`key`) VALUES ('$key')";
key is a reserved word in MySQL. To use it as a column, you need to escape it every time you call it.
$sql = "INSERT INTO softversions SET `key`='$key'";
$sql = "INSERT INTO softversions(keyName) values('{$key}')";