Single Quote Causes Update SQL to Fail - php

If I have a user's email address as d'anthony.fredrick#hotmail.com and I use addslashes to make it d\'anthony.fredrick#hotmail.com, the following SQL statement fails.
"UPDATE subscriptions SET sent = '1' WHERE email ='" . $email . "' Limit 1";
The database has the email address stored as d\'anthony.fredrick#hotmail.com. Why does the UPDATE fail?

Always, always, always escape strings before adding them to queries.
"UPDATE subscriptions SET sent = '1' WHERE email ='" . $dbconn->real_escape_string($email) . "' Limit 1";
If you're using the original mysql API then you'd use mysql_real_escape_string in place of $dbconn->real_escape_string

use mysql_real_escape_string()
"UPDATE `subscriptions` SET `sent` = '1' WHERE `email` ='" . mysql_real_escape_string($email) . "' Limit 1";
note: mysql_* has been deprecated. use MySQLi


Properly escaping mysqli query in PHP

Uggh, I've had a few beers and I just can't seem to progress.
I'm teaching myself a bit of PHP with MySQL (just because) and this one line just has me stumped:
$user = $mysqli->query ("SELECT id FROM members WHERE username = " . $_SESSION['user_name'] . " LIMIT 1");
I'm sure it's something completely stupid but I need to have the '$_SESSION['user_name']' passed with quotes around it.
Look, I know it's a stupid question, apologies in advance but I can't even get the right Google terms to find what I'm after... sad I know!
I've tried all combinations of slash escaping and single / double quotes... please help!
You should use prepared statements :)
$stmt = $mysqli->prepare("SELECT id FROM members WHERE username = ? LIMIT 1");
$stmt->bind_param('s', $_SESSION['user_name']);
http://es1.php.net/manual/en/mysqli-stmt.bind-param.php
You're missing the unescaped quotes, and concatenate operators. Try this:
$user = $mysqli->query ("SELECT id FROM members WHERE username = '" . $_SESSION['user_name'] . "' LIMIT 1");
Note the '" . $_SESSION['user_name'] . "' is changed.
As everybody stated before, the following would be a working (but not perfect!) query:
$user = $mysqli->query("SELECT `id` FROM `members` WHERE `username` = '" . $_SESSION['user_name'] . "' LIMIT 1");
But please note: Inserting strings in SQL queries this way is a security risk, since $_SESSION['user_name'] may contain quotes itself, so that somebody attacking your site could execute arbitrary SQL statements! (Search for SQL Injection if you want to get more information on this.)
Using prepared statements as suggested by naoxink is a safer way, but I just want to mention another safe way to insert strings into SQL queries: Use the mysqli::real_escape_string() method:
$user = $mysqli->query("SELECT `id` FROM `members` WHERE `username` = '" . $mysqli->real_escape_string($_SESSION['user_name']) . "' LIMIT 1");
Use this instead
$user = $mysqli->query ("SELECT `id` FROM `members` WHERE username = '".$_SESSION['user_name']."' LIMIT 0,1");

Is it possible to update a table using WHERE email = $_SESSION['email']

I want to update an already existing table; it only has email, and I want to add first name and last name. Does this code work to do so?
UPDATE table
SET fname='$fname', lname='$lname'
WHERE email= '$_SESSION['email'].';
Or can I also use this
$sql="INSERT INTO $tbl_name(fname, lname)VALUES( '$fname, $lname')" WHERE email= '$_SESSION['email'].';
Your UPDATE has a syntax error (problem with apostrophes.)
INSERT will not update but multiply rows. That is not what you want to have.
Here is my suggested query:
$sql="UPDATE table SET fname='$fname', lname='$lname' WHERE email='".$_SESSION["email"]."'" ;
Fix your quotes, like so:
$sql="INSERT INTO $tbl_name(email) VALUES ( '" . $email . "') WHERE email = '" . $_SESSION['email'] . "'";
Try like this: In case of simple Update Query
$user_email = $_SESSION['email'];
$fname = 'Thierry';
$lname = 'Henry';
UPDATE table
SET fname='$fname', lname='$lname'
WHERE email= '$user_email';
Insertion is not a good idea here. It might duplicate your records.
If you want to be more specific, then go like this. I'm just providing the general syntax, not real syntax:
$user_email = $_SESSION['email'];
$fname = 'Thierry';
$lname = 'Henry';
$check_user = "SELECT * FROM table WHERE email = '$user_email'";
if($check_user)
{
YOUR UPDATE QUERY
}
else
{
YOUR INSERT QUERY
}
In case you are using mysql_ functions you should also escape the input:
$email = mysql_real_escape_string($_SESSION['email']);
Disclaimer for idiots: This does not imply I suggest to use mysql_* functions. Use mysqli or PDO instead.
You should also check against NULL and empty values in your query.
$sql = "REPLACE INTO " . $table . "
SET email='" . $email . "'
WHERE email='" . $email . "'
AND email IS NOT NULL
AND email != ''";
From http://dev.mysql.com/doc/refman/5.0/en/replace.html:
REPLACE works exactly like INSERT, except that if an old row in the
table has the same value as a new row for a PRIMARY KEY or a UNIQUE
index, the old row is deleted before the new row is inserted.
Please don't downvote if this doesn't exactly fit, just use INSERT or UPDATE with the same syntax then.
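Added example, not code from any of the answers above, serving both the UPDATE-by-e-mail question at the top of this page and the update-or-insert question here. A mysqli prepared statement binds the e-mail address as a value, so an address containing an apostrophe needs no addslashes() and cannot alter the SQL. The table and column names (subscriptions, email, fname, lname), the UNIQUE index on email and the connection credentials are assumptions made for the example.

```php
<?php
// Added example (not from the original answers). Assumed schema:
//   CREATE TABLE subscriptions (email VARCHAR(255) NOT NULL UNIQUE,
//                               fname VARCHAR(100), lname VARCHAR(100),
//                               sent TINYINT DEFAULT 0);
// Connection parameters are placeholders.
$mysqli = new mysqli('localhost', 'db_user', 'db_password', 'db_name');
if ($mysqli->connect_error) {
    exit('Connect failed: ' . $mysqli->connect_error);
}
$mysqli->set_charset('utf8mb4');   // binding and escaping are charset aware

/**
 * Set fname/lname for the row whose email matches exactly; insert the row if
 * there is none. Every user-supplied value travels as a bound parameter, so
 * "d'anthony.fredrick@example.com" is compared literally, apostrophe included.
 * Returns 'updated', 'inserted' or 'skipped' (empty e-mail).
 */
function upsertName(mysqli $db, ?string $email, string $fname, string $lname): string
{
    $email = trim((string) $email);
    if ($email === '') {
        return 'skipped';          // never match NULL or '' rows by accident
    }

    // Existence check first (the pattern from the pseudocode answer above).
    $count = 0;
    $stmt = $db->prepare('SELECT COUNT(*) FROM subscriptions WHERE email = ?');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->bind_result($count);
    $stmt->fetch();
    $stmt->close();

    if ($count > 0) {
        $stmt = $db->prepare(
            'UPDATE subscriptions SET fname = ?, lname = ? WHERE email = ? LIMIT 1'
        );
        $stmt->bind_param('sss', $fname, $lname, $email);
        $action = 'updated';
    } else {
        $stmt = $db->prepare(
            'INSERT INTO subscriptions (email, fname, lname) VALUES (?, ?, ?)'
        );
        $stmt->bind_param('sss', $email, $fname, $lname);
        $action = 'inserted';
    }
    if (!$stmt->execute()) {
        $err = $stmt->error;
        $stmt->close();
        throw new RuntimeException('Query failed: ' . $err);
    }
    $stmt->close();
    return $action;
}

// Usage: the e-mail comes from the session, the names from a form (constructed values).
session_start();
echo upsertName($mysqli, $_SESSION['email'] ?? null, 'Thierry', 'Henry'), PHP_EOL;
```

Two things worth knowing about this shape. The SELECT-then-INSERT has a window in which two concurrent requests both see zero rows and both insert; the UNIQUE index on email turns the second INSERT into an error rather than a duplicate row, which is why the example assumes it. And if a row was stored already escaped (the d\'anthony value from the first question, a leftover of addslashes() or magic quotes at insert time), a bound 'd'anthony…' will not match it: the stored data has to be corrected once, not escaped a second time at query time.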

MySQL PHP DELETE does not work on this instance?

mysql_query($sqlQ, $connection);
mysql_query("DELETE FROM Leaderboards WHERE UserName=" . $row['UserName'] . " LIMIT 1", $connection);
echo("Success3");
Table Information is comprised of: {UserName, Cash, Assets}.
$row['UserName'] has data as $row['Assets'] has data, INSERT works via query, yet it does not delete the row from the db table.
Tell me what I am doing wrong, this is the first time I worked with PHP & MySQL so I have no idea what I am doing.
Is UserName a string? You're missing quotes.
mysql_query("DELETE FROM Leaderboards WHERE UserName='" . $row['UserName'] . "' LIMIT 1", $connection);
All mysql_* functions are deprecated and will be removed in a future version of PHP. You should use an alternative.
You must escape the data used in a query. Using MySQLi functions, your code would be:
mysqli_query($connection, $sqlQ);
mysqli_query($connection, "DELETE FROM Leaderboards WHERE UserName='" . mysqli_real_escape_string($connection, $row['UserName']) . "' LIMIT 1");
echo("Success3");
You are also missing quotes around the username.
I recommend not to, but if you really want to use mysql_* functions, then use:
mysql_query("DELETE FROM Leaderboards WHERE UserName='" . mysql_real_escape_string($row['UserName']) . "' LIMIT 1", $connection);

PHP Mysql syntax using MD5 and NOW functions

Consider this:
$query = 'UPDATE ' . $table . 'SET optin_date = NOW() WHERE MD5(email_address) = ' . $email;
And I get this error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '= NOW() WHERE MD5(email_address) = c5dfd29d956b52c1ffa00ce4a06ab' at line 1
What I want is to store the current timestamp to the optin_date column using NOW() function as its value (I'm not sure on how it works), only if the hashed email from the query string matches the hashed email from the database using MD5() from mysql. I already have a column having TIMESTAMP type and CURRENT_TIMESTAMP default.
Also, I need to send a mail for confirmation using the email address. Is this possible? What's a better way of doing this?:
$recipient = 'SELECT * FROM ' . $table . ' WHERE MD5(email_address) = ' . $email;
Please help me on the syntax and if there's an elegant way of coding 'Email Confirm Subscriptions" (At least the function handling hashed emails) that you might want to share, please feel free. Thanks.
Try adding these `` around table names and field names, also you have a missing SPACE after $table
$query = 'UPDATE `' . $table . '` SET `optin_date` = NOW() WHERE MD5(`email_address`) = ' . $email;
you should probably also use .mysql_real_escape_string($email) instead of just .$email at the end there - Security risk
$query = 'UPDATE `' . $table . '` SET `optin_date` = NOW() WHERE MD5(`email_address`) = ' . mysql_real_escape_string($email);
Unless of course (as it seems) your $email would be a md5 hash
You have a syntax error in your SQL query.
Write this query:
$query = "UPDATE `".$table."` SET optin_date = NOW() WHERE email_address ='".md5($email)."' ";
try with this:
$query = "UPDATE " . $table . " SET optin_date = CURRENT_TIMESTAMP
WHERE MD5(email_address) = '" . $email . "'";
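Added example, not code from the question or any answer above: the confirm-subscription step done with a prepared statement, NOW() for the timestamp and MD5() evaluated by MySQL against the bound hash, followed by the lookup of the address for the confirmation mail. The table name `subscribers`, the optin_date column being nullable, the `?h=` query parameter and the credentials are assumptions for the example.

```php
<?php
// Added example (not from the original answers). Assumed schema:
//   CREATE TABLE subscribers (email_address VARCHAR(255) NOT NULL UNIQUE,
//                             optin_date TIMESTAMP NULL DEFAULT NULL);
// The confirmation link is assumed to carry the hash as ?h=<32 hex chars>.
$mysqli = new mysqli('localhost', 'db_user', 'db_password', 'db_name');
if ($mysqli->connect_error) {
    exit('Connect failed: ' . $mysqli->connect_error);
}

/**
 * Mark the subscriber whose MD5(email_address) equals $hash as confirmed
 * (optin_date = NOW()) and return the address so a mail can be sent.
 * Returns null when the hash is malformed or matches no unconfirmed row.
 */
function confirmSubscription(mysqli $db, string $table, string $hash): ?string
{
    // MySQL's MD5() yields 32 lowercase hex characters; reject anything else
    // before it reaches the query.
    $hash = strtolower($hash);
    if (!preg_match('/^[0-9a-f]{32}$/', $hash)) {
        return null;
    }
    // Identifiers cannot be bound: $table must come from code, never from the
    // request, and is backtick-quoted here (a literal backtick is doubled).
    $t = '`' . str_replace('`', '``', $table) . '`';

    $stmt = $db->prepare(
        "UPDATE $t SET optin_date = NOW() "
        . "WHERE MD5(email_address) = ? AND optin_date IS NULL LIMIT 1"
    );
    $stmt->bind_param('s', $hash);
    $stmt->execute();
    $confirmed = ($stmt->affected_rows === 1);
    $stmt->close();
    if (!$confirmed) {
        return null;
    }

    $stmt = $db->prepare("SELECT email_address FROM $t WHERE MD5(email_address) = ? LIMIT 1");
    $stmt->bind_param('s', $hash);
    $stmt->execute();
    $email = null;
    $stmt->bind_result($email);
    $stmt->fetch();
    $stmt->close();
    return $email;
}

// Usage: hash taken from the confirmation link, mail sent only on success.
$email = confirmSubscription($mysqli, 'subscribers', $_GET['h'] ?? '');
if ($email !== null) {
    mail($email, 'Subscription confirmed', 'Your subscription was confirmed on ' . date('c'));
    echo 'confirmed';
} else {
    echo 'unknown hash or already confirmed';
}
```

Because MD5() is computed per row, the WHERE clause cannot use an index, and the MD5 of an address is reproducible by anyone who knows the address. Storing a per-subscriber random token (for example from random_bytes()) in its own indexed column and comparing that instead keeps the same prepared-statement shape while avoiding both issues.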

MySQL Query using $_GET

Ok, maybe I'm a bit overtired, but I can't understand why this isn't working! I have a comments box on my website, with profiles for people who post. I want to show just their posts in the profile. Their profile page is userinfo.php?user=(whatever)
This query is failing:
$query = "SELECT message,`date`,ip,name,website,id
FROM `guestbook_message`
WHERE name=" . intval($_GET['user']) . "
AND deleted=0
ORDER BY `date` DESC";
You are getting the name of the user and casting it directly to integer and then comparing it with name. This does not make sense.
If the $_GET['user'] is the ID of the user, then compare it with the ID and not with the name.
If $_GET['user'] is the username of the user, then you have to put the quotes around the username value. As UserName value is a string, you need to encapsulate it in quotes and remove the intval. Do it like this:
$query = "SELECT message,`date`,ip,name,website,id
FROM `guestbook_message`
WHERE name='" . mysql_real_escape_string($_GET['user']) . "'
AND deleted=0
ORDER BY `date` DESC";
try this:
$name = intval($_GET['user']);
$query = "SELECT message,date,ip,name,website,id
FROM guestbook_message
WHERE name='" .$name. "'
AND deleted=0
ORDER BY date DESC";
$result = mysql_query($query) or die(mysql_error());
Assuming you're using mysql_query() to execute the query, have you checked if the query succeeded?
$query = "SELECT ...";
$result = mysql_query($query) or die(mysql_error());
Doing this will force the script to abort if the query fails and tell you why the query failed.
One thing to note is that using $_GET directly in your query leaves you open to SQL injection attacks.
Consider cleaning your input prior to building your SQL statement, or use PDO / Prepared statements.
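Added example, not code from any answer on this page, covering both the username lookup from $_SESSION in the "Properly escaping mysqli query" question and the profile query from $_GET here: the value is bound as a string, so the quoting the askers were fighting with is done by the driver, and intval() is reserved for the case where the parameter really is a numeric id. The schema, the credentials and the availability of mysqli_stmt::get_result() (mysqlnd driver) are assumptions for the example.

```php
<?php
// Added example (not from the original answers). Assumed schema:
//   members(id INT PRIMARY KEY, username VARCHAR(64) UNIQUE)
//   guestbook_message(id, message, `date`, ip, name, website, deleted TINYINT)
// Credentials are placeholders; get_result() needs the mysqlnd driver.
$mysqli = new mysqli('localhost', 'db_user', 'db_password', 'db_name');
if ($mysqli->connect_error) {
    exit('Connect failed: ' . $mysqli->connect_error);
}

/** Look up a member id by exact username; null when there is no such member. */
function findMemberId(mysqli $db, string $username): ?int
{
    $stmt = $db->prepare('SELECT id FROM members WHERE username = ? LIMIT 1');
    $stmt->bind_param('s', $username);   // 's': a string, quoted by the driver
    $stmt->execute();
    $id = null;
    $stmt->bind_result($id);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? (int) $id : null;
}

/**
 * Posts by one author for the profile page. $name is compared as a string,
 * so intval() must not be applied to it; cast to int only when the parameter
 * is a numeric id and the WHERE clause compares the id column.
 */
function messagesByName(mysqli $db, string $name): array
{
    $stmt = $db->prepare(
        'SELECT message, `date`, ip, name, website, id
           FROM guestbook_message
          WHERE name = ? AND deleted = 0
          ORDER BY `date` DESC'
    );
    $stmt->bind_param('s', $name);
    if (!$stmt->execute()) {
        $err = $stmt->error;               // the equivalent of "or die(mysql_error())"
        $stmt->close();
        throw new RuntimeException('Query failed: ' . $err);
    }
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Usage: member id from the session, profile posts from ?user=<name>.
session_start();
$memberId = findMemberId($mysqli, $_SESSION['user_name'] ?? '');
echo 'member id: ', $memberId ?? 'none', PHP_EOL;

$user = $_GET['user'] ?? '';
if ($user === '') {
    exit('no user given');
}
foreach (messagesByName($mysqli, $user) as $row) {
    // Escape for HTML on output; binding protects the query, not the page.
    echo htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'), ': ',
         htmlspecialchars($row['message'], ENT_QUOTES, 'UTF-8'), PHP_EOL;
}
```

The execute() check replaces the `or die(mysql_error())` idiom from the last answer: a failed statement surfaces its error instead of silently returning an empty result, which is usually the quickest way to find out why "this query is failing".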
