This is the error message I am getting:
Parse error: syntax error, unexpected '"', expecting T_STRING or T_VARIABLE or T_NUM_STRING in /home/content/50/8492150/html/colejoh/web/ai/form.php on line 10
For my HTML form I am using this code:
<html>
<head>
</head>
<body>
<form action="form.php" method="post">
Search: <input type="text" name="term" /><br />
<input type="submit" name="submit" value="Submit" />
</form>
<body OnLoad="document.myform.query.focus();">
</body>
</html>
And for my form.php code:
<body>
<?php
$con = mysql_connect ("xxx.xxx.xxx.xxx", "user", "password");
mysql_select_db ("user", $con);
if (!$con)
{
die ("Could not connect: " . mysql_error());
}
$sql = mysql_query("SELECT * FROM ai WHERE key LIKE $_POST["term"];") or die
(mysql_error());
while ($row = mysql_fetch_array($sql)){
echo 'ID: ' .$row['id'];
echo '<br /> Key: ' .$row['key'];
echo '<br /> Page: '.$row['page'];
}
mysql_close($con)
?>
</body>
I believe the error is in the form.php in the sql statement at LIKE $_POST["term"];") What I am trying to do is to make that code to be what I submitted on the form page.
This line is causing the problem:
$sql = mysql_query("SELECT * FROM ai WHERE key LIKE $_POST["term"];") or die
Change it to:
$sql = mysql_query("SELECT * FROM ai WHERE key LIKE " . mysql_real_escape_string($_POST["term"]) . ";") or die
Also you should avoid using the mysql_ functions they are deprecated. Rather you should use mysqli_ or PDO. This code is also vulnerable to sql injection.
You are not encoding the double quotes correctly. Change the $sql assignment to
$sql = mysql_query("SELECT * FROM ai WHERE key LIKE '".mysql_real_escapse_string($_POST["term"])."'") or die(mysql_error());
This will also guard you from sql injections.
try this
$sql = mysql_query("SELECT * FROM ai
WHERE key LIKE '".mysql_real_escape_string($_POST['term'])."'")
or die(mysql_error());
In php you have to be very careful when working on string variables. To connect multiple string variables you should do it like this:
"SELECT * FROM ai WHERE key LIKE" . $_POST["term"] . ";"
To make your life easier, you should often create "helper" variables like this:
$my_variable="SELECT * FROM ai WHERE key LIKE" . $_POST["term"] . ";"
And then add it to your script like so:
$sql = mysql_query($my_variable) or die(mysql_error());
$sql = mysql_query("SELECT * FROM ai WHERE key LIKE 'mysql_real_escapse_string($_POST[term])'");
Update the above query.
There should not be any double quotes for term
First off, you should not post your mysql username and password.
Second of all, The search term should be quoted.
Replace your line error by this one :
$sql = mysql_query("SELECT * FROM ai WHERE key LIKE $_POST[\"term\"];") or die
(mysql_error());
try this
<body>
<?php
$con = mysql_connect ("xxx.xxx.xxx.xxx", "user", "password");
mysql_select_db ("user", $con);
if (!$con)
{
die ("Could not connect: " . mysql_error());
}
$sql = mysql_query("SELECT * FROM ai WHERE key LIKE ".$_POST["term"].";") or die
(mysql_error());
while ($row = mysql_fetch_array($sql)){
echo 'ID: ' .$row['id'];
echo '<br /> Key: ' .$row['key'];
echo '<br /> Page: '.$row['page'];
}
mysql_close($con)
?>
</body>
Related
Im pretty new on making webpages. But i´m doing a homepage with forms to Insert to my database. Thats no problem, my problem is that I want to show a specific column from the last row. And the code that I've got so far is this:
<html>
<body>
<form action="insert.php" method="post">
Publiceringsdag (OBS! En dag tidigare an foregaende):<br>
<?php
$con=mysqli_connect("localhost","rss","Habb0","kalender");
if (mysqli_connect_errno())
{
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
$lastPub = mysql_query("SELECT DISTINCT pub FROM event ORDER BY `id` DESC LIMIT 1")
or die(mysql_error());
echo $lastPub
?>
<br>
<input type="text" name="pub"><br>
<input type="submit">
</form>
</body>
</html>
Actually, it is not a very good idea to use the deprecated mysql_ functions. Look at PDO or Mysqli instead.
Meanwhile, in your current implementation you just need to fetch your data after the query execution:
$con = mysql_connect("localhost", "rss", "Habb0", "kalender");
if (mysql_connect_errno())
echo "Failed to connect to MySQL: " . mysqli_connect_error();
$lastPub = mysql_query("SELECT DISTINCT pub FROM event ORDER BY `id` DESC LIMIT 1")
or die(mysql_error());
if($row = mysql_fetch_assoc($lastPub)))
$result = $lastPub['pub'];
Now the result should be in your $result variable.
EDIT: I just noticed that in your code you use mysqli_connect, mysqli_connect_errno and mysql_query, mysql_error at the same time. But they belongs to different PHP extensions.
You must fetch the result first:
$lastPub = mysql_query("SELECT DISTINCT pub FROM event ORDER BY `id` DESC LIMIT 1")
or die(mysql_error());
$result = mysql_fetch_array($lastPub);
echo $result['pub'];
Try this.
<html>
<body>
<form action="insert.php" method="post">
Publiceringsdag (OBS! En dag tidigare an foregaende):<br>
<?php
$con=mysql_connect("localhost","rss","Habb0") or die("Failed to connect to MySQL: " . mysql_error());
$db=mysql_select_db("kalender",$con) or die("Failed to connect to MySQL: " . mysql_error());
$result = mysql_query("SELECT DISTINCT pub FROM event ORDER BY `id` DESC LIMIT 1");
$data = mysql_fetch_array($result);
echo $data['pub'];
?>
<br>
<input type="text" name="pub"><br>
<input type="submit">
</form>
</body>
</html>
I am using php to get records from a mysql database using the following code:
<?php
$username="";
$password="";
$database="";
$hostname="";
$con = mysql_connect($hostname, $username, $password);
if (!$con){
die('Could not connect: ' . mysql_error());
}
mysql_select_db($database, $con);
if(isset($_POST['emp'])){
$emp = $_POST['emp'];
$result = mysql_query("SELECT * FROM contact_log", $con);
echo mysql_num_rows($result);
die();
while($row = mysql_fetch_array($result)){
$emp = $row['emp'];
echo $emp.'<br>';
}
die();
}
mysql_close($con);
?>
This works fine and returns the correct fields. The problem is that if I change the query to
$result = mysql_query("SELECT DISTINCT * FROM contact_log", $con);
or
$result = mysql_query("SELECT * FROM contact_log GROUP BY emp", $con);
no results are returned.
mysql_num_rows does not even return a value which indicates to me that those lines are breaking my code but I am unable to figure out how.
I doubt you want to do a distinct * on your first query. Looking at your code, you probably want:
"SELECT DISTINCT emp FROM contact_log"
And you can get more information about what is going wrong with mysql_error:
mysql_query("select * from table") or die(mysql_error())
Finally, are you sure that $_POST['emp'] is being sent? Put an echo right after that if to make sure. And just so you know, you aren't using the emp POST variable for anything other than a flag to enter that block of code. $emp = $_POST['emp']; is doing absolutely nothing.
I am trying to Build a simple search that first grabbs 'query' from a form passed from a HTML form through the url to this script. Once I run the script I get the output: Resource id #140Resource id #141Resource id #142. Why am I getting this output and what does it mean?
Side note I am just using the "echo" as a way to see the output of each variable.
<?php
//connect to database
mysql_connect("localhost", "user", "password") or die("Error connecting to database: " .mysql_error());
mysql_select_db("dataBase") or die(mysql_error());
?>
<?php
$query = $_GET['query'];
// gets value sent over search form
$user_id = mysql_query("SELECT id FROM users WHERE email = '$query'") or die(mysql_error());
echo $user_id;
$account_id = mysql_query("SELECT 'account_id' FROM accounts_users WHERE 'user_id' LIKE ('$user_id')") or die(mysql_error());
echo $account_id;
$user_name = mysql_query("SELECT 'account_name' FROM accounts WHERE 'id' LIKE ('$account_id')") or die(mysql_error());
echo $user_name;
?>
This is not the way to print the results. The method mysql_query returns a resource that you have to use within a loop to actually print the results. For instance, loop at the second example in the official doc page.
P.S. $query = $_GET['query']; using this statement you could have Sql injections problems.
Try something similar to this - after first "SELECT" query :
while($user_id_obj = mysql_fetch_object($user_id))
{
echo $user_id_obj->id;
}
The way you implemented leads to SQL Injection Attacks
SQL Injection Attacks Example
This could be possible in two ways.Which is usefull for you is depends on your requirements.
1.if your query contains a single value as a result then following code with changes in your code will be usefull for you.
<?php
//connect to database
mysql_connect("localhost", "user", "password") or die("Error connecting to database: " .mysql_error());
mysql_select_db("dataBase") or die(mysql_error());
?>
<?php
$query = $_GET['query'];
// gets value sent over search form
$result_user = mysql_query("SELECT id FROM users WHERE email = '$query'") or die(mysql_error());
if (!$result_user) {
die('Could not query:' . mysql_error());
}
$user_id=mysql_result($result_user,0); // outputs first user's id
echo $user_id;
$result_accountuser = mysql_query("SELECT 'account_id' FROM accounts_users WHERE 'user_id' LIKE ('$user_id')") or die(mysql_error());
if (!$result_accountuser) {
die('Could not query:' . mysql_error());
}
$account_id=mysql_result($result_accountuser,0); // outputs first accounts_users's account_id
echo $account_id;
$result_account = mysql_query("SELECT 'account_name' FROM accounts WHERE 'id' LIKE ('$account_id')") or die(mysql_error());
if (!$result_account) {
die('Could not query:' . mysql_error());
}
echo mysql_result($result_account,0); // outputs first accounts's account_name
?>
2.Or your query contains more than one result or more than one rows than following changes in your code will help you
<?php
//connect to database
mysql_connect("localhost", "user", "password") or die("Error connecting to database: " .mysql_error());
mysql_select_db("dataBase") or die(mysql_error());
?>
<?php
$query = $_GET['query'];
// gets value sent over search form
$result_user = mysql_query("SELECT id FROM users WHERE email = '$query'") or die(mysql_error());
while($row=mysql_fetch_array($result_user))
{
$user_id = $row['id'];
echo $user_id;
}
$result_accountuser = mysql_query("SELECT 'account_id' FROM accounts_users WHERE 'user_id' LIKE ('$user_id')") or die(mysql_error());
while($row=mysql_fetch_array($result_accountuser))
{
$account_id = $row['account_id'];
echo $account_id;
}
$result_account = mysql_query("SELECT 'account_name' FROM accounts WHERE 'id' LIKE ('$account_id')") or die(mysql_error());
while($row=mysql_fetch_array($result_account))
{
echo $row['account_name'];
}
?>
<html>
<form action="update.php" method="POST" name="ID">
<input type="text" name="ID"">
<input type="Submit" value="Submit">
</form>
</html>
Up there is the submit form to get an ID number.
I try to get that ID entered by user ( NOTE: It's a number) and show mysql table row coresponding to that ID.
Example : User enter 2 and row number 2 from database is shown.
My problem is that all rows are shown and not only wanted one.
- Extra Question : How can I show user an error if he entered a NULL value ?
<?php
$id=$_POST['ID'];
.
.
.
mysql_connect($host,$username,$password);
if (!mysql_select_db($database))
die("Can't select database");
$query="SELECT * FROM table WHERE ID= '$id'";
$result = mysql_query("SELECT * FROM vbots");
$num=mysql_num_rows($result) or die("Error: ". mysql_error(). " with query ". $query);
mysql_close();
.
.
.
?>
You're not running your query.
You have this:
$query="SELECT FROM table WHERE ID= '$id'";
$result = mysql_query("SELECT * FROM vbots");
You want this:
$query="SELECT FROM table WHERE ID= '$id'";
$result = mysql_query( $query);
**Insert nag about SQL injection**
It should be this.
<?php
$id=$_POST['ID'];
mysql_connect($host,$username,$password);
if (!mysql_select_db($database))
die("Can't select database");
$query="SELECT * FROM table WHERE ID= '$id'";
$result = mysql_query($query);
$num=mysql_num_rows($result) or die("Error: ". mysql_error(). " with query ". $query);
mysql_close();
?>
to check if $id is null:
if (!isset($id))
die("Enter a value for id!");
This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result
I have this bug:
mysql_fetch_assoc(): supplied argument is not a valid MySQL result resource in /home/marlon/domains/webmasterplaats.nl/public_html/edit.php on line 36
This is the code:
<?php
$ip = $_SERVER['REMOTE_ADDR'];
$toegang[] = '86.91.195.26';
$toegang[] = '84.86.189.70';
$valid = true;
if(in_array($ip, $toegang) || isset($valid))
{
if(isset($_GET['id']))
{
if($_SERVER['REQUEST_METHOD'] == 'POST')
{
mysql_query("UPDATE news SET titel='" . mysql_real_escape_string($_POST['titel']) . "', inhoud='" . mysql_real_escape_string($_POST['edit2']) . "' WHERE id='" . mysql_real_escape_string($_GET['id']) . "'");
echo 'Met success geupdate.' ;
}
$database = mysql_connect('localhost','marlonhe19','123456789asd');
mysql_select_db('wmp', $database);
$id = $_GET['id'];
$mysql = mysql_query("SELECT * FROM news WHERE id='$id' ;");
while($row = mysql_fetch_assoc($mysql)){
$id = $row['id'];
$titel = $row['titel'];
$inhoud = $row['inhoud'];
echo '
<form id="form1" name="form1" method="post" action="">
<input type="text" name="titel" value="$titel" /><br />
<textarea name="edit2">$inhoud</textarea> <br />
<input type="submit" name="Submit" value="Opslaan" />';
}
}
}
What's the problem?
Warning: SQL injection possible.
It looks like your query failed.
Replace this:
$mysql = mysql_query("SELECT * FROM news WHERE id='$id' ;");
With:
$mysql = mysql_query("SELECT * FROM news WHERE id='$id' ;") or die(mysql_error());
You should make your own error handling function, it's prefferable to display an error message, without exiting immediately.
You don't need a semi colon(;) in:
$mysql = mysql_query("SELECT * FROM news WHERE id='$id' ;");
Since you are passing a ;, the query execution fails and mysql_query return false and not an object. When you pass false to mysql_fetch_assoc it gives the error that you are getting.
Always add error check:
$mysql = mysql_query("SELECT * FROM news WHERE id='$id'") or die(mysql_error());
Looks like your DB selection part has a problem. Add error checking to that aswell:
EDIT:
mysql_select_db('wmp', $database) or die(mysql_error());
You should check for errors, eg.
$news_result = mysql_query("SELECT * FROM news WHERE id='$id'")
or die("Query failed: ".mysql_error());
In addition, you should name your query result variables something sensible, i.e. not $mysql and you should be using bind variables to protect against SQL injection. Consider a query string of the following:
page.php?id='+OR+'1'='1
Have you tried running the query from mysql prompt.
Looks like query returns error.
Try changing your line
$mysql = mysql_query("SELECT * FROM news WHERE id='$id' ;");
to
$mysql = mysql_query("SELECT * FROM news WHERE id='$id' ;") or die(mysql_error());